No Seriousness Threshold For Data Protection Claims — But The Courts Will Reject Speculative Claims

The recent Court of Appeal decision in Farley v Paymaster (t/a Equiniti) has confirmed that there is no seriousness threshold for harm to qualify for compensation in data protection claims. This potentially makes it more difficult for defendants to dispose of low-value claims at an early stage. The decision should not, however, be seen as a gift to claimants: the courts will give short shrift to far-fetched claims of harm that are not "well-founded". Our briefing sets out 3 key takeaways for businesses.

Background

In 2019, Equiniti (the defendant) sent over 750 pension statements containing personal information to out-of-date addresses after a database error. Over 400 members of the Sussex Police pension scheme brought a collective action, seeking damages for injury to feelings and, in some cases, psychiatric injury, stemming from fears of third-party misuse of their personal data — even where there was no proof anyone actually opened and read the mail.

The Court of Appeal considered three key issues:

1 Could there be an infringement of data protection law if there was no proof of third-party access?

Yes.

The Court of Appeal found that the actual disclosure to a third party was not an "essential ingredient" of an allegation of processing or infringement. Sending data to the wrong address, even if you don't know if anyone accesses it, is still potentially unlawful "processing" under the GDPR.

Key takeaway #1

Businesses can be liable under data protection law for administrative errors that they may categorise as "near-misses", where no third party accesses the data. The position is different for claims based on the tort of misuse of private information which requires actual disclosure of private data to a third party to be actionable.

2 Is the harm allegedly suffered sufficiently serious to claim compensation?

In principle, yes.

The Court of Appeal concluded that, as matters of principle, compensation for emotional responses other than distress can be recoverable and there is no minimum 'seriousness threshold' for non-material damage under the GDPR or the Data Protection Act 2018. However, there still needs to be proof of non-material damage. The Court emphasised that claimants can recover for fear or anxiety about possible misuse of their data, but only if those fears are well-founded.

The Court was unwilling to perform this detailed analysis itself due to the number of claims and left this question for determination by the High Court.

Key takeaway #2

Minor technical mistakes can land businesses in court and there is no 'de minimis' threshold for harm in data protection law. Compensation for fear or anxiety is possible provided the claimant has real, not merely hypothetical, grounds for their concerns given what was known at the time. The sensitivity of the data, risk of exposure, and the claimant's situation will be important factors to consider.

3 Will low-value claims be thrown out as an 'abuse of process'?

Not in this case.

The Court was asked to consider whether the claims amounted to "Jameel" abuse, which refers to the striking out of claims that, while technically viable, are so disproportionate in cost and effort to any possible benefit, that they are "pointless and wasteful" — or, as the judge put it in Jameel, "the game is not worth the candle".

The Court of Appeal emphasised:

• Each claim must be assessed individually, not struck out in bulk because of the aggregate cost or numbers.

• The minimal likely compensation for some claims did not render them abusive; low-value claims may be suitable for the County Court's Small Claims Track.

Key takeaway #3

The fact that claims are low value, and that there are many of them, does not in itself constitute an abuse of process. However, the Court has not closed the door on individual claims in this case being found to be an abuse of process.

What does this mean for data breach claims?

This case demonstrates that any mishandling of personal data can potentially give rise to claims, even following minor administrative errors — there is no need to show that a third party had actual access to the data. While there is no threshold of seriousness (unlike for misuse of private information claims), there is comfort for businesses in that the courts still require real harm that has been caused by the breach to be evidenced; claims based on vague or far-fetched worries will not be successful. However, Farley arguably makes it more difficult for businesses to dispose of trivial claims at an early stage, although it provides further support for those claims to be pushed down the Small Claims Track.

In terms of collective claims, it is clear from Farley that the mere fact that a large number of low-value claims are brought together does not make them automatically abusive or justify striking them out in bulk. That said, nothing in Farley reverses the fact that Lloyd v Google (see our briefing here), by bursting the bubble of opt-out representative actions, made mass data protection claims less attractive and more difficult to pursue in the UK.

Finally, in reaching the conclusion that there is no seriousness threshold, the Court of Appeal has chosen to follow the Court of Justice of the EU (CJEU) in the Austria Post case. There seems to be little judicial appetite for taking a different course from the CJEU in relation to data protection matters, despite the courts being at liberty to do so following Brexit.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.