EWHC (UK) - Johnson v Eastlight Community Homes Ltd

From GDPRhub
Revision as of 15:47, 6 December 2021 by FA (talk | contribs)
EWHC (UK) - QB-2021-000923
Courts logo1.png
Court: EWHC (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 82 GDPR
Article 8 ECHR
Section 169 DPA 2018
Decided: 16.11.2021
Published: 16.11.2021
Parties: Emma Louise Johnson
Eastlight Community Homes Ltd
National Case Number/Name: QB-2021-000923
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): English
Original Source: BAILII (in English)
Initial Contributor: Florian Wuttke

The High Court struck out all but one claims by a data subject whose social housing provider accidentally disclosed two (out of 6941) pages containing their personal data, but notably held that the de minimis and Jameel principles apply to claims under Article 82(1) GDPR.

English Summary

Facts

The defendant is a provider of social housing, the claimant is one of its tenants. A third party requested a rent statement from the defendant. In response to the request, the defendant sent a compilation of 6,941 pages unrelated rent statements by e-mail to the third party. The e-mail also included two pages of the claimant's rent statement with name, email address, and recent rent payments made to the defendant. The inadvertent disclosure was to a single person who immediately notified the defendant of the error and was asked by the defendant to delete the e-mail. Subsequently, the defendant informed the claimant of the error and the fact that the recipient had deleted the information. The matter was also reported to the Information Commissioner's Office, who confirmed that no action was required or would be taken as a result of the inadvertent data breach.

At the time of the disclosure the claimant moved home to escape an abusive relationship and was concerned that the address would somehow become known to the claimant’s former partner. The claimant brought the case to the High Court and claimed “damages for Misuse of Private Information, Breach of Confidence and Negligence, together with damages for breach of Article 8 ECHR rights as incorportated in the HRA 1998 as well as damages pursuant to Article 82 GDPR and damages pursuant to section 169 of the Data Protection Act 2018. (…) Further, the Claimant claims injunctive relief to prevent the recurrence of this type of breach and declaratory relief stating that the Defendant has breached the principles enshrined in the abovementioned legislation." In support for issuing the case in High Court, the claimant argued that the matter concerned an evolving area of law which required elaborate and complex legal reasoning.

The defendant denied that the claimant is entitled to any damages at all or any other relief because the claimant suffered no loss or damage above the de minimis threshold. The defendant applied to strike out the claim under the Jameel principle and/or for transferral to the County Court.

Holding

The court saw no basis for this claim being issued in the High Court, partially struck out the claims collateral to the GDPR claim and transferred the remaining claims to the County Court. The Jameel principle and de minimis threshold continue to apply under the GDPR.

Comment

On the seriousness of the breach:

The court held, that the disclosed information was not of an obviously sensitive nature and did not concern matters such as health, sexual relationships or bank details. The disclosure could not have given rise to any fraudulent purpose. The period of disclosure was very short. The only evidence of consequence is solely to the claimant and both subjective and finite in time. Regarding the remoteness of the ex-partner locating the claimant because of the data breach, the court gave an example: As the claimant had not chosen to make her contact details ex-directory, the ex-partner could have easily searched the phone book to locate the claimant’s whereabouts. In conclusion, the Claimant's distress seemed more hypothetical than real.

On the question of injunctive and declaratory relief:

Injunctions or declarations by the court are discretionary remedies granted only where it is demonstrated that defendants to commit further torts. The facts of the case do not suggest that ongoing threats exists to the claimant’s personal data. No evidence was put forward to maintain that this was anything other than a one-off error. Therefore, the court refused to grant injunctive and declaratory relief. The court also refused to award damages under s.169 DPA 2018 in relation to infringements of data protection legislation other than GDPR. For the court it was unclear on what additional infringement the claimant relied upon and to what effect.

On the application of de minimis and Jameel:

The court analysed the application of the de minimis threshold and Jameel principle to cases relating to the Data Protection Directive (95/46/EC) and the DPA 1998 (pre-GDPR legislation). The court confirmed with reference to Vidal-Hall v Google [2016] QB 1003 that the Jameel principle not only applies to non-statutory torts. Regarding the de minimis threshold, the court pointed out that previous courts applied the threshold in relation to the Directive and the DPA 1998, even though these pieces of legislation did not provide for a de minimis threshold. In comparison to pre-GDPR legislation, the court found no difference in the wording of Article 82(1) GDPR which would prevent the continued application of the Jameel principle or the de minimis threshold to an action for damages brought under it.

