Tag Archives: litigation

May 14, 2026 · 8:27 am

Anonymity application in databreach proceedings fails

Rather unsurprisingly, a rather surprising application, in databreach proceedings, for anonymity for all 2502 claimants has been dismissed by the High Court.

In Secake & Ors v Shared Services Connected Ltd (Rev1) [2026] EWHC 1022 (KB), Mr Justice Saini was asked to grant the application by claimants who are current or former members of HM Crown Forces (or partners/children of such persons). 

The defendant is a processor (on behalf of the Ministry of Defence) which administers pensions schemes of the claimants, and appears to have been subject to a third party attack leading to access to and exfiltration of the claimants’ data.

The claimants submitted that unless the order sought was made, their personal details would be disclosed to the public for an indeterminate period; and to disclose the names and other personal details of the victims of a personal data breach is not a neutral thing – by placing these details in the public domain and associating them with a data breach would ‘magnify’ the victims’ ‘harm and hurt’, and strike at the their privacy right”. Additionally, because the personal details are those of HM Armed Forces, and their immediate families, in relation to their service to the country, this placed a ‘premium’ on their anonymity, because otherwise their data could be exploited by “malicious persons”, including “hostile nation states”.

Saini J had little truck with this: the application failed “by some margin”. Firstly, there was no justification for the application being made on a general basis across the whole class of claimants. Secondly, the mere fact that the claimants work or worked in the forces was wholly inadequate as evidence to assert that their Convention rights were engaged. Thirdly, the proposition that anonymity was required so as not to exacerbate the effects of the data breach had the logical extension that the same would apply to *any* data breach claim: “That would be a major and unjustified encroachment on the open justice principle”. Fourthly, no specific evidence about individual claimants’ need for anonymity had been supplied. Fifthly, the “hostile nation state” argument was pure speculation. Sixthly, an argument advanced orally by counsel that malign third parties might try to buy the claimants’ data from the hackers was also speculative.

The risks of applying a general anonymity cloak across the class was illustrated by the fact that at least four of the claimants were shown to have LinkedIn profiles which announced that they were members of HM Forces.

Finally, the judge noted that prior notice of the anonymity application should have, but had not, been provided to the media.

As the judgment records, “The principle of open justice prevails.”

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Anonymity, Data Protection, judgments, litigation, Open Justice

Tagged as ,

June 6, 2024 · 7:45 am

The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all – I imagine some claimant lawyers thought, a claim can still be pleaded as a MPI claim – even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to disappearing into the past.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, data security, judgments, litigation

Tagged as ,