Data breaches: the grounds of claim

The concepts of privacy, confidentiality and data protection are ones which frequently overlap. A recent English High Court decision, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) provides some clarity in trying to separate out these concepts and in considering what type of actions will be best fit for purpose, particularly in the context of information security breaches. 

Background

The defendant company (DSG) was the entity behind both the Currys PC World and Dixons Travel brands. It had gathered customer data such as names, email and physical addresses and telephone numbers as part of its sales and marketing activities. The claimant, Darren Warren, was one of those customers. The customer data were exposed by a large-scale hacking effort carried out against DSG in 2017 and 2018. It appears that the attack may have been due, at least in part, to failure by DSG in its information security practices. Following an investigation by the Information Commissioner, DSG was subject to a £500,000 penalty notice in respect of the intrusion into customer data. At the time of the High Court’s judgment, DSG was appealing that penalty to the First-tier Tribunal.

The claims made

Warren brought a claim for £5,000 in damages against DSG based on four causes of action: 

• breach of statutory duty under the Data Protection Act 1998 (“DPA 1998”);
• breach of confidence; 
• misuse of private information; and 
• negligence. 

The DPA 1998 claim was brought as the attacks had occurred prior to the entry into force of the GDPR and the Data Protection Act 2018. The claimant had initially relied on breaches of a number of different data protection principles. However, by the time of the hearing, this had narrowed to simply a breach of the seventh principle. That principle requires a data controller (in this case, DSG) to take “appropriate technical and organisational measures” against “unauthorised or unlawful processing of data”. In this case that related largely to the information security protections on the customer personal data held by DSG.

DSG sought strike out or summary judgment on all of the causes of action except the DPA 1998

Parties’ submissions

The position for DSG on the negligence claim was that it would needlessly duplicate the DPA 1998 claim and also disclosed no recoverable loss (judgment, para 14). On the claims for misuse of private information and breach of confidence, DSG maintained that these causes of action required it to have done some “positive wrongful action” such as disclosing the information or using it in some other impermissible way. In a case premised on alleged information security failures, DSG submitted there could be no claims under these two heads where they relied not on commission of an act but only on security omissions.

Warren’s counsel conceded that the claim for breach of confidence should not have been brought (para 15). In terms of the misuse of private information claim, it was argued that the information was “prima facie private” and that the action could cover both disclosure/publication of private information and also the intrusion into that private information caused by failing to protect it. The requirement for a positive act as an element of the action was said not to be supported by authority. In what appears to have been an alternative argument, it was suggested that the lack of proper information security was “tantamount to publication” in leaving the data so exposed to the hackers (who conducted the attacks) that it was effectively published to them (para 16). 

Further, the negligence claim was not duplicative as the duties in negligence and under the seventh DPA principle were not necessarily the same or operated to the same standard (para 17).

The High Court’s conclusions

The court began by considering the actions for breach of confidence and misuse of private information. As Saini J noted (para 21): “Despite the way in which counsel for the claimant has attractively sought to recharacterise her client’s case, it is clear that the claimant does not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either [breach of confidence] or [misuse of private information].” 

Such an omission or failing could not, in the judge’s view, support a breach of the obligations of privacy or of confidence as this would be a significant development in the law which appeared to go against the leading cases in the area (paras 22-27). On this basis, the High Court considered that neither of these claims had any basis of success and struck them out (para 32).

The court then turned to consider whether the claim for negligence should be struck out. In this respect, there were two main difficulties for the negligence claim. First, Saini J was persuaded that the decision of the Court of Appeal in England & Wales in Smeaton v Equifax Ltd [2013] 2 All ER 959 ruled out the availability of negligence. Such an action would, in the court’s view, be unnecessary given the existence of the data protection duties (para 35). It would also not be an instance in which there was sufficient proximity between DSG and the customers, nor would there be a fair, just or reasonable basis for the imposition of a duty of care (para 36). 

