High Court strikes out data breach claim for tort of misuse of private information

June 8, 2022

The High Court has ruled in the case of Smith and others v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB).

The claimants issued proceedings against the defendant telecommunications provider TalkTalk following data breaches in 2014 and 2015. They were actual or prospective customers of TalkTalk and argued that their personal information was obtained from TalkTalk’s IT systems by unknown criminal third parties and then used for fraudulent purposes. They claimed for compensation for breach of statutory duty under the Data Protection Act 1998, and damages for the tort of misuse of private information (MPI).

The legal viability of the DPA claim was not in issue, subject to a pleading complaint about one aspect of that claim. The breaches had been investigated by the ICO.

However, there was a substantial dispute in relation to the MPI claim, which TalkTalk sought to have dismissed. The judge said that the MPI claim was not a conventional one. TalkTalk was described in the Particulars of Claim as having a “duty to avoid the misuse of private information”. This reflected the nature of the MPI claim, which was essentially that the TalkTalk’s conduct permitted or “facilitated” third party criminal actors to access the claimants’ private information such as their names, addresses and confidential banking details. It was alleged that the information was then misused by criminal actors to seek to defraud the claimants by seeking to scam them.

There were several versions of the Particulars of Claim and the final iteration (RAPOC) contained a substantial reformulation of the MPI claim. The claimants sought permission to amend the claim in the form of the RAPOC.

TalkTalk argued that the MPI claim, even as reformulated in the RAPOC, was bad in law. The claimants countered that, in the draft amended form before the court, it was legally viable and should be permitted to go to trial. I

The claimants had originally also pleaded a claim in breach of confidence. This was based on the contention that TalkTalk was liable for failures which led to third parties obtaining unauthorised access to the relevant private information. By consent the claimants discontinued that claim. In addition, there was no suggestion that any common law duty under the law of negligence was owed to the claimants to secure their data. 

There were three contested and connected applications before the court:

  • The Defendant’s application to strike out: (a) the Claimants’ MPI claim, and (b) references in the Particulars of Claim to what were pleaded as “unconfirmed breaches”, under CPR 3.4 (2). As regards the MPI claim, the Defendant also brought a parallel application for “reverse” summary judgment pursuant to CPR 24.2.
  • The Claimants’ application for permission to update the Particulars of Claim considering recent case law on misuse of private information – the decision in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB); where the court struck out an MPI claim in a data breach claim. There was an issue as to whether Warren was to be distinguished and/or was wrongly decided.
  • The Claimants’ application under Part 18 CPR for further information (“the RFI Application”). This was related to what are said by TalkTalk to be fatal deficiencies in the claim concerning the pleading of “unconfirmed breaches”. 

The judge dismissed the existing MPI claim and refused permission to amend it on the basis pleaded in the draft RAPOC. The judge said that an alleged misuse must be viewed as a matter of substance and practical reality and not merely an omission. If a complaint is about behaviour which permitted other parties to misuse information, it is a matter for data protection law (or a claim for another tort like negligence). It does not come within the scope of the tort of MPI.

The judge also dismissed the “unconfirmed breaches” strike out application. Even though some of the claimants suffered scamming concerning the relevant personal information, they could not determine if they were affected by the 2014 or 2015 breaches or some other breach in relation to TalkTalk. However, it was a permissible inference that, if the personal information used by the scammers was not obtained in the 2014 or 2015 breaches, the source may have been some other unlawful accessing of TalkTalk’s systems. Even though disclosure may be difficult or cumbersome did not mean that the claim should be struck out.  Nor was it an abusive claim. As a result, the judge directed them to provide a more clearly pleaded data protection claim

This meant that the RFI Application was permitted to proceed. The judge invited the parties to agree a timetable for further submissions and evidence in relation to that application and consequential orders arising out of the judgment. The claimants were directed to prepare a draft RAPOC in relation to the unconfirmed breaches claim for consideration at the further hearing.