Freshfields TQ

Data breach litigation: “very modest” data breach claim labelled “form of procedural abuse”

A new English High Court ruling may make would-be claimants think more carefully before bringing sweeping data breach claims. Emma Louise Johnson v Eastlight Community Homes Limited involved a claim for £3,000 in compensation under the GDPR against a social housing organisation after an individual’s name, address and details of recent rent payments were accidentally disclosed to another tenant. The English High Court labelled the claim a “form of procedural abuse” and ordered the claim to be transferred to the County Court to be dealt with on the Small Claims Track, narrowly deciding against striking it out.

Background to the case

Eastlight Community Homes Limited (ECH) is a provider of low-cost social housing and the claimant was one of its tenants. On 1 September 2020, ECH emailed another of its tenants attaching their rent statement. However, the attachment to that e-mail contained additional rent statements, including the claimant’s, which recorded her name, address, and details of recent rent payments.

Within three hours of receiving the e-mail, the third party called ECH to notify them of the error and to confirm that the e-mail had been deleted. On 20 September 2020, ECH e-mailed the claimant to: (i) inform her of the data breach; (ii) confirm that the e-mail and attachment had been deleted; and (iii) confirm that the matter had been reported to the ICO.

Emma Louise Johnson v Eastlight Community Homes 

Claims were founded in the tort of misuse of private information (MPI), the tort of breach of confidence (BoC), common law negligence, breach of the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA), and breach of Article 8 of the European Convention on Human Rights (ECHR). The claimant also sought injunctive relief to prevent a reoccurrence of the data breach.

ECH’s application

ECH applied for: (i) summary judgment on the whole claim under the de minimis principle; (ii) strike out of the whole claim on the grounds that the claim was an abuse of the court’s process or was otherwise likely to obstruct the just disposal of the proceedings under the principle in Jameel; and/or (iii) strike out of the claim in negligence on the grounds that the particulars of claim disclosed no reasonable grounds for bringing or defending the claim.

In summary, ECH argued that:

  • the claimant was not entitled to any damages at all (or any other relief in the circumstances), as the inadvertent disclosure of the claimant’s personal information was purely a “technical breach” of Article 5 of the GDPR;
  • the claimant had suffered no loss or damage above the de minimis threshold (i.e. the principle that whilst damages can, in principle, be recovered, including simply for the distress caused, any distress must not be trivial in nature) and, therefore, the claimant had no real prospect of success, such that the Court should enter summary judgment; and
  • the claimant had no claim in negligence, following the recent decision of the High Court in Warren v DSG Retail Limited (see Freshfields TQ article here).

Master Thornett (Master of the Queen’s Bench Division) struck out the claimant’s claims for MPI, BoC and breach of Article 8 of the ECHR, and held that bringing what was left of the claimant’s claim (essentially alleged breaches of GDPR) in the High Court was a form of procedural abuse, transferring it to the County Court to be dealt with on the Small Claims Track.

Master Thornett held that:

  • applying Vidal-Hall v Google and Higinbotham v Teekhungam & Anor, the principle in Jameel extends to statutory torts, including claims brought under the GDPR and DPA;
  • he saw no basis for this claim having been issued in the High Court (the value of the claim came nowhere near the High Court requirement and the subject matter of the claim did not elevate it to High Court status); and
  • he was, however, mindful that the Court should strive to provide a remedy to any litigant if it can and, therefore, the claim was redirected to the more appropriate forum, the County Court.

Wider implications of the case

The High Court’s judgment adds to the growing body of jurisprudence shaping data privacy litigation in England and Wales. It should make would-be claimants pause for thought before bringing sweeping claims following data breaches where only a small amount of distress (if any) has been suffered.
