All businesses are vulnerable, to some degree, to threats of cyber-attacks which can result in personal data held by the organisation being compromised.
The evolution of data protection laws continues to tighten duties imposed on businesses to implement measures to securely handle personal data, and the consequences of a data breach are likely to be significant to an organisation.
While we can assist with ensuring you are complying with your data security obligations under GDPR, it is important that your data security measures are effective and properly protect individuals’ data.
In the recent case of Warren v DSG Retail Ltd, the High Court handed down a judgment by Mr Justice Saini in which he provided some clarification in relation to claims by individuals for data breaches. The judgment is likely to impact the way such claims are brought in the future. So, what happened in this case?
Background
The defendant, DSG Retail Ltd (“DSG”), more commonly known as the operator of Currys PC World and Dixons, had been the victim of a cyber-attack between July 2017 and April 2018 which caused a data breach. Consequently, the breach was investigated by the Information Commissioner’s Office (“ICO”).
As the breach occurred before the GDPR came into force in May 2018, the ICO in its decision found that DSG had breached Principle 7 of the Data Protection Act 1998, which requires businesses to have in place appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In addition to the finding of a data breach, the ICO issued a monetary penalty notice of £500,000 against DSG.
The requirement to have in place appropriate technical and organisational security measures is fundamental, and an equivalent provision exists under the GDPR in Article 5(1)(f).
The claimant, Warren, brought a claim against DSG alleging:
Warren also sought damages of £5,000.
DSG applied to the court for summary judgment or an order striking out all of the above claims except the claim for breach of statutory duty, which arose from the alleged breach of Principle 7 identified in the ICO’s decision.
DSG’s strike out application was successful: the judge struck out all of the claims except the claim for breach of statutory duty, which has been allowed to proceed.
Reasons for permitting strike out of the claims
Breach of confidence and misuse of private information:
Saini J made clear in his judgment that, for a claim against the information holder (i.e. DSG) to succeed in either breach of confidence (“BoC”) or misuse of private information (“MPI”), there must have been a positive wrongful action by DSG in relation to the information.
The Judge also further emphasised that, “neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of the information which are inconsistent with the obligation of confidence and privacy”.
While it was accepted that DSG had failed to provide adequate security for the data, it had not committed a positive wrongful act that caused the data breach; rather, it was the victim of a cyber-attack. Even though the definition of ‘misuse’ includes unintentional use, ‘using’ is itself a positive act, and DSG had not used the data.
Negligence:
Warren’s claim of negligence was also struck out on the basis:
Conclusion
The claim will proceed on the ground of breach of statutory duty. However, for now, the claim has been stayed because DSG is appealing both the ICO’s decision and the monetary penalty notice issued to it.
While the judgment appears to significantly narrow the scope of data breach claims by data subjects, it is worth noting that where a company itself commits a positive wrongful act in respect of personal data, rather than being the victim of a cyber-attack, the data subject is likely to have a strong claim against the company.
The above is one of several cases shaping the nature of data protection claims. We eagerly anticipate the judgment of the Supreme Court in the landmark data protection class action Lloyd v Google LLC. The judgment is expected to provide clarification on two key areas:
We will update on the position as soon as judgment is handed down.
If you or your business requires any assistance with data protection matters, please get in touch with our commercial team or contact us here.