Data Breaches: Navigating the Intersection of UK Data Protection Law, Misuse of Private Information and Breach of Confidence


In an era increasingly dominated by data-driven interactions, the legal framework surrounding the use of personal information is under constant scrutiny. In this article, CyXcel Partner Anthony Rance and Associate Ahmed Mangera examine the convergence of the UK’s data protection law, the tort of misuse of private information and breach of confidence, an area which has become increasingly complex and litigious in recent years. 

These legal concepts often overlap in their practical application, yet each has distinct principles and remedies. The case of Ali v Chief Constable of Bedfordshire Police ([2023] EWHC 130 (KB)) serves as a pivotal example of this, shedding light on how these areas of law interact (as well as diverge) when addressing a wrongful disclosure of personal data. 

Even before this case, however, the courts had grappled with numerous cases in which claimants, with varying degrees of success, sought to bring claims under several causes of action in relation to the same set of factual circumstances.

The Basics 

The three areas of law, which have been considered in a series of cases where there has been a personal data breach due to a cyberattack or innocent error, are: 

Data Protection Law (UK GDPR/DPA 2018)

The UK General Data Protection Regulation (UK GDPR), implemented in the UK alongside the Data Protection Act 2018, mandates that personal data must be processed lawfully, fairly, and transparently, and collected for specified, explicit and legitimate purposes. 

Misuse of Private Information

This tort addresses the unauthorised use of private information and is derived from common law and related to the right to respect for private and family life under Article 8 of the Human Rights Act 1998. In order to establish misuse of private information, a claimant must establish that there was a reasonable expectation of privacy which is not outweighed by the defendant’s rights. 

Breach of Confidence

This is an equitable cause of action which arises when confidential information is disclosed without authorisation. To establish a claim for breach of confidence a claimant must prove that the information was confidential in nature, that it was communicated in circumstances where there was an obligation of confidence, and lastly that there was an unauthorised use or disclosure of the information which caused detriment to the claimant.

A Developing Legal Landscape 

There are several reasons why claimants have sought to bring claims in respect of data breaches under multiple causes of action. 

Aside from claimants simply wanting to ‘hedge their bets’, there have been examples of claimant law firms seeking to make claims appear more complex so that they can be litigated in the “multi-track” where there is more scope to recover legal costs. 

Some claimants have also sought to frame their claims as a misuse of private information (also referred to as “MPI”) in order to argue that the premium for their “after the event insurance” is recoverable from defendants, given that there is a statutory provision allowing for this in respect of “proceedings for … misuse of private information”.   

The courts have, however, been increasingly alive to such tactics deployed by claimants and have repeatedly cautioned against them. For example, there was the well-known case of Warren v DSG Retail Limited [2021] EWHC 2168, where a claimant sought to pursue multiple causes of action when his personal data was exposed during a cyberattack on the company operating the ‘Currys PC World’ brand. That particular claim has been described by one judge in a subsequent decision as "an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI".   

There are, nonetheless, cases where all three causes of action might validly be relied upon. However, will doing so lead to any greater success and recovery for claimants, or just increase the costs of defending such cases for businesses and organisations at the receiving end?    

The Case of Ms Ali 

In 2019, Ms Isma Ali reported concerns to Bedfordshire Police about her ex-husband, who she believed was carrying out illegal drug-related activities. Ms Ali emphasised her need for anonymity due to safety concerns. Despite Ms Ali taking exceptional precautions to protect her identity, and despite the police giving specific assurances that they would not disclose it, the police subsequently disclosed her identity (citing safeguarding concerns) in a referral to Luton Borough Council’s Social Services Department.

An employee of the Council then unlawfully accessed this information and informed Ms Ali’s ex-husband, leading to significant distress for Ms Ali. Ms Ali pursued legal action against the police, alleging breaches of the UK GDPR, the Human Rights Act 1998, misuse of private information and breach of confidence. 

The Outcome

The court found that the police violated Articles 5(1)(a) and (b) of UK GDPR by failing to anonymise Ms Ali’s identity and by not demonstrating that the disclosure was necessary. There had also been a failure to process Ms Ali’s data transparently, given that she was not even made aware of the disclosure.

