Court of Appeal’s ruling on strengthened data privacy rights
Farley v paymaster – How the Court of Appeal Enhances Data Subjects’ Compensation Claims
Farley v Paymaster – Court of Appeal Boosts Data Subjects’ Rights to Compensation for Non-Material Harm
Senior Privacy Lawyer
The recent case of Michael Farley & Anor v Paymaster (1836) Limited (trading as “Equiniti”) [2025] EWCA Civ 1117 otherwise known as (Farley v Paymaster) has significantly strengthened the rights of data subjects when seeking compensation for non-material harm for infringement of data protection rights.
In August of 2019, Equiniti, the pension administrator for Sussex Police’s pension scheme sent annual benefit statements to members of the pension scheme. In excess of 750 of the annual benefit statements were sent out in windowed envelopes to out of date residential addresses of the members of the pension scheme. Sussex Police had provided Equiniti with the correct addresses but an error from Equiniti had led to the statements being sent to members’ old addresses.
The statements were headed “Private and Confidential”, had the pension scheme name on them and the incorrect postal addresses for the members. Underneath the subject line “Sussex Police Pension Annual Benefit Statement”, the statements included further personal information about members such as date of birth, national insurance numbers, the police service that members were part of, salary details and accrued and forecasted pension benefits. The details that were visible through the envelope window were “Private and Confidential”, the name of the member and a postal address. The outside of each envelope had a return to sender address on them.
In September 2019 the mistake with respect to the incorrect address being used by Equiniti became apparent, 102 statements were sent back to Equiniti in unopened envelopes with 60 members also obtaining the statements themselves.
Sussex Police informed affected members of the breach and whether the statements were sent back to Sussex Police or Equiniti. Sussex police stated that “the risk of harm arising from the breach is assessed as low” but provided advice on protective measures that affected members could take and informed members that the matter had been reported to the Information Commissioner’s Office (“ICO”). Equiniti also sent out letters apologising for the breach and issued replacement statements.
The affected Police officers issued a letter of claim to Equiniti with a schedule of damages covering misuse of private information and for infringement of data protection rights. On 22 April 2021 a claim form was issued on behalf of 474 current and former Police officers to Equiniti. The claimants sought damages for misuse of private information and breach of statutory duties under the GDPR and Data Protection Act 2018 for failing to keep the personal data of the claimants secure by posting such information to incorrect addresses.
Among other things, the claimants claimed “anxiety, alarm, distress and embarrassment” due to the fact that personal data “had passed and/or may have passed into the hands of unknown third parties”, it was submitted that Equiniti was liable for compensation for “moral and/or non material damage”. It was also claimed that in some instances that “certain number of the claimants have suffered an aggravation of pre-existing medical conditions”.
In response, Equiniti made an application to the High Court to strike out all of the claims. The court struck out all but 14 of the claimants’ claims. The High Court held that to claim misuse of private information and/or the claimants’ data protection rights, a claimant must show that the statements were opened and read by third parties. Where claimants could not show this, then there was no processing of the personal data. The claimants appealed the High Court decision to the Court of Appeal.
Court of Appeal
The Court of Appeal allowed the claimants’ appeal and reversed the High Court’s decision which had stuck out the claimants’ claims. The case has been sent back to the High Court to determine if breach of claimants’ data protection rights occurred.
The Court of Appeal also held that:
- The sending of the claimants’ statements to the incorrect addresses was processing. This meant that irrespective of whether the envelopes containing the annual pension statements were opened and disclosed to a third party or not, the claimants still had a right to pursue a claim for breach of data protection law. Equiniti had printed the statements, placed them in envelopes and thus processed the personal data of the claimants.
- EU and UK GDPR had a common origin and therefore it would be sensible to follow EU’s case law in relation to interpretation of Article 82 of UK GDPR. The Court of Appeal followed the CJEU decision in UI v Osterreichische Post AG Case C-300/21 which held that there was no minimum threshold of seriousness test to bring a claim under the GDPR. The claimants simply having a fear of losing control of their personal data would be sufficient, if this was objectively founded.
- Section 168 (1) of the Data Protection Act 2018 states that distress is included under Article 82 of GDPR, Parliament’s intention was to have a broad interpretation of non material damages under GDPR. Damages for emotional responses to data breaches can be recovered under UK GDPR and the Data Protection Act 2018.
Key conclusions
The case is a reminder of the importance of the need to have rigorous technical and operational measures in place to prevent data breaches.
It is strongly recommended that businesses audit their data protection processes, conduct data protection staff training and put in place strict guard rails around the processing of personal data.
The Court of Appeal in following CJEU’s jurisprudence especially has further strengthened data subject rights given that there is no minimum threshold of seriousness to bring a claim under UK data protection laws.
Appeal to Supreme Court
Equiniti has now sought to appeal the Court of Appeal’s decision to the Supreme Court. Given its importance, WDPS will be keeping a close eye on the Supreme Court case.
WDPS has helped clients to enforce their rights to rectify erroneous personal data so as to ensure that their personal data is accurate.
Need help correcting inaccurate data?
If you have any questions about your own data or assistance with correcting inaccurate personal data please send us an email call us on +44 (0)79769 39016
(9.00am – 6pm)
Westbrook Data protection Services Limited
2nd Floor, Midas House, 62 Goldsworth Road
Woking, Surrey, GU21 6LQ
Frequently Asked Questions
What was the significance of the Court of Appeal’s decision in the case of Michael Farley & Anor v Paymaster?
The Court of Appeal strengthened data subjects’ rights to seek compensation for non-material harm caused by data protection infringements, even if their personal data was not opened or read by third parties.
How did the Court of Appeal reinterpret the process of data protection violations in the case involving Equiniti?
The Court of Appeal ruled that sending personal data to the wrong addresses constitutes processing under GDPR, granting victims the right to claim damages regardless of whether the data was accessed by third parties.
What are the implications of the Court of Appeal’s ruling for businesses handling personal data?
Businesses must ensure rigorous technical and operational measures are in place to prevent data breaches, and they should regularly review and improve their data protection processes to avoid liabilities.
Can emotional distress caused by data breaches lead to damages under UK law?
Yes, damages for emotional distress or non-material harm are recognized under UK GDPR and the Data Protection Act 2018, and these can be claimed even if the data was not opened or read by third parties.
What are the upcoming legal steps regarding the case of Equiniti after the Court of Appeal’s decision?
Equiniti has appealed the Court of Appeal’s decision to the Supreme Court, and WDPS is closely monitoring the case for further developments that could impact data protection rights.
