Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117

31 August 2025

In Farley v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117, the Court of Appeal issued a judgment which has significant consequences for data protection and misuse of private information claims.

The Facts

The case arose after the Respondent sent pension statements to over 400 addresses which were out-of-date. The statements contained sensitive information, such as the addressee’s national insurance number. The documents also revealed the fact that each intended recipient was a police officer. Those affected brought a civil claim.

The High Court’s Judgment

Nicklin J struck out the vast majority of the claims (see [2024] EWHC 383 (KB)). He held that:

Where statements were returned unopened, there had been no “processing” of personal data under the GDPR/DPA 2018 – and thus no breach. Those cases were struck out.
Claims based on the inference that recipients must have opened envelopes marked “private and confidential” were too speculative. Nor were there reasonable prospects of showing the statements had actually been read (indeed the evidence suggested the reverse was true).
Claims could not be brought on the basis that the Claimant’s data had been put ‘in danger’ or was ‘at risk’. The court reasoned that the law of tort does not permit recovery of damages on the basis that a tort might have been committed. It held that “a near miss, even if it causes significant distress, is not sufficient” (see [145] of the High Court’s judgment). The same logic applied to the MOPI/ DPA 2018 claims. Claims which fell into those categories were also struck out.
Only 14 Claimants, who had proof their statements were opened, were allowed to proceed.

The Court of Appeal’s Judgement

The Appellants appealed to the Court of Appeal. They argued it was sufficient to plead they had suffered distress as a result of their data being sent to incorrect addresses – regardless of whether the private letters had actually been opened.

The Court of Appeal agreed with this argument and reversed the lower court’s ruling on that basis. It held:

Sending the Appellants’ data to the wrong address was ‘processing’ by itself and a sufficient foundation for a claim – regardless of whether the statements were, in fact, read.
Damages for emotional responses other than distress are recoverable under the GDPR/ DPA 2018. Section 168(1) of the DPA 2018 states that non-material damages “includes distress”, but does not limit the scope of that type of damage.
There is no ‘minimum level of seriousness’ which has to be reached before compensation can be awarded in a data protection claim. Although such a threshold does exist for misuse of private information claims, that in itself was not a reason to import a seriousness threshold into data claims.
Compensation for anxiety is recoverable only if the fear is objectively well-founded, not hypothetical. On the facts, the court doubted such fears could be substantiated, given the low likelihood that a malicious actor lived at the wrong address. The Court of Appeal directed the lower court to consider whether this test was met on the pleadings of each individual case.
Cases should not be struck out under Jameel v Dow Jones & Co Inc [2005] QB 946 simply because litigation costs might exceed the potential damages. Otherwise, even small but valid claims (such as recovering a £50 debt) would be excluded, which would undermine justice. Instead, when applying Jameel, courts must ask questions such as: (a) can the action achieve, to any significant extent, the objective of the litigation; (b) are the legal fees disproportionate; (c) can the court fashion an approach which is proportionate to the remedy sought. In the present case the High Court could reconsider that issue after it had undertaken the exercise set out in the proceeding paragraph (i.e. identifying whether the pleadings contain an objectively reasonable basis for fearing misuse of data).
Courts should generally interpret the GDPR in line with CJEU jurisprudence- even where that case law arises after 31 December 2020 (i.e. post-Brexit).