Compensation or Compliance? The Courts’ Take on GDPR Breaches

  • Jake K Newell
  • Oct 8
  • 8 min read

In an increasingly digital world, reducing the chance of data leaks is crucial. As technology is freely available and touches the lives of everyone in society in some manner, anyone can be at risk of being the victim of a data breach. Likewise, this issue can have an impact on countless industries. Since the General Data Protection Regulation ('GDPR') and the Data Protection Act 2018 ('the 2018 Act') came into force, courts across the jurisdiction have increasingly been called upon to clarify how such legislation operates in practice, and what the scope for claims under it is. The 2018 Act repealed and therefore replaced the previous legislation, the Data Protection Act 1998 ('the 1998 Act'). Whilst there are a number of means of bringing a claim under this legislative framework, this article focuses on civil claims for damages owing to distress.


It should be noted that, whilst news headlines often focus on multi-million pound fines against large organisations, the reality is completely different: individuals and businesses alike are turning to the courts to test the boundaries of privacy rights, damages, and compliance. This post examines the legislative framework surrounding data breaches, along with the key cases which have started to shape the legal landscape.


The Law


There are two statutes which are of relevance: the GDPR and the 2018 Act. The relevant provisions are briefly explained below.


Article 82 of the GDPR activates the right through EU law. The provision states that:


  1. "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

  2. "Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller."


Section 167 of the 2018 Act covers "compliance orders". This section gives the Court the power to order someone to do (or not do) something in order to comply with data protection law. The Court has to be satisfied that there has been a breach of data protection law before such an order can be made, however.


Section 168 of the 2018 Act relates specifically to breaches of the GDPR, and incorporates this into domestic law. The section provides:


  1. "In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress."


Section 169 of the 2018 Act applies to all other data protection legislation. It provides the following:


  1. "A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).

  2. Under subsection (1):

    1. A controller involved in processing of personal data is liable for any damage caused by the processing; and

    2. A processor involved in processing of personal data is liable for damage caused by the processing only if the processor:

      1. Has not complied with an obligation under the data protection legislation specifically directed at processors, or

      2. Has acted outside, or contrary to, the controller's lawful instructions.

  3. A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage."


Cases


There is ever-growing jurisprudence in this field. The Supreme Court decision of Lloyd v Google [2021] UKSC 50, which related to the 1998 Act, demonstrates that a claimant must evidence that they have suffered material or non-material damage as a result of the contravention. Further, any claimant alleging non-material damage must surmount a minimum threshold of seriousness (‘the de minimis rule’). The relevant paragraphs of that decision are [115] - [118], [144] and [153].


The following decisions are also notable:


  • Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB). In Rolfe, summary judgment was awarded to the Defendants, with a costs order on the indemnity basis being made. The case relates to a single email with attachments sent by the defendants on 17 July 2019. The defendants at the time represented a school run by Moon Hall Schools Educational Trust where the claimants owed a sum of school fees. The school had instructed the defendants to write to the first two claimants with a demand for payment. An email was sent to the child's parents but due to one letter difference in the email address of the mother, the letter went to a person with an identical surname and the same first initial. That person responded promptly indicating they thought that the email was not intended for them. The defendants replied promptly asking the (incorrect) recipient to delete the message. The recipient confirmed she had done so. This decision confirms that a claimant needs to satisfy the de minimis rule in order to be successful. The case concerned what the Court deemed “minimally significant” information which had been disclosed. The circumstances of the breach were also relevant: a rapid request that the recipient delete the data, and no evidence of onwards transmission or misuse. The Court held at [12] that it was an inherently implausible suggestion that the minimal breach caused significant distress and worry or even made the claimants feel "ill". The Court further held that in the 21st century “no person of ordinary fortitude” could suffer the distress claimed in circumstances where a single data breach was quickly remedied, and that it was not appropriate for similar “trivial” claims to be brought, “especially in the High Court”. This decision was made prior to Lloyd v Google (and was stayed whilst the Supreme Court made that determination) but has not been challenged.


