Court of Appeal clarifies data protection claims for non-material damage: A win for claimants - But what are the implications for controllers and processors?

The Court of Appeal has recently handed down an important decision in respect of data protection law considerations in Farley & Others v Paymaster (trading as Equiniti) [2025] EWCA Civ 1117, providing clarity on the scope of infringement and compensation data protection claims under the UK GDPR and Data Protection Act 2018 (“DPA”). The judgment will be of particular interest to any service provider dealing with and processing large volumes of customer personal data.

In summary, the Court of Appeal overturned the High Court’s decision to strike out the majority of claims arising from a data breach involving misaddressed pension statements. The Court of Appeal rejected the idea that there is a de minimis threshold of seriousness to bring non-material damage claims for compensation for infringement of data protection law and held that a claim for infringement of UK GDPR did not require proof that personal data was disclosed to third parties. What this means in practice is that claimants will not be prohibited from bringing low value claims against a controller for possible misuse of their personal data for non-material damage in respect of claims of infringement, reshaping the accountability framework.

Background

The case concerned a 2019 data breach affecting over 750 members of the Sussex Police pension scheme. The officers’ annual benefit statements (“ABS”) were mistakenly sent to outdated and incorrect addresses due to a system error by Equiniti, the scheme’s administrator. As a result, over 750 ABS, which contained sensitive personal information such as officers’ names, addresses, dates of birth, National Insurance numbers, salaries and pension details, were sent to incorrect recipients. Fourteen of the officers could show that their ABS had been opened and read. Just over one hundred ABS were returned unopened but the majority were unrecovered, and it is still not clear what happened to these ABS and whether or not they were accessed by third parties; prompting fears among officers that their sensitive personal data may have been accessed or misused.

The incident was reported to the Information Commissioner’s Office (the UK data protection regulator), who acknowledged the breach but determined that the risk of harm to the affected officers (i.e., the data subjects) as low.

432 affected officers brought claims under the UK GDPR and DPA, seeking compensation for: (i) distress and anxiety; (ii) in some cases, psychiatric injury; (iii) fear of third-party misuse; and (iv) aggravation of pre-existing medical conditions.

The High Court struck out all but fourteen of the claims. The fourteen claims were allowed on the basis that these data subjects had evidence that their ABS had been read and opened, and therefore had the only clear arguable case of misuse of their personal data. The reason for the strike out for the remainder of the claims was essentially on the basis that they could not prove that their ABS had been opened and/or read, lacking sufficient evidence that a third party had accessed their ABS. The High Court held that:

1. a viable claim required proof that the ABS was opened and read by a third party;
2. claims based on ‘risk or apprehension’ without actual disclosure (noting the above) was insufficient;
3. without clear evidence of third-party access, no meaningful processing occurred; and
4. ‘distress’ must be serious to be actionable.

Court of Appeal decision

The Court of Appeal overturned the High Court’s decision, holding that:

• Disclosure is not required to establish infringement: The Court of Appeal confirmed that sending personal data to the wrong address constituted “processing” of data subjects’ personal data under the UK GDPR and was therefore a straight-forward processing breach. It did not matter whether or not there was disclosure to a third party as the mere act of sending personal data to the wrong address constituted “processing” under the GDPR and therefore could amount to an infringement.
• There is no ‘de minimis threshold’ in order for non-material damage to be capable of compensation: The Court of Appeal rejected the argument that distress must meet a ‘threshold of seriousness’ to bring a claim under Article 82 of the UK GDPR. Interestingly, the Court of Appeal drew on the Court of Justice of the European Union jurisprudence, holding that compensation is available for objectively well-founded fears and that claimants can recover compensation for fear of the consequences of an infringement. Claims must be assessed on an individual basis and the fear must not be purely hypothetical or speculative - if a claimant can demonstrate a reasonable basis for their concern, compensation may be awarded for emotional harm (i.e., irrespective of the materiality of the infringement).
• Collective actions remain procedurally viable: The Court dismissed arguments that the claims were an abuse of process due to their low value. It reaffirmed that modest claims should not be struck out solely on proportionality grounds, especially where legitimate legal rights are at stake.

Implications for data protection law

The Court of Appeal judgment provides clarity on several fronts as follows:

• Processing errors alone can constitute GDPR infringements, even without proven third-party access.
• Emotional harm, including distress, may be compensable under the UK GDPR, provided it is well-founded (i.e., the damage and distress must not just be speculative or hypothetical).
• There is no threshold of seriousness for non-material damage claims under the UK GDPR.
• Collective actions for data breaches remain viable, even where individual claims are low value.

Conclusion

This decision has practical implications for organisations handling personal data, particularly those operating outsourced services or managing large-scale communications. This is because processing errors alone can give rise to liability, even where the harm to individuals is low and individual claims are modest in value. The judgement also affirms the rights of data subjects to seek redress for distress caused by data mishandling - which unfortunately is becoming more of a concern with the rise of AI and companies having access to, and processing, large volumes of personal data without proper data governance procedures in place. The Court of Appeal’s decision reinforces the importance of compliance with data protection principles and the need for clear contractual and operational safeguards.

About the author 

Caroline joined the Corporate, Commercial & Finance team as an associate and specialises in advising on commercial matters. She advises entrepreneurs, startups and established businesses across a variety of sectors, with a focus on those in the technology sector.