Summary judgment confirms de minimis threshold continues to apply for data breaches

In October, the summary judgment in Rolfe and others v Veale Wasbrough Vizards LLP[2021] EWHC 2809 (QB) confirmed the principle that where there is an infringement of data protection law, there must also be damage or distress above a "de minimis threshold of triviality" in order for a damages claim to succeed.

In this case, the Defendant represented a school to which the first two Claimants owed a sum of money. Due to one misplaced letter in the email address of the intended receipt, an email demanding payment was not sent to the Claimants but instead was inadvertently sent to a person with an identical surname to the Claimants. The email itself contained a statement of account with the Claimant's personal data, specifically: their name, address, outstanding fees, and reference to proposed legal action. The incorrect recipient promptly responded to indicate they thought the email was not intended for them and confirmed its deletion.

The Claimants claimed damages under the UK GDPR and the Data Protection Act 2018, arguing that they had suffered harm from the incident, notably that the incident had "made them feel ill" and that they had "lost sleep with worry". Master McCloud held that it was "not credible" that this damage and distress was over the de minimis threshold of triviality and the claim was dismissed. This case reaffirms the principle that for data breaches, where no real harm or distress has been caused, or only trivial harm, no action will succeed. In the words of Master McCloud, "if it were not so, the court would be bound up with such cases, every time a minor error occurred".