Skip to content

Court of Appeal lowers the bar for data protection compensation

Insight

Data protection

In a significant decision in Farley v Paymaster 1836 Ltd (trading as Equiniti) (Equiniti), the England and Wales Court of Appeal has lowered the bar for claimants seeking compensation for breaches of their data protection rights.

The Court decided that in England and Wales court proceedings the concept of “non-material damage” arising out of infringements of data protection law is aligned with the case law of the Court of Justice of the European Union (CJEU) (for example, as explained in 2023 in the Austria Post case). There is no so-called “threshold of seriousness” that a claimant has to overcome to be entitled to compensation.

This is a departure from the position prior to the introduction of the General Data Protection Regulation and the Data Protection Act 2018. Under the former Data Protection Act 1998 the UK Supreme Court had held in Lloyd v Google that there was a “threshold of seriousness” test which appeared to therefore block low-value claims.

Background

The Equiniti case arose out of the defendant sending the pension statements of approximately 750 police officers to their former residential addresses. The pension statements included details such as salary, pension benefits, national insurance numbers and length of service as police officers. Subsequently, 474 officers commenced proceedings against the defendant for misuse of private information and breach of their data protection rights.

The High Court struck out all but 14 of the claims because the vast majority of claimant police officers had no tenable case that the misaddressed envelopes had been opened. Mr Justice Nicklin decided that the privacy and data protection claims could not proceed where the data of the police officers had not been viewed by the recipients of the misaddressed envelopes. Nicklin J held that without this actual disclosure of the contents of the pension statements there was no misuse of private information or actionable processing of the police officers’ personal data.

On appeal, the claimants abandoned the misuse of private information claims. The appeal centred instead on the claims for compensation for data protection breaches. In responding to the claimants’ appeal, the defendant did not focus on Nicklin J’s proposition that there was no real processing of the police officers’ personal data in the absence of the content of the envelopes being read. The Court of Appeal found in any event that Nicklin J had been wrong and that there clearly had been acts of processing in the misaddressing of the envelopes. Instead, the defendant primarily focussed its case on the earlier Supreme Court decision in Lloyd v Google that any claim for compensation for data protection breaches had to pass a “threshold of seriousness” test (see our earlier article on this case here). The defendant said the claim made by the claimants that they were entitled to compensation simply based on the fear that their data might be misused as a result of it being sent to the wrong address did not satisfy this threshold test.

Court of Appeal decision

The Court of Appeal allowed the claimants’ appeal. It has sent the case back to the High Court to decide whether data protection breaches occurred and what the level of compensation should be in each case.

In reaching its decision, the Court of Appeal said that the Supreme Court made clear in Lloyd v Google that it was only determining the position on compensation under the provisions of the former UK Data Protection Act 1998 (which applied to the alleged breaches in that case which occurred between 2011 and 2012). That meant the Court of Appeal was free to consider whether the position had changed after the introduction of GDPR and the UK Data Protection Act 2018. The Court of Appeal considered the case law of the CJEU in interpreting Article 82 of GDPR, in particular the Austria Post case and subsequent decisions (see our earlier article here). The Court of Appeal noted that on a number of occasions the CJEU had made clear that there was no “threshold of seriousness” test that a claimant had to overcome in order to obtain compensation for non-material damage such as distress.

The Court of Appeal could have decided not to follow the CJEU case law. Post-Brexit it is not bound to follow those rulings. However, the Court of Appeal held that there was no reason to follow a different path. It decided that English law should be aligned with the position adopted by the CJEU. Accordingly, in court proceedings in England and Wales there is no “threshold of seriousness” test for a claimant to overcome in order to obtain compensation for non-material damage. Whether each individual claimant might obtain compensation would have to be assessed. Simply losing control over the personal data is not enough (a point conceded by the claimants earlier at the High Court stage of the case). However, it would be sufficient in this case if the claimants could show that they had an objectively rational fear that their data could have been misused (eg for identity theft) as a result of the defendant’s error (even if it later became apparent that it had not). The police officers are each claiming £1,250, but the Court of Appeal appears to accept that even awards as low as £50 should not be barred in principle.

In reaching its decision, the Court of Appeal also had to distinguish cases involving claims for misuse of private information. This is because in the earlier case of Prismall a different Court of Appeal panel had found that there is a “threshold of seriousness” test to be satisfied before compensation can be awarded for misuse of private information (see our earlier article on this case here). In Equiniti the Court of Appeal said that a claim for data protection breaches is distinct from one for misuse of private information. Though these claims have a lot in common and can sometimes be run together, each one has a different root. Accordingly, there was no inherent inconsistency in applying a “threshold of seriousness” test to one but not the other.

Similarly, the Court of Appeal said that importing concepts from other areas of the law about low-value claims being an abuse of process (from a line of case law starting with the defamation case in Jameel v Dow Jones) was also impermissible. 

Not the end of the story?   

Given its significance, it seems likely that the defendant will seek the permission of the UK Supreme Court to appeal the Court of Appeal’s ruling. It would be hoped that the Supreme Court will grant permission so that we can have a definitive determination of whether the position really has changed from the 1998 Act to the 2018 Act/GDPR.   

In addition, even if it remains that very low-value claims for non-material damage can be pursued in theory, the practicality of bringing such claims is likely to continue to be problematic for claimants. The Supreme Court decision in Lloyd v Google makes it extremely difficult for those claims to be pursued on an opt-out representative (class action) basis because each claim is individual in nature and therefore the represented claimants will struggle to satisfy the “same interest” test laid down by the Supreme Court. Opt-in group litigation might be pursued, but will claimants be persuaded to sign up for very low-value claims? Finally, claims might be pursued individually, but they are likely to be of such low value that they will be assigned to the County Court track where no costs recovery is available.   

Having said all of this, for now the Court of Appeal ruling in Equiniti removes the barrier of the “threshold of seriousness” test. This means that claimants who are sufficiently motivated can at least more easily seek compensation.   

The full case report is here.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, August 2025

Want to know more?

Contact us

About the authors

Ian De Freitas lawyer photo

Ian De Freitas

Partner

Ian has nearly 35 years' experience as a commercial litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. Ian’s sector experience includes retail, hotels and leisure, financial services, technology, betting and gaming, sport, media and publishing, education and private wealth.

Ian has nearly 35 years' experience as a commercial litigator. He specialises in disputes involving data, technology and intellectual property. Ian leads the firm’s Data, IP and Technology Disputes team. Ian’s sector experience includes retail, hotels and leisure, financial services, technology, betting and gaming, sport, media and publishing, education and private wealth.

Email Ian +44 (0)20 3375 7471
Emily Waterhouse lawyer photo

Emily Waterhouse

Associate

Emily advises on a broad range of commercial disputes for businesses, private individuals, cultural organisations, schools and universities. She has extensive experience in matters including data protection, shareholder disputes, trade mark and passing off claims, contractual disputes and asset recovery.

Emily advises on a broad range of commercial disputes for businesses, private individuals, cultural organisations, schools and universities. She has extensive experience in matters including data protection, shareholder disputes, trade mark and passing off claims, contractual disputes and asset recovery.

Email Emily +44 (0)20 3375 7041

More by the authors

Further reading

Related sectors & services

Continue to next section
Back to top