Darren Lee Warren v DSG Retail Ltd
| Jurisdiction | England & Wales |
| Judge | Mr Justice Saini |
| Judgment Date | 30 July 2021 |
| Neutral Citation | [2021] EWHC 2168 (QB) |
| Docket Number | Case No: QB-2021-001711 |
| Court | Queen's Bench Division |
[2021] EWHC 2168 (QB)
THE HONOURABLE Mr Justice Saini
Case No: QB-2021-001711
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
MEDIA AND COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Clare Duffy (instructed by Pure Legal Limited) for the Claimant
Antony White QC and Rupert Paines (instructed by Pinsent Masons LLP) for the Defendant
Hearing dates: 27 July 2021
Approved Judgment
This judgment is in 4 parts as follows:
| I. Overview: | paras. [1–12] |
| II. The Arguments: | paras. [13–17] |
| III. Discussion: | paras. [18–42] |
| IV. Conclusion: | para. [43–44]. |
I. Overview
The Defendant (“DSG”) is the well-known retailer operating the ‘Currys PC World’ and ‘Dixons Travel’ brands. Between 24 July 2017 and 25 April 2018, DSG was the victim of a complex cyber-attack (the “Attack”), carried out by sophisticated and methodical criminals (the “Attackers”). The Attackers infiltrated DSG's systems and installed malware which was running on 5,930 point of sale terminals at the stores. In the course of the Attack, the Attackers accessed the personal data of many of DSG's customers.
The Information Commissioner investigated the circumstances of the Attack and decided that DSG breached the seventh data protection principle (DPP7). She issued a Monetary Penalty Notice (MPN) in the amount of £500,000. That is subject to an appeal to be heard later this year before the FTT.
The Claimant, Darren Lee Warren, had purchased goods from Currys PC World and claims that the following personal information or data concerning him was compromised in the Attack: his name, address, phone number, date of birth and email address.
As a result of that event, the Claimant has brought this claim against DSG as the relevant data controller for damages limited to £5,000.00. Those damages are not claimed as a result of any personal injury but, as described in more detail below, are damages in respect of distress the Claimant suffered as a result of his personal data being compromised and lost. The causes of action relied upon are breach of confidence (“BoC”), misuse of private information (“MPI”), breach of the Data Protection Act 1998 (“ DPA”), and common law negligence.
By an Application Notice dated 17 June 2021, DSG seeks summary judgment and/or an order striking out each of these claims apart from the claim for breach of statutory duty arising out of alleged breach of DPP7. DPP7 requires “appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of data”. Just before the hearing before me the Claimant undertook to discontinue his claims in respect of other alleged breaches of data protection principles.
In short, DSG argues that the BoC, MPI and negligence claims have no realistic prospect of success on the basis of the uncontroversial facts and/or are not tenable as a matter of law. The Claimant argues that such claims are properly arguable and should be resolved at trial following full factual investigation. Counsel for the Claimant (who did not settle the pleadings) volunteered that there were manifest deficiencies in the Particulars of Claim and indeed that the pleading was embarrassing in various respects. She submitted however that these were matters that could be resolved by a future application to amend following the appeal to the FTT. No draft amended pleading was before me.
There was a minor issue as to whether the negligence claim should be struck out because it did not appear in the Claim Form although it was within the Particulars of Claim. I have proceeded on the basis that if such a claim were viable, permission to amend the Claim Form would be granted.
The parties are agreed that whatever the outcome of this application, the claim should be stayed pending final determination of DSG's appeal against the Information Commissioner's Monetary Penalty Notice of 7 January 2020, which is presently listed to be heard over 7 days commencing on 15 November 2021 before the First-tier Tribunal ( EA/2020/0048). I made such an order at the hearing.
There was no dispute as to the principles to be applied in considering an application for summary judgment and an application to strike out a claim. The test on an application under CPR 24 is set out in CPR 24.2:
“The court may give summary judgment against a claimant or defendant on the whole of a claim or on a particular issue if –
(a) it considers that –
(i) that claimant has no real prospect of succeeding on the claim or issue; or
(ii) that defendant has no real prospect of successfully defending the claim or issue; and
(b) there is no other compelling reason why the case or issue should be disposed of at a trial.”
The principles on the application of that test are well-known and conveniently summarised in Easyair Ltd v Opal Telecom Ltd [2009] EWHC 339 (Ch) at [15]. They are well-known and do not need to be recited.
As regards strike out, by CPR 3.4(2):
“(2) The court may strike out a statement of case if it appears to the court–
(a) that the statement of case discloses no reasonable grounds for bringing or defending the claim;
(b) that the statement of case is an abuse of the court's process or is otherwise likely to obstruct the just disposal of the proceedings; or
(c) that there has been a failure to comply with a rule, practice direction or court order.”
As summarised in Duchess of Sussex v Associated Newspapers Ltd [2020] EMLR 21 at [33(2)]:
“(2) An application under CPR r.3.4(2)(a) calls for analysis of the statement of case, without reference to evidence. The primary facts alleged are assumed to be true. The Court should not be deterred from deciding a point of law; if it has all the necessary materials it should “grasp the nettle”: ICI Chemicals & Polymers Ltd v TTE Training Ltd [2007] EWCA Civ 725, but it should not strike out under this sub-rule unless it is “certain” that the statement of case, or the part under attack discloses no reasonable grounds of claim: Richards (t/a Colin Richards & Co) v Hughes [2004] EWCA Civ 266; [2004] P.N.L.R. 35 [22]. Even then, the Court has a discretion; it should consider whether the defect might be cured by amendment; if so, it may refrain from striking out and give an opportunity to make such an amendment.”
