Darren Lee Warren v. DSG Retail Limited
 EWHC 2168 (QB)
In the High Court of Justice, Queen’s Bench Decision, Media and Communications List
Before Justice Saini
Decided on July 30, 2021
Relevancy of the Case: Claim of compensation for misuse of personal data, breach of confidence, and violation of data protection obligations in a data breach
Statutes and Provisions Involved
- The Data Protection Act 1998 (Section 15)
Relevant Facts of the Case
- DSG is a well-known retailer operating brands such as Currys PC World and Dixons Travel. The company became a victim of a cyber attack wherein the attackers installed a malicious software. The claimant contends that the company has violated Principle 7 of Data Protection, as given in DPA 1998.
- The claimant is one of the individuals whose personal data was compromised in this attack. He is claiming a compensation of £5000 for the distress caused by the incident.
- The cause of action emerges from misuse of personal information (MPI), breach of confidence (BoC), violation of DPA 1998, and common law negligence.
Prominent Arguments by the Counsels
- The claimant’s counsel argued that the defendant intentionally and recklessly left his personal information exposed to a possible risk of intrusion. They also had a duty of reasonable care, which was breached negligently. However, the counsel withdrew the claim for breach of confidence.
- The defendant’s counsel submitted that a claim for misuse of personal information requires a party to take some positive wrongful action for liability. However, the defendant has not taken any such action. Also, the Court of Appeal has previously held that a negligence claim is not required for a claim under data protection law.
Opinion of the Bench
- Neither BoC nor MPI impose a data security duty on the information holder. They only focus on a negative obligation to not disclose confidential information.
- DGS did not disclose the claimant’s personal data. A common law duty of care does not exist to allow for a tortious claim of negligence.
- The bench dismissed all claims except the claim of statutory duty under the DPA 1998. Thereafter, the court transferred the claim to the County Court.
Ojasvi Gupta, an undergraduate student at the Faculty of Law, Banaras Hindu University, prepared this case summary during her internship with The Cyber Blog India in May/June 2022.