Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
Saini J heard a strike out application by DSG, the company which operates Currys PC World and Dixons Travel. The point of sale computer system at Currys PC World had been the subject of a large scale malware attack in 2017 and 2018. This allowed the attackers to gain access to the personal data of many DSG customers, including the claimant who had previously made a purchase from the company. The pleaded claim was predicated on DSG’s alleged failures to put in place proper IT security systems and measures.
Mr Warren made his claim under the Seventh Principle of the Data Protection Act 1998 (appropriate technical and organisational measures), in negligence, and as a misuse of private (MPI) information and in breach of confidence (BoC). DSG sought strike out of all claims except for the DPA claim.
The Court held that the BoC and MPI claims were not properly arguable. Both causes of action required a positive act on the part the defendant. These facts were likened to a home owner who left their window unlocked, creating the potential for a burglar to enter their home. That was not positive conduct causing the breach or misuse. DSG was a victim of the cyber attack. BoC and MPI do not impose a data security duty.
The negligence claim too was struck out, there being no duty of care. The customer relationship did not create proximity, and it was not fair, just or reasonable to impose a duty. Saini J held that Finally, even if the Claimant had an arguable case on duty of care, he had suffered no loss.
One final point arises from this judgment. The case has been transferred from the High Court to the County Court. This will be of note to solicitors, with many low value data protection cases of late being issued in the High Court.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.