On the case allocation to the High Court:

The court saw no basis for this claim being issued in the High Court. The court held that the Particulars of Claim comprised several overlapping and inadequately pleaded causes of action and the presentation of this case constituted a form of procedural abuse. The claims collateral to the GDPR claim were likely to obstruct proceedings, take up unreasonable court time and costs and should be struck out. However, the case ought not to be entirely struck out. The remaining claims have all of the hallmarks of a Small Claim Track and should be redirected to the County Court.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

IN THE HIGH COURT OF JUSTICEQUEEN'S BENCH DIVISIONMEDIA AND COMMUNICATIONS LIST



Master Thornett: 

On 15 March 2021, the Clamant issued a Part 7 Claim Form in the High Court seeking damages limited to £3,000. 



The endorsement on the Claim Form states that she is claiming:

"(Including aggravated damages), damages for Misuse of Private Information, Breach of Confidence and Negligence, together with damages for breach of Article 8 ECHR rights as incorportated [sic] in the HRA 1998 as well as damages pursuant to Article 82 GDPR and damages pursuant to section 169 of the Data Protection Act 2018." 

"Further, the Claimant claims injunctive relief to prevent the recurrence of this type of breach and declaratory relief stating that the Defendant has breached the principles enshrined in the abovementioned legislation."

Supporting lengthy Particulars of Claim plead matters more widely, additionally seeking damages pursuant to s.169 of the Data Protection Act 2018, declarations that the processing of the Claimant's personal data amounted to (i) a breach of her Article 8 ECHR rights to privacy and/or family life; and (ii) a breach of Article 5(1) General Data Protection Regulation ["GDPR"].

Although the case had not been allocated and so no CCMC had been listed (assuming allocation justified such a hearing), the Claimant's solicitors filed a Precedent H Form  confirming over £15,000 has already been incurred in costs and a total figure for costs  just in excess of £50,000. Such costs are, as is required in a Precedent H, certified by the Claimant's solicitors as "reasonable and proportionate for my client to incur in this litigation". 

The Claimant's Directions Questionnaire suggests a 2-day trial is appropriate. 



  	Despite these features, the factual background to the claim is very straightforward. 





   	The Defendant is a provider of low-cost social housing and the Claimant is one its tenants. On 1 September 2020, one of the Defendant's other customers ["the Third Party"] requested a rent statement. Around 1.22pm, one of the Defendant's employees replied by e-mail with the information but inadvertently also attached a compilation of rent statements of other customers of the Defendant, including the Claimant. The Attachment included the Claimant's name, email address, and recent rent payments made to the Defendant. The Third Party, as sole recipient of the e-mail, immediately notified the Defendant of the error by phone and was asked by the Defendant to delete the e-mail. At 3.45pm, the Third Party confirmed they had deleted it. 





	The inadvertent disclosure therefore was to a single person, who took apparently no issue with it, and lasted less than three hours. 



 	The Defendant admits sending the attachment was a mistake, as occurred owing purely to human error. It e-mailed the Claimant on 20 September 2020 to (i) inform her of the error and the fact that the recipient had deleted the information (ii) apologise and (iii) state that the matter had been reported to the Information Commissioner's Office. Whilst the Defendant does not accept reporting to the Commissioner was necessary anyway, it chose to do so. The Information Commissioner's Office confirmed only a few weeks' later that no action was required or would be taken as a result of the inadvertent data breach.





The extent to which the Claimant's personal information was ever considered by the Third Party has to be assessed in the context of the size of the attachment. The Claimant's details appeared at pages 880-882 into a document of almost 6,941 pages long, a point the Defendant says invites inference that it is highly unlikely that the Third Party read the Claimant's information at all.

By 16 November 2020, nonetheless, the Claimant had instructed solicitors and a letter before claim had been sent to the Defendant. 

	The Defendant applies to strike out the claim under CPR 3.4(2)(a) and/or (b) and/or for summary judgment. As it set out in much fuller detail in its filed Defence, the Defendant denies the Claimant is entitled to any damages at all or any other relief in the circumstances. It describes this a purely a technical breach of Article 5 of the GDPR. The Defendant contends that (a) the Claimant has suffered no loss or damage above the de minimis threshold, and therefore the Claimant has no real prospect of success on the claim such that the court should enter summary judgment for the Defendant; and (b) even if the damage were to be found by the court to be above de minimis, the 'game is not worth the candle' and so still ought to be struck out under the Jameel[1] principle. 



