The High Court ruled in the case of Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) that distress-only compensation claims in an action for a data breach, without accompanying evidence of financial loss or medical evidence showing the impact on physical and mental health, are not only likely to fail for falling below the de minimus threshold, they may also attract severe costs liability against the claimant.
Rolfe & Ors v Veale Wasbrough Vizards LLP
Summary
The case of Rolfe involves a single email with attachments sent by the Defendant, a law firm, to an unintended recipient by reason of a typographical error. The personal data included the Claimants’ address and some financial data but did not include the Claimants’ bank account information or contact details. The recipient immediately informed the Defendant. The Defendant, therefore, asked the recipient to delete the email and it was promptly done.
The Claimants brought a claim in respect of the data breach and sued for damages for the distress they suffered as a result. The Claimants said that “they had lost sleep worrying about the possible consequences of the data breach and that it had made them feel ill”. Much of the alleged distress was also due to the “fear of the unknown”.
The High Court, in an application for summary judgment by the Defendant, considered the nature of the information disclosed, the steps taken to rectify the data breach, and evidence of any loss or harm caused (or rather the lack thereof), and found the claim to be “plainly exaggerated”. The Claimants’ assertion that they had suffered significant distress caused by such a minimal breach was implausible. The Court also remarked that, in the modern world, it is not appropriate for a party to claim for such a trivial data breach.
The Court ruled in favour of the Defendant and awarded £11,000 in costs to the Defendant on the indemnity basis, which is above the normal costs order that a Court would make against a losing party in litigation, to reflect the exaggeration and speculative nature of the claim and the lack of credible evidence of distress beyond a minimal level, as well as a settlement offer made by the Defendant that was more favourable than the Court’s judgment.
Distress-only compensation for a data breach
The Rolfe case illustrates the Court’s tough approach in dealing with increasingly common data breach compensation claims based only on distress and upset but without much evidence of financial loss and/or impact on the Claimant’s physical or mental health.
Article 82 of the GDPR states that:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.
Section 168(1) of the Data Protection Act 2018 makes clear that non-material damage includes distress.
Whilst damages can be recovered for distress without the need for accompanying financial loss, a claim for the distress that is not made out or is trivial will fail, as held in Lloyd v Google [2020] Q.B. 747. The de minimus threshold of seriousness excludes claims for damages for an accidental one-off data breach that was quickly remedied, as such a breach is unlikely to cause any distress without something more (such as a pre-existing mental health condition that is exacerbated as a result of the data breach).
The Rolfe case clarifies that a minor distress-only claim is not only very likely to fail, but it is also likely to attract severe costs penalties where the claimant fails to provide sufficiently compelling evidence of distress.
Whilst the question of whether distress suffered by a claimant exceeds the de minimus threshold can only be answered on a case-by-case basis, the High Court’s judgment in Rolfe suggests that such claims may be viewed as speculative where:
- The data breach was merely inadvertent and technical without deliberate or malicious intent;
- The data disclosed is not special category data as defined in the GDPR and the Data Protection Act 2018, or is not personal data that would potentially be used for fraud;
- The steps taken by the data controller or processor to remedy the breach are prompt and risks of further misuse is therefore mitigated;
- The claimant has not provided sufficient evidence to prove genuine distress that goes beyond mere worry and “fear of the unknown”; and
- The claimant does not rely on any other loss, such as financial loss and impact on physical and mental health, other than distress.
Given the Court’s approach in curtailing distress-only claims that are trivial or not adequately supported by evidence, when you are considering making a data breach claim, expert legal advice must be sought to avoid issuing a claim that is not properly made out and would most likely result in the claimant being penalised with significant costs sanctions.
How we can help
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in charity law, civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us