Mishcon de Reya page structure
Site header
Main menu
Main content section

Data protection damages and "minimal breaches"

Posted on 27 October 2021

Emails sent to incorrect recipients – a common problem of modern communications - can undoubtedly be capable of causing distress. Recently, the Information Commissioner issued a civil monetary penalty, under data protection law, against a Scottish HIV charity which had failed to implement adequate technical and organisational measures to prevent such an occurrence, with the result that an email was inadvertently sent - to 105 recipients - from which an assumption could be made about individuals’ HIV status or risk.

However, it is also plain that some misdirected emails will contain minimally significant information, and will not be capable of causing significant distress to those whose personal data might be exposed or otherwise compromised as a result. In those instances (where the sending of the email results from a failure by the sender) civil enforcement action by the Information Commissioner is unlikely to be appropriate, and legal claims by affected data subjects are likely to fail.

This is shown in a recent application for summary judgment by the law firm which was defendant to the claim. It was held that an email sent by mistake by the law firm, on behalf of a client, to the wrong recipient was - to the extent that it was a breach of the firm’s obligations under data protection and related laws - incapable of giving rise to a “more than fanciful” prospect of success at trial. Accordingly (and in line with the principles for summary judgment) the application succeeded and the claim was dismissed, with costs to be awarded to the defendant.

The offending email had been a demand for payment of a sum said to be owed to the client of the law firm by the claimants. The judge noted that the email contained nothing especially personal, “such as bank details or medical matters” and that the unintended recipient (who was unknown to the claimants) had responded promptly to note that the email was not intended for them and had confirmed she had subsequently deleted it. Consequently, this was, said the judge, "a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry", and "no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied".

This judgment comes shortly after the ruling in Warren v DSG, in which the High Court struck out claims for breach of confidence, misuse of private information and negligence based on data loss arising from a cyber incident. These two judgments indicate that the High Court may be unwilling to entertain damages claims arising from data breaches, where the effects are inconsequential, or where the claims are too broadly framed.

Meanwhile, the decision of the Supreme Court in Lloyd v Google is still awaited. When it is handed down it may (among other things) give some further guidance on the circumstances under which such damages claim might successfully be brought.

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else