The Court of Appeal’s recent judgment in Farley v Paymaster (1836) Ltd [2025] EWCA Civ 1117 marks a significant and welcome development in UK data protection law. 

Background

The case arose from a data breach involving the misdelivery of pension statements for over 750 Sussex Police officers to outdated home addresses. The pension scheme was administered by the Respondent on behalf of Sussex Police. These statements contained sensitive personal data, including birth dates, national insurance numbers and confirmation of police employment including service length, salary details and forecast and accrued pension benefits. A multi-party action was brought by 474 claimants, alleging distress, fear of misuse, and in some cases, psychiatric injury. The claims were brought for breach of DPA 2018/GDPR and the tort of misuse of private information (“MOPI”).

Sussex Police had provided the Respondent with up-to-date addresses but a computer error at the Respondent meant that when the pension statements were produced, they were accidentally sent to the out-of-date addresses. There was a mistake by the Respondent. 

The pension statements were sent in window envelopes through which could be seen a header that stated “Private and Confidential”, the name of the recipient and the postal address. The mistake came to light and the ICO was informed.

Some of the pension statements were returned to the Respondent unopened; some statements were forwarded unopened to the police officers. Some officers were able to retrieve the statement themselves. However, the majority of statements were never recovered, and it is not known what happened to them. 

A claim was issued in April 2021 on behalf of 474 current or former officers, seeking damages for breach of statutory duty under the UK GDPR and the DPA and/or misuse of private information. Individual schedules verified by statements of truth were provided in April 2022. 

It was agreed between the parties that the posting of the pension statements involved processing personal data. In October 2022 the Respondent applied to strike out the claims as an abuse of process, on the basis that the individual claim values would be too low and therefore disproportionate to the cost of the proceedings (the “Jameel jurisdiction”).

High Court decision

The High Court (Nicklin J) struck out all but 14 of the claims, holding that disclosure to a third party was essential for a viable data protection claim, and that claims based on distress or fear without proof of actual access to the data were speculative. Nicklin J accepted the Respondent’s submission that the vast majority of police officers had no sustainable case that the envelopes sent to the old addresses had in fact been received and opened by a third party.  Nicklin J held that without evidence demonstrating the actual disclosure of the contents of the pension statements there was no misuse of private information or actionable processing of the police officers’ personal data. The burden was on the Claimants to prove such disclosure, and they could not discharge this burden in the vast majority of cases, hence only 14 claims survived the strike out.

Court of Appeal

The Claimants appealed to the Court of Appeal. In so doing they jettisoned their MOPI claim.  The Court of Appeal (King LJ, Warby LJ and Whipple LJ) overturned the decision of Nicklin J and prompted the ICO to intervene in the appeal. The Court of Appeal made the following findings: 

  1. Nicklin J had been wrong: the misaddressing of the envelopes was data processing. Proof that the data was disclosed is not an essential ingredient of an allegation of processing or infringement.
  2. The Respondent is not entitled to judgment on the grounds that the Appellants’ factual allegations are implausible. An allegation of “distress” is not an essential ingredient of a tenable claim. 
  3. The claims should not be dismissed for failing to meet a threshold of seriousness. There is no such threshold in EU data protection law. The Court is not bound to hold that such a threshold exists in domestic data protection law (cf a threshold of seriousness does exist in MOPI claims). 
  4. Compensation is recoverable for any “non-material damage” suffered, whilst recognising, as submitted by the ICO, that not all emotional responses to an infringement will amount to non-material damage. “Distress” is an umbrella term for various forms of emotional harm (including, for instance, stress and anxiety) as distinct from material damage, such as financial loss or physical or psychological injury.
  5. The Respondent is entitled to contend that the Appellants’ fears of third-party misuse were not “well-founded” and hence cannot qualify as “non-material damage” for which compensation is recoverable under the GDPR. But the question must be answered on a case-by-case basis.  The case should be remitted to the High Court which may conduct the review itself or give directions for it to be carried out in the County Court.

Therefore, the Claimants’ appeal against the strike-out was allowed. Unlawful processing alone, such as sending data to the wrong address, is sufficient to establish a breach under UK data protection legislation. Importantly, the Court explicitly rejected the application of a de minimis threshold in UK data protection claims. However, the Court accepted that in order to recover damages, each Claimant will have to show a well-founded fear (i.e. one based on an objective or reasonable standard as opposed to being a purely hypothetical risk) that: (1) the pension statement would or could be opened by third parties; and (2) this would result in identity theft or one or other of the consequences which that Claimant feared might follow.

Why this matters

For individuals, the Farley judgment is an important affirmation that data protection rights matter and that there is no de minimis threshold for claims for compensation for non-material damage. This is important in the context of litigation in England and Wales, where so much turns on the quantum of claims and many large institutions seek to brush aside claims for data breaches on the basis that they are so low in value as to be meaningless. These claims may well be allocated to the small claims track in the County Court, with limited costs recovery that reflects the value of the claim. But this is a welcome judgment in making clear that individuals can pursue claims for data breaches regardless of what each individual claim might be worth, ensuring there is a greater chance of the vindication of rights under the DPA 2018/GDPR.

This decision sends a clear reminder to organisations that they must handle personal data with care, and failing that, they could face claims which, even if not valuable, may pose significant reputational risk by highlighting any non-compliance.

At Austen Hays, we have a wealth of expertise in bringing claims to protect data subjects and holding organisations accountable. If your data has been mishandled, we can help you understand your rights and pursue fair compensation.