General observations about the alleged importance and severity of the claim in the context of an admitted breach 





1 The disclosed information plainly was not of an obviously sensitive nature in itself. It did not concern, for example, matters such as health, sexual relationships or bank details. The disclosure could not have given rise to any fraudulent purpose. Indeed, the Claimant confirms that after she was informed of the matter, she checked her online banking and found there was no suspicious or unauthorised activity.


2 At least in objective terms, the information was simply routine: the Claimant's name, address[2] and postcode, her account reference number, account balance and details of recent rent transactions.


3 The Claimant's personal version about the significance of this information is set out in a witness statement dated 16 November 2020, and so as prepared very shortly after the event and still four months before the issue of the Claim Form.


As a Witness Statement ordinarily features, the Claimant provides her personal address (which is in Essex) in the opening paragraph. She acknowledges that the data breach admitted by the Defendant was caused by human error but refers to having moved to her current home in around 2017, as let to her by the Defendant, to escape an abusive relationship "and, as such, had avoided making my new address "public" for fear of further contact with my former partner". Therefore, upon learning that her address had been given to an unknown third party "I was immediately concerned that the information would somehow become known to my former partner. I was aware that the chances of my former partner receiving the information, either first hand or otherwise, were extremely low, however the thought of such an occurrence left me stressed, worried and very anxious". The Claimant reiterates the comparatively low risk of her ex-partner learning of her address by reason of the Defendant's disclosure at Para 41: "I was aware that the chance of such an occurrence was extremely low". However, she maintains that this possibility, combined with the general feature of the disclosure, has played upon her pre-existing depression and anxiety. 

4 The statement develops and illustrates this latter assertion but, critically, no personal injury claim was presented at issue and none was suggested at the hearing as might still be contemplated.


5 As stated, the remoteness of the Claimant's ex-partner locating her as a result of the disclosure is appropriately and realistically acknowledged by the Claimant.


What is not acknowledged by her (and remains so through to the date of the Defendant's Application, despite the point being pleaded in the Defence dated 21 April 2021) is the objective and entirely realistic possibility that the ex-partner had been for the three years prior to the Defendant's disclosure (and indeed has remained since) far more likely and able to locate her whereabouts simply utilising publicly available channels. The Defendant's properties are only in Essex and Suffolk and so, had the ex-partner wished to, a simple search on the BT Phone Book website or 192.com for those locations would have led to her. The Claimant had not elected for her details to be made "ex-directory", a free and well publicised service offered by BT.

6 Similarly, despite the asserted aggravation of an existing sensitivity, the Claimant has taken no steps at all to apply to withhold her personal address from the very claim she brings. Her full address, for example, appears on the Claim Form and her original witness statement that has been disclosed, not a redacted or amended version. Accordingly, as the Defendant submits, the Claim Form and Particulars of Claim are currently accessible to the public under CPR 5.4C. As this claim continues, there can be no reasonable expectation of privacy in relation to matters proceeding in open court: Khuja v Times Newspapers Limited [2017] UKSC 49 and HMRC v Banerjee [2009] EMLR 24.


7 The Claimant's election to issue her claim in a publicly identifiable form far eclipses, in my judgment, somewhat after the event academic submissions on behalf of the Claimant that (i) the probability of her former partner identifying her through of the Court File is lower, not least because inspection of the Court File incurs a fee[3] (ii) there had been no publicity of such information in open court by way of trial process. The point there being that the attended hearing of the Defendant's Application on 14 October 2021 was nonetheless a public hearing and published in advance as such on the Court List.


8 That election also seems not simply to run contrary but, in my view, to negate any argument that her subjective response to the Defendant's disclosure still continues. Her account, to reiterate, is to be found in a statement prepared very shortly after the event. The notion that it remained a significant state of mind even shortly before issue may be debatable but surely can have no application as from issue. Even if this is too chronologically strict a view, the continuing disclosure and steps taken by her publicly to bring her claim will by now have diminished to extinction her asserted state of mind in response to the disclosure. This claim therefore concerns not only a very short period of disclosure with the only evidence of consequence being solely to the Claimant and both subjective and finite in time.


