Category: Insurance case law · Reviewed by Jake Leat, Associate Director · Last reviewed June 2026
The High Court struck out parts of a low-value claim arising from the resale of a customer’s smart television without first wiping personal data, holding that the misuse of private information and breach of confidence claims were not viable and that the residual data protection claim should be transferred to the County Court as disproportionate for High Court determination.
The claimant, Mr Darren Lee Stadler, took a faulty smart television to a Currys PC World store for repair under warranty. The defendant, Currys Group Ltd, determined that the television could not economically be repaired and provided the claimant with a voucher to obtain a replacement. The faulty television was not destroyed: it was repaired and resold to a third party. Crucially, the television’s internal memory had not been wiped or “factory reset” before resale. As a result, the claimant’s logged-in accounts (including, on the pleaded case, an Amazon Prime account and other linked applications) remained accessible to the new owner. The claimant became aware of the position when transactions appeared to take place on his Amazon account that he had not authorised.
The claimant issued proceedings in the High Court alleging breach of confidence, misuse of private information, negligence and breach of the Data Protection Act 2018 / UK GDPR. He sought damages of up to £5,000 together with declaratory and injunctive relief. The claim form valued the matter modestly but the proceedings were issued in the Media and Communications List of the Queen’s Bench Division, which is the customary forum for misuse of private information and reputation claims and which carries the costs and procedural overheads of High Court litigation.
The defendant applied to strike out the misuse of private information and breach of confidence claims as disclosing no reasonable cause of action and, in the alternative, to strike out or transfer the proceedings on the basis that they were an abuse of process given the modest value at stake and the disproportionate burden of High Court litigation. The defendant relied on the principles in Jameel v Dow Jones & Co Inc and the broader policy reflected in the Civil Procedure Rules of proportionate dispute resolution. The defendant did not, at this stage, seek to strike out the data protection or negligence claims on their substantive merits.
The court was required to consider whether the misuse of private information and breach of confidence claims, as pleaded, disclosed a reasonable cause of action. In particular, the question arose whether the defendant’s failure to wipe data from a device before resale could amount to a “misuse” of private information within the meaning of the tort recognised in Vidal-Hall v Google Inc and developed in subsequent authority. Misuse of private information requires conduct that interferes with a reasonable expectation of privacy in identifiable information; a failure to act in respect of data that remained on a device might not fit comfortably within that conceptual framework. Similar questions arose for breach of confidence, which traditionally requires positive use or disclosure of information.
A further issue was whether the claim, taken as a whole, was an abuse of process under the principles in Jameel: where the costs and resources required to litigate a claim in the High Court are wholly disproportionate to any vindication or compensation the claimant might realistically obtain, the court has jurisdiction to strike the action out. Even if the claim was not abusive in that sense, the question arose whether the proper forum for what was in substance a low-value consumer claim was the County Court rather than the Media and Communications List.
HHJ Lewis (sitting as a Judge of the High Court) gave judgment partly in favour of the defendant.
The court struck out the misuse of private information and breach of confidence claims. The judge held that the conduct alleged — failing to wipe data from a device before resale — did not amount to misuse of private information within the meaning of the tort. Misuse of private information involves positive interference with private information; a passive failure to delete data did not engage the tort, even though it might engage the data controller’s obligations under the data protection regime. The breach of confidence claim failed for analogous reasons: the defendant had not used, disclosed or otherwise dealt with the information in a manner inconsistent with its confidential character. The data protection claim was permitted to continue, as was the claim in negligence in so far as it could be substantively distinguished.
The court declined to strike out the residual claim as a Jameel abuse of process, but held that the proceedings were not appropriately constituted in the High Court Media and Communications List. The judge transferred the claim to the County Court as the proportionate forum for a low-value data protection dispute, with the costs and procedural consequences that flowed.
The decision establishes two important principles for low-value data breach litigation. First, the tort of misuse of private information and the equitable doctrine of breach of confidence require positive acts that interfere with private or confidential information; a mere omission to wipe or otherwise protect personal data does not, without more, give rise to a cause of action under either head. Data subjects whose information has been exposed through a controller’s failure to take adequate security measures must rely on the statutory data protection regime and, where applicable, negligence, rather than the privacy or confidence torts. Second, while the courts will not lightly strike out a data breach claim as a Jameel abuse, they will robustly police the appropriate forum and transfer low-value data protection claims to the County Court where the cost and procedural burden of the High Court are disproportionate to the value at stake.
Stadler is a key case in the post-Lloyd v Google landscape for cyber and data liability insurance underwriting. Together with Lloyd, it forms part of a developing line of authority that has materially constrained the value of, and routes to recovery in, individual data breach claims under English law. For cyber and data liability insurers and brokers placing such cover, the decision has several practical implications.
First, it narrows the heads of claim that an insured data controller is realistically exposed to following a data security incident. Where the alleged wrong is a security failure rather than a positive misuse of data, claims for breach of confidence and misuse of private information are unlikely to succeed, and claimants are restricted to data protection and negligence remedies. This has a direct effect on potential quantum, because distress damages under the data protection regime are typically modest and Lloyd v Google has constrained the availability of “loss of control” damages.
Second, the willingness of the High Court to transfer disproportionate low-value claims to the County Court has practical costs implications. County Court costs regimes (in particular fixed recoverable costs and small claims allocation) limit the legal spend that a successful claimant can recover, which in turn affects the economics of speculative or no-win-no-fee claims against insured data controllers. Brokers should bear in mind, however, that defence costs incurred by the insured may not be similarly capped, and policy wordings should be reviewed to ensure defence cover responds adequately in lower-value but procedurally protracted matters.
Third, the case underlines the importance for insured data controllers of operational data-handling procedures — in this case, a documented factory reset before resale or recycling of customer equipment. Brokers should encourage clients to evidence such controls during placement, both because it improves underwriting outcomes and because the existence of documented procedures supports a defence to allegations of negligence and to regulatory action by the Information Commissioner.
By Matt Bartlett, Director, on 2026-06-06. Next review: 2026-12-06.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-06. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
Case citation: Stadler v Currys Group Ltd [2022] EWHC 160 (QB)