Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
Background
A cyber attack on Dixons Carphone (Defendant) resulted in a data breach affecting the Claimant and 14 million other people. In January 2020, the Information Commissioner’s Office (ICO) issued a monetary penalty notice against the Defendant for the data breach.
In their investigation, the ICO concluded that the breach was in contravention of the seventh data protection principle as set out in Data Protection Act 1998 (DPA 1998). The data breach in question occurred between July 2017 and April 2018 and therefore fell within the remit of the previous regime being the DPA 1998. The seventh principle sets out that an organisation must have the appropriate technical and organisational measures in place in respect of the data that they hold.
Following the above, the Claimant (being one of the individuals affected by the breach) decided to pursue a claim against the Defendant for:
- Breach of data protection legislation;
- Misuse of private information;
- Breach of confidence; and
- Negligence.
The Defendant argued that the claims for misuse of private information, breach of confidence and negligence were misguided and therefore made an application to strike out these elements.
What did the Court decide?
The Defendant argued that in relation to the misuse of private information there would need to be a positive action that had not occurred. The Claimant countered this by claiming that the deficiencies in the Defendant’s systems had intentionally and recklessly left the data exposed.
The Judge concluded that the wrong, in this case, was the Defendant’s failure to provide sufficient security for the data. The Judge clarified that the law surrounding breach of confidence and misuse of private information does not impose a data security duty and therefore the Claimant’s claim for misuse of private information and breach of confidence was misguided in the circumstances.
In relation to the negligence claim, the Judge confirmed that imposing such a duty would be pointless given the obligations imposed by the DPA 1998 and therefore there would be no need for a concurrent duty in negligence when a remedy was available under the statutory regime.
Ultimately, the Defendant was successful in their application for strikeout, with the claim to proceed solely in relation to the breach in contravention with the Seventh Data Protection Principle.
Comment
The above decision helpfully narrows down the scope of what claims can be pursued in relation to an accidental breach. As a claimant, you, therefore, need to carefully consider what actions to include within your claim.
How can Nelsons help?
Ruby Ashby is an Associate in our expert Dispute Resolution team.
If you have any questions in relation to the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.