Key takeaways
Court of Appeal removes ‘seriousness’ barrier
Lower threshold makes data breach claims easier to pursue.
Sending data to wrong address counts as processing
Even unopened letters can trigger liability under GDPR rules.
Expect more small-value data protection claims
Businesses face increased risk and accountability after ruling.
In the most recent judgment in the Farley -v- Paymaster 1836 Ltd (trading as Equiniti) [2025] EWCA Civ 1117 dispute, the Court of Appeal has considered the ‘seriousness’ threshold required for claimants seeking compensation for a data protection breach.
Background
In late August 2019, the defendant, the administrator of the Sussex Police pension scheme, sent to each member of the scheme an annual pension benefit statement (ABS). Unfortunately, the ABSs were sent to out-of-date addresses. Data included within the ABS for each member varied but, generally, comprised the name, date of birth, national insurance number, salary and pension information.
The High Court’s judgment
Action was brought by 474 claimants for misuse of their personal data, seeking compensation for injury to feelings and, in some cases, psychiatric injury, due to the fear of third-party misuse of their data. The High Court made the following findings:
If the ABS had not been opened by a third party this did not constitute a sufficient danger or risk to personal data to give grounds for a data protection claim.
Claims based on the inference that the ABS might have been opened were too speculative and there were no reasonable prospects of showing that they had actually been read.
If the ABS had not been opened this would not constitute data ‘processing’ and there could be no misuse of private information.
The danger or risk to personal data did not give grounds for a data protection claim. To be entitled to a remedy, a claimant must demonstrate that they are the victim of a wrong.
Some aspects of the Claimants’ claims for loss and damage were ‘hopeless’ and ‘exaggerated’.
The High Court’s judgment resulted in the vast majority of the claims being struck out and only 14 being allowed to proceed where the Claimant could show that the ABS had been opened by a third party.
The appeal
The claimants appealed to the Court of Appeal on the basis it was wrong for the High Court to dismiss their claims and that it should have been sufficient that they had suffered the distress of their data being sent to the incorrect address (even if the letter had not been opened).
The Court of Appeal agreed with the claimants and overturned the ruling of the High Court, noting that:
The ABS being sent out to the wrong address is, in itself, data ‘processing’ and there was no need for the letters to have been opened by a third party.
There is no ‘seriousness’ threshold which has to be reached before compensation can be recoverable in a data protection claim and the court cannot dismiss a claim on the basis that an allegation by a claimant is ‘incredible’.
If a claimant is asserting that they have suffered psychiatric injury as a result of a data breach this will only be recoverable if it is objectively well-founded – this will be a question of fact for the Court to consider.
The claims should not be struck out under Jameel -v- Dow Jones & Co Inc [2005] QB 946 (concerning claims where the alleged harm is minimal, there is no substantial wrong and continuing the case would be a disproportionate use of court resources and an abuse of process).
In a post-Brexit landscape, the Courts should still generally interpret the GDPR in line with CJEU jurisprudence even when the case law post-dates Brexit.
Comment
The claims have now been sent back to the High Court for a final determination and the facts of the cases will be subject to further judicial consideration. The judgment from the Court of Appeal serves as a useful reminder to businesses about the importance of ensuring data security. For a determined or disgruntled claimant, the criticism of the High Court’s use of a ‘threshold of seriousness’ test means that even a small or trivial claim may be a viable option for them to pursue. The case has therefore significantly lowered the bar for claimants seeking compensation for data protection breaches.
The decision is significant as it will inevitably facilitate more claims for compensation for data protection breaches without the need to establish that the data was actually misused. However, whilst the court has acknowledged that claims for a small amount of compensation, such as £50, might be valid in principle, the practicalities and legal costs of pursuing such a small claim may far outweigh the benefit.
Data controllers and processors will be increasingly risk averse in the light of the decision as it undoubtedly increases the accountability of organisations handling personal data.
For assistance with GDPR issues please contact Kate Steele.

