The Court of Appeal judgment in Farley and Others v Paymaster (1836) Limited (trading as Equiniti) [2025] has given life to low level data breach claims – bad news for those organisations careless or unfortunate enough to suffer a data breach (and their insurers, and the county courts), good news for claimants (and lawyers). The Supreme Court decision in Lloyd v Google [2021] had been seen to require such claims to reach a threshold of seriousness, but that was decided in relation to the former data protection regime.
In August 2019 Equiniti, serving as the administrator for the Sussex Police pension scheme, inadvertently mailed annual benefit pension statements for about 750 officers to outdated (in one case by 18 years) residential addresses. The statements, headed “Private and Confidential”, were in window envelopes with a return address and included date of birth, national insurance number, police service, salary details and pension benefits. Sussex Police notified the ICO and the officers as to what had happened, offered the officers the opportunity to sign up to a fraud protection service at Sussex Police’s expense, and Equiniti wrote letters of apology with replacement statements. Some of the original statements were returned or recovered, the majority were not. Based on Sussex Police’s conclusion that the risk of data subjects suffering significant consequences was unlikely, the ICO concluded that no further action was required.
474 officers nevertheless brought claims against Equiniti for damages for breach of statutory duty under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), and misuse of private information. By the time the case reached the Court of Appeal the claimants had abandoned claims to misuse of private information (following the Court of Appeal judgment in Prismall v Google [2024] to the effect that a level of seriousness is required for such claims), and (under the data protection claim) for loss of control of their personal data. They sought damages for “anxiety, alarm, distress and embarrassment” at the possibility that their personal data may have been accessed by unauthorised third parties (those on “the other side of the law”) including for fraud or identity theft, ex-partners with whom there had been a financial dispute and so on; and in 42 cases (supported by medical reports) aggravation of a pre-existing medical condition. Equiniti contended that police officers, used to contending with dangerous and upsetting situations, would not be genuinely distressed over a pension forecast sent to an old address. It asked the Court of Appeal to uphold the High Court decision to strike out virtually all the data protection claims. The ICO disagreed.
Court of Appeal judgment
The Court declined to strike out the claims. There was “processing” of personal data for the purposes of GDPR, the printing and dispatch of the wrongly addressed statements being part of a series of operations starting with processing by automatic means (the Court noting that any subsequent oral disclosure might likewise be part of “processing”), even if the envelopes were not opened.
On damage, Article 82 GDPR provides a right to damages to “any person who has suffered material or non-material damage as a result of an infringement”, and the DPA provides that “non-material damage includes distress”. The Court noted that whilst it is not bound by decisions made by the Court of Justice of the EU (CJEU) after 31 December 2020 (see section 6 of the European Union (Withdrawal) Act 2018), it “may have regard” to such decisions insofar as relevant, GDPR is an international legal instrument which the UK subsequently adopted insofar as relevant in identical language (in UK GDPR), and it would undermine legal certainty for the UK to chart a different course. The Court, like the CJEU, would not therefore mandate a level of seriousness for non-material damages claims. So, “in principle a claimant can recover compensation for fear of the consequences of an infringement”. The fear cannot be judged with hindsight: the fact that it subsequently became clear that an envelope was not in fact opened and read does not mean the fears entertained were not well founded. But the alleged fear must be “objectively well-founded”, and not simply “(for instance) purely hypothetical or speculative”. Most people do not open private correspondence which has been clearly misaddressed. In only a handful of cases was there evidence that the statement had been opened, in only 2 cases was there evidence that it was opened by someone other than a family member or colleague, and 6 years later there was no evidence of actual misuse.
The case was remitted to the High Court to determine which of the 450 claimants should proceed to trial (in the High Court or County Court) as disclosing a reasonable basis for fearing (1) that their statement had been or would be opened and read by one or more third parties and (2) that this would result in identity theft or one or other of the consequences which that claimant feared might follow.
Commentary
The current position in UK law is therefore:
- Unopened mail sent to an outdated address counts as processing for UK GDPR purposes.
- Damages can be recovered for emotional distress resulting from data breaches.
- Low value claims for £100s will not be automatically abusive and require individual assessment.
It is right that data controllers which process substantial amounts of personal data should be held to account when they fail to take adequate measures to prevent personal data falling into the wrong hands. But where the data controller and processor have apologised and taken steps towards putting matters right, the regulator is apparently satisfied, no special category data is involved, and there is little likelihood and no evidence of data having fallen into the wrong hands, it must be open to question whether allowing low value claims for damages for emotional distress in the hard pressed County Courts is a productive use of the state’s resources. The Court could have departed from the position of the CJEU. Claims for emotional distress are easy to mount and difficult to contest (particularly if supported by a medical report) and making a well-judged early offer to settle in low value claims (where there are few reported cases on damages awards) is notoriously difficult.
The courts may have cause to look at this again. In the meantime, controllers should ensure mailing databases are up to date and where there is a breach which meets the relevant tests for reporting, move swiftly to inform the ICO and data subjects and recommend appropriate security measures.
The material in this article is provided for guidance and general information only and is not intended to constitute legal or other professional advice upon which you should rely. In particular, the information should not be used as a substitute for a full and proper consultation with a suitably qualified professional. Please do contact the Bates Wells team if you require further information.