A Potential New Chapter in Data Privacy Litigation: Farley & Ors v Paymaster

A recent decision by the Court of Appeal in Farley & Ors v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117  represents a potential shift in English data protection law. The appeal overturned the first instance decision to strike out the claims of 432 claimants who had been unable to show that their personal data had come to anyone’s attention. The Court of Appeal found that proving the data had been disclosed was not required to establish a claim under the GDPR, but perhaps more importantly for the future of data breach claims, the Court of Appeal held that there was no “threshold of seriousness” for data privacy claims. The decision harmonises the UK approach with existing CJEU jurisprudence, and marks a departure from the previous position under Lloyd v Google.

Background

The claimants, 432 former police officers who were members of a pension scheme administered by the respondent, alleged misuse of their personal information and an infringement of the GDPR which arose when the defendant mistakenly sent the claimants’ pension benefit statements to out-of-date addresses. The statements included information such as date of birth, salary, pension benefits, national insurance numbers and length of service. 

In the first instance, the High Court struck out all but 14 of the claims. Mr Justice Nicklin held that to have a viable claim for misuse of private information and/or data protection, each claimant needed to show that they had a real prospect of demonstrating that their data was accessed by unauthorised third parties. Only 14 of the 432 claimants had a real prospect of establishing that their benefit statements had been opened and read. He further held that if the benefit statements had not been opened or read by a third party, there had been no real “processing” of the data. The claimants appealed the decision to the Court of Appeal. 

Court of Appeal decision 

The Court of Appeal allowed the appeal, finding that Mr Justice Nicklin was wrong to strike out the claim. In doing so, it reached the following three key conclusions:

1. Proof that a claimant’s data was disclosed is not an essential ingredient of an allegation of processing or infringement. The Court of Appeal confirmed that the judge at first instance was wrong to find that the claimants’ data had not been processed simply because no unauthorised third party had opened and read the correspondence. The Court of Appeal considered the wording of the GDPR (in which the definition of processing includes “any operation or set of operations”, including those that are automated) and found that the defendant’s conduct (in collecting, organising, and storing the data, and printing the benefit statement and placing it into an envelope) constituted processing of the claimants’ data for the purposes of the GDPR and this was sufficient for their data protection claims. 
2. There is no “threshold of seriousness” in English data protection law. The Court of Appeal confirmed that while the threshold exists in the law of misuse of private information (per the Court of Appeal’s decision in Prismall), there was no persuasive reasoning to introduce such a threshold in the context of the separate and distinct legal regime for the protection of personal data. The Court of Appeal considered existing case law from the CJEU, finding no such threshold exists in EU data protection law. While the Court of Appeal is not required to follow post-31 December 2020 rulings from the CJEU, it is entitled to have regard to them in so far as relevant, and in this case the Court held that there was no sufficiently weighty reason for departing from the settled CJEU jurisprudence. The defendant’s case on appeal had been focused on the application of the previous authority for meeting a “threshold of seriousness” test set out in Lloyd v Google. The defendant argued that the claims for compensation under data protection law in this case did not meet that threshold. In dismissing this argument, the Court of Appeal distinguished the present case from Lloyd v Google on the basis that the latter was concerned with the interpretation and application of the Data Protection Act 1998, rather than the current legislation, namely the GDPR and Data Protection Act 2018. The Court of Appeal further confirmed that, while mere “loss of control” would be sufficient, a claimant can recover compensation for “fear of the consequences of an infringement”, if the alleged fear is objectively well-founded, but not if the fear is purely hypothetical or speculative. 
3. These claims as a class action cannot be categorised as an abuse of process, and each case must be considered individually. The defendant had sought to argue that the first instance decision should be upheld on the basis that the claims for compensation are factually incredible, insufficient or untenable as a matter of law, or so trivial that they should be dismissed as an abuse of process of the kind identified in Jameel v Dow Jones Inc. However, the Court of Appeal found that a generic or bulk answer about abuse of process cannot be provided on the claims as a whole but the question of whether any individual case is abusive is a matter to be remitted to the High Court. 

The Court of Appeal has therefore sent the case back to the High Court to determine whether data breaches have occurred and the level of compensation which may be owed.

What does this mean for data protection claims going forward?

Given the importance of the decision to the landscape of data breach claims, it is likely to be appealed to the Supreme Court. 

Until then, the removal of the “threshold of seriousness” and the viability of claims based on mere fear of misuse could in theory open the door once more to a new wave of trivial data breach claims (whether group or individuals claims). That said, such claims still face significant hurdles, including the requirement to establish that the alleged “fear of an infringement” is not purely hypothetical or speculative by reference to evidence, as well as existing hurdles including the difficulty in bringing a misuse of private information claim in relation to a data breach and the allocation of low-value claims to the small claims track. 

Time will tell how claimants (and particularly claimant firms) respond to the decision and whether or not we will see the return of a bygone claim-happy culture.