The Court of Appeal has handed down its judgment in Farley & Ors v Paymaster (1836) Limited t/a Equiniti, a landmark decision which strengthens the rights of individuals bringing claims for data breaches.
In February 2024, the High Court struck out the data protection claims of all but 14 claimants on the basis that there was no proof their mis-sent pension statements had been opened by third parties. The Court of Appeal has now overturned that ruling, holding that the High Court was wrong to require proof of disclosure for a GDPR infringement to be established.
About the data breach
In August 2019, Equiniti distributed 750 annual pension benefits statements on behalf of Sussex Police force after receiving updated contact details for the officers. Equiniti failed to properly update its database, resulting in pension statements being sent to the wrong addresses, including personal information such as names, National Insurance numbers, salary bandings and police service details. 474 officers joined KP Law’s group action against Equiniti.
About the Court of Appeal judgment
The Court of Appeal’s judgment has significant implications for future data breach litigation.
The Court of Appeal confirmed that proof of disclosure to third parties is not required for a GDPR infringement. Data protection rights are breached by unlawful “processing” alone. This reinstates the claims of over 400 appellants who were wrongly struck out.
The Respondent’s argument that claims must pass a threshold of seriousness was also dismissed. The Court held that there is no legal requirement for a threshold of seriousness in GDPR claims (following CJEU jurisprudence). Compensation is available for any non-material damage, including objectively well-founded fears of misuse, without the need to meet a minimum seriousness bar.
The Respondent’s contention that these claims were inherently an abuse of process because of their modest value was also rejected. The Court confirmed that:
- ‘Low-value claims’ should not be struck out as abusive
- Proportional case management is preferred over a strike-out
- The abuse must be assessed individually, not in bulk.
The case has been remitted to the High Court to assess whether individual fears of misuse were well-founded.
Kingsley Hayes, partner and head of data and privacy litigation at KP Law, commented: “This judgment is a landmark win for data breach victims. The Court of Appeal has confirmed that unlawful processing is enough to bring a claim, and that even claims of modest value deserve to be heard. It’s a clear message that people’s data rights must be taken seriously.”
As the Information Commissioner, who intervened in the case, observed: low-value claims can and should be managed within the CPR framework, rather than excluded entirely.
This decision provides welcome clarity for claimants and is expected to have a positive impact on a wide range of data breach cases moving forward.
