A recent case in the English High Court of Justice – Rolfe v Veale Wasbrough Vizards LLP – considered when a data controller may be liable for a superficial data breach, such as where non-sensitive correspondence is sent to the wrong person.
In this case, the Defendant acted for a school. An employee of the Defendant had written an email for the Claimants – two parents and their daughter – containing the Claimants’ names, address, and school fees owed. A typographical error meant the email was sent to an individual whose email address differed by one character from that of the Second Claimant. The unintended recipient promptly contacted the Defendant to report the error. At the Defendant’s request, the recipient deleted the email from their inbox and deleted items folders. On learning of this, the Claimants brought a claim for damages under, among other things, section 82 of the General Data Protection Regulation (GDPR) and section 169 of the Data Protection Act 2013.
To succeed in their claim, the Claimants had to show they suffered actual loss, such as financial loss, or distress, which in the circumstances would be reasonably expected.
The Claimants were unsuccessful. The court said the inadvertently shared data was no more than minimally significant, and steps were taken quickly to remedy the error. No actual loss was suffered. Although the Claimants said they had felt ‘ill’ from significant distress, the judge found it “frankly inherently implausible… [that a] person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st century…” In other words, as the circumstances of the data breach were not sufficiently serious, it would not be reasonable to anticipate, nor compensate for, any distress suffered. Therefore, there was no damages claim.
Although not binding on a Scottish Court, this decision may be of some relief for data controllers (and processors) who fear actions based on minor data breaches. If inadvertently shared data is not sensitive, and is promptly destroyed, it is unlikely there would be an actionable claim.
Both data controllers and processors should remember that, in the event of a data breach, the sensitivity of the information, and the duration for which that data is held by an unintended party, can make a claim for distress actionable, even if no actual losses are suffered.
For more information on data protection or breaches, contact our team.