As a solicitor practising in England and Wales, a common misunderstanding is this: “If my case involves human rights or data protection, surely it belongs in the High Court?”
The recent Court of Appeal decision in Wysokinski v OCS Security Ltd provides a clear and very practical answer.
It is a decision that will matter to anyone considering bringing a data protection claim, particularly where distress and misuse of personal data are alleged. It also offers a useful reminder about procedural fairness and the importance of choosing the right forum from the outset.
What was the case about?
The claimant issued a claim against OCS Security Limited following an incident involving a court security guard.
In summary:
- A medical device was confiscated from the Claimant during court security screening;
- The Claimant alleged that sensitive medical information (special category data) was disclosed to third parties;
- He brought a claim under the UK GDPR and Data Protection Act 2018;
- He also alleged breaches of Articles 6 and 8 of the European Convention on Human Rights; and
- He valued his claim at between £15,000 and £30,000.
The claim was issued in the High Court but in a District Registry rather than the Media and Communications List in the Royal Courts of Justice in London. Under CPR Part 53, that was procedurally incorrect. The judge therefore had to decide whether to transfer it to:
- The Royal Courts of Justice (High Court); or
- The County Court.
The judge transferred it to the County Court without a hearing and without detailed reasons. The claimant appealed.
The central issue: which court was appropriate?
The Court of Appeal made clear that the real issue was straightforward:
Was this claim one that genuinely required determination by a High Court judge, or could it properly be dealt with in the County Court?
The rules allow media and communications claims (including data protection claims) to be issued in either court. The choice depends on factors such as:
- Financial value;
- Complexity of facts and law;
- Public importance; and
- Need for specialist judges.
On the face of the claim form, the Court of Appeal held:
- The value was well within County Court territory;
- The claim was predominantly for damages;
- There was no obvious complexity; and
- There was no significant public importance.
In fact, once additional material was considered, it appeared liability had effectively been admitted (subject to proof of the medical document), leaving primarily an assessment of damages for distress.
The Court concluded that transfer to the County Court was not merely reasonable, it was inevitable.
A key point for Claimants (and those advising them)
The judgment strongly endorses earlier guidance that straightforward data breach claims do not automatically justify High Court proceedings.
The Court emphasised that:
- County Court judges are perfectly capable of handling data protection law;
- Not every GDPR claim is legally complex; and
- Overcomplicating claims can drive up costs unnecessarily.
This is particularly relevant in what I would describe as the “classic data breach” scenario involving human error, limited disclosure, distress claimed and modest financial value.
Bringing such a case in the High Court can expose a Claimant to:
- Greater procedural complexity;
- Higher costs risk; and
- Adverse cost consequences if the court considers the forum inappropriate.
That is not just theoretical. In this case, although the appeal failed, the Court of Appeal reduced the respondent’s recoverable costs to £5,000 (from a claimed £33,000+) due to procedural deficiencies of the original judge and proportionality concerns regarding the costs incurred.
Costs matter. Forum choice affects costs.
Procedural fairness – a warning for the Courts
The Court of Appeal did criticise the process adopted by the original judge below:
- No reasons were given for choosing the County Court over the High Court;
- The order failed to record the right to apply to set aside the decision as it had been made in the absence of the Parties submissions (as required by CPR 3.3(5)); and
- The Claimant’s request for reconsideration was not properly treated as an application.
The Court was clear that better handling at first instance may well have avoided the appeal altogether.
However, and this is crucial, procedural irregularity does not rescue a weak substantive argument. Even with proper procedure, the outcome would have been the same.
What this means in practice
From a solicitor’s perspective, this case reinforces several practical lessons:
1. Forum selection is strategic
Issuing in the wrong court can:
- Delay your case;
- Increase costs; and
- Damage credibility.
We carefully assess complexity, value and public importance before advising on forum for a claim to be issued in.
2. Adding human rights allegations does not elevate a claim automatically
Merely referencing Article 8 does not transform a modest data breach claim into High Court litigation.
The court will look at substance, not labels.
3. Proportionality is king
Judges are increasingly alert to disproportionate litigation in modest-value data cases. Where liability is straightforward and damages are modest, streamlined County Court proceedings are often entirely appropriate.
4. Appeals about procedure rarely succeed if the outcome is obvious
Even where there is procedural unfairness, appellate courts focus on whether the decision was correct in substance.
A broader reflection on data protection litigation
Data protection law is not simple. It intersects with privacy, human rights, statutory interpretation and developing case law. However, not every breach requires a High Court judge to resolve it.
The County Court routinely handles:
- Personal injury claims involving psychiatric harm;
- Professional negligence;
- Complex contractual disputes; and
- Consumer protection claims.
A distress-based GDPR claim valued at £20,000 does not, without more, demand elevation.
For clients, the question is not “Which court sounds more impressive?” but:
“Which forum will resolve this efficiently, proportionately and with appropriate judicial expertise?”
That is a question best answered at the outset.
Final thoughts
Wysokinski v OCS Security Ltd is not a headline-grabbing privacy case. It does not redefine Article 8 rights or reshape GDPR jurisprudence.
What it does provide is something arguably more useful: clarity.
It confirms that:
- Straightforward data breach claims belong in the County Court;
- Complexity must be real, not asserted;
- Procedural missteps do not override substantive correctness; and
- Proportionality will influence both venue and costs.
If you are considering bringing or defending a data protection or privacy claim, early strategic advice on forum, pleadings and proportionality can materially affect both outcome and financial exposure.
That is precisely where experienced legal guidance makes the difference.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you have a data protection claim or need advice about something similar, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact usIf this article relates to a specific case/cases, please note that the facts of this case/cases are correct at the time of writing.