The UK courts have been exploring the limits of litigation brought by or on behalf of data subjects where there has been unlawful transmission or disclosure of personal data: Fergus McCombie of 36 Commercial surveys the state of play
- The UK courts have shown a willingness to analyse damages and procedural matters in low-level data protection claims along traditional English law lines.
- There are challenges to that approach where there has been mere loss of control of personal data.
- This article considers cases of deliberate or inadvertent access gained by third parties, other than the controller or data subject, to personal data.
In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), Saini J considered a claim of low value brought against Dixons Carphone (DSG) arising from a cyber attack, perpetrated in 2018, by which the attackers gained credit card and other personal data. The Information Commissioner’s Office (ICO) had already issued a monetary penalty notice in the sum of £500,000. A private claim was brought by one victim in misuse of private information (MPI), breach of confidence
