When GDPR (and the Data Protection Act 2018) landed in 2018 much of the focus was directed at the level of fines that could be imposed for a data breach. Little, however, was said about compensation claims for distress from those whose data had been breached. It would appear many thought that compensation, too, would be significant.
Whilst there is still no definitive guidance on the level of compensation that is recoverable in small data breach claims, the evidence suggests very low-value claims might end up being worth just a few hundred pounds. Some have taken to issuing data breach claims in the High Court in an attempt to achieve higher compensation and better their costs' position: successful small claims do not generally result in costs being recoverable by the victor whereas they can be in the High Court. The costs of litigating compensation claims in the High Court are likely, however, to outweigh the value of them by some margin, and the recent case of Stadler v Currys Group highlights this perfectly.
Retail giant Currys sold Mr Stadler a television, which unfortunately turned out to be faulty. He returned the TV and Currys repaired and re-sold it to another customer. All seemed well until the second buyer managed to use Mr Stadler's Amazon account to buy a movie for which Mr Stadler was charged £3.99. This was possible because Currys had not performed a factory reset as part of its repair process, resulting in Mr Stadler's personal data (including his Amazon account) remaining stored on the TV and allowing the second buyer to use it.
Mr Stadler understandably complained to Currys. and it refunded the £3.99 and offered him £200 in vouchers as compensation. Mr Stadler was not happy with this and issued proceedings in the High Court for breach of UK GDPR, misuse of private information, breach of confidence and negligence. He sought compensation for psychological distress, anxiety, and loss and damage.
Currys applied to strike out the claim but the data breach element was allowed to continue. The judge, however, transferred the case to the County Court and suggested it be allocated to the Small Claims Track. He made it clear that claims of such as Mr Stadler's were not suitable to be heard in the High Court as the associated costs were too high in comparison to a potential damages award in the hundreds rather than thousands of pounds. We are unlikely to learn of the final award but it is safe to say that Mr Stadler will not be walking away with a return on his litigation investment.
We are seeing an increasing number of claims of isolated data breaches and for breaches of the rules relating to the setting of cookies by clients' websites: the latter appearing to be particularly opportunistic. These claims can be time-consuming and troubling for clients. Our data protection experts can provide not only advice and training, where required, but can also assist when that letter of claim hits your inbox. Please contact Tim Ashdown, Debbie Venn or John Yates for further help.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