  • Driver v Crown Prosecution Service [2022] EWHC 2500 (KB). Driver concerned an email sent by the CPS to a member of the public which indicated that a charging decision was to be made in respect of a suspect in a criminal investigation and which indirectly enabled the suspect to be identified. The claim was brought under the Data Protection Act 2018, and the award made was £250. The Court took the view that the suspect's identity was already in the public domain as a result of press coverage, and the email did not amount to a misuse of his private information. This case also confirms that judges will not always take the Claimant’s own evidence on distress at face value without challenge.


  • Warren v DSG Retail Ltd [2021] EWHC 2168 (QB). The facts of Warren are slightly different. The claim was brought following a complex cyber-attack on DSG's systems. The attackers infiltrated DSG's systems and installed malware which was running on 5,930 point of sale terminals at the stores. During this cyber-attack, the attackers accessed the personal data of many of DSG's customers. Mr Warren was one such customer affected by the cyber-attack, and sought to bring a claim for distress under breach of confidence ("BoC"), misuse of private information ("MPI"), breach of the 1998 Act, and common law negligence. The High Court dismissed all but the 1998 Act claim, and found that a retailer who held customers' personal data did not disclose or misuse the personal data when its security was breached and a third-party hacker accessed the data.


  • Stadler v Currys Group [2022] EWHC 160 (QB). The High Court found that where a retailer had resold a customer's smart television without performing a factory reset or data wipe, and subsequently a third party had used the customer's saved bank details on one of the television's apps to purchase a movie, there was no proper basis for claims of misuse of private information, breach of confidence or negligence. Consequently, the claim was struck out.


  • Most recently, the Court of Appeal in the case of Farley & Others v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117 provided further clarification. The Court of Appeal found that it was wrong to strike out data protection claims because individuals could not show that their data had come to anyone's attention. Therefore, proof of disclosure of personal information to another person was not necessary for a claim under the GDPR; a claimant could potentially recover compensation for fear of the consequences of an infringement if the alleged fear was objectively well-founded (but not if the fear was purely hypothetical or speculative).



Analysis and Implications


  • A breach of data protection legislation can happen in almost any industry, which means that claimants and defendants alike can be from a variety of different sectors.


  • Lloyd was decided under the old legislation; however, under the 1998 Act, damages for non-trivial breaches were not recoverable unless there was proof of damage or distress. That position appears to apply equally to claims under Article 82 of the GDPR.


  • Under Lloyd, a claimant must persuade the Court and show proof that the distress is above the necessary de minimis (or minimum) threshold. This is supported by the case of Rolfe. Evidence of distress, possibly even through an expert, will be crucial in establishing this point.


  • Driver highlights that claimants who look to bring claims for relatively trivial data incidents can expect to receive only minimal damages. It is a useful case in that it can demonstrate an appropriate figure as a starting point: £250. This should help reduce the likelihood of exaggerated claims; it is often the case that an award for thousands of pounds is sought by optimistic claimants at the earlier stages of litigation. The deployment of Part 36 offers at an early stage may also make defending such claims easier.


  • Rolfe is indicative of a lack of appetite to encourage data breach claims which do not pass the necessary threshold of seriousness. Rolfe also demonstrates that indemnity costs orders can be made against an unsuccessful claimant, even at the more formative stages of litigation (this was an application for summary judgment, so there had not been a full trial and hearing of evidence). This will need to be considered as part of the risk of litigating such points.


  • Usually, where there is a cyber-attack, a company will not be liable: Warren seems to suggest that each of the causes of action pleaded required some positive wrongful action to be taken, such as the deliberate disclosure of personal data. In Warren, however, there was no positive wrongful action: the defendant had been a victim of a cyber-attack, had not deliberately created the data breach, and there was no evidence to suggest as much.


  • The principle enunciated in Jameel could also apply to statutory torts, including the GDPR.


Please note that our posts are not intended to be legal advice and should not be construed as such; they are merely discussions, and therefore readers are encouraged to seek professional legal advice for their own matters.