We are closely following the evolving landscape of GDPR enforcement in the UK. The recent Court of Appeal ruling in Farley & Ors v Paymaster (1836) Limited (trading as Equiniti), [2025] EWCA Civ 1117, marks a pivotal moment for data privacy claims. This decision reverses a lower court’s dismissal of claims by 432 individuals whose personal data was mishandled, even without evidence of third-party access. In my view, it aligns UK law more closely with EU precedents and could reshape how we approach data breach litigation, potentially lowering barriers for claimants while raising new strategic considerations for defendants.
Background of the Case
The case involves 432 former police officers who participated in a pension scheme managed by the defendant, Paymaster (1836) Limited. These individuals alleged a violation of their privacy rights and the General Data Protection Regulation (GDPR) due to the defendant’s error in mailing pension benefit statements to outdated addresses. Each statement contained sensitive details, including dates of birth, salaries, pension entitlements, national insurance numbers, and years of service.
At the High Court level, Mr. Justice Nicklin dismissed most claims, retaining only 14. He reasoned that for a viable action in misuse of private information or data protection infringement, claimants must demonstrate a realistic chance that unauthorized parties accessed their data. Only those 14 could show their statements were opened and viewed. Furthermore, he determined that unopened mail did not constitute “processing” under data protection law. The claimants then appealed to the Court of Appeal.
The Court of Appeal
The Court of Appeal unanimously allowed the appeal, critiquing the High Court’s approach on several fronts. From my perspective as a practitioner, these findings provide much-needed clarity and could prevent overly restrictive interpretations that undermine GDPR’s protective intent. The court articulated three primary conclusions:
- Disclosure to third parties is not required for processing claims. The court rejected the notion that data must be accessed by outsiders to qualify as processed. Drawing on the GDPR’s broad definition of processing, which encompasses any operation or series of operations on personal data, including automated ones, the judges emphasized that the defendant’s actions, such as collecting, organizing, storing the data, printing statements, and enclosing them in envelopes, satisfied this criterion. This holding ensures that internal mishandling alone can ground a claim, a principle I have long advocated in client counseling.
- No threshold of seriousness applies to data protection claims. While English law recognizes such a threshold in misuse of private information cases (as affirmed in Prismall), the court declined to extend it to the distinct GDPR framework. Referencing consistent Court of Justice of the European Union (CJEU) jurisprudence, which imposes no such barrier, the decision notes that post-Brexit UK courts may consider EU rulings for their relevance. The judges distinguished this from Lloyd v Google, which interpreted the pre-GDPR Data Protection Act 1998, and clarified that compensation is available for objectively justified “fear of consequences” from an infringement, but not for mere speculative anxiety. In practice, this means claimants must substantiate their distress with evidence, a nuance that defendants can leverage in defenses.
- Class claims are not inherently abusive; individual assessments are needed. The defendant argued the claims were trivial or untenable, invoking the abuse of process doctrine from Jameel v Dow Jones Inc. to justify dismissal. However, the court ruled that abuse cannot be presumed across a group action. Instead, it remitted the matter to the High Court for case-by-case evaluation, promoting fairness while guarding against frivolous suits.
Consequently, the case returns to the High Court for fact-finding on breaches and damages assessment.
Implications for Future Data Protection Litigation
This ruling democratizes access to remedies under the GDPR, but it does not signal an unchecked flood of low-value claims. Organizations must now prioritize robust data governance to mitigate risks from even inadvertent errors. Here are the key takeaways for privacy practitioners and stakeholders:
- Enhanced claimant prospects: Without needing proof of external disclosure or a seriousness hurdle, more data mishandling incidents, such as mailing blunders or internal leaks, may proceed to trial. This could encourage group actions, particularly in sectors like finance and public services.
- Evidentiary burdens remain: Claimants must still prove non-speculative harm, such as verifiable anxiety or potential identity theft risks. Defendants can challenge weak evidence through summary judgment motions.
- Strategic litigation shifts: The distinction from misuse of private information claims persists, potentially routing more cases to data protection tracks. Low-value disputes may still land in small claims courts, limiting recoverable costs.
- Appeal potential: Given its far-reaching effects, I anticipate a Supreme Court challenge, which could refine or reverse these principles. Until resolved, parties should brace for uncertainty.
- Compliance recommendations: As I advise clients routinely, conduct regular data mapping audits, update addressing protocols, and train staff on GDPR obligations to avert such scenarios.
GDPR & The Farley Decision
The Farley decision underscores the GDPR’s role as a vigilant guardian of personal data, even in the absence of dramatic breaches. As a privacy lawyer you should be following closely on how this will affect your companies data handling practices. It’s yet another reason for businesses to elevate their data hygiene practices. While it may invite more litigation, it ultimately fosters accountability. Time will reveal whether this ushers in a more claimant-friendly era or if judicial safeguards temper the tide. For tailored advice on navigating these developments book a demo with one of our data privacy experts below.
