Stadler v Currys: the latest win for data controllers in the High Court

Out-Law Analysis | 15 Feb 2022 | 11:32 am

The High Court’s ruling in the case of Stadler v Currys is the latest in a series of positive judicial decisions for data controllers.

The High Court confirmed the limited scope for raising misuse of private information and breach of confidence claims in a data breach context, and also reiterated that it is not the right forum for low-value data breach claims to be heard.

The context

The number of low-value data breach claims issued against data controllers in the High Court has grown exponentially in recent years, with most of these cases having been brought before the Media and Communications List, a specialist branch of the court.

This has been driven, at least in part, by the tendency of claimant firms to plead misuse of private information (MoPI) and breach of confidence (BoC) alongside allegations of breach of data protection legislation. This approach is taken with a view to recovering any ‘after the event’ (ATE) insurance premiums if the claim is successful. Claims involving BoC must be issued in the High Court.

The recoverability of costs more generally has likely also driven this trend of issuing in the High Court claims that, on their face, might be more proportionately dealt with by county courts in the small claims track – a court procedure that significantly caps the costs that can be recovered, in sharp contrast with the general position regarding proceedings raised in the High Court.

A series of recent decisions has indicated that judicial patience with this practice is wearing thin. The High Court’s ruling in the case of Stadler v Currys is the latest in this line of authorities.  

Facts of the case

William Stadler purchased a ‘smart TV’ from electronics retailer Currys in September 2016. When he returned the TV for repairs in September 2020, he did not log out of the various apps installed on the device, including Amazon Prime. Currys determined that the TV would be disproportionately costly to repair and wrote it off, compensated Stadler and sold the TV to a third party without performing a factory reset or data wipe. A movie was subsequently purchased from Stadler’s Amazon Prime account through the TV. Currys reimbursed Stadler the cost of the movie – £3.49 – and provided a £200 shopping voucher as a gesture of goodwill.

Stadler brought a claim against Currys for MoPI, BoC, negligence and breach of data protection laws – in the latter case claiming compensation for alleged breaches of Article 82 of the UK GDPR and sections 168 and 169 of the UK Data Protection Act 2018 in particular. He sought £5,000 in damages.

Currys challenged Stadler’s claim and applied for summary judgment and/or for Stadler’s claim to be struck out on the basis that:

  • he had disclosed no reasonable grounds for bringing any of the causes of action pleaded;
  • he had already been compensated in full and his claim for distress, which is all that remained, was “not worth the candle” and would be disproportionate to pursue; and
  • the claim had no reasonable prospect of success.

Ruling

The privacy claims

His Honour Judge Lewis struck out Stadler’s claims in MoPI and BoC, finding that they had a “fundamental flaw”. He considered that “in passing the Smart TV to a third party [Currys] was not making use of the data or information” and that it followed “that there cannot have been any unauthorised use (or misuse) of the information by [Currys].”

In reaching this conclusion, the judge approved and applied the ruling of Mr Justice Saini in the case of Warren v DSG in which Pinsent Masons acted for DSG Retail. That decision confirms that data controllers cannot be directly liable in MoPI or BoC where the positive action alleged to have amounted to a breach or misuse is carried out by a third party.

In the Warren case, the defendant data controller had suffered a cyber attack and it was therefore the third-party hackers that had misused the affected personal data. Though the circumstances of the Stadler case were different, HHJ Lewis nevertheless found that the same rationale applies. Currys’ failure to wipe Stadler’s information from the TV before resale was not a positive action with respect to the affected data. It could not, therefore, amount to a misuse or breach. It follows from the judgment that the anonymous third party that used Stadler’s Amazon Prime account would be the party properly liable under MoPI and/or BoC, if those claims could be made out at all.  

Stadler’s claim in negligence was also struck out as he had already been fully compensated by Currys. He had therefore not suffered any financial loss following the incident for which a claim in negligence could be brought. HHJ Lewis also reiterated the view taken by Mr Justice Saini in the Warren case that damages for mere distress or anxiety falling short of a psychiatric illness are not recoverable in a claim in negligence.

The remaining data protection claims

HHJ Lewis did allow Stadler’s claim for breach of data protection legislation to continue as he considered that it had a reasonable prospect of success. In so doing, he dismissed Currys’ arguments that the alleged breach was too trivial to give rise to a claim for damages and provided a reminder, and clear illustration, of the fact that the triviality threshold in data breach claims applies to the breach itself and not to the level of damage suffered.

In the case of Lloyd v Google, in which Pinsent Masons acted for Google, the Supreme Court confirmed a breach must be “non-trivial” to give rise to a claim for damages under section 13 of the Data Protection Act 1998. HHJ Lewis applied the same approach to Stadler’s claim under Article 82 of the UK GDPR. However, although in the Lloyd ruling, “a claim for damages for an accidental one-off data breach that was remedied quickly” was cited as an example of a claim unlikely to pass the triviality threshold, HHJ Lewis considered that Stadler’s claim nevertheless had the potential to be non-trivial due to the type of information disclosed and the fact that it had been used by a stranger.

HHJ Lewis went on to hold that, although the damage – in the form of distress suffered – as a result of the alleged non-trivial breach was low-value, that did not mean that Stadler’s claim should not be heard at all. Rather, he transferred it to the County Court to be dealt with in a manner proportionate to its value and, in so doing, made it plain that he considered that the claim should never have been issued in the High Court and that the inclusion of multiple causes of action had simply “increased the complexity of the proceedings unnecessarily”.

The judge also recommended that the claim be allocated to the small claims track once transferred. Although that will be a matter for the district judge to decide, HHJ Lewis is not the first sitting judge of the High Court to make such recommendations – similar comments and criticisms as to proportionality were recently levelled at the claimants by Master Thornett in the case of Johnson v Eastlight.  

Co-written by David Barker and Caroline Henzell.