William Stadler purchased a Smart TV from Currys Group Ltd in September 2016. The Smart TV allowed the user to access third party apps, one of which was for Amazon Prime.

In September 2020, Mr Stadler returned the Smart TV to Currys for repair. Currys did not ask Mr Stadler to clear and/or remove any of the apps on the Smart TV. Mr Stadler did not log out of his Amazon app (or any other apps) before leaving the Smart TV with Currys.

Currys’ technical staff determined that any repair of the Smart TV would be disproportionately costly and so offered to write off the unit and compensate Mr Stadler with a voucher. Mr Stadler accepted this offer. His understanding was that the Smart TV would be destroyed. However, Currys then sold the Smart TV to a third-party company, without performing a factory reset or data wipe.

On or around 31 December 2020, a movie was purchased for £3.49 by someone using Mr Stadler’s Amazon account through the Smart TV. Currys reimbursed Mr Stadler for the cost of the Amazon purchase (£5). Currys later also gave Mr Stadler a £200 shopping voucher as a gesture of goodwill.

Mr Stadler issued proceedings seeking damages for various causes, including breach of data protection law pursuant to Article 82 UK-GDPR and ss 168 and 169 of the Data Protection Act 2018. He said that he was a data subject, and that Currys was the data controller. He said that Currys had breached its data protection duties in disposing of the Smart TV without first wiping any data stored on it.

Currys applied for an order striking out the claim pursuant to CPR rule 3.4(2)(a) (no reasonable grounds for bringing the claim) and (b) (abuse of process) and/or for summary judgment pursuant to CPR rule 24.2 (the claim had no reasonable prospects of success).

His Honour Judge Lewis declined to grant Currys summary judgment:

1. further factual information was needed to evaluate the extent of Currys’ duties to Mr Stadler under data protection legislation, in particular in respect of what was said between the parties when the device was handed over, and when it was agreed it would be scrapped, and what terms and conditions applied to the repair and subsequent disposal; and
2. the data protection claim had a reasonable prospect of success; on the basis of Mr Stadler’s account of events, it seemed that Currys would or should have been aware that there was personal data on the device, and it was certainly arguable that it had duties as a data controller, particularly if at any point it became the owner of the Smart TV; if Currys was a data controller, then it would have been under data protection duties in respect of the disposal of data, which is a form of processing under Article 7(2) GDPR; these were matters to be considered at a final hearing, and not determined on a summary basis.

As for Currys’ strike out application, HHJ Lewis said that a threshold of seriousness applies to claims under s 13 of the Data Protection Act 1998 and that damages for “non-trivial” breaches are not recoverable unless there is proof of damage or distress. This applies equally to claims under Article 82 UK-GDPR.

However, HHJ Lewis said that the fact that a claim was of low value did not mean that the court should necessarily refuse to hear it. Further, Mr Stadler’s pleaded case, which incorporated a statement of truth, was that his financial details were included in the personal data on the Smart TV. If what the pleading said was correct, then this could not be characterised as a trivial breach, especially as it appeared that at least one of the apps had been used since the Smart TV had been re-sold.

Since the case could be managed in a way that was proportionate to its value by allocating it to the small claims track, there was no reason to strike it out on Jameel principles. The case was transferred to the County Court. (William Stadler v Currys Group Ltd [2022] EWHC 160 (QB) (31 January 2022) — to read the judgment in full, click here).