What amount of damage is necessary before a claim for a data breach or of misuse of private information is actionable? In TLT and others v The Home Office  2217 (QB), Mitting J noted that the threshold was based on the “de minimis principle”, but how is that principle to be applied in practice? In a short and helpful judgment, Master McCloud provided some guidance to the question in Rolfe and others v Veale Wasbrough Vizards LLP  EWHC 2809 (QB).
The Defendant acted for a school in a fees dispute with the Claimants. On 17 July 2019 the Defendant sent an email to the child’s parents that consisted of a letter requesting the payment of fees along with a statement of account. However, the sender of the email mistyped the relevant email address with the consequence that the email was sent to a third party. The recipient responded promptly saying that they thought that that the email had been sent in error. The Defendant quickly responded by asking that the message be deleted. The recipient confirmed that this had been done.
The Claimants thereafter sought damages for misuse of confidential information, breach of confidence, negligence and for damages under s82 of the GDPR and s.169 of the Data Protection Act 2013.
The Defendant sought summary judgment on the basis that any damage caused to the Claimants was too trivial to found a claim.
Master McCloud noted some common ground between the parties at [§5]:
“It was common ground that in principle damages can be recovered and other remedies obtained for breaches of data protection regulations and misuse of private information, including simply for the distress caused even absent specific pecuniary loss. See Vidal-Hall v Google  QB 1003. Similarly, it is not in dispute that in principle loss of control of personal data can constitute damage: Lloyd v Google  QB 747”.
However, the Court went on to observe that there remained the need for there to be “damage”, quoting from Sir Geoffrey Vos in Lloyd:
“I understood it to be common ground that the threshold of seriousness applied to section 13 as much as to MPI [misuse of private information]. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied.”
At [§8] Master McCloud relied upon Ambrosaidou v Coward  EWCA Civ 409, where Lord Neuberger observed:
“Just because information relates to a person’s family and private life, it will not automatically be protected by the courts: for instance, the information may be of slight significance, generally expressed, or anodyne in nature. While respect for family and private life is of fundamental importance, it seems to me that the courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century.”
In coming to a conclusion on whether the data breach could have caused “distress”, the Court concluded at [§11] that: In this case the question boils down to the relatively simple one: given the nature of the breach and the nature of the information and the steps taken to mitigate the breach, and the material before me, is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level.”
In the next paragraph, the Master asked “What harm has been done …” before holding that “We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied.”
And at [§13] “There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial. The case law referred to above provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown.”
What though of the argument that loss of control itself can constitute damage? Here the Court adopted the submissions advanced in the Defendant’s skeleton argument that “loss of control” must mean more than one third party briefly having access to relatively low-level information before deleting it.
This short judgment is a helpful and welcome application of good sense to the field of privacy law and should assist defendants when faced with low-level and isolated data breaches.