Data Breach Group Claims in Scotland – would the Scottish courts “return to sender”?

As cyber crime and incidents involving compromise of personal data become increasingly common, claims against data controllers are also on the rise.

We are yet to see group (or ‘mass’) claims for data breaches in the Scottish Courts, although we have written in previous blogs about this being a likely risk area for our clients.

In the last couple of years there have been a number of significant decisions from the English courts limiting the types of claims that can be brought as a result of cyber attacks or other data breaches, and casting doubt on whether these claims are really economically viable for claimants and litigation funders (Lloyd v Google; Warren v DSG; Rolfe v Veale Wasbrough Vizards etc). The latest in the series is a decision recently handed down by the High Court in a case concerning misdirected mail - Farley & Ors v Paymaster (1836) Ltd (Trading As Equiniti) (2024) EWHC 383 (KB).

The Equiniti judgment

Equiniti had sent the pension statement of a number of police officers to their old addresses. The letters were marked private and confidential. Some 446 police officers went on to sue Equiniti for distress damages for misuse of private information and breach of the GDPR. Only 14 of the 446 claimants asserted that the letters had been opened by third parties at their old addresses.

The court ruled that only those 14 claims could move forward. The court held that for the remaining claimants, there was no proof there had been a compromise of private information or personal data.

The judge indicated that even the 14 surviving claims, “would appear to be very far from being serious cases” and noted that at least some of these claims may ultimately prove to be trivial in nature and, therefore, be dismissed. In particular, the judge commented, that in some of the 14 surviving claims, there was no evidence that the letters had been read by the unintended recipient, and in some cases the letters had only been read by a family member.

What does this mean for Scotland?

The UK GDPR is a nation-wide regime and so, in the absence of a significant body of case law, authorities from south of the border are likely to be persuasive in the Scottish courts.

The Equiniti judgment is a reminder of a few important issues which we may see emerging in Scotland:

• Loss of control – the claimants in Equiniti did not dispute the principle (established by the Supreme Court in Lloyd v Google) that “loss of control” of personal data does not, in and of itself, give rise to a right to compensation - evidence of material damage or distress as a result of the loss of control of personal data is required.
• The seriousness threshold – ultimately, the judge in Equiniti didn’t reach a final decision on whether the UK GDPR imposes a “seriousness threshold” for material damage or distress as a result of a loss of control of personal data or, if so, whether that had been overcome in these claims. However, he expressed considerable scepticism over the seriousness of the remaining claims.
• Information required in respect of each claim – a feature of the English GLO procedure that is not expressly embedded in the Scottish Group Procedure is the provision of “Schedules of Information” for each individual claimant. This allows scrutiny of each claim – and in the case of Equiniti provided a basis for the court to strike out c.97% of the claims. In Scotland, the level of information required to be provided at an early stage is likely to continue to be a live issue.
• Suitability of collective proceedings – the judge commented that, if (or when) liability was admitted, the 14 remaining claims should be remitted to the Small Claims courts to decide on the amount of damages that should be awarded. One can see why determination of quantum in the context of individual low value claims should not remain in the High Court – which is an expensive forum, intended to deal only with higher value disputes. There is perhaps a wider question of whether a collective procedure in the English High Court or Court of Session in Scotland is ever the appropriate way to deal with low value individual data breach claims. There is some authority from the English High Court to support a different approach (Beck & Ors v Police Federation); however, in Scotland, the suitability of alternative case management models for these types of claims has yet to be debated.

Whilst there are clear similarities between the Scottish and English collective action procedures, there are also important differences. As such, had these claims been brought against Equiniti in Scotland, it is difficult to say whether the Scottish court would have the information available (or inclination) to dismiss so many of the claims at such an early stage. The Scottish Group Procedure is still in its infancy and there is a wide measure of judicial discretion on a case-by-case basis.

If your business has suffered a cyber attack or data breach incident, Burness Paull’s leading cyber security, data protection and group litigation experts are on hand to work with you in managing the incident and any follow-on claims which may arise. Please get in touch to discuss.