A recent decision by the Court of Appeal in Farley & Ors v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117 represents a potential shift in English data protection law. The appeal overturned the first instance decision to strike out the claims of 432 claimants who had been unable to show that their personal data had come to anyone’s attention. The Court of Appeal found that proving the data had been disclosed was not required to establish a claim under the GDPR, but perhaps more importantly for the future of data breach claims, the Court of Appeal held that there was no “threshold of seriousness” for data privacy claims. The decision harmonises the UK approach with existing CJEU jurisprudence, and marks a departure from the previous position under Lloyd v Google.
Background
The claimants, 432 former police officers who were members of a pension scheme administered by the respondent, alleged misuse of their personal information and an infringement of the GDPR which arose when the defendant mistakenly sent the claimants’ pension benefit statements to out-of-date addresses. The statements included information such as date of birth, salary, pension benefits, national insurance numbers and length of service.
At first instance, the High Court struck out all but 14 of the claims. Mr Justice Nicklin held that to have a viable claim for misuse of private information and/or data protection, each claimant needed to show that they had a real prospect of demonstrating that their data was accessed by unauthorised third parties. Only 14 of the 432 claimants had a real prospect of establishing that their benefit statements had been opened and read. He further held that if the benefit statements had not been opened or read by a third party, there had been no real “processing” of the data. The claimants appealed the decision to the Court of Appeal.
Court of Appeal decision
The Court of Appeal allowed the appeal, finding that Mr Justice Nicklin was wrong to strike out the claims. In doing so, it reached the following three key conclusions:
The Court of Appeal has therefore sent the case back to the High Court to determine whether data breaches have occurred and the level of compensation which may be owed.
What does this mean for data protection claims going forward?
Given the importance of the decision to the landscape of data breach claims, it is likely to be appealed to the Supreme Court.
Until then, the removal of the “threshold of seriousness” and the viability of claims based on mere fear of misuse could in theory open the door once more to a new wave of trivial data breach claims (whether group or individual claims). That said, such claims still face significant hurdles. Claimants must establish, by reference to evidence, that the alleged “fear of an infringement” is not purely hypothetical or speculative. Existing hurdles also remain, including the difficulty in bringing a misuse of private information claim in relation to a data breach and the allocation of low-value claims to the small claims track.
Time will tell how claimants (and particularly claimant firms) respond to the decision and whether or not we will see the return of a bygone claim-happy culture.