A significant ruling on compensation claims relating to the misuse of personal data, the Court of Appeal's recent judgment in Farley v Paymaster [2025] EWCA Civ 1117 establishes important principles for UK data protection law. The decision is likely to put claimants on a surer footing and will have implications for how group actions are brought and managed in the future.

Background

In August 2019, Equiniti, the trading name of Paymaster (1836) Ltd, sent highly sensitive pension statements to hundreds of Sussex Police officers but incorrectly posted a substantial number of them (over 750) to outdated addresses. The pension statements contained personal information including the member's name, postal address, date of birth, national insurance number, police service details and salary details, among other information. This led to concerns that the information may have fallen into the wrong hands and resulted in 474 officers bringing a group action against Equiniti. Claims were brought under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) for breach of statutory duty and/or for misuse of private information. The claimants sought approximately £1,250 per person for both heads of claim, citing distress, anxiety, and in some cases, psychiatric harm.

The High Court Judgment 

In February 2024, Nicklin J struck out all but 14 of the claims, holding that 'to have a viable claim for misuse of private information and/or data protection, each Claimant must show that s/he has a real prospect of demonstrating that the statement was opened and read by a third party'. The judge rejected the submission that claimants could advance a claim on the basis that their personal information was 'in danger' or 'at risk', holding that if the statement had not been opened or read by a third party, there had been no real 'processing'. Nicklin J stated that "the general law of tort does not generally allow recovery for the apprehension that a tort might have been committed" and that "a near miss, even if it causes significant distress, is not sufficient". 

The High Court also raised serious doubts as to the viability of the remaining 14 claims which Nicklin J concluded were "very far from being serious cases". You can read more about the details of the original claims and the High Court's findings in our previous article on this case, 'Paymaster and the Post'.

Main Issues on appeal

The appeal challenged Nicklin J's decision to strike out the majority of the claims in the High Court. The three main issues to be decided by the Court of Appeal (the Court) were:

  1. Infringement: whether proof of disclosure is an essential ingredient of a data protection claim.
  2. Compensation: whether claims for compensation need to meet a seriousness threshold and whether claims can be based upon the mere fear of third-party disclosure.
  3. Abuse of Process: whether the claims were so trivial as to amount to an abuse of court process. 

The Court of Appeal Decision

The Court of Appeal, comprising Lady Justice King, Lord Justice Warby and Lady Justice Whipple, allowed the appeal in part and remitted the case to the High Court for further consideration.

In relation to infringement, Warby LJ found that the High Court judge was wrong to strike out the data protection claims for lack of proof that the data had actually been passed to any third parties. This decision clarifies that evidence of disclosure to a third party is not required for a viable claim. Fear alone could suffice.

The Court clarified that there is no threshold of seriousness that data protection claims must meet. The Court noted that in a series of decisions in 2023 and 2024, the CJEU has consistently held that it is impermissible for domestic courts of EU countries to require proof that damage suffered reaches a minimum degree of seriousness. In UI v Österreichische Post AG, the CJEU held that 'article 82(1) of the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to a condition that the damage suffered by the data subject had reached a certain degree of seriousness'.

The Court followed this EU jurisprudence because the GDPR applied directly in the UK at the material time in 2019. The UK GDPR, which succeeded it post-Brexit, adopted identical language for compensation provisions. The Court's view was that this approach would ensure consistency in interpreting the same legislative text, given that the UK GDPR was essentially inherited from and modelled on the EU GDPR.

However, the Court decided that the question of whether compensation claims can be based on the mere fear of disclosure should be determined on a case-by-case basis. The Court found that Equiniti was entitled to argue that the officers' fears were not "well-founded" and could not therefore qualify as "non-material damage", but recommended that, in this case, the claims should be remitted to the High Court, either for review in that Court or to be determined at County level.

The Court held that none of these claims can succeed unless the individual appellant pleads and ultimately proves a reasonable basis for fearing that their statement had been or would be opened and read by third parties and that this would result in the consequences feared. The Court held that generic factual allegations cannot provide the necessary objective foundation for the fears alleged. Regarding abuse of process, the Court held that the Jameel jurisdiction does not provide a reason to bypass individual assessment, holding that these claims as a class should not be categorised as Jameel abuse although individual cases may still be considered abusive.

The Court's conclusion that an individualised assessment would be required to determine whether any of the claims are well-founded is another signal of the potential difficulties of bringing group actions. The different vehicles for group claims have been hotly debated since the Supreme Court considered the issue in Lloyd v Google. Despite dismissing the claim in that case, the Supreme Court was broadly encouraging of the use of similar representative (opt-out) actions. In Farley v Paymaster, an alternative method was used, bringing the claims under a single claim form, but the Court of Appeal's decision can be seen as a further indication that the Courts are generally willing to hear group actions.

Key Legal Principles Established

The Court's decision in Farley v Paymaster sets down the following important principles, which will apply in the context of day-to-day data handling, as well as future litigation:

  1. Processing does not require disclosure: unlawful processing of personal data (for example, sending a letter to the wrong address) is enough to amount to a breach of data protection law, even without proof of disclosure to or access by a third party.
  2. No threshold of seriousness: the harm suffered can include "distress", which is widely interpreted and does not need to meet any specified level of seriousness.
  3. Well-founded fear test: fears must be objectively well-founded rather than purely hypothetical or speculative, requiring individual assessment of whether there is a reasonable basis for fearing that the statement would be opened and read by third parties and that this would result in the consequences feared.
  4. Distress is not essential: section 168 of the Data Protection Act 2018 does not purport to define or limit the scope of the term "non-material damage", and was in fact intended to allow broad types of damage to be claimed.

Trowers' comment

The Court of Appeal's decision confirms that data protection claims may be viable even without proof of actual disclosure but emphasises the need for specific evidence to support claims for compensation on an individual basis. This means that this is not the last word on the case – the question of whether the claims are in fact viable is still open for determination.

However, questions remain about how such high-volume, low-value claims should be dealt with in practice. The Court's requirement for claims to be individually assessed in order to determine whether fears are "well-founded" clearly presents both an administrative and pleading challenge when it comes to grouping claims under a single claim form, as was done in this case. On a practical level, it may be that it is simply not cost effective for claimants to pursue claims in this way.

Whether and how such claims can be brought in a way that manages the court's limited resources and the costs associated with litigation of this nature will need to be carefully considered. The Court's emphasis on proportionate case management and its rejection of blanket dismissal suggests that the courts will seek to facilitate access to justice for data breach victims, whatever procedural framework is chosen. This approach makes sense in the context of growing digitalisation, a trend which is accelerating and expanding the potential scope for data protection claims.

The judgment represents a careful balancing act: preserving access to justice for victims of data breaches while guarding against speculative or unmeritorious claims. For organisations, the judgment underscores the importance of robust data management systems and keeping them up to date.

The case will now return to the High Court for individual assessment of whether each appellant has pleaded a reasonable basis for their fears being well-founded.