Court of Appeal clarifies rules on compensation for "non-material" damage in data protection breaches

The Court of Appeal has confirmed that proof of disclosure to third parties is not required for data protection law breaches and that individuals’ rights are breached by unlawful “processing” alone.

Last year, we reported how the High Court in Farley v Paymaster (1836) Ltd in February 2024 had struck out the data protection claims of all but 14 of 432 original claimants. The judge held there was no proof their pension statements had been opened by third parties when they were mistakenly sent to incorrect addresses. The Court of Appeal has now overturned that ruling, holding that the High Court was wrong to require proof of disclosure to the wrong recipients for a data protection infringement to be established. Data protection rights are breached by unlawful “processing” alone.

The Court agreed that that the appellants had a reasonable basis for alleging the respondent's mistake involved infringement of the General Data Protection Regulation (EU), which was the applicable law at the time of the data breach. The Court rejected the respondent's arguments that the claims should be dismissed for failing to meet a threshold of seriousness, as no such threshold exists in EU data protection law. The Court of Appeal’s decision clarifies that compensation is recoverable for data breaches involving "non-material" damage, including well-founded fears of data misuse, but not for purely hypothetical risks.  

The case was remitted to the High Court to determine whether each appellant had set out a reasonable basis for claiming that there was a concern the mis-sent information might be misused. Claims for psychiatric injury would stand or fall according to the Court's conclusions on the objective reasonableness of the stated fears.

The Court of Appeal found that the modest scale of likely recovery could not itself justify dismissal of the claims, and that the right approach to modest claims is to see whether there is a proportionate procedure by which their merits can be investigated. It also held that abuse of process should be assessed individually and that proportional case management was preferred over a bulk strike-out.

Comment

In this case, the pension statements were mistakenly sent to incorrect addresses as the relevant database had not been updated. Trustees should note that it is now clear that even minor errors in handling personal data can lead to liability. Data accuracy and security should be treated as core risk management priorities.

The interpretation of “processing” is broad in scope and does not require disclosure to be unlawful. Compensation for “fear of misuse” is possible as “non-material damage”, provided the fear is objectively well-founded. In this case, police officers who feared that criminals might access sensitive pension and employment details could claim compensation, even if there was no evidence that the envelopes had been opened.

The successful appeal lowers the bar for data breach victims as claimants no longer need to prove either access by unauthorised parties, nor that their distress exceeds a “seriousness” threshold. 

While there is a risk that courts could be flooded with low-value claims, the Court of Appeal said proportionality should be managed procedurally, not by striking out claims in bulk.