ByteSize: Monthly UK TMT case updates

Speed read

Claimants bringing misuse of private information or data breach claims, where information has been inadvertently sent to a third party, must be able to prove the information was actually accessed. Merely showing that correspondence was misaddressed and thereby put at risk is insufficient. The defendant inadvertently sent the annual pension benefit statements of over 400 current or former police officers to incorrect postal addresses. In all but 14 cases, the claimants relied solely on an inference that an unauthorised third party might have accessed the information: there was no evidence that it had been. The High Court held that to have a viable claim under the UK GDPR or in misuse of private information, a claimant must be able to evidence that the data was accessed by an unauthorised third party.

The parties' arguments

The case arose out of Equiniti’s administration of Sussex Police’s pension scheme. In its administrative role, Equiniti sent each member of the scheme an annual pension benefit statement (the “ABS”). The ABS contained personal information such as the name, date of birth, national insurance number, and pension details of the relevant officer. In each case, it would have been apparent to any third party reading the ABS that the intended recipient was a police officer. In late August 2019, Equiniti inadvertently sent some of the statements to the previous postal addresses of certain scheme participants.

Proceedings were issued by 474 of the affected parties, contending that the sending of the ABS to an incorrect postal address amounted to unlawful processing under the UK GDPR and/or DPA 2018 and a misuse of their private information. There was no formal group litigation order, but all 474 claims were all issued as a single action on the same claim form and so heard together.

As a result of the alleged infringements, the claimants claimed they had each suffered non-material damage (anxiety, alarm, distress and/or embarrassment) and in smaller number of cases, personal injury. In all but 14 cases, there was no positive evidence that the ABS had actually been opened or read by an unauthorised third party, and so the claimants advanced only an inferential case – they said that unless the defendants could prove that any of the statements had been returned unopened, it should be inferred that each envelope was opened, and each ABS was read by a third party.

The defendant denied the claims, saying that each envelope containing an ABS was addressed to the relevant claimant and marked “Privileged and Confidential” with a return address for the defendant. The defendant denied that posting an opaque envelope to an incorrect address in this way could constitute misuse or processing and denied that the court should infer that the ABS had been opened by a third party in the absence of evidence to the contrary.

The defendants applied for a strike out and/or summary judgment of all the claimants’ claims. The defendants said that the sending of the statements to the incorrect postal address did not amount to damage in a data breach context or misuse in a privacy context, and in both cases any damage suffered fell well below the requisite seriousness threshold. In making this argument, the defendants relied on the fact that, if unopened, the only information disclosed was the claimant’s name and previous address through the window of the envelope. In other words, without opening the envelope, one could not tell that the claimant was a former/current police offer or see any financial/pension information.

The decision

The court decided that to have a viable claim, each claimant would need to show that they had a real prospect of demonstrating that their ABS was opened and read by a third party. Without such evidence of publication, there could be no misuse claim, as it is not enough to show that the information/data was “in danger” or “at risk” of being accessed by a third party – there must be an actual publication, or at least evidence of publication. Similarly, for a data breach claim, the sending of the personal data to an incorrect address was insufficient without evidence of the information being read by the third party.

The court refused to infer that, absent any contrary evidence, the statements had been opened – it is the claimants’ burden to make their case. Allowing such an inference would be a reversal in the burden of proof. Of the 474 claimants, only 14 were able to show some evidence that their ABS was opened by an unauthorised third party – all other claims were struck out.

The court declined to rule on the Defendant’s argument that the 14 surviving claims were trivial and insufficiently serious to give rise to a claim, as the court believed this was a matter for trial. However, the court did observe that, based on the facts as known at the time of the application, some of the claims for damage seemed exaggerated and much of the information contained in the ABS was fairly banal.

Learning points/Commentary

• Misuse of private information claims require actual tortious interference with the claimant’s reasonable expectation of privacy – this means that where private information is sent by the defendant to an unauthorised third party, the unauthorised third party likely must actually open and read the private information in order for tortious damage to be possible.
• The data breach claims required the actual compromise of personal data – this means where personal data is sent by the defendant to an unauthorised third party, if the correspondence containing the personal data has not been opened or read by a third party, there has been no real processing.
• The court will not infer publication (in this context, third party access of correspondence) absent evidence – however, it is open to a claimant to argue that the natural and probable consequence of sending a letter is that it will be opened and read by a third party (e.g. if it was known that the intended recipient of a letter is illiterate).
• The claimants originally included claims for damage for mere loss of control of personal data / private information, but these claims were abandoned following the Supreme Court decision in Lloyd v Google.

Looking forward

It has long been understood to be the position in English law that there is a threshold of seriousness in relation to claims in misuse of private information or under the Data Protection Act or UK GDPR and that claims cannot be pursued where the breach or damage alleged is too trivial to meet that threshold. This provides a valuable protection against a proliferation of disproportionate litigation over trivial data breaches.

In 2023, the CJEU’s decision in the Austrian Post Case established that EU Member States cannot condition the right to compensation for non-material damage under the EU GDPR upon a threshold of seriousness. This has created an as-yet unanswered question of whether the English courts might modify their approach to the UK GDPR to align with the new European position—that is, whether or not the threshold of seriousness still exists in English law.

The point was raised by the parties in this case, and arguments presented on both sides, but due to the importance of the question and because it was ultimately not relevant to the application at hand, the High Court declined to rule on whether UK GDPR claims are still subject to a seriousness threshold. The wait for judicial guidance on this issue continues.