9 I agree with the Defendant's submission that the Claimant's distress seems more in the realms of the unknown or the hypothetical than in reality. I also treat it as historic rather than current.




Injunction and other relief?



On these facts, I struggle to understand how the Claimant can maintain this is a case where relief other than damages could realistically be under consideration. The claim for an injunction seems misconceived. An injunction is a discretionary remedy granted usually only where it is demonstrated a defendant threatens to commission further torts: Monir v Wood [2018] EWHC 3525 (QB) at [237]. There is no evidential basis put forward to maintain that this was anything other than a one-off error. There cannot realistically be suggested to exist an ongoing threat to the Claimant's  personal data, such as to justify an injunction. 

The prospect of an award of an injunction seems non-existent. I am quite satisfied the pleading of a claim for an injunction is merely an attempt to add credibility to the claim and to convey a greater impression of its importance. 

As does, for the same reasons, the claim for a declaration. I recognise no such need. 

I am satisfied that the claim has to be treated as only a claim for damages of, at best, modest damages. I am satisfied this should have been recognised and reflected at issue. 

Observation also has to be made to the pleading of technical but seemingly non progressive statutory breaches as part of the claim. 



Article 82 of the GDPR which provides:



Article 82	

Right to compensation and liability

1.   Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Nonetheless, the Particulars of Claim goes on to rely upon s.169 Data Protection Act 2018 ("DPA 2018"). This section relates to infringement of data protection legislation other than GDPR. However, it is not clear exactly what additional infringement is relied upon by the Claimant and to what effect. In any event, this provision of the DPA is equivalent to the GDPR, save that it says "damage" rather than "material or non-material damage". On the facts of this case, I am therefore not sure what such additional pleading adds unless, the intention is (again) to convey an impression that the claim is more complex than it need be.

The proportionality and relevance of pleading matters that add little if anything is plainly relevant to consideration of this Application. 





The Defendant's Application : as issued and as subsequently mollified



To analyse further, the Defendant's Application is for (a) summary judgment on the whole claim under the de minimis principle; (b) strike out of the whole claim under CPR 3.4(2)(b) under the Jameel jurisdiction; and (c) strike out of the claim in negligence under CPR 3.4(2)(a). 

The Defendant relies upon what it describes as a threshold of seriousness, below which any claim cannot be expected to succeed. The Defendant maintains that irrespective of which cause of action is drawn upon by the Claimant, that threshold is not satisfied. This is, to the contrary, precisely the type of trivial data protection breach claim as acknowledged by Sir Geoffrey Vos at [55] in Lloyd v Google [2020] QB 747: 



"I understood it to be common ground that the threshold of seriousness applied to section 13 as much as to MPI [misuse of private information]. That threshold would undoubtedly exclude, for example, a claim for damages for an accidental one-off data breach that was quickly remedied".

So too in the context of misuse of private information and breach of confidence. See Baroness Hale at [157] in Campbell v MGN [2004] 2 AC 457: 

"Not every statement about a person's health will carry the badge of confidentiality or risk doing harm to that person's physical or moral integrity. The privacy interest in the fact that a public figure has a cold or a broken leg is unlikely to be strong enough to justify restricting the press's freedom to report it. What harm could it possibly do?"

Similarly, in Ambrosiadou v Coward [2011] EWCA Civ 409 Lord Neuberger MR said at [30]:

"Just because information relates to a person's family and private life, it will not automatically be protected by the courts: for instance, the information may be of slight significance, generally expressed, or anodyne in nature. While respect for family and private life is of fundamental importance, it seems to me that the courts should, in the absence of special facts, generally expect people to adopt a reasonably robust and realistic approach to living in the 21st century".

The Claimant's position on the Application, briefly summarised, is to endorse that the disclosure and hence obligations under the GDPR is admitted, such that the Clamant is bound to be awarded at least some damages. When pressed by me during the hearing to provide at least an approximation, Mr Metcalfe was reticent to indicate anything other than that he considered the £3,000 threshold certified to be realistic.





The Claimant says that her personal concerns expressed in consequence to the disclosure are real and not de minimis. The Claimant submits that she cannot be described as having "no reasonable grounds" for bringing her claim under CPR 3.4(2)(a). This is not a case as is plainly and obviously bound to fail. Further, it has at least "realistic" as opposed to a "fanciful" prospect of success, given the breach, and so is more than merely arguable. 



