Graeme Smith & Others v Talktalk Telecom Group Plc
| Jurisdiction | England & Wales |
| Judge | Mr Justice Saini |
| Judgment Date | 27 May 2022 |
| Neutral Citation | [2022] EWHC 1311 (QB) |
| Docket Number | Case No: QB-2020-003019 |
| Court | Queen's Bench Division |
[2022] EWHC 1311 (QB)
THE HONOURABLE Mr Justice Saini
Case No: QB-2020-003019
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
MEDIA AND COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Phillippa Kaufmann QC and Conor McCarthy (instructed by Leigh Day) for the Claimants
Anya Proops QC and Zac Sammour (instructed by Mason Hayes Solicitors) for the Defendant
Hearing date: 19 May 2022
Approved Judgment
This judgment was handed down by the judge remotely by circulation to the parties' representatives by email and release to The National Archives. The date and time for hand-down is deemed to be Friday 27 May 2022 at 2pm.
THE HONOURABLE Mr Justice Saini
This judgment is in 6 main parts as follows:
| I. Overview: | paras. [1]–[5] |
| II. Procedural Law: | paras. [6]–[9] |
| III. The Claimant Groups: | paras. [10]–[12] |
| IV. The Misuse of Private Information Claim: | paras. [13]–[63] |
| V. The “Unconfirmed” Breaches Claim: | paras. [64]–[76] |
| VI. Conclusion: | para. [77]. |
I. Overview
This is my judgment in relation to a number of applications in a claim based on alleged “mass” data breaches. The Claim Form was issued on 27 August 2020 on behalf of Graeme Smith and a number of additional Claimants. The Defendant is the telecommunications provider TalkTalk. The claims are for compensation for breach of statutory duty under the Data Protection Act 1998 (“the DPA”), and damages in the tort of misuse of private information (“MPI”).
The legal viability of the DPA claim is not in issue, subject to a pleading complaint about one aspect of that claim. There is a substantial dispute in relation to the MPI claim, which the Defendant seeks to have dismissed. The MPI claim is not a conventional one. The Defendant is described in the Particulars of Claim as having a “duty to avoid the misuse of private information”. This reflects the nature of the MPI claim before me — which is essentially that the Defendant's conduct permitted or “facilitated” (to use the words of Leading Counsel for the Claimants) third party criminal actors to access the Claimants' private information such as their names, addresses and confidential banking details. That information was then misused, it is alleged, by criminal actors to seek to defraud the Claimants by seeking to “scam” them.
There have been a number of drafts of the Particulars of Claim and the final iteration for the purposes of the applications (the draft Re-Amended Particulars of Claim — “the RAPOC”) was served on the evening before the hearing. It contains a substantial reformulation of the MPI claim. In accordance with the normal approach, it is that document which has been the focus of the submissions in relation to the legal viability of the MPI claim. The Claimants seek permission to amend the claim in the form of the RAPOC.
The Defendant argues that the MPI claim, even as reformulated in the RAPOC, is bad in law. The Claimants say that, in the draft amended form before the court, it is legally viable and should be permitted to go to trial. I record at the outset that the Claimants originally also pleaded a claim in breach of confidence. This was based on the contention that the Defendant was liable for failures which led to third parties obtaining unauthorised access to the relevant private information. By consent the Claimants have discontinued that claim. There is also no suggestion that any common law duty under the law of negligence was owed to the Claimants to secure their data. That reflects the state of the law in this field.
There are three contested and connected applications before me:
i) First, the Defendant's application to strike out: (a) the Claimants' MPI claim, and (b) references in the Particulars of Claim to what are pleaded as “unconfirmed breaches”, pursuant to CPR 3.4 (2). As regards the MPI claim, the Defendant also brings a parallel application for “reverse” summary judgment pursuant to CPR 24.2.
ii) Second, the Claimants' application for permission to amend the Particulars of Claim to, in the words of the Application Notice, “update the POC in light of recent case law on misuse of private information”. That is a reference to my decision in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB); [2021] E.M.L.R. 25 (“ Warren”), in which I struck out an MPI claim in a data breach claim. There is an issue as to whether Warren is to be distinguished on the basis of the facts now pleaded in the RAPOC and/or was wrongly decided.
iii) Third, the Claimants' application pursuant to Part 18 CPR for further information (“the RFI Application”). This is related to what are said by the Defendant to be fatal deficiencies in the claim concerning the pleading of “unconfirmed breaches”, as I describe further below. The RFI Application depends on the outcome of the Defendant's strike-out application which seeks the dismissal of those allegations. With the agreement of the parties, I adjourned consideration of the RFI Application to be dealt with by me after judgment on the other applications. That was because it might have become academic and also because certain of the arguments made (for the first time in the Claimants' skeleton) justified the Defendant being permitted to serve evidence in response. These matters concerned in particular the reporting obligations of the Defendant under the Privacy and Electronic Communications Regulations 2003 and whether the breach information sought in the RFI would be (or should be) readily accessible to the Defendant.
