Data Breach - Farley and Others v Paymaster (1836) Ltd

Brighton Town Hall

Author Hassocks5489  Licence CCO 1.0  Source Wikimedia Commons

Jane Lambert

Court of Appeal (Lady Justice King, Lord Justice Warby and Lady Justice Whipple)  Farley and others v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 Aug 2025)

This was an appeal against the order of Mr Justice Nicklin in Farley and Others v Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB) (23 Feb 2024), striking out most of the individual claims in a collective action arising from a data breach.  The appeal came before Lady Justice King, Lord Justice Warby and Lady Justice Whipple on 17 and 18 June 2025.  Counsels' arguments were filmed and can be viewed on YouTube at Farley (appellant) v Paymaster (1836) Limited (t/a Equiniti) (respondent) 17 June and Farley (appellant) v Paymaster (1836) Limited (t/a Equiniti) (respondent) 18 June. The Court of Appeal allowed the appeal on 22 Aug 2025 (Farley and Others v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 Aug 2025).  Permission to appeal to the Supreme Court was granted on 17 Dec 2025.  The appeal is listed for 7 and 8 Oct 2026.

Background

The claimants were members of a pension scheme for officers of the Sussex Police administered by the defendant. In August 2019, the defendant administrator sent an annual benefit statement to each member of the scheme. The statement contained an overview of the member's accrued benefits together with his or her name, date of birth, national insurance number and details of his or her salary and pension details. It would have been apparent to anybody reading the statement that the member was or had been a police officer.   The defendant sent some 750 of those statements to wrong addresses. The members affected alleged that this was a misuse of their personal information and an infringement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
OJ L 119, 4.5.2016, pp. 1–88 ("the GDPR"). Those members complained that the infringement had led to injury to their feelings, and in some cases, psychiatric harm from fear of third-party misuse of their personal data. They sued the administrator for compensation for the damage that they had suffered under art 82 (1) of the GDPR.

The Defendant's Application

The defendant applied to strike out the claim for failing to disclose a cause of action, or alternatively summary judgment.  The application came on for hearing before Mr Justice Nickin on 27 and 28 Feb 2023.  The learned judge received written submissions on 18 and 19 May and 1 June 2023.   His lordship allowed the claims of 14 members to proceed as they could show that their statements had been read, but he struck out the remaining claims which numbered over 400.

The Appeal

The members whose claims had been struck out appealed on the ground that the judge had been wrong in law.   In particular, he had been wrong to regard disclosure of the benefit statement to a third party as an essential ingredient of a viable data protection claim. The appellants contended that posting the statement to the wrong address infringed their rights under the data protection legislation. The defendant argued that the compensation claims were factually incredible, insufficient or untenable as a matter of law, or so trivial that they should be dismissed as an abuse of process of the kind identified in Jameel v Dow Jones Inc [2005] EMLR 16, [2005] QB 946, [2005] 2 WLR 1614, [2005] EMLR 353, [2005] EWCA Civ 75.

The Issues

Lord Justice Warby, who delivered the lead judgment, summarized the main issues at para [5]:

"(1) have the appellants set out a reasonable basis for claiming that the respondent's mistake involved infringement of the GDPR ('the infringement issue'); if so, (2) have the appellants stated a basis for claiming compensation under the GDPR and DPA that is reasonable, with a realistic prospect of success at a trial ('the compensation issue'); and if so (3) are the claims nonetheless an abuse of process of the Jameel variety ('the Jameel issue')?"

The Data Protection Legislation

The learned Lord Justice condensed the data protection legislation in para [28] of his judgment:

"The GDPR is EU legislation with direct effect in all EU member states. It enacts a number of data protection rights and obligations and contains provision for their enforcement. Article 5 identifies six 'principles relating to processing of personal data' with which data controllers must comply. Articles 24, 25 and 32 require data controllers to 'implement appropriate technical and organisational measures' to ensure GDPR compliance. Article 82 confers a right to receive compensation for material or non-material damage suffered as a result of an infringement. The GDPR applied with effect from May 2018. By Part 2 of the [Data Protection Act 2018], Parliament enacted provisions supplemental to the GDPR. Those provisions also came into force in May 2018."

He explained at [29] that these are the legislative instruments that apply to the events with which the Court was concerned because the European Union (Withdrawal) Act 2018 provided for the GDPR to remain part of English law until 23:00 on 31 Dec 2020.

