The future of data protection claims after Farley


Guest post from Beverley Flynn, head of data protection, and Quintin Farley, associate, at Surrey firm Stevens & Bolton


The Court of Appeal’s decision in Farley & Ors v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117 potentially marks an important moment in the evolution of data protection claims in the UK.

For claimants, particularly those seeking redress for emotional harm following data breaches, the judgment opens possible new avenues for compensation. For organisations, it signals a need to reassess risk management and compliance strategies.

Breaking with precedent

The Court of Appeal considered a collective action brought by over 430 individuals whose annual pension benefit statements containing special category data were sent to outdated addresses.

The claimants alleged distress, fear of misuse and, in some cases, psychiatric injury, despite few of the claimants being able to prove that the documents had been accessed by third parties.

The High Court had previously struck out all but 14 of the claims, holding that the claims under the General Data Protection Regulation (GDPR)/Data Protection Act 2018 (DPA) required proof of actual disclosure (reasoning that no real processing had occurred) and, alternatively, that the claims had no real prospect of success.

The High Court decision did not provide a view on whether UK law sets a seriousness threshold for data protection claims.

The Court of Appeal has overturned this approach, albeit there is scope for a Supreme Court appeal. It held that processing includes the act of sending personal data to incorrect addresses, even if there was no evidence that a third party accessed it.

The court rejected the notion of a ‘threshold of seriousness’ for non-material damage and considered existing case law from the Court of Justice of the European Union, such as the 2023 case of Austria Post, finding no such threshold exists in EU data protection law.

Whether each individual claimant might obtain compensation would have to be assessed. Emotional harm, if objectively well-founded and caused by the infringement, can be compensatable – even where the harm is ‘modest’.

This contrasts with the 2021 ruling in Lloyd v Google, where the Supreme Court denied compensation for ‘loss of control’ of data due to absence of any demonstrable harm. The Farley v Paymaster ruling clarifies that fear of misuse, if reasonable, can constitute non-material damage under article 82 of the GDPR.


Impact for claimants

The decision affirms that:

  • Evidence of disclosure may not be required to establish processing or infringement;
  • Distress and anxiety can be compensatable even without psychiatric injury; and
  • Low-value claims are not inherently abusive under the Jameel principles (i.e. proceedings may be abusive if the benefits from the claim being successful are wholly disproportionate to the costs incurred by the defendant in defending the claim).

This potentially reopens the door to individual and collective actions for data breaches that might have previously been dismissed as trivial.

The Court of Appeal emphasised that each claim must be assessed on its own merits; however, where fears are well founded, such as concerns about identity theft or misuse by known individuals, compensation may be considered.

Best practice for organisations

For data controllers and processors, the judgment underscores the importance of robust data governance. Organisations must:

  1. ensure the accuracy of personal data, especially contact details used for sensitive communications;
  2. ensure privacy policies are up-to-date and staff are adequately trained in the importance of data accuracy and procedures;
  3. implement technical and organisational safeguards under articles 24, 25 and 32 of the GDPR;
  4. maintain audit trails to demonstrate compliance and mitigate liability; and
  5. respond promptly and transparently to breaches and regularly review and test incident response plans, including offering protective measures (e.g. encouraging or mandating two-factor authentication for affected accounts to reduce the risk of unauthorised access).

To assess potential liability, organisations should ask:

  • Was there a breach of GDPR principles (e.g. accuracy, integrity)?
  • Did the breach cause emotional harm that is objectively reasonable?
  • Is the claimant’s fear of misuse well-founded, not merely hypothetical?

What’s next?

The reputational risks of mishandling personal data are now coupled with potential and tangible legal exposure. The decision affirms the GDPR’s protective ethos and may lower the bar for affected individuals seeking compensation for breaches of their data protection rights.

Whilst the decision potentially paves the way for an increase in claims being asserted, it will require organisations to strengthen data governance and processes internally.

The downside for claimants, of course, is the challenge of pursuing misuse of private information claims and the procedural limitations of the small-claims track for low-value cases.

Given the implications of this decision for the data breach claim landscape, an appeal to the Supreme Court is likely.