Having regard to the various data obligations on the Defendant [and Mr Metcalfe sought to apply broadly the same general principle to each], the Claimant says the court ought to find itself unable at this early stage in the proceedings to ascertain what damages might be awarded within the £3,000 cap adopted by the Claimant on issue. 



The Claimant submits that because the Defendant describes the disclosure as a one-off transient human error, the Defendant has offered no details to support the implied proposition the description brings that appropriate security had otherwise existed and applied to the Claimant's personal data. As such, there remains for consideration at trial the likelihood that the Claimant's personal data was read by the Third Party, disseminated further by the Third Party and whether any of the Claimant's personal data was already in, or has since been put in, the public domain by the Defendant. 



Mr Metcalfe confirmed during the hearing his case that the nature of the legislation underlying her claim entitled the Claimant to require the Defendant to set out and justify its data protection measures irrespective of whether actual loss to the Claimant could be proven or indeed could ever have existed even if hypothetically. The pursuit of what might to some seem like the Claimant taking on the greater role of statutory enforcer rather pursuing a modest personal claim for damages was according to Mr Metcalfe (and however one might choose otherwise to describe it) the effect of that legislation. Further, as was canvassed at the hearing, consequentially entitled her solicitors to treat and present that claim as one where costs could be awarded if successful.  



So, it follows the Claimant submits, there can be no concept of mere "technical breach" as can justify the Application. 



The Claimant submits that the threshold point relied upon by the Defendant is, correctly interpreted and applied, not a ground for strike-out under CPR 3.4(2)(b) but instead for transfer to the County Court. On this point, however, I note that whilst the Claimant's solicitors had indeed offered[4] to agree to transfer the case to the County Court, they have continued to maintain (a) that the claim had appropriately been issued in the High Court; and (b) the claim was not appropriate for the Small Claims Track in the County Court. 



This last point is significant. The Claimant's position as to the appropriate venue for the claim is qualified. Her solicitors have made quite clear they reserve argument as to allocation even if this transpires to be in the county court. As such, the offer of transfer is, I find, something less than as transparent as it might at first seem. Plainly, the Claimant still maintains that the case is worth of a higher Track than one might instinctively expect on hearing that damages were limited to £3,000. This stance, I am satisfied, there remains relevant and live to the Defendant's justification of its Application. 



The Defendant had not brought the strike out element of the application under 3.4(2)(a) other than for the negligence claim. The Defence very clearly denies the Claimant's proposition of there being a common law duty of care in relation to personal data. Para 12 in the Defence refers to the authority of Smeaton v Equifax [2013] EWCA Civ 108. Whilst the pleading of case law is not usually conventional in Statements of Case, given this authority pre-dates the issue of this claim by some years, I can follow why it is referred to in order not simply to endorse the point but to invite early reconsideration by the Claimant. 



Either way, the Claimant had chosen not to reconsider the negligence point until a point during the first 30 minutes of the hearing on 14 October 2021. Following my observations  at the commencement of the hearing to Mr Metcalfe that his skeleton argument seemed entirely to side step the Defendant's denial of the existence of a claim in negligence, and as further supported by way of the recent decision of Saini J in Warren v DSG Retail Limited [2021] EWHC 2168 QB)[5], ten minutes later Mr Metcalfe formally withdrew on behalf of the Claimant her claim based in negligence.  



Whilst submissions on this point therefore need no longer be determined, and the withdrawal may not have been entirely without anticipation of the Defendant[6], the considerable lateness of this decision [despite clear prior opportunity] does rather strike me as either the unreasonable maintenance of opportunism or simply the unreasonable maintenance of a claim without further consideration or reflection. In either case, this is not good litigation practice and has led to avoidable costs and time being incurred by the Defendant. 



The Defendant therefore has succeeded on its Application at least on this aspect alone. 



	In consequence to the withdrawal, the remainder of the Application essentially became focused upon: 



(a)	The applicability of the de minimis and Jameel principles to the GDPR;

(b)	The effect (if any) of the remaining claims – Article 5(1)(f) GDPR (the data security principle), the Article 8 claim and the breach of confidence claim – on damages beyond those that would be recoverable under 5(1)(a) and (b) of the GDPR.



 Jameel and de minimis 



	The Claimant's position in response is, in summary, that: 

(a) Jameel applies only to non-statutory torts; and 

(b) Neither the de minimis principle nor the Jameel jurisdiction apply under the GDPR[7].