Interpretating the GDPR

Lord Justice Warby added at [30] that English courts are bound by principles laid down by the Court of Justice of the European Union ("CJEU") and decisions made by it before 31 Dec 2020 as these are "assimilated EU case law" but not by any principles laid down, or any decisions made, by the CJEU after that date.  English courts "may have regard" to such principles or decisions "so far as it is relevant to any matter before the court". In deciding how to approach the latter class of CJEU decisions, English courts are bound by the law of precedent.

Infringement Issue

His lordship said that the first question to be considered in determining whether the administrator's mistake amounted to an infringement of the GDPR was whether the claimants had set out a reasonable basis for alleging that the defendant had engaged in "processing" their "personal data" within the meaning of the regulation and of the Act.    

He considered the definitions of "personal data" in art 4 (1) of the regulation and s.3 (2) of the Act and described them as "language of extremely broad reach." He added that there had never been any dispute that the information at issue here fell within that language and concluded that clearly it did.  

He turned his attention to the definition of "processing" in art 4 (2) of the regulation and s.3 (4) of the Act. Their definitions, which were very similar, defined "processing" as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means" with such illustrative examples as "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."  He recalled the CJEU's discussion of art 4 (2) in para [35] of its judgment in Case  C-175/20 “SS” SIA v Valsts ieneumu dienests, EU: C:2022:124, ECLI: EU:C:2022:124, [2022] EUECJ C-175/20:

"It is apparent from the wording of that provision, in particular from the expression 'any operation', that the EU legislature intended to give the concept of 'processing' a broad scope. That interpretation is corroborated by the non-exhaustive nature, expressed by the phrase 'such as', of the operations mentioned in that provision."

Lord Justice Warby noted at [36] that it was common ground that the defendant's operations amounted to "processing."

The learned Lord Justice observed that the defendant might have argued that printing out the statements, stuffing them into envelopes and posting them were manual operations after the processing had been completed, but it did not do so. It actually admitted that those steps did constitute processing.   On the basis of that admission, his lordship ruled that there was no basis for striking out those aspects of the claims.

Compensation Issue

Art 82 GDPR provides:

"(1) Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller ... for the damage suffered."
(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation ..."

Before 31 Dec 2020, s.168 (1) of the Data Protection Act 2018 amplified art 82 (1) of the GDPR (right to compensation for material or non-material damage), by adding that 'non-material damage' included distress.

The claimants had pleaded that each of them experienced "anxiety, alarm, distress and embarrassment" at the prospect or possibility that their personal data may have come into the hands of third parties and been misused or exposed to the risk of misuse. That was expressly pleaded as "non-material damage". Secondly, 42 of them alleged that the infringements aggravated a pre-existing medical condition for which general damages were sought without particularizing such aggravation as material or non-material damage.   The administrator invited the Court of Appeal to dismiss those claims as incredible under CPR Part 24.  His lordship declined the invitation as it would have been a strong thing to reject statements of truth without hearing from the witnesses. He did not consider that the Court would be justified in taking that step.

The defendant's next point was that on the true construction of the GDPR and the Data Protection Act 2018, compensation was not recoverable for emotional responses other than distress. Lord Justice Warby rejected that submission. He said that the governing provision was art 82, which referred to "non-material damage" without limitation. S.168 (1) of the Act added that this term "included distress" but it was plain that that was an illustrative point. S.168 did not purport to define or limit the scope of the term "non-material damage" in art 82. Indeed, it seemed clear that Parliament's aim in enacting s.168 (1) was not to limit the ambit of the right to compensation but rather to confirm its breadth.

Despite such authorities as Case C‑300/2 UI v Österreichische Post AG [2023] WLR(D) 221, EU: C:2023:370, [2023] EUECJ C-300/21, ECLI:EU:C:2023:370, Case C‑340/21 VB v Natsionalna agentsia za prihodite EU: C:2023:986, ECLI:EU:C:2023:986, [2024] WLR(D) 17, [2023] EUECJ C-340/21, Case C-456/22 VX v Gemeinde Ummendorf EU: C:2023:988, ECLI:EU:C:2023:988, [2023] EUECJ C-456/22 and Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI:EU:C:2024:72, EU: C:2024:72, [2024] WLR(D) 53 to the contrary, the defendant administrator contended that there was a threshold of seriousness which the claimants had not cleared. It argued that the courts of the United Kingdom are no longer bound by decisions of the CJEU handed down after 23:00 on 31 Dec 2020, that they were bound by Lloyd v Google LLC  [2022] 2 All ER 209, [2022] HRLR 1, [2022] 1 All ER (Comm) 1107, [2022] AC 1217, [2021] 3 WLR 1268, [2022] EMLR 6, [2021] UKSC 50 and Prismall v Google UK Ltd [2024] EWCA Civ 1516, [2025] 2 WLR 1224 and that they should not follow the CJEU because its reasoning was flawed and that a threshold of seriousness would eliminate trivial claims and achieve coherence in the law.

