The recent case of Rolfe and others v Veale Wasbrough Vizards LLP has provided much-needed clarity around the threshold of the de minimis principle in data protection law.
The data breach
This case concerned an email sent by the Defendant law firm to a third party as a result of human error. The contents of the email consisted of a letter to the Claimant requesting payment of fees and a statement of account. The recipient quickly responded stating that they thought the email was not intended for them, and confirmed its deletion the next day.
The Claimant sought damages for breach of confidence, negligence, misuse of confidential information and damages under s.82 of the UK GDPR and s.169 of the Data Protection Act 2018. In response, the Defendant applied for summary judgment on the grounds that any damage caused was too trivial and of insignificant importance to be above the de minimis threshold. Whilst there had been a breach, the information contained in the email was not substantial enough to cause significant distress.
In the summary judgment, Master McCloud stressed “it is not appropriate for a party to claim (especially in the High Court) for breaches of this sort which are, frankly, trivial.” The nature of the information shared, alongside the rapid response by the Defendant, meant there is “no credible case that distress or damage over a de minimis threshold will be proved.” Furthermore, it was noted “no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century.”
The judgment is a very welcome one regarding trivial compensation claims and minor data breaches, as such claims are becoming commonplace. The judiciary has made it clear that damages will not automatically be awarded where no significant distress has been caused, and this is something we can now rely on when refuting minor data breach claims.