Mass Data Breaches and the Limits of Privacy Claims

There have been a few recent cases in the High Court that have dealt with the question of whether misuse of private information can be claimed against companies that have experienced a data breach for which they have been found responsible by the Information Commissioner. In both of the cases discussed here, the claimants failed to persuade the court that they could bring a claim in misuse of private information (“MPI”) alongside a claim for breach of data protection legislation.

MPI is a tort that recently emerged in the common law to address a shortfall in the law of breach of confidence, under which a claim can only be brought in limited circumstances. MPI protects information that is private, but where a formal contractual relationship does not necessarily exist between the parties. It can be a more appealing cause of action than breach of data protection legislation because it tends to attract higher damages awards (see the case of Gulati). Further, unlike in data protection, MPI claims must be brought in the High Court and after-the-event insurance premiums are recoverable.

There is a two-stage test in an MPI claim. First, the claimant must show that there is a reasonable expectation of privacy in the information in question; that is, Article 8 of the European Convention on Human Rights (“the Convention”) must be engaged. If a reasonable expectation of privacy is established, the next stage is to consider the balance between the claimant’s privacy rights and the defendant’s countervailing rights. Usually, this countervailing right is the freedom of expression under Article 10 of the Convention, but other rights could also be relevant.

Most MPI cases involve a defendant who has used or published private information without the claimant’s consent. In a data protection context, claimants have recently argued that the failure to take appropriate security measures has led to the misuse of their private information by third parties. The defendant in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) operated the retail brands ‘Currys PC World’ and ‘Dixons Travel’. Between July 2017 and April 2018, the company was the victim of a complex cyber-attack that infected the ‘point of sale’ terminals at its stores with malware. As a result, the hackers were able to access the personal data of customers and their credit card details. It was estimated that around 14 million people were affected. The ICO concluded that “the deficiencies in DSG’s technical and organisational measures created real risks of such data breaches, and that they played an essential causal role”.[1]  The ICO issued a fine of £500,000, which was later reduced to £250,000 on appeal. The claimant brought a claim for breach of data protection legislation, breach of confidence, common law negligence and MPI.

A more recent case of this kind to reach the High Court is Graeme Smith & Others v TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB). This case was similar to Warren. TalkTalk had also experienced serious data breaches and had been found by the ICO to have failed to put in place sufficient technical and organisational measures. TalkTalk had used a company called Wipro, based in India, to provide its IT customer services. Through a portal designed by TalkTalk, Wipro employees were able to access the personal data of between 25,000 and 50,000 TalkTalk customers at any point in time. They were also able to export data to separate files and applications. 

In September 2014, TalkTalk became aware that there had been a data breach when customers started to complain that they were receiving scam calls in which the callers quoted their TalkTalk account numbers to them. TalkTalk reported the breach to the ICO. Wipro employees had been stealing and selling the data, which was then used to scam TalkTalk customers. TalkTalk was found to have breached the seventh data protection principle by failing to adequately protect its customers’ data. The breach was found to have lasted a decade and affected some 21,000 customers. The ICO imposed a fine of £100,000.

There was a further data breach in 2015. TalkTalk had bought the UK operations of the Italian telecommunications company Tiscali in 2009 and began to use some of its IT infrastructure. Webpages which were linked to an underlying customer database were run on outdated MySQL software. The vulnerability of the software was well known in the IT industry and in 2012 the software vendor had made a fix available. However, TalkTalk did not update the relevant software and the webpages were hacked by third parties. The breach affected some 156,000 customers. Hackers could access customers’ names, addresses, dates of birth, phone numbers, email addresses and for a portion of the customers, their bank account information too. In 2016, the ICO imposed a fine of £400,000, concluding that TalkTalk had breached the seventh data protection principle. The claimants brought a claim for compensation for breach of data protection legislation and MPI.

