ByteSize: Court of Appeal reshapes the foundations of data breach litigation

Speed read

Farley is a group data breach claim brought by 432 members of a Police pension scheme administered by Equiniti. In error, Equiniti posted annual benefits statements relating to each of the claimants to out-of-date addresses. The claimants allege that they have suffered material and non-material damage as result of that error.

The High Court struck out most of the claims. The claimants appealed against that decision. The Court of Appeal held that:

• The mere fact that the documents were posted to the wrong address was sufficient to give rise to an infringement of the UK GDPR/Data Protection Act 2018: it was not necessary for the claimants to show that the envelopes were opened or that the documents were actually seen by a third party.
• There is no de minimis threshold of seriousness for GDPR compensation claims: a claimant must prove that non-material damage has been suffered, but there is no minimum level of seriousness for damage to be actionable, so it is sufficient for the damage to be trivial or transient. This aligns the position in England and Wales with that in the EU.
• “Non-material damage” might include the fear of what could happen as a consequence of a data breach even if that fear did not actually come to pass, as long as “the alleged fear is objectively well-founded but not if the fear is… purely hypothetical or speculative”.

What this means

• It was generally considered that claims for compensation under the UK GDPR were subject to a “threshold of seriousness” (i.e. minimum bar) in respect of either or both of the alleged breach the alleged damage suffered. This meant it was generally taken that claims in respect of minor or trivial breaches of the UK GPDR, or where the alleged damage was trivial, ought not to be actionable. This decision makes clear that no such threshold applies. Although the Court of Appeal stated in its judgment that this was not a change in the law and did not contradict previous decisions, in practice this is a significant change in the English-law approach to data breach compensation claims.
• The Court also stated that compensation may be payable in respect of a data subject’s fear of what could have happened following a data breach (even if it did not happen), so long as that fear has a proper basis.
• Finally, the Court found that disclosure or publication to a third party is not an essential ingredient for claims under the GDPR.
• Claimants still need to prove that they have suffered material or non-material damage in order to bring a claim for compensation as a result of an alleged breach of the UK GDPR or Data Protection Act 2018, but this decision has lowered the bar for such claims by permitting claims to be brought even if any damage allegedly suffered is entirely trivial.

Background and the parties’ arguments

The case arose out of Equiniti’s administration of Sussex Police’s pension scheme. In its administrative role, Equiniti sent each member of the scheme an annual pension benefit statement (the “ABS”). The ABS contained personal information such as the name, date of birth, national insurance number, and pension details of the relevant officer. In each case, it would have been apparent to any third party reading the ABS that the intended recipient was a police officer. As a result of an error in the way in which the address data was stored and processed, Equiniti inadvertently sent ABSs to the previous postal addresses of certain scheme participants.

Proceedings were issued by 432 of the affected parties, with those 432 claims being case managed together as a group action. The claimants contended that the sending of the ABS to an incorrect postal address amounted to unlawful processing under the UK General Data Protection Regulation (“UK GDPR”) and/or Data Protection Act 2018 (“DPA”) and/or a misuse of their private information.

As a result of the alleged infringements, the claimants claimed they had each suffered “non-material damage” (anxiety, alarm, distress and/or embarrassment), and in a smaller number of cases, personal injury. In all but 14 cases, there was no positive evidence that the ABS had actually been opened or read by an unauthorised third party, and so the claimants advanced an inferential case – they said that unless the defendant could prove that any of the statements had been returned unopened, it should be inferred that each envelope was opened, and that each ABS was read by a third party. The claimants originally included claims for damage for the mere loss of control over their personal data/private information, but these claims were abandoned following the Supreme Court decision in Lloyd v Google.

The defendant denied the claims, saying that each envelope containing an ABS was addressed to the relevant claimant and marked “Private and Confidential” with a return address for the defendant. The defendant denied that posting an opaque envelope to an incorrect address in this way could constitute misuse or UK GDPR “processing” and that the Court should not infer that the ABS had been opened by a third party in the absence of evidence to the contrary. The defendant also argued that any damage suffered fell well below the requisite seriousness threshold.

