Lessons from low value data breach claim, Driver v CPS

Why is this data breach claim case of interest to data controllers?

This case contributes to the developing court guidance as to the level of damages a claimant can expect in low level data breach claims. The decision follows similarly robust findings from the courts, such as in the cases of Lloyd v Google [2] and Rolfe [3].

Businesses and data controllers should welcome the decision, as it continues, and further embeds, the trend towards courts taking a dim view of data breach claimants who seek to overstate the value of their claims [4].

Due to the mass scale of claims that businesses and data controllers can potentially face from data subjects, there is potential for data breach claim damages to add up from multiple claimants in one singular data breach situation. This case will provide further comfort for businesses and support robust defensive strategies in the face of data breach claims. It should even dissuade some spurious or unmeritorious claims.

The judgment also offers guidance as to what is the appropriate level of damages for a breach concerning limited personal data.

What happened in the Driver v CPS data breach claim?

Driver, a well-known figure in local politics, had been a suspect in a local government corruption investigation in 2014 by the name of Operation Sheridan. In March 2016, the police informed Driver he was no longer a suspect. The press was subsequently notified.  Driver then became the subject of another investigation under Operation Sheridan. His file was referred to the CPS for it to consider charges.

In May 2019, a member of the public sent an enquiry to the CPS, requesting an update on Operation Sheridan. A CPS lawyer responded in June 2019, advising that “a file has been referred from Operation Sheridan investigation team to the CPS for consideration”.  The member of the public passed this information onto other parties, with his own commentary, which named Driver. There was no evidence that the recipients of this information took any action or notice.

Driver brought a claim against the CPS.  He alleged that sending their email was a breach of the Data Protection Act 2018 and/or GDPR [5].  He also pleaded other causes of action, including misuse of private information.

What did the High Court decide?

Despite the fact that the email did not name Driver, the High Court held that:

“I have no doubt that the June 2019 email contained the Claimant’s personal data in as much as it indirectly allowed him to be identified as one of the people in relation to whom a file had been sent to the CPS for a charging decision…the fact that the Claimant was a suspect in Operation Sheridan was already in the public domain at the time of the sending of the email…and had been so since March 2016. Personal data can relate to more than one person and does not have to relate exclusively to one data subject, particularly when the group referred to is small.” [6]

The court held that the claim fell within the DPA 2018 regime, not the GDPR, as Driver’s position was that the processing was done for law enforcement purposes. Driver’s claim for misuse of private information failed because the facts were already in the public domain. This is consistent with the court’s views on data breach claims advanced on the basis of misuse of private information, as detailed in Darren Lee Warren v DSF Retail Ltd [7].

The High Court accepted that the claimant would have experienced a very modest degree of distress. Notably, however, it considered the breach to be at the “lowest end of the spectrum”, and awarded damages of just £250.  (Driver had claimed £2,000.)

Need advice or assistance in relation to data breach claims?

The decision in Driver is helpful in assessing potential damages in low value data breach claims and is instructive as to the courts’ likely approach.  However, it remains vital for businesses to adopt a data breach strategy [8] and to be aware of risks and their legal obligations. Every data breach claim should be assessed on its own merits.

Walker Morris’ Commercial Dispute Resolution lawyers are highly experienced in resolving and defending data breach claims and our specialist Regulatory & Compliance team has comprehensive, legal and practical understanding of the regulatory background.  This cross-discipline expertise enables Walker Morris’ data breach specialists to offer both proactive risk management advice, and to respond effectively and robustly in the face of any threatened data breach claim.

If you would like to discuss any of the issues covered in this or our earlier briefings, please contact Gwendoline Davies, Nick McQueen or Jack Heward, who will be very happy to help.

[1] [2022] EWHC 2500 (KB)

[2] [2021] UKSC 50 – See our briefing here

[3] Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) – See our briefing here

[4] Another recent example is the decision in Cleary v Marston (Holdings) Ltd [2021] EWHC 3809 (QB) which saw a low value data breach case transferred from the High Court to the Small Claims Track in the County Court. See our briefing here

[5] General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016)

[6] para 101

[7] [2021] EWHC 2168 (QB) – See our briefing here

[8] See Walker Morris’ publication on how organisations can protect themselves against data breach litigation here