The judgment in Smith related to multiple applications made by the parties, attempting to strike out the claim, re-formulate the claim and make a request for further information. The judgment in Warren related to the defendant’s application to strike out all causes of action except the data protection claim. Mr Justice Saini was the presiding judge in both cases. 

In Warren the MPI claim had been pleaded as a failure of the defendant to prevent the misuse of the claimant’s private information by third parties. Saini J highlighted that no positive conduct by the defendant had been alleged to have been a misuse of the claimant’s private information.[2] He concluded that the tort “imposes a positive obligation not to misuse private information” and while such a misuse could be unintentional, it still requires a positive action.[3] As such, it was found that MPI does not impose any “data security duty” on the part of the holder of private information.[4] The MPI claim was struck out.

In Smith, Saini J maintained this approach. He noted that the relevant Practice Direction for pleading MPI claims requires the claim to set out ‘the specific conduct that is a misuse of the information’.[5] In Smith, the claimants argued that TalkTalk had designed a system that enabled third-party actors to gain access to their personal data and use it for criminal purposes. In relation to the 2015 breach, it was pleaded that TalkTalk had failed to update its software. The case was pleaded so as to describe those acts as positive acts rather than omissions. This did not alter Saini J’s view. He concluded that pleading an omission as a failure to act or do something does not turn it into a positive act which could be characterised as a misuse.

These cases suggest that in principle, a failure to adequately secure personal data will not amount to a tort of MPI. Saini J phrased the question for a court to consider in relation to a data controller’s conduct as: “was the conduct complained of by the claimant a misuse by the defendant of the information?”.[6]

Warren and Smith are among a number of data protection cases that illustrate that liability for third-party misconduct is extremely difficult to establish, even where a controller creates an environment that makes that misconduct possible. In WM Morrison Supermarkets Plc v Various Claimants [2020] UKSC 12 the Supreme Court concluded that while vicarious liability for an act of an employee could apply in data protection cases, on the particular facts of the case it had not been established (see my blog article here). Even though the employee had used his position at the company to steal data, there was not a sufficient nexus to satisfy the ‘close connection’ test required to establish liability.

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB) the claimants’ claim against the hospital that had permitted a company’s representatives to engage with mothers on its maternity ward failed. In that case the representative had ignored the hospital’s policies and collected the claimant’s personal data covertly, without the hospital’s knowledge and without the claimant’s consent.

In Stadler v Currys Group Ltd [2022] EWHC 160 (QB), the failure to erase the claimant’s personal data from a ‘Smart’ television before selling it was also insufficient to establish a cause of action in MPI. In Collins v Ticketmaster UK Ltd [2022] Costs LR 123, the claimants managed to persuade the judge that Warren was either distinguishable or may have been wrongly decided because it had not examined the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464; an application to amend the MPI claim was permitted. However, the case settled before this argument could be explored.

In Smith, Saini J confirmed that he had noted the case of Swinney when deciding Warren and concluded that it is not relevant in the absence of a relationship which gives rise to duties under both the law of negligence and the law of confidentiality.[7] He highlighted that Swinney also pre-dates the development of MPI and does not involve an analysis of misused information.

As the law currently stands, a data controller’s failure to apply sufficiently robust technical and organisational measures – even where the failure is egregious and attracts a significant fine from the ICO – will not in itself give rise to circumstances in which an MPI claim can be brought. A misuse must be a positive act in relation to the information and be performed by the defendant, not a third party. While claimants may be able to pursue a controller for the data breaches that it has committed, an MPI claim will be narrowly construed.

If you are interested in any further information or advice, please contact my clerks on: 0300 0300 218 or mstock@privacylawbarrister.com 

[1] See the ICO’s notice here.

[2] Paragraph 21 of the judgment.

[3] Ibid., paragraphs 26 and 27.

[4] Ibid., paragraph 22.

[5] Ibid., paragraph 32.

[6] This is the judge’s emphasis, paragraph 34.

[7] See paragraphs 57 to 61 of the judgment in Smith.