The second difficulty faced by the negligence claim lay, in the court’s eyes, in the nature of the loss that Warren was claiming. While he claimed to have suffered distress as a result of the breach and had changed his passwords, there was no evidence of any concrete clinical psychiatric harm or of any financial loss suffered by him (para 40). In this respect, Saini J noted that while s 13 of the DPA 1998 allowed for claims for distress simpliciter, a claim for negligence could only be maintained where there was proof of some pecuniary loss or clinically recognised injury (para 40). As such, the negligence claim would have failed on this basis even if there had been a duty of care (para 42).

Ultimately, Saini J struck out the misuse of private information, breach of confidence and negligence claims with only the DPA 1998 claim remaining standing. That was transferred to the county court with the proceedings stayed until DSG’s appeal against the penalty notice was

Reflections from the case 

While the case was brought under the preceding data protection legislation, it remains a useful one both in illustrating the possibilities involved in data protection claims and in clarifying where the boundaries seem to lie in English law between the potentially overlapping concepts of data protection, confidentiality, privacy and negligence. 

At a narrow level, the decision is helpful in clarifying the elements required in the English civil law actions for breach of confidence and misuse of private information. The judgment effectively confirms that these must be founded on some positive act rather than some omission by the defendant. Equally, where such an omission is present, the judgment confirms that negligence is likely not available as it adds little if anything to data protection claims.

The judgment is also perhaps a useful moment to reflect on the conceptual differences that can be seen to exist between data protection, confidentiality and privacy. Confidentiality may apply to both natural and corporate persons, and information that a person holds about another may be confidential (such as being commercially sensitive) without it necessarily intruding on that person’s private life. There is also at least some suggestion that, conceptually, confidentiality requires a pre-existing relationship to give rise to the obligation of confidence. As a legal concept, privacy seems more focused on this protection of sensitive information about personal affairs or on attacks on the dignity of a person. This protection can, it seems, arise without the need for a pre-existing relationship. As the judgment also seems to acknowledge, there is doubt as to whether a simple intrusion into privacy without further disclosure or misuse warrants any legal remedy. While data protection law does not apply to corporate confidentiality, much of the information falling within the concepts of personal confidentiality and privacy will also be that which is protected by data protection law. 

In the case of data protection, the controlling idea is that of personal data. Some of that information may rise to the level of truly private information (medical status and other sensitive details for instance), but other information (names, addresses, phone numbers for instance) will be personal data deserving of protection but may not rise to the level of sensitivity that necessarily engages legal conceptions of privacy or confidentiality. In addition, it is clear that data protection law provides conceptually distinctive, additional rights, such as rights of correction or objection to automated processing, which go beyond notions of privacy and confidentiality.

The case is useful for Scots lawyers. The High Court’s rejection of negligence in this context in favour of the availability of an action under data protection legislation is a conclusion that is likely to be helpful in framing claims in similar circumstances in Scotland. 

Saini J’s conclusions on the elements of the actions for breach of confidence and misuse of confidential information may be of more limited relevance given the development of Scots law, but it is perhaps useful to reflect on whether Scots law similarly requires some positive act to occur in order for there to be a breach of confidence.   

The position on separate actions for privacy, whether these involve misuse of sensitive information or extend to intrusion into people’s seclusion and dignity, remains more uncertain in Scotland. Some Scottish decisions have tended towards greater protection for privacy (see, for instance Henderson v Chief Constable of Fife 1988 SLT 361 and Martin v McGuiness 2003 SLT 1424). However, in the recent case of C v Chief Constable of Police Scotland [2020] CSIH 61; 2020 SLT 1021, the Inner House seemed doubtful as to whether there was any “general right of privacy” in Scots law (para 83 of that judgment). Whether Scots law should recognise a separate delictual liability for, at least, the misuse of private information is a point that seems still (as commentators such as Professor Elspeth Reid have noted) to be firmly decided, though there seems to be no conceptual difficulty in it doing so.