Lord Justice Warby did not accept those arguments.  He reviewed the authorities on which the defendant relied and concluded that they did not support the contention that there was a threshold of seriousness for data protection claims in English law.  As for whether the English courts should take a different course from the CJEU, he accepted that it was an option for Parliament.  A judicial decision to do so would require compelling legal reasons.  He remarked at para [67] of his judgment:

"...... the GDPR is an international legal instrument which had direct effect in this jurisdiction at the material time. Further, its domestic successor, the UK GDPR, is post-Brexit legislation in which Parliament decided to adopt the identical language, so far as material to this case. Self-evidently, divergent interpretations of the same legislative text tend to undermine legal certainty. It seems to me that, other things being equal, it makes good legal sense for the court to interpret and apply the GDPR in conformity with settled CJEU jurisprudence."

He analysed the CJEU decisions mentioned above but could see no sufficiently weighty reason for departing on this appeal from the settled CJEU jurisprudence on the threshold of seriousness issue.

However, he said that it was clear from those cases that a claimant could recover compensation for fear of the consequences of an infringement, provided the alleged fear was objectively well-founded.

The Jameel Issue

The defendant relied on the Jameel principle in the strikeout application.   It was summarized by the Court of Appeal in para [175] of their judgment in Municipio de Mariana v BHP Group (UK) Ltd [2022] EWCA Civ 951, [2022] 1 WLR 4691, [2023] 1 All ER 611, [2022] WLR(D) 300, [2022] WLR 4691:

"[P]roceedings may ... be abusive if, even though they raise an arguable cause of action, they are (objectively) pointless and wasteful, in the sense that the benefits to the claimants from success [are] likely to be extremely modest and the costs to the defendants in defending the claims wholly disproportionate to that benefit" (citing Jameel (Yousef) v Dow Jones Co Inc [2005] EWCA Civ 75, [2005] QB 946)

The Supreme Court considered the principle further in Mueen-Uddin v Home Secretary  [2024] UKSC 21, [2024] EMLR 13, [2024] 3 WLR 244, CLW/24/23/1, [2024] 3 All ER 985, [2024] WLR(D) 283.

The administrator relied on the principle in its strikeout and summary judgment application, but Mr Justice Nicklin did not accept it.  It cross-appealed to the Court of Appeal with limited success.  Lord Justice Warby said at para [6 (3)] of his judgment:

"The Jameel jurisdiction does not provide a reason to bypass that process. These claims as a class cannot be categorised as Jameel abuse although the question of whether any individual case is abusive will remain for consideration."

The fact that a claim was small did not mean that it was abusive.  Lord Justice Warby quoted Lord Justice Lewison in Sullivan v Bristol Film Studios [2012] EWCA Civ 570, [2012] EMLR 27 at [29]:

"The mere fact that a claim is small should not automatically result in the court refusing to hear it at all. If I am entitled to recover a debt of £50 .... it would be an affront to justice if my claim were simply struck out."

The defendant had understandable concerns about costs and the difficulty of recovering them if it was successful, but that did not make the proceedings abusive.

The Supreme Court Appeal

The issue on which permission to appeal was granted is whether a threshold of seriousness applies to claims for damages under the GDPR and the Data Protection Act 2018.

Comment

This is an important decision on claims under art 82 (1) for compensation for material and non-material damage resulting from an infringement of the GDPR.  Should the Supreme Court allow Paymaster (1836) Ltd.'s appeal on thresholds of seriousness, its importance will be all the greater.  The Court of Appeal has ruled on what constitutes an infringement and whether concern over who may be reading confidential statement information of itself constitutes non-material damage.  The Court has also followed the CJEU's decisions on thresholds of seriousness and rejected the Jameel principle.  

Anyone wishing to discuss this case or this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.