Farley v Paymaster: A Turning Point in UK Data Protection Litigation
The Court of Appeal’s recent decision in Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (“Farley”) represents significant clarification of the legal framework governing compensation for data protection breaches in the United Kingdom.
There are two notable aspects to this case. First, the judgment confirms that no de minimis threshold applies to claims brought under Article 82 (the right to compensation) of the UK General Data Protection Regulation (the “UK GDPR”) and section 168 of the Data Protection Act 2018 (the “DPA 2018”). This clarification removes a longstanding barrier to recovery for claimants alleging non-material damage.
Secondly, and more helpfully for organisations, it confirms that a breach does not automatically entitle individuals to damages and that harm needs to be shown.
Both aspects have important implications for data controllers, processors, and legal teams managing risk and compliance.
The dispute in Farley arose from a data breach in which Equiniti, acting as administrator of the Sussex Police pension scheme, mistakenly sent over 750 annual benefit statements to outdated residential addresses. These documents contained sensitive personal data, including names, national insurance numbers, salary details, and pension forecasts.
Although there was no conclusive evidence that the majority of the statements were opened or read by unintended recipients, 474 officers brought claims for emotional distress, anxiety, and fear of misuse.
At first instance, Mr Justice Nicklin struck out the vast majority of the claims, holding that the absence of third-party access rendered them insufficiently serious.
He applied a de minimis principle whereby courts and regulators are allowed to disregard matters that are too minor or insignificant to warrant legal scrutiny or action, reasoning that only claims involving demonstrable harm or actual disclosure could proceed.
Mr Justice Nicklin’s approach reflected a broader judicial tendency to limit low-value data protection claims, particularly in collective actions, by importing a seriousness threshold akin to that used in misuse of private information cases.
The Court of Appeal decisively rejected this reasoning. It held that no minimum threshold of seriousness is required for compensation under Article 82 of the UK GDPR. The court emphasised that the UK GDPR does not impose a “de minimis rule”.
This does not, however, mean that any breach of UK GDPR automatically entitles claimants to compensation – the Court was clear that simply losing control over personal data is not enough to give rise to compensation.
The Court made it clear that some harm or loss would need to be shown to recover damages and that it needed to be objectively well-founded. Examples of the types of harm that could be compensated included distress, anxiety, alarm, fear of misuse and embarrassment, even where the data was not accessed by third parties.
The judgment aligns with European jurisprudence, particularly the decision of the Court of Justice of the European Union in UI v Österreichische Post AG (“Austrian Post”), which similarly rejected the notion of a seriousness threshold.
In the Austrian Post case it was also recognised that a mere infringement of the GDPR does not automatically confer a right to compensation. The judgment made it clear that there are three cumulative conditions that must be met, as follows:
- an infringement of the GDPR;
- material or non-material damage resulting from that infringement; and
- a causal link between the infringement and the damage.
The Court of Appeal in Farley has not deviated from that position; it has confirmed that UK law remains aligned with this approach, notwithstanding Brexit, and that the principles of EU data protection law continue to inform domestic interpretation of the same. [This is not surprising as Article 82 of both EU GDPR and UK GDPR refer to the ability of individuals to recover both material and non-material damage for breaches of GDPR/UK GDPR.
Implications
The practical implications of the Farley judgment are that organisations, particularly those in the consumer space are likely to face more claims for breaches of UK data protection laws. These may be well founded or may be claims with no merit. These claims are already on the rise, and this increase may continue if consumers make use of AI to assist in bringing such claims, and this case will do nothing to stem the tide.
What the Farley judgment does not mean is that organisations have no defence to these claims. The Court was clear that actual damage must be suffered in order for a claim to progress.
A lesson arising from this case is that organisations need robust and up to date data protection compliance programs to avoid errors such as misaddressing communications or system failures happening. Having a way to ensure data accuracy and putting in place compliant data retention and destruction programs are key. Having a procedure for quickly handling data breaches is also crucial.
The Farley judgment also addresses procedural concerns, rejecting the argument that collective low value claims are inherently abusive under the Jameel doctrine which held that if the harm alleged is minimal or trivial, and pursuing the claim would be disproportionate to the resources required, the court may dismiss it . The Farley judgment held that proportionality should be managed through case management rather than strike-out applications, thereby preserving access to justice for claimants with modest but legitimate grievances.
In conclusion, Farley provides significant clarity in relation to how data protection claims should be approached in the UK.
By eliminating the de minimis threshold, the Court of Appeal has confirmed that the UK will remain aligned with the EU and overturned pre-GDPR restrictions on the ability for individuals to bring small claims.
Whilst this may appear to be bad news for organisations, the Court has also made it clear that a breach of data protection laws does not automatically entitle individuals to compensation. Harm has to be established, and each case needs to be considered on its merits. Organisations do therefore have an ability to defend these claims.
If you have any queries relating to defending data protection claims, please contact Eleanor Bennett.
If you have any queries relating to the prevention of data protection claims, please contact our Data Protection Team.