The court further determined that Ms Ali had a reasonable expectation of privacy regarding her identity as an informant, especially given the assurances of anonymity. The police’s disclosure was, therefore, deemed a misuse of her private information.

The court dealt with the misuse of private information and breach of confidence causes of action together, concluding that the police’s actions also constituted a breach of confidence on the basis that the analysis required to establish breach of confidence and misuse of private information in this case was one and the same.

While Ms Ali succeeded in relation to all three causes of action, a critical aspect of the case was the consideration of causation and the quantification of damages. The court considered that it was important to keep the claim under UK GDPR separate from the claims for misuse of private information and breach of confidence for the purpose of determining causation. Ms Ali was not given permission to rely upon medical evidence and it was noted that her claim was for distress and anxiety only, with no claim pleaded for psychiatric injury in any event.

The court noted that insofar as the claim under UK GDPR was concerned, the Council employee’s criminal act of unlawfully accessing and disclosing the information to Ms Ali’s ex-husband broke the chain of causation concerning the police’s initial breach. However, it was determined that the police should not be absolved of liability entirely, as Ms Ali would have experienced distress upon learning that her identity had been disclosed to the Council, irrespective of the Council employee’s actions thereafter.

In terms of the misuse of private information and breach of confidence claims, the court considered that even if the analysis regarding Ms Ali’s entitlement to damages for distress under UK GDPR was incorrect, Ms Ali would be entitled to compensation for misuse of private information and breach of confidence. In particular, the court noted that a successful claimant is entitled to damages for loss of control over their private information, provided that the loss of control is not trivial (as per the decision in Lloyd v Google LLC [2021] UKSC 50).

Ms Ali was awarded £3,000 in compensation for distress under UK GDPR. The court considered that if it were necessary to do so, the same amount would have been awarded for misuse of private information and breach of confidence. It is, however, important to note that the court did not consider it appropriate to award damages separately for each breach as this would amount to a double or even triple recovery. 

The Overlapping Factors

The Ms Ali case illustrates several important points of overlap between UK data protection law and causes of action such as misuse of private information and breach of confidence:

Distinct yet complementary legal frameworks 

While they are related, each cause of action serves a different purpose. UK data protection law focuses on the processing of personal data, misuse of private information protects privacy rights, and breach of confidence safeguards confidential relationships. Together, they provide a comprehensive framework for addressing wrongful disclosures. However, claimants will need to consider carefully whether they are all appropriate to the facts of their case. 

A Reasonable Expectation of Privacy 

Central to both misuse of private information and breach of confidence claims is whether the claimant has a reasonable expectation of privacy. In Ms Ali’s case, her explicit request for anonymity and the private nature of the information in question satisfied this requirement. 

Wrongful Disclosure

All three causes of action hinge on the claimant establishing wrongful disclosure of personal, sensitive or confidential information. The police’s failure to anonymise Ms Ali’s identity breached data protection principles, as well as her rights to privacy and confidence.

Harm and Distress

The distress caused by a wrongful disclosure is relevant to the assessment of damages across all three causes of action. The disclosure must also be more than trivial to ground a claim. The court acknowledged the serious nature of the wrongful disclosure and of the information, and that Ms Ali experienced significant distress due to the breach. However, it was only prepared to award one set of damages for the breach in question, and the fact that Ms Ali was successful with three separate causes of action did not lead to any higher award of compensation.

Conclusion

It is important for data controllers to rigorously assess whether disclosure of personal information is necessary and proportionate, especially when assurances of confidentiality have been provided. Failure to do so can result in claims arising from multiple causes of action which can then be difficult (and expensive) to defend, given that each cause of action addresses different aspects relating to wrongful disclosures and offers different remedies and protections to data subjects. 

Where data subject claimants have adopted a ‘scattergun’ approach of asserting multiple causes of action simply for tactical reasons, it may be appropriate to take countermeasures to limit costs exposure for defendants and to ensure that cases are dealt with proportionately and appropriately. 

This may include seeking summary determination (e.g. strike out and/or summary judgment) as well as seeking allocation to the ‘small claims’ track where appropriate.  

