It has been a busy 12-months for DPA claims, with this increasingly important, and developing area of law thrust into the spotlight on more than 1 occasion.
I would anticipate that DPA Claims, consequences of breaches, and ongoing developments of the law as its stands is something that will remain with us going into 2022 and beyond given that our Data, and its retention, its processing, and unfortunately, its loss, becomes continually more applicable to each and every one of us as the digitisation of the world and our lives continues.
So what have been the developments?
The short answer, is that there have been several, but for the purposes of this brief blog we will consider 2 in particular, with a passing note to VM Morrisons Supermarkets plc v. Various Claimants [2020] UKSC 12.
Morrisons deserves a moment of our time given its importance in terms of its position with regard to the principle of ‘vicarious liability’, and to issues that arose in a case in which I was instructed by the Claimant earlier this year.
Accordingly, this is where we will start.
Whose Fault is It and Who can we Blame?
This is not always a straightforward question to answer. It is often easy to establish that something has happened that ought not to have, and therefore, an issue that is actionable; however, against whom to target our complaint is not always so straightforward.
Vicarious liability and its general principles need no further discussion here, but the position of the Supreme Court does.
In short, Morrisons Supermarket, and its staff, were the victim of a significant data-leak, one perpetrated by a member of their internal audit team, and therefore importantly, a Morrisons’ employee who uploaded a file containing the data of some 98,998 members of Morrisons’ staff to a publicly accessible file-sharing website.
At first glance therefore, we might consider that as the employer of the perpetrator, Morrisons’ would be vicariously liable. However, as per the Supreme Court decision, we must look much closer.
The question that fell to be answered in this regard was as per the general test in Dubai Aluminium [2003] 2 AC 366, namely, whether the disclosure was “so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment”.
The connecting factor was argued to be that he was in the first instance, given the task of collating and transmitting payroll data to KPMG, and therefore it was argued that he could not have made the disclosure if he had not been given the initial task.
The Court found on the facts however that the employee was not engaged in furthering his employer’s business, but rather, that he was pursuing a personal vendetta, and therefore it could not be “fairly and properly be regarded as done by him while acting in the ordinary course of his employment”.
The second issue that fell to be determined, therefore, was whether the DPA excluded the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA and, misuse of private information and breach of confidence.
The simple answer is that it did not, the Supreme Court confirming this position.
Accordingly, Morrisons does not find that there is no vicarious liability in such claims per se, but, that Morrison’s were not vicariously liable in that particular case on the facts.
The lesson, therefore is that Claimant’s must look beyond the Employer/Employee relationship to determine liability, as the question may be more nuanced. Importantly however in terms of a cause of action, Employers can and might be vicariously liable for the actions of their employees if the relevant test has been satisfied.
Is It Serious Enough?
Our second question involves our second case, and one of the more important cases of 2021.
Alan Rolfe & Ors v. Veale Wasborough Vizards LLP [2021] EWHC 2809 (QB) fell to be considered by Master McCloud in the High Court, following an application for Summary Judgment.
The case itself involved the sending of a single email, with attachments, sent by the Defendant’s. The intention was that the email, a letter, and a ‘statement of account’ was to be sent to the Claimant’s. However, a mistake in the typing of an email address (a mistake of one letter in the address) meant that the email did not go to the intended recipient.
That person replied promptly, indicating that the email was not intended for them. The Defendant replied asking that the recipient delete the message, that person confirming that she had done so.
The Defendant’s argued that “on the facts, the Cs cannot have suffered damage or distress above a de minimis level”.
Master McCloud at paragraph 11 notes “In this case the question boils down to the relatively simple one: given the nature of the breach and the nature of the information and the steps taken to mitigate the breach and the material before me, is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level”.
It was further noted that nothing particularly personal had been disclosed, that a set of “rapid” steps had been taken, that there was no evidence of further transmission, nor any significant misuse. Accordingly it was found that “no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied”.
Consequently the case did not demonstrate distress or damage above a de minimis threshold and that summary judgment was granted.
As a further point, the Master expressed concern that such a case had been commenced in the High Court given its trivial nature.
The lesson therefore is that there must be a credible basis upon which to argue damage and or distress, under the DPA, and further that there is a di minimis threshold that must be crossed in order to attract any form of award of damages or declaration, a failure to do so resulting in not just a claim being dismissed but a potentially significant adverse costs award.
The DPA and breaches of the same is thus not quite the free for all anticipated by many, although in the same vein, as much as Rolfe is important, it does not to my mind offer anything new in terms of what is and what isn’t appropriate, but rather just restates the principles.
Come one Come All
Our third and final case, or issue, arises following Lloyd v. Google LLC [2021] UKSC 50 and the ‘group litigation’.
Simplistically, the case arose following Google taking advantage of Apple Safari users, by using a ‘cookie’ that enabled Google to track users activity across websites and to collect information regarding that usage for the purposes of targeted advertising.
Mr. Lloyd brought a representative action for breach of the DPA 1998, seeking to bring a claim not just personally, but on behalf of all of those potentially affected by the ‘cookie’ or ‘Safari Workaround’.
The Supreme Court however, found that absence the proof that a contravention of s.13 DPA 1998 had caused material damage or distress, a data-subject was not conferred the right to compensation, and further, that the Claimant in the instant case was seeking to recover damages without proving that the allegation was true in any specific case over and above that which was required to bring them within the ‘class’.
Accordingly, the ‘uniform’ approach adopted by the Claimant was not appropriate given the effect of the Safari Workaround not being uniform across the represented class because of the difference in the level of internet use of the affected individuals (paras 80, 82, 84-85, 87).
Further, per 144 and 153 of that judgment, even where it was unnecessary to show an individual had suffered material damage or distress as a result of unlawful processing, it would remain necessary to establish the extent of that unlawful processing in each individual case. Without that proof beyond the bare minimum required to bring an individual within the ‘class’ a claim on behalf of such an individual thus had no prospect of meeting the threshold for an award.
So what does this mean practically? Simplistically, representative actions in such cases are unlikely to now be viable. However, this does not mean that numerous Claimant’s cannot bring a case governed by ‘group litigation order’, given that in such circumstances all Claimant’s will have been identified, and therefore the ‘extent of unlawful processing’ issue can be established without falling into the position considered by the Supreme Court considered in Lloyd.
Where are We Going Now?
As I noted at the outset, DPA claims are still developing, as is the law itself; as such we still have some distance to travel to my mind.
However, as much as at first glance certain cases may appear problematic for Claimant’s, on closer inspection they mostly serve to re-affirm pre-established principles, meaning that there is nothing to prevent meritorious claims being brought; it is not all ‘doom and gloom’.
The position concerning vicarious liability has not necessarily been changed, nor has the position in terms of cases having to meet a baseline of seriousness before being brought.
As practitioners therefore, we just need to look carefully and assess accordingly before commencing a claim.
Carl Buckley is experienced in the bringing of Claims under the DPA 1998 and 2018, and can be contacted through Mark Cornell, Senior Clerk at Guernica 37 Chambers, clerks@guernica37.com .