29 August 2025

In All Seriousness: UK Court Of Appeal (Re)Opens The Door For Data Breach Claims

Ropes & Gray LLP

Ropes & Gray is a preeminent global law firm with approximately 1,400 lawyers and legal professionals serving clients in major centers of business, finance, technology and government. The firm has offices in New York, Washington, D.C., Boston, Chicago, San Francisco, Silicon Valley, London, Hong Kong, Shanghai, Tokyo and Seoul.

Although they do not focus the minds of many organisations in the same way as multi-million euro enforcement actions, the importance of low-value, non-material damages claims under the GDPR has gathered steam since the European Court of Justice's 2023 decision in UI v Österreichische Post AG.

Following that decision, the ECJ issued half a dozen judgments on the same topic, which I have written about here and here. Those judgments collectively established the principles that (1) there is no minimum threshold of harm for the purposes of awarding compensation, but (2) a breach of the GDPR does not, by itself, confer a right of compensation, and (3) there must be a causal link between the processing of personal data and the alleged damage suffered.

Meeting the third limb of the test is often difficult in practice, and doubly so where a large number of individuals allege that they have experienced the same, or similar, damage. Still, national courts on both sides of the English Channel have awarded compensation to individuals who suffer non-material damage as a result of the processing of their personal data, albeit the English judiciary has generally been reluctant to find that low-level breaches which cause minimal distress (e.g., sending a misdirected email to a single individual) should give rise to compensation.

That may now start to change. Last week, the Court of Appeal issued a decision in Farley and others v Paymaster (1836) Ltd (trading as Equiniti) that both aligns with — and indeed relies on — the ECJ's case law on non-material damages and breathes new life into the idea that large-ish data protection damages claims, at least in principle, may be viable in the United Kingdom.

Farley dates to August 2019, when Equiniti, the pension scheme administrator of the Sussex Police, sent an annual pension letter to scheme members. An error in Equiniti's database meant that more than 750 of the statements — containing information about each recipient's age, home address, occupation, salary, pension and national insurance number — were posted to out-of-date residential addresses. Upon discovering the breach, Sussex Police notified the affected individuals and the Information Commissioner's Office, which concluded that no further action was required.

In April 2021, more than 450 current or former police officers brought a claim against Equiniti, seeking monetary damages for breaches of statutory duty under the UK GDPR and the Data Protection Act 2018 and/or misuse of private information. Each claimant complained of "anxiety, alarm, distress and embarrassment" due to the fact that their statement had, or may have, been opened and further claimed that there ought to be an inference that this likely had been done. Only 14 of the officers could provide evidence that their letter had been read by a third party — and only two of these officers were able to prove that the letter had been opened by somebody other than a colleague or family member.

In February 2024, the High Court struck out all claims other than those of the 14 officers who had a "real prospect" of demonstrating that their letter had been opened and read by a third party. Crucially, the High Court found that a fear or apprehension that their personal data may be misused by a third party was insufficient to entitle a claimant to compensation.

What Did The Court Decide?

In returning the issue of compensation to the High Court to determine, on a case-by-case basis, whether each claimant's fear of third-party misuse of their personal data (i.e., by opening the misdirected pension letter) was "well-founded", the Court of Appeal concluded that the claims as a group were not an abuse of process — although such a finding could subsequently be made in respect of individual cases. On the issue of awarding compensation to the claimants, the Court held that:

  • There is no minimum threshold of "seriousness" for bringing a claim. "There is no such threshold in EU data protection law," the Court held. "We are not bound to hold that such a threshold exists in domestic data protection law. Nor is there any other good reason to do so." That said, mere infringement of the UK GDPR will not be sufficient to confer a right to compensation; rather, some damage must be proved. Such proof could be established through a medical practitioner's report, although formal evidence is not always necessary. Indeed, earlier this year, the claimant in M.H. v Child and Family Agency, an Irish case, was awarded EUR 7,500 as a result of the disclosure of sensitive information that caused them significant distress but which the court did not require to be substantiated by medical evidence. The Irish Circuit Court in Kaminski v Ballymaguire Foods similarly did not require the claimant to provide medical evidence of the anxiety that he suffered as the result of a breach, finding that Kaminski was a "truthful and conscientious witness who did not exaggerate the effect of the data breach on him".
  • Fear arising from a data breach can be a sufficient harm. A claimant can in principle recover compensation for the fear of the consequences of a breach, provided that the alleged fear is objectively well-founded. As the Court puts it, "[p]roof that the [personal] data were disclosed is not an essential ingredient of an allegation of processing or infringement". That is to say, the pension statement did not have to be opened, so long as the fear of the consequences of it being, or having been, opened was not purely hypothetical or speculative.

What Does The Decision Mean?

The Court of Appeal's decision is unlikely to open the floodgates in the UK for low-value data protection claims. Indeed, despite the steady number of ECJ cases clarifying the parameters of the right to compensation for non-material damage under the GDPR, organisations on the continent are yet to see a wave of damages claims, whether on an individualised basis or through group actions.

That said, most organisations will have experienced data breaches that they — often rightly — consider to be low-risk, "near miss" events. Some of those organisations will also be familiar with the individuals who seek compensation for alleged distress suffered as a result of the organisation's non-compliance with (for example) the legal requirements around cookie placement and consent.

Farley doesn't make those individuals' lives easier, given the challenges that they will continue to face in establishing a causal link between the processing and the alleged harm and providing evidence of the distress or anxiety that they allegedly suffered. However, in the context of data breaches, where individuals may have stronger grounds to assert that the processing resulted in some form of psychological harm, organisations should be prepared for a greater number of those individuals to seek compensation in relation to that harm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