II. Procedural law
As to the relevant legal tests in relation to striking out/summary judgment and particularisation, there was no material dispute as to the law between the parties. I will accordingly not set out the now well-established principles governing CPR 3.4( 2), CPR 18.1 and CPR 24 (and the extent of its overlap with CPR 3.4(2)(a)). They are set out in some detail in the White Book (2022) Vol. 1 at paras. 3.4.2–3.4.3, para. 18.1.3, and para. 24.2.3, respectively. In relation to the strike-out application, I must assume the truth of the facts pleaded in the RAPOC. A statement of case which might be cured by amendment should not be struck out without giving the relevant party an opportunity to cure defects: Soo Kim v Young [2011] EWHC 1781 (QB). The Defendant also relies upon CPR 3.4(2)(b) and (c) as a basis for striking out the “unconfirmed breach” claim and drew to my attention a number of cases to which I will refer below.
As regards the Part 24 application, I will take a wider approach (not confined to the pleading) which requires assessment of whether the Claimants have a realistic (as opposed to fanciful) prospect of proving the pleaded facts and success at trial. That question must however be approached bearing in mind not only the current evidence but also the evidence which can reasonably be expected to be available at trial.
CPR 16.4 prescribes the matters which must be included within a Particulars of Claim and these include a statement of the facts relied upon as giving rise to the claim ( CPR 16.4(1)(a)). CPR 16 is supplemented in the Media and Communications List by CPR PD 53B, which makes further specific provision as to pleading of data protection and MPI claims. I will refer to this as “the Practice Direction” below and will turn to specific parts of it when considering each of the applications.
I will begin by describing the Claimant groups and background facts. My description is largely based on the Claimants' pleaded case (including the proposed amendments in the recent RAPOC), as supplemented by the short witness statements submitted on behalf of the parties.
III. The Claimant Groups
The Claimants are individuals who claim to have been customers or prospective customers of the Defendant and/or family members of such persons. They claim (and, in respect of the majority of Claimants, the Defendant admits) that the Defendant stored and processed their personal data in that context. At a high level, the Claimants' essential case is that their personal data was obtained from the Defendant's IT systems by unknown criminal third parties. They say that their personal data was then used by those third parties in furtherance of frauds perpetrated against them. The Claimants identify two specific incidents in the RAPOC which they say gave rise to unauthorised access to their personal data (the 2014 Breach and the 2015 Breach, as described below). They also rely upon a third category of breaches (referred to as “Unconfirmed Breaches”). That is a controversial category.
It is important to note that one needs to distinguish between “Breach” in this context and breach of the DPA. The Defendants more helpfully and accurately refer to the 2014 and 2015 matters as “Incidents” which allows one to distinguish between those events and breaches of the legislation. I will however use the Claimants' terms below because I will need to quote from their pleadings in some detail and confusion will be caused if I use the Defendant's defined terms.
The Claimants have been divided into three groups:
i) Group 1 — the 2014 Claimants. This group is defined in paragraph 4 (a) of the RAPOC and consists of 16 Claimants identified in Annex A to the RAPOC. It is said that they were affected by the 2014 Breach and, as a result, were “scammed” out of money by fraudsters who were able to pretend to be employed by the Defendant as a result of the data obtained and/or were victims of attempted scams.
ii) Group 2 — the Unconfirmed Breach Claimants. This group consists of 56 Claimants. It is said that these Claimants were also victims of “scamming” involving the use of data originally held by the Defendant, but the scamming incident occurred after the 2015...
To continue reading
Request your trial
-
Michael Farley (formerly “CR”) v Paymaster (1836) Ltd (trading as Equiniti)
...the tort of MPI”: [27]. 94 Saini J returned to consider this point in another cyber-attack case: Smith v Talktalk Telecom Group plc [2022] 1 WLR 5213. The Judge held: [46] I was taken to two more recent cases where the reasoning in Warren was applied in dismissing MPI claims: Stadler v Cur......