By Matthew Pascall, Senior Underwriting Manager
(Estimated reading time: 3 minutes 53 seconds)
A recent and widely reported case has emphasised the need for practitioners to think carefully before bringing misuse of private information and breach of confidence claims alongside claims under the Data Protection Act.
In Warren v DSG Retail Limited  EWHC 2168 (QB) Mr Warren sued DSG for damages limited to £5,000 – caused, he alleged, by DSG’s misuse of his private information and
breach of confidence as well as DSG’s negligence and failure to comply with the Data Protection Act 1998 (“DPA”).
DSG had been the victim of a cyber-attack during which the “attackers” had obtained access to the personal details of thousands of DSG customers. In Mr Warren’s case, his name, address, email address, date of birth and phone number had been obtained. The Information Commissioner imposed a penalty of £500,000 on DSG after she had determined that DSG had not complied with the DPA.
DSG applied to strike-out all Mr Warren’s common-law claims under CPR 24 and CPR 3.4. Mr Warren withdrew his breach of confidence claim but argued that the other common law claims should proceed to trial. Saini J disagreed and struck-out the common law claims. The central point concerned the tort of the misuse of private information and breach of confidence and their applicability in a situation where the Defendant may have failed to act to protect private information rather than taken a positive step to misuse that information and break a duty of confidence. Saini J characterized the position as follows: –
“22. …, the Claimant’s claim is that the DSG failed in alleged duties to provide sufficient security for the Claimant’s data. That is in essence the articulation of some form of data security duty. In my judgment, neither BoC [Breach of Confidence] nor MPI [Misuse of Private Information] impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of MPI on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.”
“27. I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action. In the language of Article 8 ECHR (the basis for the MPI tort), there must be an ‘interference’ by the defendant, which falls to be justified. I have not overlooked the Claimant’s argument that the conduct of DSG was “tantamount to publication”. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.”
The Temple Perspective
From a litigation insurers point of view, the case acts as a reminder that care needs to be taken by us when considering cases such as these. As has been pointed out in many of the reports about this case, the advantage to a litigant in bringing a misuse of information or breach of confidence claim is that he can obtain litigation/ATE insurance and if his claim is successful, the premium is recoverable.
The key questions that now arises is: Does the claim presented to us really include a claim for the misuse of private information that will succeed or is it simply a Data Protection Act claim “dressed up” as a common law claim?
At Temple we have the advantage of many years’ experience in this area of law. We have been proud to have supported several important cases on the misuse of private information and breaches of the Data Protection Acts. These have included the “right-to-forget” claims against Google – NT1 & NT2 v Google LLC  EWHC 799 (QB) and the leading case in the phone hacking litigation – Gulati v MGN Ltd  EWHC 1805 (Ch) &  EWCA Civ 1291.
We continue to be the principal insurer for phone hacking claims and insure other misuse of private information and Data Protection Act cases. This enables us to look at claims with an experienced eye.
We can offer premiums that include both recoverable and non-recoverable elements so that a client knows what their potential cost will be if their case is successful.
To find out more about litigation insurance with disbursement funding for your commercial disputes please call me on 01483 514428 or email firstname.lastname@example.org.
Matthew was called to the Bar in 1984 and joined Guildford Chambers two years later. Spending more than 30 years in practice there, he was listed as a Legal 500 Tier One barrister.
He joined the commercial team at Temple Legal Protection as Senior Underwriting Manager in 2017.
Matthew was appointed to Temple’s Board in December 2022 as Legal Director and Head of Commercial.
His knowledge of the commercial legal sector and litigation practice is invaluable to the business and our clients, providing specialist experience to lead the commercial litigation insurance team.
Read articles by Matthew Pascall