The Consequences of Data Breaches
High-profile and costly fines for data breaches are now a regular occurrence, but what does it mean for individuals when their data privacy is infringed?
Since the GDPR introduced the possibility of much higher fines for data breaches (in the UK the maximum is £17.5 million or 4% of annual global turnover, whichever is the higher) we have seen a stream of high-profile fines, most recently those imposed on Amazon ($888 million) and WhatsApp ($266 million). But what does it mean for the individuals whose privacy may have been compromised as a result of a data breach?
In Warren v DSG Retail Ltd (DSG) the High Court considered the possible causes of action for a compensation claim following a cyber-security breach. This case followed a £500,000 fine which was imposed by the Information Commissioner in January 2020.
The individual in question was Mr Warren, who claimed that he had been caused distress by his name, address, phone number, date of birth and email address being compromised in the cyber-attack and that he was therefore entitled to damages of £5,000. His claim was based on three causes of action:
- Breach of confidence.
- Misuse of private information.
- Negligence.
A breach of confidence requires a three-limb test to be met, as set out in Coco v AN Clark (Engineers) Ltd:
- The information must have the necessary quality of confidence.
- The information must have been imparted in circumstances importing an obligation of confidence.
- There must have been an unauthorised use of the information, causing detriment.
Misuse of private information is a relatively new basis for making a claim, having grown out of breach of confidence with the influence of the European Convention on Human Rights (ECHR). This requires a two-limb test to be met, as set out in the 2015 case of Vidal-Hall v Google Inc:
- The information in question must be information over which the claimant has a reasonable expectation of privacy.
- The claimant’s Article 8 ECHR right to privacy must outweigh the defendant’s Article 10 ECHR right to freedom of expression (the balancing exercise).
However, both causes of action encountered the same problem in the context of Mr Warren’s case. A breach of confidence requires an unauthorised use of information. A misuse of private information, as the name itself suggests, requires a misuse. The express inclusion of the word “use” is key here, because, as the High Court judge identified, DSG’s error was a failure which allowed the cyber-attack to occur, not a positive act. It was not DSG that disclosed or misused Mr Warren’s data, but a third-party hacker. As such, DSG could not be said to have used or misused Mr Warren’s data. The judge also expressly clarified that the torts of breach of confidence and misuse of private information do not impose a data security duty on the holders of information; again, a positive act is required, as opposed to a failure to meet the standard of a duty.
As for the negligence claim, the judge saw no need to impose a duty of care in negligence, where there is a pre-existing statutory duty under the Data Protection Act 1998. Even if such a duty existed, a successful claim for damages in negligence requires loss of some form to be demonstrated. Distress and anxiety alone rarely constitute sufficient damage for a cause of action in tort, and Mr Warren had suffered no financial loss. As such, the negligence claim also failed.
Warren v DSG reminds us of how difficult it is for individuals to obtain tangible redress for infringements of their data privacy rights. The heavy fines issued by watchdogs like the ICO indicate that they are serious about discouraging these infringements, in the hope that fines and the associated adverse publicity will have a deterrent effect. However, the prospect of the floodgates being opened to unlimited claims and class actions seems to have been averted, at least for the time being.