Legal Translation | Warren v DSG Retail Ltd

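Translator | 田薇, Jilin University (undergraduate)

First review | 岳文豪, Shanghai Jiao Tong University (master's)

Second review | 胡婧卓, UCLA LL.M.

Editors | 王妮茜, Xinjiang Agricultural University (undergraduate)

         邵娅绮, Zhejiang Gongshang University (undergraduate)

Managing editor | 王有蓉, China University of Political Science and Law (master's)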






Warren v DSG Retail Ltd




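/ Foreword /

This is a leading data protection case. It concerns whether victims of a data leak can bring a claim, based on "breach of confidence" and "misuse of private information", against a data controller that suffered a cyber-attack. The court dismissed the claimant's claim for compensation against the hacked data controller, because both of these causes of action require some positive act by the data controller, and where private information is leaked as the result of a hacker attack, as in this case, such a positive act is plainly absent.[1]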



Contents


I. Overview

II. Discussion and conclusions

III. Conclusion



I. Overview


The Defendant (“DSG”) is the well-known retailer operating the ‘Currys PC World’ and ‘Dixons Travel’ brands. Between 24 July 2017 and 25 April 2018, DSG was the victim of a complex cyber-attack (the "Attack"), carried out by sophisticated and methodical criminals (the "Attackers"). The Attackers infiltrated DSG’s systems and installed malware which was running on 5,930 point of sale terminals at the stores. In the course of the Attack, the Attackers accessed the personal data of many of DSG's customers.


The Claimant, Darren Lee Warren, had purchased goods from Currys PC World and claims that the following personal information or data concerning him was compromised in the Attack: his name, address, phone number, date of birth and email address.


As a result of that event, the Claimant has brought this claim against DSG as the relevant data controller for damages limited to £5,000.00. Those damages are not claimed as a result of any personal injury but, as described in more detail below, are damages in respect of distress the Claimant suffered as a result of his personal data being compromised and lost. The causes of action relied upon are breach of confidence (“BoC”)[2], misuse of private information (“MPI”)[3], breach of the Data Protection Act 1998 (“DPA”)[4], and common law negligence.



II. Discussion and conclusions


The BoC and MPI claims


It is clear that the Claimant’s claims are all based on the cyber-attack. So, the PoC §7 states that “the Defendant’s computer systems were infiltrated as a result of a cyber-attack and malware was installed onto the Defendant’s systems ... more than 10 million personal records being stolen by the attacker”. The PoC allege BoC and MPI comprising (at PoC §§12-13) “allowing a third party unauthorised access to personal data” (said to be “information in relation to which the Claimant had a reasonable expectation of privacy”), which “constituted an unjustifiable infringement of the Claimant’s right to privacy and a misuse of the Claimant’s private information which the Defendant failed to take any or any adequate steps to protect,” and that the “Defendant’s failures, aforesaid, caused the Claimant’s personal and private information to be unlawfully processed and disseminated to an unknown third party.”


In my judgment, the wrong is thus said to have been a ‘failure’ which allowed the Attacker to access the personal data. Despite the way in which Counsel for the Claimant has attractively sought to recharacterize her client’s case, it is clear that the Claimant does not allege any positive conduct by DSG said to comprise a breach or a misuse for the purposes of either BoC or MPI. That is unsurprising, given that DSG was the victim of the cyber-attack. There can be no suggestion that DSG purposefully facilitated the Attack, and that is not pleaded in the claim. In any event, there is no evidence to that effect, and it is contrary to common sense.


Rather, the Claimant’s claim is that the DSG failed in alleged duties to provide sufficient security for the Claimant’s data. That is in essence the articulation of some form of data security duty. In my judgment, neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy. Counsel for the Claimant submitted that applying the wrong of MPI on the present facts would be a “development of the law”. In my judgment, such a development is precluded by an array of authority.


In Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 at 281 Lord Goff formulated the general principle underlying BoC as follows: “I start with the broad general principle (which I do not intend in any way to be definitive) that a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.” (emphasis added).


Similarly, Lord Neuberger in Vestergaard Frandsen A/S v Bestnet Europe Ltd [2013] 1 W.L.R. 1556 at [23], referred to “[t]he classic case of breach of confidence involves the claimant's confidential information, such as a trade secret, being used inconsistently with its confidential nature by a defendant, who received it in circumstances where she had agreed, or ought to have appreciated, that it was confidential ...” (emphasis added). To this one might add Lord Neuberger MR’s summary of the circumstances in which an unauthorised use might be identified in Imerman v Tchenguiz [2011] Fam 116 at [69].


As a matter of principle, the law is clear that BoC imposes “a negative obligation not to disclose confidential information”: Sports Direct International plc v Rangers International Football Club plc [2016] EWHC 85 (Ch) at [26], emphasis added. Megarry J’s summary of the action in Coco v AN Clark (Engineers) Ltd [1969] FSR 415, 419 is also relevant in this regard:


“Three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene, M. R. in the Saltman case[5] on page 215, must "have the necessary quality of confidence about it". Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it.”


In my judgment, framing a case as MPI does not assist. That wrong, as is well-known, was developed out of BoC in order to comply with obligations under the Human Rights Act 1998: Murray v Express Newspapers [2009] Ch 481 at [24]-[28]. MPI also imposes an obligation not to misuse private information.


I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action. In the language of Article 8 ECHR (the basis for the MPI tort), there must be an ‘interference’ by the defendant, which falls to be justified. I have not overlooked the Claimant’s argument that the conduct of DSG was “tantamount to publication”. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.


I would add that the absence of any data security duty has been noted in leading textbooks. So, it is said in Toulson & Phipps at §5-011: “There is a distinction between an equitable duty of confidentiality and a duty to take care to prevent confidential information or documents from falling into the hands of someone else. The former is an obligation of conscience, which requires the recipient not to misuse the information or documents. The latter is a duty of a different character and is not an automatic concomitant of the former. In the absence of a relevant contract, it will arise only if there is a special relationship between the parties giving rise to a duty of care under the law of negligence.” (emphasis added)


And see similarly Gurry on Breach of Confidence, 2nd ed., §15.41:

“Strict liability for misuse of information by a defendant also serves to distinguish the duty of confidence from a duty of care. Negligence on the part of a defendant is relevant in determining whether a duty of confidence has been broken only if the negligence results in an unauthorised use or disclosure of the confidential information. Care on the part of the defendant is not the measure by which it is assessed whether a duty of confidence has been discharged.”


Finally, I note that the existence or otherwise of a duty to protect the claimant from the actions of a third party in causes of action for BoC and MPI arose for decision in Various Claimants v Wm Morrison Supermarkets plc [2019] QB 772. In that case a wrongdoer employee copied personal data of Morrisons’ employees and later disclosed it online. The Claimants, individuals whose data had been disclosed online, sued Morrisons in BoC, MPI, and for breach of the DPPs. The Court held that the actions of the wrongdoer employee (Mr Skelton) could not found direct liability on Morrisons other than in relation to DPP7. Mr Skelton was the wrongful actor, and (save for the data security duty imposed by DPP7), any such causes of action were good only against him. As Langstaff J explained:


“65. The short answer therefore, to the claim that Morrisons is liable under the DPP for having broken the data protection principles (other than DPP7) is that it did not, as data controller, itself offend against those principles. The acts said to break those principles were those of a third party, and not its own. 66. Similarly, the assertion that there is direct liability in respect of breach of confidence or misuse of private information also fails: it was not Morrisons that disclosed the information or misused it: it was Skelton, acting without authority and criminally.” (emphasis added)


I respectfully adopt this reasoning and I reject the Claimant’s submission that his case is distinguishable on the facts. Here, it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers.


For these reasons, I accept DSG’s submission that the Claimant’s claims in BoC and MPI are ill-founded. Those causes of action do not impose a data security duty upon DSG but that is what in reality is being claimed. They have no realistic prospect of success and also fall to be struck out based on the pleaded case.



The negligence claim


I also accept DSG’s submission that there are two fatal problems with the negligence claim.


First, the Court of Appeal has held that there is neither need nor warrant to impose such a duty of care where the statutory duties under the DPA 1998 operate: Smeaton v Equifax Ltd [2013] 2 All ER 959 at [72]-[75], [81], [85]. Although I am not bound by that decision given the particular issue before me, in my judgment, the reasoning of the Court of Appeal is applicable.


So, just as in Smeaton:

i) Imposing a duty owed generally to those affected by a data breach would potentially give rise to an indeterminate liability to an indetermined class;

ii) Doing so would be otiose, given the obligations imposed by the DPA. It is notable that the Claimant’s particulars (§§15.1.1 – 15.1.4) simply apply the alleged DPA breaches as particulars of alleged negligence. There is nothing added; and

iii) In my judgment, there is no room (nor indeed any need identified) to construct a concurrent duty in negligence when there exists a bespoke statutory regime for determining the liability of data controllers. That regime provides for relief of precisely the same nature as is claimed in negligence in this claim.


Accordingly, there is no duty of care in the circumstances of the present case. Proximity[6] is not created by the customer relationship, and it would not be fair, just or reasonable to impose such a duty.


Counsel for the Claimant drew my attention to a number of findings of the Information Commissioner in the MPN in support of the factual case the Claimant advances in relation to negligence. These included the following findings: (i) that ten deficiencies in relation to DSG’s computer system and POS terminals that (individually and cumulatively) created real risks of data breaches and that until November 2017 DSG stored passwords centrally in a ‘Group Policy’ which was a vulnerability exploited in the cyber-attack to retrieve a domain administrator name and password; (ii) DSG’s knowledge of those deficiencies dated back to May 2017, following an information security consultancy assessment between 9–11 May 2017 that found “critical vulnerabilities that would allow an adversary operating on the internet to compromise the confidentiality integrity”; (iii) the deficiencies were particularly serious, the resources available to DSG, the cost and ease of implementing measures, the nature of the data held by DSG and the amount of personal information on DSG’s systems; and (iv) the attack continued for 9 months before detection – “a relatively long period of time, given how a foundation level of security standard could have identified and remedied them”.


I have considered these points, but they do not answer the prior question as to whether a common law duty of care existed. These are points which are capable, at a general level, of supporting the case that a breach of a broadly based duty of care occurred but not whether a duty itself existed.


The second problem with the negligence claim is the nature of the claimed loss. The pleaded claim is as follows:

“PARTICULARS OF DAMAGE INJURY DISTRESS AND LOSS

16.1 The distress and anxiety has been exacerbated due to the sensitive personal nature of the data that was unlawfully processed by the Defendant and accessed by an unauthorised third party. Following the data breach the Claimant immediately became distressed and concerned for the safety of his personal data. As a result, he changed all of his passwords on his online accounts. The Claimant is concerned that his personal data can be used by a third party in an attempt to clone his identity and he is anxious about giving his details out to stores when shopping. The Claimant is also very reluctant to conduct further business with the Defendant following the data breach. Should the matter proceed to litigation, further particulars of the Claimant’s loss will be provided in his witness statement.

16.2 Further, the private information has been disclosed and so lost to a third party”.


A cause of action in tort for recovery of damages for negligence is not complete unless and until damage has been suffered by the claimant. Some damage, some harm, or some injury must have been caused by the negligence in order to complete the claimant's cause of action. However, a state of anxiety produced by some negligent act or omission but falling short of a clinically recognisable psychiatric illness does not constitute damage sufficient to complete a tortious cause of action. Compare section 13 of the DPA which, as interpreted by the courts, allows compensation for “distress” by reason of contravention by a data controller of requirements under the Act (such as DPP7[7]).


The Claimant does not allege personal injury, but only distress. The claim in para.16.2 also fails to allege any pecuniary loss and indeed the Claimant’s solicitors accepted in pre-claim correspondence that he had not suffered any pecuniary loss.


Accordingly, even if the Claimant had an arguable case on duty of care, the Claimant has suffered no loss: Rothwell v Chemical & Insulating Co Ltd [2008] 1 AC 281 at [2], [7]-[8], [65]-[66]. He does not plead a complete cause of action in common law negligence and that claim also falls to be dismissed and/or struck out.


III. Conclusion


DSG’s application succeeds. All claims are dismissed and/or struck out save as regards the claim for breach of statutory duty in relation to DPP7. As indicated above, Counsel for the Claimant submitted that by amendment the claim might be saved or improved. It was said that this would be done after the FTT appeal and factual findings in that process. That is not an answer to DSG’s application which concerns the only current pleaded case before the court. This is not a case where I was presented with a draft pleading which sought to cure the problems.


That remaining claim is transferred to the County Court[8] for directions following expiry of the stay pending the FTT appeal.



Original judgment:

https://panopticonblog.com/wp-content/uploads/sites/2/2021/07/Warren-v-DSG-judgment.pdf








Footnotes


[1]https://inforrm.org/2021/12/22/top-10-privacy-and-data-protection-cases-of-2021-a-selection-suneet-sharma/

[2]https://www.findlaw.com/injury/torts-and-personal-injuries/breach-of-confidence.html

[3]https://www.lexisnexis.co.uk/legal/guidance/privacy-law-misuse-of-private-information

[4]https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

[5]Saltman Engineering Co v Campbell Engineering Co (1948) 65 RPC 203

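[6] "The court held that three elements must be present for a duty of care to exist: proximity, knowledge of who the report would be communicated to, and knowledge of the purpose for which the report would be used." See Caparo Industries Plc v Dickman [1990] UKHL 2

[7] The seventh data protection principle provides that the data controller is responsible for the information of data subjects. The Data Protection Act requires controllers to maintain the integrity, confidentiality and appropriate security of data when collecting and processing personal data. https://thecyphere.com/blog/8-principles-the-data-protection-act

[8] The County Court in England handles civil (non-criminal) matters. Unlike criminal cases, in which the state prosecutes an individual, civil cases arise when an individual or business believes its rights have been infringed. https://www.judiciary.uk/courts-and-tribunals/county-court/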
