The High Court in Rolfe and others v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) has considered an application for summary judgment in an action arising out of a misdirected, encrypted email which was promptly deleted by the recipient.  In dismissing the claim, the court considered that there was no real prospect of the Claimants demonstrating that they had suffered any loss or distress as a result of a minor, technical breach of data protection laws. 

The judgement is set against a backdrop of an increase in claims from both individuals and groups seeking damages from alleged breaches of data protection law by data controllers, often with minimal attempt on the part of the claimant to evidence 'distress' or damage.  Its outcome is a welcome development for data controllers, and is the latest in a series of decisions in recent months which provides clarity on the limits of data subject compensation claims.

Facts

The Defendant firm of solicitors had been instructed by a school to write to the Claimants regarding unpaid school fees.  The correspondence contained the Claimants’ names, addresses, amount of fees owed and a reference to proposed legal action if the outstanding sums were not paid.  It did not contain any financial information, or any material information about the Claimant’s child other than the name of the school which the child attended. 

Due to a typographical error, the correspondence was mistakenly sent to the wrong email address. The unintended recipient promptly notified the Defendant and deleted the email.  The email was encrypted and sent via TLS, which meant that for any person to be able to view the email during the time between when it was sent and when it was deleted, they would have needed access to the recipient’s email account. 

The Claimants pursued an action for damages for, among other things misuse of confidential information and damages under s82 of the GDPR. The Claimants said that they had lost sleep worrying about the possible consequences of the data breach which had made them feel ill. They also alleged that they had spent extensive time dealing with the issue. 

The Defendant sought summary judgement.  They said that, in circumstances where there was a one-off accidental misdirection of an email which did not contain private or sensitive information and the email was swiftly deleted, no harm was suffered by the Claimants.  If any damage was suffered by the Claimants, it was too trivial and so the there was no real prospect of the Claimants succeeding at trial. 

Judgement 

The claim was dismissed, with Master McCloud describing the data breach as "trivial," stressing that "whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown."

The judge quoted with approval  Lloyd v Google [2020] QB 747  where a seriousness threshold had to be applied that "would undoubtedly exclude for example a claim for damages for an accidental one-off data breach that was quickly remedied." There was a suggestion that both the extent of the distress suffered and the amount of time spent dealing with the consequences of the matter were “plainly exaggerated” and “inherently implausible”.  Master McCloud added that, "no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st century."

What's next?

Rolfe v Veale has provided increased certainty and coherence on the concept of  'de minimis threshold' of distress or loss that has to be suffered in order for a data subject to make a successful claim for misuse of personal information or under GDPR. The case also forms part of a broader trend aligning with the approach taken by the High Court in Warren v DGS Retail Limited [2021] EWHC 2168 (QB) earlier this year (see our commentary on this decision here).  Warren set an important precedent by rejecting a claim for misuse of private information where a data controller had allegedly failed to apply appropriate security measures.  Read together, these decisions show that the courts are keen to set limits around data related claims and that do not want to be bound up with cases where technical breaches may have occurred but distress or loss is, at best, limited.  In a burgeoning claims market where there is a significant uptick in claimants alleging data protection law breaches, these decisions are very helpful in reducing uncertainty for data controllers.

Co-authored by Paul Glass, James Parker and Iman Jamil