Since the introduction of the General Data Protection Regulation (GDPR) in 2018, people have become increasingly aware of the rights they have in respect of how organisations use and collect their data.
More and more we’re seeing individuals trying to hold organisations to ransom for data breaches, even where those data breaches are trivial. Believing these trivial data breaches to be major infractions, many people are initiating complaint procedures against the organisations in question.
A recent example
Here’s an example we came across recently. A developer was in discussion with a client about the potential purchase of a property. In the course of doing business, the developer contacted the potential purchaser’s mortgage broker. Upon hearing of the communication, the potential purchaser alleged that they had not given permission for the developer to have direct contact with the mortgage broker and that this was therefore a breach of how their data was handled.
Even though this was probably never a data breach, and the developer could liaise with the mortgage broker on the grounds of either “contractual necessity” or “legitimate interests”, the individual concerned told the developer that it faced a fine equating to 4% of global turnover and that they were going to report it to the ICO. However, the individual added, if the developer built a new patio and did some landscaping works at the property they were looking to purchase, the matter would “go away”.
A new case law example
This developer, together with any organisation anxious about minor data breaches, will have been pleased to see the recent verdict in the case of Rolfe & others v Veale Wasbrough Vizards. Veale Wasbrough Vizards (a law firm) had been instructed on behalf of a private school to recover unpaid fees from Mr and Mrs Rolfe. The law firm sent its initial letter demanding payment, together with a statement of Mr and Mrs Rolfe’s account, to Mrs Rolfe’s email address. However, it missed out her middle initial from the e-mail address, so the message went instead to another person whose address was almost identical to Mrs Rolfe’s.
The recipient of the e-mail contacted the law firm to say they had received this in error. When asked to delete it, she confirmed she had done so. The Rolfe family brought a claim against the law firm concerned, claiming damages for misuse of confidential information, breach of confidence, and negligence under section 82 of the GDPR and section 169 of the Data Protection Act 2018. The claim stated how Mr and Mrs Rolfe had “lost sleep worrying about the possible consequences of the data breach” and how it had made them feel ill.
The courts speak on the matter
Delivering his judgement, Master McCloud commented, “We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data).
“We have a plainly exaggerated claim for time spent by the claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’.
“In my judgment, no person of ordinary fortitude would reasonably suffer the distress claimed to arise in these circumstances in the 21st century, in a case where a single breach was quickly remedied.
“There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world, it is not appropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial.”
Not only did the Rolfe family find themselves on the wrong end of the Court’s judgement, but the Court also went one stage further, awarding costs against them on an indemnity basis and ordering them to pay £11,000 as an interim payment.
Our take
Christian Mancier, a partner in the Corporate/Commercial team at Gorvins, commented, “The judgement in Rolfe & others v Veale Wasbrough Vizards is one of the few GDPR/Data protection cases to reach a higher court. The verdict handed down by Master McCloud is a common-sense verdict that will be welcomed by organisations up and down the country. Organisations that have taken appropriate steps to contain trivial data breaches will now be reassured that these minor breaches will result in adverse legal outcomes for their business”.