Jameel was a defamation case and had to focus upon the extent to which some damage might be presumed in such claims. However, it drew upon general principles of the Overriding Objective and the Human Rights Act in recognising that any tangible or legitimate advantage to a litigant could be minimal and so entirely disproportionate to the greater disadvantages in terms of expense and the wider public in terms of court resources could be such that "the game is not worth the candle". [Or even "the wick", as per Lord Phillips MR at Para 69]. Such claim is accordingly abusive. 





	The principles of, and leading from Jameel, were helpfully summarised by Nicklin J in Higinbotham v Teekhungam & Anor [2018] EWHC 1880 (QB) at Para 44:





"i) 	The Court has jurisdiction to stay or strike out a claim where no real or 

substantial wrong has been committed and litigating the claim will yield no tangible or legitimate benefit to the claimant proportionate to the likely costs and use of court procedures: in other words, "the game is not worth the candle": Jameel [69]-[70] per Lord Phillips MR and Schellenberg -v- BBC [2000] EMLR 296, 319 per Eady J. The jurisdiction is useful where a claim "is obviously pointless or wasteful": Vidal-Hall -v- Google Inc [2016] QB 1003 [136] per Lord Dyson MR;



ii) 	Nevertheless, striking out is a draconian power and it should only be used in exceptional cases: Stelios Haji-Ioannou -v- Dixon [2009] EWHC 178 (QB) [30] per Sharp J;



iii) 	It is not appropriate to carry out a detailed assessment of the merits of the claim. Unless obvious that it has very little prospect of success, the claim should be taken at face value: Ansari -v- Knowles [2014] EWCA Civ 1448 [17] per Moore-Bick LJ and [27] per Vos LJ;



iv) 	The Court should only conclude that continued litigation of the claim would be disproportionate to what could legitimately be achieved where it is impossible "to fashion any procedure by which that claim can be adjudicated in a proportionate way": Ames –v- Spamhaus Project Ltd [2015] 1 WLR 3409 [33]-[36] per Warby J citing Sullivan –v- Bristol Film Studios Ltd [2012] EMLR 27 [29]-[32] per Lewison LJ".



Does Jameel apply only to non-statutory torts?





Authority is against any submission from the Claimant to this effect. It has been addressed by the Court of Appeal in Vidal-Hall v Google [2016] QB 1003 and more recently by Nicklin J Higinbotham in at [45]: 



"the Claimant contends that the Master was wrong to extend the Jameel abuse jurisdiction to Data Protection Act claims. No authority has been cited for that proposition and I am satisfied that it is not correct".



Nicklin J specifically referred to Vidal-Hall v Google at [134]-[136] where it was accepted that the Jameel jurisdiction could apply, though the Court of Appeal found it should not apply on the facts of that case (where there was commercial misuse of data).

Can the de minimis principle or Jameel apply at least in principle to the GDPR claim?





a.	The Claimant submits that the GDPR has direct effect and so supersedes  inconsistent provisions in the common law and other statutes. Hence Lloyd v Google can be distinguished as concerning claims under the Data Protection Act 1998 (as implemented under the Data Protection Directive) and when GDPR was not in force. Reference is made to observations in TLT v Home Office [2016] EWHC 2217 (QB) that the de minimis principle in data protection claims had been under the former regime.



b.	I am not persuaded, however, that either the de minimis or Jameel principles have been displaced.  



c.	Section 13 of the Data Protection Act 1998 sought to implement Article 23 of the (old) Data Protection Directive (95/46/EC) which provided:

"Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered."

d. 	The following underlined sections of section 13 were found in Vidal-Hall v Google to conflict with EU law: 

(1)	An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)	An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)	the individual also suffers damage by reason of the contravention, or

(b)	the contravention relates to the processing of personal data for the special purposes.

	Nonetheless, whilst Vidal-Hall v Google held that "damage" under Article 23 of the Directive ought to have been given a broad interpretation to include non-pecuniary damage, at Para 136 the Court of Appeal acknowledged (although declined to apply it on the facts of that case) "the Jameel jurisdiction [which] is a valuable one where a claim is obviously pointless or wasteful". The principle as applicable to the 1998 Act was, as above, confirmed by Sir Geoffrey Vos in Lloyd v Google. 

e. 	Nothing strikes me as distinct in the wording of Article 82(1) of the GDPR as negates continued application (if appropriate) of Jameel or de minimis principles to a damages claim brought under it. 

