Understanding Data Protection Claims | Lessons from Farley and Others v Paymaster (2025)
One of the consequences of today’s technological environment is ensuring that sensitive information remains safe and protected from those who seek to cause harm.
Organisations handling substantial volumes of personal data are subject to controlling legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. They are also required to comply with strict rules called ‘data protection principles.’
Data breaches are inevitable, often exposing affected individuals to potential risk, causing them stress and anxiety. It regularly falls to the civil courts to consider claims brought arising from data breaches for remedial action such as financial compensation.
We regularly act for companies in civil claims for data breaches as well as for organisations facing data protection investigations by the ICO.
Farley and others v Paymaster (1836) Ltd (trading as Equiniti) (Information Commissioner intervening) [2025] EWCA Civ 1117 is a prime example of the consequences that may follow due to a mistake or error in data processing.
This case recently came before the Court of Appeal which produced a detailed and complex Judgment which dealt with a number of issues of considerable significance, it ruled that:
- a data-controller’s processing error alone can amount to an infringement of the GDPR, even if no unauthorised person ever sees the data,
- the GDPR does not impose a ‘threshold of seriousness,’ to the extent that, in theory, any non-material damage may be compensated provided that the alleged harm, including fear, is well founded,
- the submission of a collection of low value claims by a number of claimants does not, in itself, amount to an abuse of process, but each should be dealt with proportionately by case management.
John Veale of KANGS outlines the circumstances surrounding this Judgment.
The Background
In 2019, over 750 Annual Benefit Statements (‘ABS’) for members of the Sussex Police Pension Scheme were sent to members’ addresses which were incorrect as they were out of date. Each ABS contained sensitive personal data, including names, dates of birth, national insurance numbers and pension details.
Some of the statements were delivered and may have been read, others were never delivered, some were returned, and the status of the remaining statements remained unknown. This was of relevance to the efficacy of various arguments concerning misuse submitted to the court.
The High Court
Proceedings were commenced seeking compensation for injury to feelings and, in some cases, for psychiatric injury arising from fear as to how the personal data may have been used.
When the case came before the High Court, only fourteen of those involved in the proceedings were able to provide an arguable case that their mis-addressed envelope had been opened and their ABS read. On this basis, their claims were allowed to proceed, while the other claims were dismissed and struck out.
At that time, it was reported that the High Court decision reflected the Civil Courts growing impatience with the proliferation of exaggerated data breach claims brought for alleged distress. It was the court’s view that cases lacking evidence of personal data being at risk of misuse, should not be pursued.
The Appeal Court
The Claimants whose cases had been dismissed and struck out appealed to the Court of Appeal, maintaining that the mistake of submitting each ABS to an incorrect address was sufficient infringement of their data protection rights to justify each claim.
The Respondents to the Appeal relied upon various contentions including the view that each claim was ‘so trivial that they should be dismissed as an abuse of process.’
The Court of Appeal Judgment
The Court of Appeal overturned the Judgment of the High Court and remitted the claims to the lower court to consider whether the fears expressed by each claimant are ‘well founded.’
Amongst many other matters dealt with in the Judgment, the Court found that:
- the Respondent admitted ‘processing’ data which was sufficient to constitute an infringement. The Judge was wrong in believing that access by a third party was essential and proof that data was disclosed is not an essential ingredient of an allegation of processing or infringement.
- an allegation of ‘distress’ is not an essential ingredient of a tenable claim and claims cannot be dismissed for failing to meet a ‘threshold of seriousness’ as no such threshold exists in domestic data protection law.
- compensation for fear of future misuse requires proof that such fear is well founded.
- when recognising the comments of Lewison LJ in Sullivan v Bristol Film Studios [2012], ‘The mere fact that a claim is small should not automatically result in the court refusing to hear it at all. If I am entitled to recover a debt of £50… it would be an affront to justice if my claim were simply struck out.’
How Can We Assist?
With the enormous volume of data which is being constantly processed, it seems inevitable that mistakes will happen which may result in substantial financial liabilities through civil claims and could expose organisations to potential prosecution for breaches of the governing data protection regulations.
If your organisation is facing legal action for a GDPR or data breach, getting expert legal support is essential. Our experienced solicitors defend those involved in complex data processing claims, providing strategic representation and practical guidance.
Please do not hesitate to contact our experienced Team who will be delighted to assist and guide you.
Tel: 0333 370 4333
Email: info@kangssolicitors.co.uk
We provide initial no obligation discussion at our three offices in London, Birmingham, and Manchester. Alternatively, discussions can be held through video conferencing or telephone.
Top ranked by leading legal directories Chambers UK and the Legal 500.
