High Court considers responsibility for the security of data stored on a smart television when returned to a retailer for repair

February 17, 2022

In Stadler v Currys Group Ltd [2022] EWHC 160 (QB), the High Court considered the responsibility for the security of data stored on a smart television when it was returned to a retailer for repair.

The claimant purchased a smart television from the defendant in September 2016. The Smart TV allowed access to third party apps, one of which was for Amazon Prime. In September 2020, the claimant returned the Smart TV to the defendant for repair. Although faulty, the Smart TV had enough functionality to allow a user to log out from any apps.

The claimant was not asked by the defendant to clear and/or remove any of the apps on the Smart TV and was told to pass the device to the defendant’s employees, along with the remote control and power cable.

The claimant did not log out of his Amazon app (or any other apps) before leaving the Smart TV with the defendant.

The defendant’s technicians said that any repair of the Smart TV would be disproportionately costly and therefore said that they would write-off the unit. They compensated the claimant with a voucher. The claimant accepted this offer and used the voucher to purchase a new television. His understanding was that the Smart TV would be destroyed. However, the defendant sold the Smart TV to a third-party company. It did not perform a factory reset or data wipe.

On or around 31 December 2020, a movie was purchased for £3.49 by someone using the claimant’s Amazon account through the Smart TV.

The claimant telephoned the defendant. On 2 January 2021, the defendant reimbursed the claimant for the cost of the Amazon purchase (£5). On 4 January 2021, the defendant contacted the claimant again to make sure that he had changed his passwords for Amazon and any other apps, and the claimant confirmed that he had. On 11 January 2021, the defendant provided the claimant with a £200 shopping voucher as a gesture of goodwill.

The claimant brought proceedings seeking the following:

·      Damages (including aggravated and exemplary damages) up to £5,000 for (i) misuse of private information; (ii) breach of confidence; (iii) negligence; and (iv) breach of data protection law, in particular under Article 82 UK-GDPR and sections 168 and 169 of the Data Protection Act 2018.

·      An injunction requiring the defendant, if it continued to process the claimant’s personal data, to act in accordance with the requirements of the UK-GDPR and the DPA 2018.

·      A declaration that by processing the claimant’s personal data the defendant had breached Article 5(1) of UK-GDPR.

The defendant challenged the claimant’s case on three grounds, namely that: (i) the pleading disclosed no reasonable grounds for bringing a claim in any of the causes of action pleaded and the claim fell to be struck out under CPR 3.4(2)(a); (ii) given the compensation already provided, all that remained was the “distress” purportedly caused to the claimant during the short period in which he realised his accounts had not been logged out, and such a claim was “not worth the candle” and fell to be struck out pursuant to 3.4(2)(b); and/or (iii) the claim had no reasonable prospects of success such that summary judgment ought to be granted under CPR 24.2.

The claimant said that the facts remained disputed and controversial and needed to be determined at trial.

The court dismissed most claims, but allowed the claim for breach of data protection legislation to continue. It considered that the data protection claim had a reasonable prospect of success. On the basis of the claimant’s account of events, it seems that the defendant would or should have been aware that there was personal data on the device, and it was certainly arguable that it had duties as a data controller, particularly if at any point it became the owner of the Smart TV. If the defendant were a data controller, then it would have been under data protection duties in respect of the disposal of data, which is a form of processing, Article 7(2) GDPR. These were matters to be considered at a final hearing, and not determined on a summary basis. 

Further, it could not be characterised as a trivial breach given the nature of the information disclosed, and the fact that it appeared at least one of the apps had been used by a stranger since the Smart TV was re-sold. The fact that a claim is of low value does not mean that the court should necessarily refuse to hear it.

The court transferred the matter to the county court and recommended that it be held on the small claims track.