Data Protection Litigation

Solicitor, Callum Duff looks into the case of Johnson v Eastlight Community Homes Ltd.

Have you been accused of mishandling an individual’s personal data? Have you received a letter from the individual’s solicitor suggesting that they are entitled to claim damages?  If so, don’t panic.

The judgment delivered in Johnson -v- Eastlight Community Homes Ltd [2021] EWHC 3069 (QB) confirms the reality for claimants seeking excessive damages for minor data breaches. Courts are not going to award large sums of money for tiny breaches which are quickly rectified. Data controllers can rest easy so long as appropriate steps are taken following a data protection breach.

The facts of the case

The defendant, a social housing provider, accidentally sent an email to a third party containing the claimant’s name, email address and details of recent payments made by the claimant. The claimant had been a tenant of the social housing provider. The unintended recipient of the defendant’s email immediately notified the defendant of its error, at which point the defendant asked the third party to delete the email. The email was deleted by the unintended recipient within three hours of the defendant sending the email containing the claimant’s details.

The claimant instructed solicitors and issued proceedings against the defendant, seeking an order in the High Court for damages in the sum £3,000 for Misuse of Private Information, Breach of Confidence and Negligence in addition to damages for breach of the GDPR and the Data Protection Act 2018. The claimant pleaded that she had suffered distress, having previously moved address to escape an abusive relationship which increased her concern regarding her address becoming public knowledge.

The steps taken by the defendant

The defendant:

1. Admitted that sending the email containing the claimant’s details was an accident; and
2. Emailed the claimant to inform her of the accident, confirming that the recipient of the email had deleted the information, apologising for the data breach and confirming that the breach had been reported to the ICO (The defendant was not required to report the breach to the ICO and the ICO confirmed that no further action was needed).

The defendant considered the claim to be an abuse of process and applied to strike out the claim.

The outcome of the case

The judge in the High Court criticised the claim and struck out all elements save for the claim in relation to breach of GDPR. What courts are recognising is that previously claims had been made where the breach of GDPR was minimal. Whilst claimants can pursue modest claims for damages where they can show that financial harm or distress has been suffered what we are seeing is courts take a sensible approach. In a recent case the judge struck out the claim, finding that the breach was “trivial” and saying that the suggestion that any distress or worry was caused by the incident was a “frankly inherently implausible suggestion”.

Whilst data controllers should always seek to avoid data protection breaches, mistakes do happen. The line taken by the courts in Johnson -v- Eastlight Community Homes Ltd and other cases is helpful for those instances where mistakes do occur. If quick steps are taken as in this case then any litigation risk can be minimised.

If you are a data controller and require advice in relation to a data protection breach or you have received a legal letter initiating a claim contact a member of the Commercial Dispute Resolution team for further advice.