English High Court limits 'spurious' misuse of private information claims in data breaches

The High Court has ruled that the common practice of tagging on misuse of private information (MPI) claims to data breach cases does not automatically permit recovery of "after the event" (ATE) insurance premiums.

ATE insurance cover provides claimants with financial protection if their claim fails, but the premiums are not generally recoverable from the defendants and can sometimes exceed the damages recoverable in data privacy claims.

To try to address this, claimant law firms frequently supplement their statutory claims under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 by asserting tortious claims for MPI and breach of confidence to take advantage of a statutory exception for certain media and information claims.

MPI claims curtailed

However, the recently reported High Court judgement of Stephenson v Paymaster has significantly curtailed the circumstances in which this approach can be used.

ATE premiums are generally irrecoverable from the defendant as a result of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 which inserted section 58C into the Courts and Legal Services Act 1990. However, the Legal Aid, Sentencing and Punishment of Offenders Act 2012 (Commencement No. 5 and Saving Provision) Order 2013 (SI 2013 No 77) provides that ATE premiums may be recoverable in "publication and privacy proceedings", which include MPI and breach of confidence claims.

The High Court, in Stadler v Currys Group and Warren v DSG, had already affirmed that MPI and breach of confidence claims were unlikely to be appropriate in circumstances where a data breach did not involve a positive, wrongful act by the defendant.

Stephenson v Paymaster

Now, Stephenson v Paymaster has confirmed that "spurious" MPI claims cannot be shoehorned into an action in order to enable recovery of an ATE premium. The case involved a claimant retired police officer. Paymaster was responsible for processing and administering her retirement benefits and accidentally sent details of them to another officer, who promptly forwarded them to the claimant.

The claimant's claim was founded on two causes of action; one for damages for breach of statutory duty under the UK GDPR and Data Protection Act 2018, and the other in common law for MPI alleging that the defendant had failed to keep her personal data secure by posting it to the wrong address.

The High Court was unconvinced by the MPI claim. It held that to be caught by the exception enabling recovery of ATE premiums, an MPI claim must be genuine and not spurious. Determining this involves looking to the substance and reality of the matter, not the label applied. Misuse of private information ostensibly required "use" of the information in question and the defining characteristic of "use" is doing something with an object with the purpose of achieving or obtaining a particular result or objective. Paymaster's sending of the email was not "use" of the claimant's private information in the true sense of the word.

Osborne Clarke comment

The judgment confirms claimants must present a substantive, actionable MPI claim to have any hope of arguing that an ATE premium is recoverable. It is likely that breach of confidence claims will be subject to the same requirements.

Where ATE premiums are irrecoverable, claimants must accept some financial risk if they wish to proceed with their claim. Consequently, it is likely that only claims with a substantial chance of success will justify proceeding with a claim. The decision should encourage claimant law firms to adopt a more judicious approach when selecting data breach cases, and it forms part of a series of cases, including Warren and Stadler, in which the courts have shown reluctance to entertain relatively low-value data and privacy claims.

Amelia Hodder, a Trainee Solicitor with Osborne Clarke, co-authored this Insight.