Article 82(1) reads: 

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Just as the Data Protection Directive and 1998 Act themselves had made no provision for a de minimis threshold and the courts (as above) have nevertheless found one applies, I am unpersuaded anything arises by which the same principles should apply to the GDPR. I see no practical distinction. Both claims under the 1998 Act and GDPR acknowledge the supremacy of EU law but operate through the prism of the law of this jurisdiction. 

f. 	This conclusion is entirely consistent with the application of the Regulation in other jurisdictions, as helpfully illustrated by Mr Hamer. In Germany (where the GDPR is directly effective) it has been found that Article 82 does have a de minimis threshold, and that the provision should be interpreted such that damages do not arise unless it reaches a threshold of seriousness (Dresden Higher Regional Court, 11 June 2019, Case no. 2-7 O 100/20). The Higher Regional Court here (the equivalent of the Court of Appeal in this jurisdiction) held that Art. 82 should not be construed in such a way that it justifies a claim for damages for every individually perceived inconvenience or for minor breaches without serious detriment.

	German law acknowledges that a claim can fall under the "Bagatellshaden", a 'bagatelle claim', equivalent to the concept of de minimis in this jurisdiction.

	It is the prerogative of the individual state in question to apply the principles of the Regulation subject to its own legal principles. Recital 146 of the GDPR provides: "The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. […] Data subjects should receive full and effective compensation for the damage they have suffered".

g. 	As Mr Hamer submits, there is no tension or discrepancy in this approach. It is consistent with the broad and inherent power of the court to control its own proceedings in the interests of the administration of justice. 

h. 	Neither can it be argued that the principle of proportionality is one that only exists here within the common law. It is one of the general principles of EU law: see, for example Conserve Italia v Commission (Case T-306/00) EU:T:2003:339 at [127] and Article 5 of the Treaty on European Union.



	Do the other causes of action relied upon by the Claimant add anything?



	Despite an initial impression of sophistry, the Particulars of Claim ultimately comprises a number of overlapping and often inadequately pleaded causes of action. 

The primary focus of the revised Application engages the issues summarised at Para 17 above because, as I am satisfied, this case essentially concerns quantum of damages and in the procedural context elected by the Claimant. As was accepted by Mr Metcalfe and evident from the authority of TLT v Home Office, the test for damages on facts such as these is considered in the round, drawing upon all causes of action as relied upon. There is no separate or sequential process of assessment. Assuming, that is, the Jameel or de minimis threshold or gateway is satisfied. 

On this basis:

(i)	The Claimant's submission that the likely value of damages cannot be predicted at this stage because there necessarily first should be consideration of the Defendant's organisational and internal procedures for the extent of the breach to be appreciated seems ambitiously to inflate any realistic value the claim has. As I put to Mr Metcalfe in the hearing, such matters would not only be unknown to the Claimant but more particularly could never increase or aggravate her subjective distress or perception of loss. I am bound to comment that the suggestion of this being still a necessary and proportionate line of enquiry, despite the breach being admitted, seems more to justify the Claimant's position that even if her case is not suitable for retention in the High Court, it should continue upon transfer to the County Court and be allocated there;



(ii)	Nothing independently by way of entitlement seems to derive from reliance upon Article 8;



(iii)	The reference to misuse of private information appears only in the alternative to the Article 8 claim, which I take as a concession that it entirely overlaps with it. Therefore, nothing independent arises from it;



(iv)	Save for appearing as a reference in the Prayer, there is no identifiable expressly pleaded claim drawing upon "breach of confidence" as if an independent cause of action. Properly treating this as a potential cause of action and not a relief, I therefore entirely disregard it as insufficiently particularised. Further, even if that is too stringent an approach for being a pleading point, taking the claim as a whole, the breach of confidence claim and the claim in privacy fail to satisfy me they add anything useful and independent to the claim arising from the admitted breach of the GDPR. 



(v)	As such, I agree with the Defendant's submission that claims collateral to the GDPR claim are likely to obstruct the just disposal of these proceedings and take up disproportionate and unreasonable court time and costs. They are struck out under CPR 3.4(2)(b). By the same reasoning, they should be excluded under CPR 3.1(2)(k) and/or (m).



Discussion and conclusion 



.1	I see no basis for this claim having been issued in the High Court. 



