This High Court case law sets a new standard for all of those trivial claims being made by data subjects for minor breaches of their data. This doesnt mean the ICO won’t take enforcement action against the data controller though.

The High Court has imposed indemnity costs on a family that claimed damages for distress after a law firm accidentally sent an email about outstanding school fees to the wrong person.

Describing the data breach as “trivial”, Master McCloud said the person who received the email, sent by a paralegal, was unknown and confirmed to Veale Wasbrough Vizards that the email had been deleted the following day.

According to the Rolfe family’s solicitor at North-West firm Forbes, they had “lost sleep worrying about the possible consequences of the data breach” and it had made them feel ill.

The master went on: “Much of the alleged distress stemmed here from the ‘fear of the unknown’, too, it was said, by the parents in terms of who the recipient might have been, given Mr Rolfe’s profession as an IT specialist.”

Ruling it was “more than fanciful to suppose either that actual loss has been suffered or that distress has been suffered above a de minimis level”, the master said: “What harm has been done, arguably?

“We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data).

“We have a plainly exaggerated claim for time spent by the claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’.

“In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st century, in a case where a single breach was quickly remedied.

“There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial.”

Delivering judgment in Rolfe and others v Veale Wasbrough Vizards [2021] EWHC (QB), Master McCloud said the case related to a “single email with attachments” sent by the law firm in July 2019.

Alan and Karen Rolfe owed “a sum of school fees” to a school represented by Veale Wasbrough Vizards, which was instructed to write to them with a demand for payment.

The master said the email consisted of a letter and copy of the statement of account for their daughter. Due to a “one-letter difference” in the mother’s email address, the email went by mistake to someone with an identical surname and the same first initial.

The recipient of the email “responded promptly”, the law firm “replied promptly” to that and the recipient confirmed that it had been deleted.

The family claimed damages for misuse of confidential information, breach of confidence, negligence and under section 82 of the GDPR and section 169 of the Data Protection Act 2013. The law firm applied for summary judgment in January this year.

Granting summary judgment, Master McCloud said the case law provided “ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown”.

She imposed indemnity costs on the basis of the “strong observations of this court as to the nature of the claim in terms of exaggeration” and “lack of credible evidence of distress”.

She said the High Court regarded the claim as “speculative given its de minimis nature” and took into account a part 36 offer made by the defendant which it beat.

Master McCloud ordered the claimants to make an interim payment on account of costs of £11,000, which she described as a “conservative sum”.