SUMMARY JUDGMENT GRANTED TO DEFENDANT: DAMAGES WERE “DE MINIMIS”: THE LAW WILL NOT SUPPLY A REMEDY WHEN NO HARM HAS CREDIBLY BEEN SHOWN
In Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) Master MCCloud granted the defendant summary judgment in an action for breach of data.
“There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.”
THE CASE
The defendant firm of solicitors wrote a letter of claim in relation to unpaid school fees. The letter contained a statement of account of moneys due. An error was made in that the email was sent to the wrong person (with a very similar name). That person immediately indicated that the email was not for them and confirmed it was deleted.
The claimants brought an action “for damages for misuse of confidential information, breach of confidence, negligence, damages under s82 of the GDPR and s169 Data Protection Act 2013, plus a declaration and an injunction, interest and further or other relief.”
THE DEFENDANT’S APPLICATION FOR SUMMARY JUDGMENT
The defendant applied for summary judgment on the grounds that there was no loss.
THE JUDGMENT STRIKING OUT THE ACTION
The Master granted the application.
-
-
It was common ground that in principle damages can be recovered and other remedies obtained for breaches of data protection regulations and misuse of private information, including simply for the distress caused even absent specific pecuniary loss. See Vidal-Hall v Google [2016] QB 1003. Similarly, it is not in dispute that in principle loss of control of personal data can constitute damage: Lloyd v Google [2020] QB 747. However there does need to be damage, one cannot succeed in a claim where any possible loss or distress is not made out or is trivial: see Lloyd v Google where Sir Geoffrey Vos said at [55]:
-
“I understood it to be common ground that the threshold of seriousness applied to section 13 as much as to MPI [misuse of private information]. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”
-
-
The Defendants argued that the requirement for some damage to be shown even if only credible distress has been a part of the tort of Misuse of Private Information since its inception, and involves looking at the harm that could come from the disclosure of the information in question. In Campbell v MGN [2004] 2 AC 457 per Lady Hale at [157]:
-
“Not every statement about a person’s health will carry the badge of confidentiality or risk doing harm to that person’s physical or moral integrity. The privacy interest in the fact that a public figure has a cold or a broken leg is unlikely to be strong enough to justify restricting the press’s freedom to report it. What harm could it possibly do?”
“On the facts, the Cs cannot have suffered damage or distress above a de minimis level. The court must look at the reality of the personal information in question and the circumstances in which it was inadvertently sent to one third party:
a. The nature of the private information in question:
i. This is not a case where intimate information about health or a sexual relationship are in play. Names and home address are given, but no further details of home life, no phone numbers are included. There are no bank details or details of the state of the Cs finances.[1]
ii. The only financial details are the invoice for school fees (the level of fees being publicly available on the school’s website), and the statement of account of school fees for the past 5 years – i.e. the amounts C1 and C2 had paid for C3’s schooling. These are 25 pages into the attachments. There are documents asking for other financial information, but these are blank and contain no personal data. Whilst the letter states that C1 and C2 have not paid one term’s bill, it gives no information as to why that it. Is does not say they cannot do so, or anything about their financial position. It states the mere fact of non-payment of this bill, and that if payment is not made, legal action may result.
iii. Whilst Cs assert that there is data relating to C3’s location and transport, the only reference to transport is a fee for it– not giving any details of what this transport is or where this transport takes place, contrary to the assertion at para. 9c POC. Therefore the only location data is the school and the Cs’ home address.
b. The circumstances of disclosure:
i. The information was disclosed to one individual only, accidentally as a result of a typographical error;
ii. The individual notified D of the error the same day. The next day, when asked to delete the email and confirm that had been done, the individual did so did so 2½ hours later. There is no reason to think that they did not act in good faith, or even that they read all of the documents in any detail.
iii. The email was encrypted;
iv. That the email went through Gmail servers is irrelevant to the claim, as C1 and C2 have Gmail accounts themselves, and therefore the email, when sent properly, went through this same system.
c. No tangible harm or loss is pleaded or plausible:
i. The (unpleaded) inference in the witness statement of Mr Bennett that phishing phone messages were targeted at C1 and C2 because of this incident is an inference that cannot be drawn. Neither the Cs’ phone numbers nor any information about who they bank with was in the email or attachments and therefore cannot have been exploited.