Under "Where to start proceedings", CPR PD7A Para 2.1 is explicit: 

"Proceedings (whether for damages or for a specified sum) may not be started in the High Court unless the value of the claim is more than £100,000".

Plainly, the value certified by the Claimant for her claim comes nowhere near this requirement. 

Neither, however, in my judgment does the subject matter of the claim elevate it to High Court status. By CPR 53.1(2), a "media and communications claim" is a claim that satisfies the requirements of paragraph (3) or (4) [sub-para (4) having no relevance here]. Sub-paragraph 3 does indeed include claims for misuse of private information or in data protection law. However, and significantly, the opening of paragraph 3 is clear this is only if the cited causes of action constitute "A High Court claim". As distinct from claims in defamation, jurisdiction of which is excluded from the County Court by section 15 of the County Courts Act 1984, the Claimant's causes of action therefore did not have to be brought in the High Court and so was not a High Court Claim.

.2	I can readily follow why the Claimant's decision nonetheless to issue in the High Court, claiming other relief in addition to damages and presenting a Precedent H indicating proposed costs in excess of £50,000 prompted the Defendant to challenge what this case is really all about, whether it has any value at all and, even if so, why the Claimant has issued and seeks to proceed procedurally in the way she has. 



	Here I repeat that the Claimant's offer to accept a transfer to the County Court is hardly complete and unequivocal. Further, by maintaining her claim in negligence until just into the first half hour of the Application, neither has the Claimant shown any appropriate  realism about the true scope of her claim.  

3	At least in the context of a purported High Court claim, I therefore can follow why the Defendant argues that it has no real value and so is abusive. No serious privately paying litigant would contemplate spending over £50,000 in costs, not all of which may prove recoverable even in the event of success, and similarly expose themselves to the risk of a significant adverse costs order following High Court litigation if unsuccessful, for a damages claim less than £3,000. The presentation and processing of this case to-date in this forum has, I am satisfied, constituted a form of procedural abuse. 



4	By a very narrow margin, however, I am satisfied that the real point in this case is whether the Claimant's entitlement is to purely nominal or instead extremely low damages. It is never going to be much more, a point that surely was [or ought to have been] obvious to the Claimant and her advisors from the outset. 



Nonetheless, mindful that the court should strive to provide a remedy to any litigant if it can ["to fashion any procedure by which that claim can be adjudicated in a proportionate way"], the claim ought not to be entirely struck out but instead redirected to the more appropriate forum, the County Court. As distinct from defamation, where the game may not be worth the candle because there is only one permitted venue for the match, this very modest claim can and should proceed but be concluded elsewhere. 

5	Everything about this case has all of the hallmarks of a Small Claim Track claim that should have been issued in the County Court and so allocated. The suggestion that this is a developing area of law or where, even if principle is established, requires elaborate and complex legal argument is unrealistic if not, at least arguably, opportunistic. 



Countless examples could be found daily in virtually every County Court in this jurisdiction where limited time and resources and the requirements of the overriding objective combine to oblige the pragmatic and proportionate application of legal principle. The lure of adopting a more elaborate and expensive approach just because the subject matter can so permit is simply unacceptable. Put bluntly, the garment must be cut according to the cloth. So, accordingly, is potentially complex law applied proportionately in lower value claims in a way compatible to the limited resources those cases justify. 

The only reason why the claim has been subject to detailed legal argument is because the Defendant is appropriately concerned to defend resolutely a claim brought in the High Court where the future costs and time to be incurred by a social housing client would always be grossly in excess of the matter in dispute and with little clear prospect of recovery even if successful. Clearly, the Defendant in raising such challenge also has to act proportionately. However, the Claimant can hardly complain if the Defendant's response has been contextually proportionate to the very venue chosen by the Claimant in which to litigate. 

6	 Directions are therefore required for Allocation and transfer of this case. I indicated during argument that if the case were to proceed, I would allocate the claim myself before, as seemed inevitable, transferring it to the County Court. If the Claimant wishes to address the court further as to Allocation other than the Small Claims Track then she may. 



7	As matters stand presently, however, the only obvious decision outstanding is the principle and summary assessment of costs. I would hope in the light of my conclusions that both can be agreed. If not, I ask the Defendant (as Applicant) to inform my clerk of preferred dates and time estimate(s) for the concluding hearing preferably within 14 days from handing down of this judgment.



?