To Equiniti and beyond: Court of Appeal breathes life into low value data protection claims in UK

The Court of Appeal has decided, in Farley v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117, that there is no "minimum threshold of seriousness" for data protection claims in the UK and that fear alone can be sufficient to found a claim for compensation for non-material damage caused by data breaches. The decision is a blow to data controllers looking to strike out what often seem like trivial claims for only a few hundred pounds, including the group claims that typically follow large data breaches.

There is lots to unpack in the judgment but some of the key points are highlighted below, including what the impact on the data litigation market is likely to be.

Background

The claims for compensation were brought (before the UK GDPR came into force post-Brexit) by 432 police officers who were members of a pension scheme administered by Equiniti. An Annual Benefit Statement (ABS) relating to each of the claimants had mistakenly been sent by post to a previous residential address. The claimants claimed damages for the distress that they allegedly suffered as a result.
In the High Court, the 432 claims were struck out because the claimants could not prove that the envelope containing the ABS has been opened by a third party. As a result, the judge, Nicklin J found that there was no "processing" of the address data for the purposes of the claim in question.14 claims were allowed to continue on the basis that they had a chance of proving that the envelope was opened. 

Did opening envelopes amount to 'processing'?

A core question was whether the disclosure of personal data through the act of opening an envelope and reading its contents amounted to "processing" for the purposes of the General Data Protection Regulation (GDPR).

The Court of Appeal considered that proof of disclosure of the relevant data to a third party (that is, proof that the envelopes were opened and read) was not an essential ingredient of a claim for damages for an infringement of the GDPR, provided there had been processing of the personal data up to that point. In other words, the storing of the inaccurate address data, and the creation and posting of the letters all amounted to sufficient processing for these purposes.

It would still be necessary for a claimant to show that the relevant breach of the legislation (for example failure to put in place "appropriate technical and organisational measures") caused the alleged damage.

Fear of harm is sufficient if objectively well-founded

The Court of Appeal went further and found that a claimant can recover damages simply for fearing the consequences of an infringement, even if no personal data was accessed or disclosed to a third party as a result of the breach. Importantly, however, that  fear must be "objectively well-founded" on facts and matters known to them at the time of experiencing their stated fear. It is not permissible for claimants to seek to recover compensation for fears that are "purely hypothetical or speculative".

This is the silver lining in an otherwise difficult judgment for data controllers. In order to assess the reasonableness of a compensation claim based on the fear of consequences that may arise from a breach, claimants will be required to plead a specific and reasonable basis for the alleged fear and the particular circumstances reasonably giving rise to it. In many cases of trivial breaches, that might be a tall order.

No threshold of seriousness for data protection claims

The Court of Appeal held that compensation claims for non-material damage under the GDPR do not need to meet a threshold of seriousness.

In reaching its decision, the Court of Appeal declined to depart from recent Court of Justice of the EU case law. It noted that the GDPR had direct effect in the UK at the relevant time and taking a divergent approach would undermine legal certainty. This was despite the fact that there is a close relationship between data protection law and privacy and there is a well-recognised threshold of seriousness in privacy claims under English law.

In dismissing the threshold of seriousness for compensation claims under the GDPR, the Court of Appeal acknowledged that such a threshold does exist for damages claims for misuse of private information (a tort based on privacy rights under the European Convention on Human Rights). However, the Court of Appeal considered there to be no good reason why the threshold should carry over to the data protection regime under the GDPR.

The Court of Appeal suggested that the position would likely be the same under the UK GDPR because it adopted the "same language" as the relevant provisions of the GDPR. However, no mention was made of the fact that while the language of the UK GDPR may be the same, its foundations are different: the UK GDPR is now underpinned by Convention rights within the meaning of the Human Rights Act 1998. So it may still be open to argue that the position under the UK GDPR ought to be different and more closely matched to Article 8 privacy law.

Further, while the Court of Appeal found there to be no threshold of seriousness in terms of harm suffered, it did not consider whether there is a threshold of seriousness in terms of the breach. So, for example, if there is a lapse in security that is quickly remedied by the data controller, it might still be open to argue that a threshold of seriousness has not been met even if a data subject can make a convincing argument that they feared the consequences of such a momentary lapse.

No 'abuse of process' to conduct a group action in relation to low value claims

The defendant sought to rely on the level of costs being incurred by the claimants' lawyers in pursuit of low value compensation claims as a reason for the court to exercise its discretion to strike out the litigation as an abuse of process on the basis that it was disproportionate.

The Court of Appeal rejected this argument. It considered that the claimants' stated objectives in pursuit of the litigation were legitimate (seeking compensation for non-material damage arising from the infringement) and that a successful outcome in the case would achieve those objectives. The Court of Appeal agreed with the judge below that if the claims were to proceed to trial then they would be appropriate candidates for being transferred to the small claims track of the County Court where they could be managed proportionately.

Osborne Clarke comment

After a number of favourable decisions for data controllers, the pendulum has swung back towards claimants. Although the requirement for the emotional reaction to be objectively justified will be an important evidential hurdle, claimants and their lawyers have become adept at describing, at scale, the consequences of individuals finding out that they have been the victim of a data breach. This means that it will often be difficult for defendants to mass claims to separate the viable claims from the non-viable ones.

It will be the role of the court to do that: both when assessing whether the "objectively justifiable" test is met and, if it is, in determining the amount of compensation to be awarded. In some cases, the court will need to examine doctors' reports and expert evidence, which becomes very expensive in aggregate.

Data controllers should therefore think about strategies to minimise their litigation risk and exposure. Such strategies may include, in appropriate cases, applying for cases to be transferred to the small claims court of the County Court (where there is typically no costs recovery), or making early offers to settle (whether on a without prejudice or open basis). The more robust data controllers may seek to distinguish the Equiniti judgment.

One thing is for certain: managing thousands of data protection claims on a case for case basis is disproportionately complex and expensive. We are likely to see more of these group claims litigate a small number of test cases to see if some principles can be established on which to settle or dispose of the remainder (see: Beck v Police Federation of England and Wales [2023] EWHC 685 (KB) (costs) in which Osborne Clarke acted for the Police Federation). However, even this "lead claimant model" is not without its complexity.

So what is the answer to managing these claims in a proportionate way? The debate will continue and, absent an appeal to the Supreme Court,  there may need to be legislation to avoid disproportionate data litigation clogging up the courts. We may eventually see these types of claims become standardised and there may be further scrutiny of whether such claims are suitable for "no win, no fee" deals.