There has been a steady rise in the popularity of claims brought in data protection in recent years from large scale group litigation arising from mass data breaches to individual claimants seeking redress for inaccuracies published about them. In the first 10 months of 2021, there were 289 new data protection claims issued in the Media and Communications List. This amounts to an average of 29 new claims each month.

However, in the last 5 months, there has been a dramatic decline in the number of issued claims.  Only 10 claims have been issued in this period (an average of 2 per month). There have only been 6 new claims issued since the start of 2022. So, is the data protection juggernaut coming to a halt? And if so, what are the possible reasons for this downturn in data protection claims?

Perhaps reflecting a concern in some quarters that claimants were seeking to rely on data protection to litigate what might be considered relatively trivial claims, the courts have recently taken a more restrictive approach to data protection claims.

In Warren v DSG Retail [2021] EWHC 2168 (QB), the claimant brought claims under the Data Protection Act 1998, misuse of private information, breach of confidence, and negligence arising from a cyber incident. Saini J struck out all but a single aspect of the data protection claim, holding that in relation to both breach of confidence and misuse of private information some form of “positive conduct” would be required by a defendant. Neither cause of action imposed any data security obligation on data controllers. The negligence claim was struck out applying the principle in Smeaton v Equifax [2013] 2 All ER 959 that no tortious duty of care should be imposed on a data controller where a specific statutory regime (i.e., that under the DPA/GDPR) exists. The implications for claimants seeking redress for data breaches are potentially significant, as – without the inclusion of misuse of private information or breach of confidence – it means that ATE premiums will not be recoverable from unsuccessful defendants. Undoubtedly, this has caused many potential claimants to think twice before embarking upon litigation, particularly where the breach is itself relatively minor and damages likely to be low.

The second blow to data protection claims came from the Supreme Court in Lloyd v Google [2021] UKSC 50, which rejected the argument that every data subject affected by a non-trivial data breach can claim damages for the “loss of control” of their personal data. It also effectively rules out the possibility of bringing claims for large-scale data breaches as representative actions. This means that claimants not only have to be able to show that they have suffered distress (beyond de minimis) or tangible financial loss as a result of a data breach but, where multiple claimants are affected, they will either have to litigate individually or apply to do so under a Group Litigation Order. These are less attractive, more time consuming options where there may be hundreds of potential claimants with individually low value claims.

The combination of these decisions will certainly give claimant lawyers pause for thought. However, the data protection regime does continue to afford individuals a right to redress where their data rights have been breached. The decline in issued cases relate to those in the High Court – given the low value of many data breach claims, the County Court is likely to be the more appropriate forum, particularly in the absence of any misuse of private information or breach of confidence actions.

Kirsten Sjøvoll is a member of Matrix Chambers and specialises in media and information law.