II. The Arguments
The parties provided very helpful oral and written submissions. My conclusions will identify the points which I found persuasive, but I will summarise the broad thrust of the arguments at this stage. I will not refer to every authority cited to me but will, when I provide my conclusions, identify what I considered to be the governing case law.
As regards both MPI and BoC, Leading Counsel for DSG focussed on the fact that the Claimant brings a claim for distress damages arising out of a cyber-attack on DSG, in which an external, criminal third-party attacker obtained access to personal data by breaching DSG's security systems. So, it was argued, the breach alleged is a failure to keep the data secure from unauthorised third-party access. It was said that such an allegation does not amount in law to an allegation of BoC or MPI. It was submitted that both of those causes of action require the defendant to have taken some positive wrongful action in relation to the information in question (typically, disclosing it to a third party or making some other unauthorised use of it). Reliance is placed on the fact that DSG did not itself take any such positive wrongful action. As regards the claim in negligence, it was argued that it is established by Court of Appeal authority that where the duties under the DPA apply, there is neither need nor warrant for a duplicative action in negligence. It was also submitted that this claim failed because of a failure to plead recoverable loss.
Against this, Counsel for the Claimant submitted that his case on MPI and negligence had real prospects of success. It was conceded that the BoC claim was not tenable and should not have been pleaded.
As to the MPI claim, it was submitted this was a proper claim to go forward because the information which was compromised was prima facie private (full name, contact address, email address, telephone number, date of birth), being information which rendered the Claimant susceptible to identity fraud. Counsel argued that in providing this information to DSG the Claimant had a reasonable expectation that his information would be adequately protected and, thereby, kept private. It was argued that MPI encompasses not only the disclosure / publication of information, but also with privacy ‘intrusion’ and the means by which the information is obtained. As to DSG's submission that that a ‘misuse’ requires a positive action, Counsel for the Claimant argued that it is unsupported by authority. I was referred to the Information Commissioner's conclusion that DSG's culpability was “ striking” and that it had knowledge of some deficiencies from 2014 and others from on or around May 2017. It was said that notwithstanding the basic nature of some deficiencies and DSG's resources as a successful nationwide retailer, they were not remedied. It follows, it was argued, that DSG intentionally and recklessly left the Claimant's private information exposed to a real risk of intrusion and/or “tantamount to publication” to the world at large. Accordingly, it was argued that put in another way, the Claimant's case, properly understood, is a publication case: DSG's failure to implement basic security measures to protect his information meant that there was – in effect – publication to the third-party hacker. I was taken in some detail in the skeleton to the conclusions in the MPN and reminded that insofar as DSG disputes these that is a matter for trial.
To continue reading
Request your trial
-
Andrew Prismall v Google UK Ltd
...79 For these purposes “misuse” may include unintentional use, but a “use” does require a positive action: Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), [2022] 1 All ER 1191, Saini J at para 27; see also Underwood at para 75 80 Intentionally obtaining information can amount to “misuse” for......
-
William Stadler v Currys Group Ltd
...data protection claims. Privacy and Confidence 46 I will consider next the claims for MOPI and BOC. 47 Warren v DSG Retail Limited [2021] EWHC 2168 (QB) was a case in which damages were sought against Currys for distress arising out of the loss of personal data on basis of breach of confid......
-
Graeme Smith & Others v Talktalk Telecom Group Plc
...the POC in light of recent case law on misuse of private information”. That is a reference to my decision in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB); [2021] E.M.L.R. 25 (“ Warren”), in which I struck out an MPI claim in a data breach claim. There is an issue as to whether Warren is t......
-
Emma Louise Johnson v Eastlight Community Homes Ltd
...existence of a claim in negligence, and as further supported by way of the recent decision of Saini J in Warren v DSG Retail Limited [2021] EWHC 2168 QB) 5, ten minutes later Mr Metcalfe formally withdrew on behalf of the Claimant her claim based in 16 Whilst submissions on this point ther......
-
Data Protection Hot Topics - Thinkhouse (Video)
...by the Courts is that of a cyber-attack. Judgment in Warren v DSG Retail Limited was handed down at the end of July this year [[2021] EWHC 2168 (QB)]. It is a case which concerns a low value claim arising out of a data breach in 2018 in which DSG's systems were accessed by an unauthorised t......
-
Data Protection Hot Topics - Thinkhouse (Video)
...by the Courts is that of a cyber-attack. Judgment in Warren v DSG Retail Limited was handed down at the end of July this year [[2021] EWHC 2168 (QB)]. It is a case which concerns a low value claim arising out of a data breach in 2018 in which DSG's systems were accessed by an unauthorised t......
-
Welcome Guidance From The Court On Defending Minor Data Breach Claims
...data breach claims. Helpfully, that has now changed as a result of the three cases that we discuss below. In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the defendant was the victim of a cyber-attack which resulted in the personal data of its customers being compromised. The claimant dul......
-
Welcome Guidance From The Court On Defending Minor Data Breach Claims
...data breach claims. Helpfully, that has now changed as a result of the three cases that we discuss below. In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), the defendant was the victim of a cyber-attack which resulted in the personal data of its customers being compromised. The claimant dul......