With the recent landmark case of Lloyd v Google, where a claimant failed in his attempt to bring what was effectively a class-action lawsuit against Google for data privacy violations, and other cases, such as Johnson v Eastlight Community Homes and Rolfe v Veale, important clarification has been provided to the position of the law as to the de minimis threshold for data infringements and the bringing of representative (‘class-action’ in the American terminology) actions against companies. The net effect of the changes in the jurisprudence is to reduce the potential scope of data infringement claims, by affirming and clarifying the de minimis threshold and requiring that actual loss be shown. The Lloyd v Google case, especially, has also clarified the scope of representative lawsuits in future British jurisprudence, partially endorsing such litigation but also partially limiting such through the imposition of requirements to individually demonstrate the unlawful infringement as to specific individuals. With the European Court of Justice considering a case on the de minimis threshold raised to it by the Constitutional Court in Germany, it remains to be seen if the UK courts will interpret the protections provided by the GDPR less expansively than their continental counterparts.
The underlying law
Typically, claims for damages from data protection infringements are brought under the UK General Data Protection Regulations (UK GDPR), which were enshrined into domestic law as the United Kingdom exited the European Union, which first introduced these data protection regulations in 2016. Claims are typically brought, as cited in the case of Rolfe v Veale, under s 169 of the Data Protection Act 2018 and Article 82 of the General Data Protection Regulations. For the purposes of clarity, s 169 of the Data Protection Act 2019 allows for damages to be provided for data protection infringements of legislation other than the GDPR itself. Interestingly, damages for data protection infringements do not appear to be limited to that of pure economic loss, and emotional loss appears sufficient to found a cause of action, as quite explicitly stated in the relevant statute (s 169(5) of the Data Protection Act).
The de minimis standard
In a general sense, the concept of a de minimis claim is one that is so minimal and insignificant it should not be entertained by the courts. For example, the courts might find it unreasonable and de minimis for a company to sue another company for damages arising from a single typo in a document, especially if it cannot be showed that said typo occasioned more significant, material, damages. Outside of the scope of data protection, the Jameel case had previously established a form of de minimis rule for torts, saying that where the damage caused (through defamation in this specific case) was de minimis and it was not in the public interest to grant damages, that the claim should be struck out on account of being de minimis.
The Johnson v Eastlight case and the Rolfe v Veale case were both about cases of mistaken emails – where an email had been sent to a wrongful recipient, causing a data breach that was then sued over. In both cases, the wrongful recipient had swiftly and readily deleted the email, reducing presumed damages, yet a lawsuit was commenced. In both cases, the courts affirmed that there was a de minimis threshold, and that the holding in Jameel was cross-applicable to claims brought under data privacy legislation and the GDPR. In addition, the courts affirmed that the GDPR did not overrule the common law (affirming the general principle), and that Jameel was thus cross-applicable. However, the courts arrived at wildly different conclusions in both cases – in the matter of Johnson, the court refused to strike out the claim, saying it had crossed the de minimis threshold, while it did strike out the claim in Rolfe v Veale.
The factual distinction between both cases appears to have been that the petitioner in the Johnson matter was able to prove damage to a much more substantial extent than the petitioner in the Rolfe matter. In the Johnson matter, the petitioner successfully argued that the data infringement in that case had led to significant distress as the petitioner had moved to her new residence to escape an abusive relationship, and the data infringement led her to worry that her former partner would be able to contact her. Meanwhile, the claimants in the Rolfe matter, while claiming similar distress as a letter of demand had been sent to the wrong person, were unable to prove that their distress was not ‘trivial in nature’. The degree of distress appears to have been assessed as much more significant in the Johnson case, thus allowing the claim to proceed without being struck out on de minimis grounds. While this appears to accurately elucidate the dividing line for claims in determining if the de minimis standard should be met, more case law is needed to better define this classification.
Representative Actions and the Equality of Claimants
The Lloyd v Google case was much more informative on the courts’ positions on representative actions with relation to data protection and data breach/infringement claims. Typically, the United Kingdom has been less receptive in its courts to representative actions, or class-action suits, although the courts have long permitted actions to be brought on behalf of a group of persons, as long as damage can be proven for all individuals in the class represented by the claim. This has led to recovery on a mass-scale typically being easier and significantly more common in the United States, although class-action (or representative) actions do still exist within the British jurisprudence.
The courts have typically required that representative actions be made for the same quantum for all claimants. This means that even if some claimants have encountered more damage from the data breach than others, they cannot sue for more damages – and thus all claimants in the class have to sue for the same amount. This has the effect of causing any representative action predicated on a large class to be predicated on the damage suffered by the least injured members of said class, as more damaged parties are able to claim damages for part of the damage suffered but the least damaged members cannot reasonably claim damages for damages they did not suffer. In a claim as large as Lloyd v George, the least-affected members would not have suffered damages beyond any de minimis threshold, and thus it was impossible to find damages against a class as wide as defined by Lloyd in the claim.
It appears clear that for any such claim to succeed in the future, the class of claimants will have to be defined and identified in a much narrower fashion – so that the least-damaged claimant will have significant-enough damages to make the claim worthwhile. Furthermore, claims will likely be based off more egregious breaches such as to be able to prove damages. However, it is encouraging that the Supreme Court, in this case, recognised the mass nature of damages caused by data breaches in the modern technological era, and affirmed that within the limitations provided, representative actions could still be pursued for breaches under the GDPR and the Data Privacy Acts (although it is worth noting that Lloyd itself was brought under a separate, older act so that the claim would have a greater chance at success).
The intersection with the rulings in Johnson v Eastlight and Rolfe v Veale likely will mean that classes will also have to be more carefully selected to ensure that distress has, on a personal level, occurred. It appears unclear from the holdings whether distress is considered on subjective or objective grounds – there does appear to be some objectivity to the line drawn between both cases, but the fact that Johnson did not involve any public publication of the relevant details, the details were deleted swiftly and yet the distress caused to the claimant was found to be sufficient to form the grounds of the action indicate that there might be some consideration of the subjective elements of the distress caused. Perhaps, there is some consideration of the reasonability of the subjective distress caused by the data breaches – certainly, it is entirely reasonable for someone fleeing an abusive relationship to worry about any personally identifying data being published – much more so than it is for someone to be caused distress by the limited spread of a letter of demand, which was much less likely to cause said individual(s) material harm.
Recent rulings in the field of data protection have contributed to a significant advancement of the law on data protection, and the specifically-required threshold for claims to be brought for damages arising from data breaches or infringements of data privacy regulations. This has narrowed the scope for potential claims, but brings the UK into a state of jurisprudential clarity, and is likely to prevent frivolous, large claims from arising in the British courts, deterring litigation funders and protecting companies.
Lloyd v Google LLC  UKSC 50
Johnson v Eastlight Community Homes Limited  EWHC 3069 (QB)
Rolfe & Ors v Veale Wasbrough Vizards LLP  EWHC 2809 (QB)
Jameel & Another v Wall Street Journal Europe (No.2) (HL)  UKHL 44
UK: Important judgment on de minimis threshold in data protection compensation claims – Rolfe -v-
UK: Lloyd v Google – Game over for privacy class actions? – Linklaters - https://www.linklaters.com/en/insights/blogs/digilinks/2021/november/uk-lloyd-v-google-game-over-for-privacy-class-actions
Compensating non-material damages based on Article 82 GDPR – is there a de minimis threshold? – White and Case - https://www.whitecase.com/publications/alert/compensating-non-material-damages-based-article-82-gdpr-there-de-minimis