In 2024 the High Court granted summary judgment to the defendant and struck out all but 14 claims, taking the view that without evidence of publication (i.e. a positive case that an ABS had been opened or read by a third party), there was no actionable misuse, and no UK GDPR “processing” necessary for a data breach claim.

The claimants appealed the High Court’s decision to strike-out their claims based on the GDPR.

Court of Appeal decision

The Court of Appeal reversed the High Court’s decision to strike-out the claimants’ claims, addressing the issues in the appeal as follows:

• The infringement issue. The Court of Appeal held that the claimants did not need to prove that their ABS had been accessed, seen or read by a third party to demonstrate that their personal data had been processed unlawfully: the act of sending the ABS in a misaddressed envelope was processing for the purposes of Article 4(2) of the UK GDPR.

• The compensation issue. The Court of Appeal held that:
  
  • First, that there is no “threshold of seriousness” for bringing claims in relation to “non-material damage” under the UK GDPR. This changes the position in the UK to align it with the position in the EU under the EU GDPR: the Court held that (contrary to what had been the generally accepted position for many years) English law did not currently include a threshold of seriousness for claims made under the UK GDPR and/or DPA, and that there was no good reason to depart from the EU position that no such threshold exists.
    In contrast, the Court accepted that English law does already impose a threshold of seriousness for claims in the tort of misuse of private information, and that position remains unchanged. This means there is now a new and significant divergence between the damages that can be claimed for breach of the UK GDPR and DPA on the one hand, and the damages that can be claimed for the tort of misuse of private information on the other.
  • Second, “non-material damage” under the UK GDPR, for which compensation may be payable, is not limited to distress and encompasses other negative emotions in response to a data breach. Examples of those other negative emotions may include stress or anxiety. The Court appeared to accept that “fleeting or transient subjective reactions” in the nature of “irritation or annoyance” do not constitute actionable “non-material damage”. There would not appear to be a clear line between the two: in any case it will be for the claimant(s) to prove that they have suffered damage.
  • Third, compensation is in principle payable in respect of the prospect or possibility that as data subject’s personal data may get into the hands of third parties and be misused, provided that has a basis in fact. The Court held that “in principle, a claimant can recover compensation for fear of the consequences of an infringement if the alleged fear is objectively well-founded but not if the fear is (for instance) purely hypothetical or speculative”.

• The Jameel issue. Under Jameel, a claim may be considered abusive if the costs of defending it will be wholly disproportionate to a very modest potential benefit to the claimant (is “the game worth the candle”?). Here, the Court found that the modest scale of the claimants’ potential recoveries did not justify the dismissal of their claims, and that position did not change because the claims were brought on a group basis.

Looking forward

This is a decision of significant importance, and we would be surprised if the defendant did not seek permission to appeal to the Supreme Court.

While the overall effect of the decision is to lower the bar for compensation claims in relation to distress, stress and anxiety following a data breach, it should be kept in mind that such “non-material damage” still needs to be proved by the claimant in every case.

In practice, and subject to any successful appeal, the impact of this case is likely to be to lower the bar for low-value claims relating to the (alleged) negative emotional consequences of a data breach. Claimants will however still need to prove any alleged damage suffered, and that their response to a data breach was more than “fleeting”. Claims of this nature are likely to be mainly brought in the County Court on an individual basis, but can be difficult to respond to in a cost-proportionate manner: while the costs of defending them may outweigh their (alleged) value, defendants will not wish to be seen as a “soft target” for compensation claims which have impacted large numbers of data subjects.

A more positive take on the Court of Appeal’s decision is that this is a reframing of the existing law rather than a change: the Court of Appeal suggested that while lower courts had previously referred to a threshold of seriousness when striking out or dismissing trivial claims, this judgment does not change the law because the earlier cases should instead be understood as claims which failed because there was no credible evidence at all of non-material damage—not claims which failed because non-material damage could be evidenced but the damage was insufficiently serious. If this is the interpretation adopted by lower courts the impact of the Court of Appeal’s decision may be more limited, but only time will tell.