Darren Lee Warren v. DSG Retail Limited

The Cyber Blog IndiaCase Summary

Claim of compensation for misuse of personal data, breach of confidence, and violation of data protection obligations in a data breach

Darren Lee Warren v. DSG Retail Limited
[2021] EWHC 2168 (QB)
In the High Court of Justice, Queen’s Bench Decision, Media and Communications List
Case QB-2021-001711
Before Justice Saini
Decided on July 30, 2021

Relevancy of the Case: Claim of compensation for misuse of personal data, breach of confidence, and violation of data protection obligations in a data breach

Statutes and Provisions Involved

  • The Data Protection Act 1998 (Section 15)

Relevant Facts of the Case

  • DSG is a well-known retailer operating brands such as Currys PC World and Dixons Travel. The company became a victim of a cyber attack wherein the attackers installed a malicious software. The claimant contends that the company has violated Principle 7 of Data Protection, as given in DPA 1998.
  • The claimant is one of the individuals whose personal data was compromised in this attack. He is claiming a compensation of £5000 for the distress caused by the incident.
  • The cause of action emerges from misuse of personal information (MPI), breach of confidence (BoC), violation of DPA 1998, and common law negligence.

Prominent Arguments by the Counsels

  • The claimant’s counsel argued that the defendant intentionally and recklessly left his personal information exposed to a possible risk of intrusion. They also had a duty of reasonable care, which was breached negligently. However, the counsel withdrew the claim for breach of confidence.
  • The defendant’s counsel submitted that a claim for misuse of personal information requires a party to take some positive wrongful action for liability. However, the defendant has not taken any such action. Also, the Court of Appeal has previously held that a negligence claim is not required for a claim under data protection law.

Opinion of the Bench

  • Neither BoC nor MPI impose a data security duty on the information holder. They only focus on a negative obligation to not disclose confidential information.
  • DGS did not disclose the claimant’s personal data. A common law duty of care does not exist to allow for a tortious claim of negligence.

Final Decision

  • The bench dismissed all claims except the claim of statutory duty under the DPA 1998. Thereafter, the court transferred the claim to the County Court.

Ojasvi Gupta, an undergraduate student at the Faculty of Law, Banaras Hindu University, prepared this case summary during her internship with The Cyber Blog India in May/June 2022.