Legal development

Data breach claims - English courts continue to take restrictive approach

    In recent months we have noticed a trend in the courts' approach to data breach claims, with Judges taking a more restrictive approach when determining what constitutes a valid data breach claim. The recent decision in Underwood & Anor v Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust provides a further example, with the Court dismissing claims for breaches of the Data Protection Act 1998 (DPA) and misuse of private information (MPI).  

    What happened? 

    In October 2017, Mrs Underwood (the first Claimant) gave birth to her son Dominic (the second Claimant) at a hospital run by the Hampshire Hospitals NHS Foundation Trust (the Trust) (the second Defendant). 

    Bounty UK Limited (Bounty) (the first Defendant) claimed to be a pregnancy and parenting support club which provided information and marketed services to parents. Bounty also ran a data broking service, supplying lead data to third parties (such as Equifax and Sky) for marketing purposes. At the relevant time, which was pre-GDPR, Bounty and the Trust had an agreement under which Bounty was able to access pregnant women on the Trust's premises and provide them with packs containing information and advice on pregnancy and caring for newborns, with the Trust receiving financial payment from Bounty for each pack delivered. As stated by the Judge, Bounty's business model was based on "harvesting data from expectant mothers in order to sell that data on to third parties" and the provision of their information packs was the "'hook', or incentive, to get expectant mothers to sign up and provide personal data."

    Mrs Underwood had signed up to the Bounty app in April 2017. Shortly after the birth of her son, in October 2017, and while she was still on the hospital ward, a Bounty representative came to her bedside, spoke to her and her husband and looked at the medical documents located at the foot of her bed, before being asked to leave by Mr Underwood. Shortly after returning home, Mrs Underwood began receiving targeted emails and calls from a variety of companies. 

    In response to a subject access request, Bounty confirmed that it held data relating to her and her son and that it had shared some, or all, of the data with nine third party companies/organisations.

    2019 Information Commissioner's Office Investigation 

    Between 2017 and 2018, Bounty was separately investigated by the Information Commissioner's Office (ICO). In April 2019, the ICO concluded that Bounty had breached the DPA (in particular its obligations to process personal data fairly and in the absence of a processing condition) and fined them £400,000. Following the ICO's decision, the Trust terminated their contractual relationship with Bounty and, in November 2020, Bounty went into administration. 

    What claims were brought? 

    Mrs Underwood and her son brought claims against both Bounty and the Trust for breaches of the DPA and for MPI. They claimed general, aggravated and exemplary damages. The claim against the Trust was limited to the fact that it had allowed Bounty representatives to access the hospital ward, and Mrs Underwood's medical records, thus enabling Bounty to distribute private information. As Bounty had gone into administration, it did not participate in the proceedings. 

    What decision was made? 

    Breach of the DPA by the Second Defendant 

    The Judge dismissed the Underwoods' claim for breach of the DPA on the basis that the Trust had not "made available to the public [or in this case Bounty]" private information by storing such information at Mrs Underwood's bedside. Instead it was found that Bounty had acted inappropriately and unlawfully by looking at such information. The information was stored there so that the hospital staff could perform their clinical duties. Furthermore, in finding that there hadn't been a breach of the Seventh Data Protection Principle (failing to take appropriate technical and organisational measures to prevent unauthorised processing of (or access to) the Claimants' personal data), the Judge held that steps had been taken by the Trust as controller to try to protect the personal information of their patients; specifically, the Judge pointed to the fact that Bounty were required to enforce a mandatory Code of Conduct which emphasised the need to respect the privacy of the patients and to abide by the DPA.  

    Misuse of information 

    The Judge also struck out the Underwoods' MPI claim. He referred to the recent decision in Warren v DSG Retail Ltd, in which it was held that "misuse" requires a positive act (see our previous Litigation Trending article). The Judge concluded that merely permitting access to Mrs Underwood and her son could not amount to the "misuse" of private information.  Instead the real wrongdoer was pinpointed as being Bounty.

    The nature of the information obtained 

    The Judge went on to hold that even if the Trust had been liable for MPI, the claim would have failed in any event because the information obtained (specifically, the name, gender and date of birth of Dominic Underwood) was trivial and, to be actionable for MPI, the misuse of information must reach a level of seriousness before the tort is engaged. This is of particular interest as such categories of personal data are often affected in a data breach. 

    Exemplary damages 

    The Judge considered that the Claimants should not have sought exemplary damages. He held that such claims are "wholly exceptional" and that it is "never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant's conduct, or as some negotiating strategy."

    What are the implications of this decision? 

    This decision provides useful guidance for future data breach litigation where it is common for claimants to bring MPI claims seeking exemplary damages as a matter of course. It also follows previous judgments in which the Courts have effectively narrowed the scope of what qualifies as a valid data breach claim (see our briefings on Warren v DSG Retail Ltd and Lloyd v Google LLC). By different means, these decisions have raised the bar for individuals to seek recompense for personal data breaches. Given that cyber-attacks (and resultant data breaches) are an increasing concern for large businesses, this is a trend that is likely to be welcomed by many. 

    Author: Catrin Southgate, Associate

    Cases referred to:

    Underwood & Anor v Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust [2022] EWHC 888 (QB)  

    Warren v DSG Retail Ltd [2021] EWHC 2168

    Lloyd v Google LLC [2021] UKSC 50 

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.