Lloyd v Google – an update
UK & Europe
A summary judgment decision in the High Court held that damages did not meet the de minimis threshold in a case where a single data breach was quickly remedied. As a warning to Claimants, the claim was criticised for being “plainly exaggerated” and inappropriate.
Master McCloud ruled in Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) that in a data breach claim, the Claimant must establish that they have suffered material or non-material loss resulting from the data breach, which is above a de minimis threshold before awarding compensation. A welcome judgment as it clarified that in trivial claims of distress or damages, the law would not supply a remedy where no harm has been shown or is likely to be displayed.
The Defendant, a firm of solicitors, represented a school that the Claimants owed money to. The school instructed the Defendant to send a demand for payment. On 17 July 2019, the Defendant, in error, sent an email attaching a statement of account to the wrong person. The recipient of the email swiftly responded, informing the Defendant that the email was wrongly delivered and, subsequently, confirmed the deletion of the email.
As has become somewhat common in some seemingly minor data breach claims, the Claimant claimed damages for:
Plus a declaration and an injunction, interest and further or other relief.
Since the GDPR came into force in 2018, we have seen an increase in compensation claims. Often the nature of the breach is trivial and the compensation claimed appears high. The legal costs in such claims can exceed any damages recovered upon success.
Summary Judgment Application
The Defendant applied for a summary judgment under CPR Part 24, requesting a dismissal of the claim as the damage suffered by the Claimants did not satisfy the de minimis threshold.
The basis of the Defendant’s summary judgment application was:
The Claimants position was that it could not be ascertained the extent to which information had reached third parties and that the information in question was not banal. They emphasised that this was a factual dispute and there was a reasonable prospect of success in showing that loss crossed the de minimis threshold and therefore should be an issue for trial, not for summary judgment.
Master McCloud noted that it was common ground between the parties that, in principle, damages were recoverable for breaches of data protection and misuse of private information, including the distress caused devoid of pecuniary loss (see Vidal-Hall v Google  QB 1003). Similarly, in Lloyd v Google, it was emphasised that “it was not in dispute that in principle loss of control of personal data can constitute damage”. Sir Geoffrey Vos made it clear that the threshold of seriousness would exclude a claim for damage for an accidental one-off data breach that was quickly remedied.
The test for summary judgment is that the claim has no real prospect of success. Master McCloud stated that in this case, the question was a simple one: “given the nature of the breach and the nature of the information and the steps taken to mitigate the breach, and the material before me, is it more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level”. He found no credible case that distress over a de minimis threshold will be proved and observed that no person of ordinary fortitude would reasonably suffer the distress claimed.
TLT and Others V The Home Office  2217 (QB) examined both the legal principles that the Court will use to assess damages in privacy cases and demonstrated how the Court will analyse the strengths and weaknesses of evidence supporting damages for distress. It also established that the threshold for damages for a data breach claim is based on the de minimis principle.
Rolfe guides how the de minimis principle will apply in practice and clarifies that the Courts will not award damages to trivial data breach claims. This approach is reassuring to businesses, confirming that the Court will not simply award damages where no real distress has been caused, and the business has taken steps to remedy the error promptly. The Supreme Court has now issued its judgment in Lloyd v Google, and noted on a number of occasions that damages must be more than trivial in order for a claim to be successful.
We wait to see if these judgments result in a significant fall in the number of data breach claims.