ii. In his witness statement Mr Bennett quotes from correspondence about the number of hours Mr Rolfe spent dealing with the incident. Firstly, there is no claim made for time spent dealing with the incident. Secondly, the number of hours claimed is wholly implausible. When this claim was made in correspondence D queried it (in particular in relation to an email referred to dated 11 August 2019 which did not deal with this matter but rather the matter of the unpaid fees asked for the correspondence between Cs and D/Moon Hall School. The specific point about the 11 August email was not responded to (but it is repeated in Mr Bennett’s witness statement), but after chasing, D was sent the documents … which consist of email between 19 and 31 July 2019. … these consist of only a small number of short emails. …This amounts to 6 short emails, the longest of which is 10 lines long (including “Dear..”, “Yours sincerely” etc). Whilst Cs will have read the responses, again, these were brief, none amounting to more than approx. ½ a page and most being very brief indeed. This, it is alleged, took over 24hrs (out of a total of 46hrs which it is claimed C1 spent dealing with this matter). This is simply not plausible, and must be exaggerated. It is submitted this is reflective of the Cs’ attitude to the claim as a whole, and the court is entitled to take a sceptical view of their assertions of distress. It need not and should not take them at face value.
d. There was no real loss of control of the personal data: “Loss of control” means something more than one third party briefly having access to this relatively low-level personal information and then confirming they deleted it. In Lloyd it was commercial exploitation of that information on a large scale. There the Court of Appeal found that individuals’ “browser generated information” had a value and was of commercial value to Google [at 46,47]. In Gulati v MGN Ltd [2017] QB 149 it was disclosure to journalists who used the personal information as they saw fit, in particular by publishing in a national newspaper. This is very different.
On the facts of this case, it is simply not plausible that Cs have suffered distress above a de minimis threshold in relation to the accidental sending of this email to one recipient who quickly deleted it. Whilst unfortunate, the incident is simply not of a sufficiently serious nature to have caused damage over the threshold.”
“21. In Ambrosiadou v Coward [2011] EWCA Civ 409 Lord Neuberger MR said at [30]:
‘Just because information relates to a person’s family and private life, it will not automatically be protected by the courts: for instance, the information may be of slight significance, generally expressed, or anodyne in nature. While respect for family and private life is of fundamental importance, it seems to me that the courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century.’
22. This was an accidental one-off incident where an email address was mistyped and sent to an incorrect recipient. The data contained in the email was not of a very private or sensitive nature. Whilst the incident is unfortunate, it was swiftly remedied – the recipient emailed the same day to say they were the wrong recipient, and quickly confirmed deletion. Incidents such as this occur regularly in organisations throughout the country. Where no harm is caused, or no harm that overcomes the de minimis threshold, no cause of action lies and no claim for compensation will succeed. If it were not so, the court would be bound up with such cases, every time a minor error occurred. This is a case of no harm done. Exactly the type of case Sir Geoffrey Vos was referring to in Lloyd. The C’s have no realistic prospect of proving that they have suffered harm above de minimis, and therefore no realistic prospect of succeeding in their claim for damages.”
-
-
By contrast the Claimants urged me to take into account that it could not at this stage be ascertained the extent to which the information had reached third parties and that of course damages for distress are available even without proof of special damages, subject to the de minimis threshold and that the information which went to the third party was not banal. It was said (by the solicitor for the Claimants but not in the form of a statement from the Claimants directly) that they had lost sleep worrying about the possible consequences of the data breach and that it ‘had made them feel ill’ and that extensive time (referred to in the extract from D’s skeleton above) had been spent by the Claimants dealing with the issue. This was all a factual dispute and a trial was required and there was a reasonable prospect in showing that loss and damage crossed the de minimis threshold which is a factual issue for trial. Much of the alleged distress stemmed here from the ‘fear of the unknown’, too, it was said, by the parents in terms of who the recipient might have been, given Mr Rolfe’s profession as an IT specialist.
-
Principles
-
-
In a summary judgment application, I must refuse summary judgment if the claim has a ‘more than fanciful’ prospect of success, that is to say a realistic prospect, and that there is no other good reason for a trial. I need not recite all the principles: this is not a ‘mini trial’ I should take into account material reasonably likely to be before the court at trial and need not take current evidence at face value if it is contradictory or inherently implausible. See Swain v Hillman [2001] 2 All ER 91, ED & F Man Liquid Products v Patel [2003] EWCA Civ 472, Royal Brompton Hospital NHS Trust v Hammond (No 5) [2001] EWCA Civ 550, Doncaster Pharmaceuticals Group Ltd v Bolton Pharmaceutical Co 100 Ltd [2007] FSR 63, ICI Chemicals & Polymers Ltd v TTE Training Ltd [2007] EWCA Civ 725.
-
-
-
In this case the question boils down to the relatively simple one: given the nature of the breach and the nature of the information and the steps taken to mitigate the breach, and the material before me, is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level.
-
-
-
What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.
-
-
-
There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.
-
THE ORDER FOR COSTS
The order for costs is illustrative. The Master ordered costs on the indemnity basis.