Since the introduction of the Defamation Act 2013 and the accompanying serious harm test, claims based in data and privacy rights have shot up the agenda. Generally perceived as being easier options, and more claimant-centric, the increase in their frequency has seemed unstoppable.
So, you’d be forgiven for thinking that a column based on data protection and the related legislation isn’t going to be the most cheerful read for a journalist. However, you may be wrong, so bear with me…
In the last few weeks, there have been two decisions from the courts that have both caught my eye as perhaps being an indication that the data horizon is starting to look a little less gloomy for defendants.
Firstly, there was the much talked about and long-awaited decision from the Supreme Court in the matter of Lloyd v. Google LLC. This case has been ongoing for some time, and I don’t intend to recite the facts here save to say that the dispute centred around the placement of cookies without consent on some iPhones using the Safari internet browsing app.
In this most recent ruling, the Court held in favour of the defendant unanimously, confirming that there is no automatic entitlement to an award of damages in cases where the claimant has been the subject of a non-trivial data breach leading to a loss of control of their personal data
It is now clear that in order to be awarded compensation for such a breach, there must be some material harm suffered by the claimant, or distress. It is now not sufficient to infer such damage on the basis of a breach of data rights alone, evidence of tangible harm is required.
This decision and its renewed emphasis on the demonstration of material loss or distress in the context of the individual is likely to lead to many claimants reviewing the viability of ongoing proceedings against publishers, as well as a potential reduction in the number of claims issued in the future.
The second of the cases is that of Johnson v. Eastlight Community Homes in which a document containing personal data relating to the Claimant was mistakenly forwarded to a third party in error. It is not unheard of for journalists and publishers to make similar mistakes……
The Claimant issued a claim for damages capped at £3,000 for distress under the GDPR. The Defendant for its part, admitted liability for the breach, provided a fulsome apology and self-reported to the ICO (who later determined that no further action was required).
The Defendant sought to have the claim struck out on the basis that this had been an inadvertent disclosure to a single person who had taken no issue with deleting the document immediately, and that the whole incident had lasted only 3 hours. In addition, due to the size and nature of the document within which the personal data was contained, the Defendant invited “inference that it is highly unlikely that the third party read the Claimant’s information at all.”
Furthermore, the Defendant argued that the Claimant had suffered no damage above the de minimis principle and therefore had no prospects of success. The Claimant disputed this assertion stating that the de minimis principle did not apply in cases such as this.
The Judge held that the de minimis principle was applicable in these sorts of cases and that there was no wording in the GDPR which could negate its application.
Though the claim was not struck out (it was held, by a narrow margin, that the damage suffered did exceed the de minimis threshold), it was sent down to the small claims court due to its low value, for a trial in due course.
This decision has serious ramifications for claimants intending to bring proceedings against the press based on alleged breaches of their data rights. In particular, it is clear that the proper place to issue low value claims, even those based on the GDPR, is the small claims court where legal costs are not recoverable from a defendant.
Though not ground-breaking and unlikely to have a significant effect on your day to day working, these decisions represent an apparent shift towards a common-sense approach by the Courts which, in a world where genuine mistakes have become very costly, is welcome.