The Court of Appeal recently handed down a judgment that has changed what were, until recently, considered to be settled principles regarding damages claims under the General Data Protection Regulation (GDPR) in the case of Farley and others v Paymaster (1836) Ltd (trading as Equiniti) [2025] EWCA Civ 1117.
The previous test
Since the judgment in Lloyd v Google LLC [2021] uksc 50, there are two key principles which have found acceptance generally and these have been repeatedly upheld. The first of these is that compensation can be awarded if a subject can prove that they have suffered distress, but not for something less such as mere upset or inconvenience. The second is that before any harm can be compensated, it must cross a threshold of seriousness.
So what did findings in Farley do?
In short, Farley rejected both arguments and the court stated that Parliament, through section 168(1) of the Data Protection Act 2018, made it clear that non-material harm includes distress and confirms that people have a broad right to claim compensation. Critics to the finding state that section 168 was intended to set a limit on what counts as harm, not to open the door to a far greater volume of claims.
The court also stated that the word “distress” isn’t usually used to separate different types or levels of emotional harm, even though the Supreme Court in Lloyd did make that distinction. The court relied on wording from the GDPR to back up its position, but seemed to gloss over the fact that, in practice, the GDPR stresses that non-material damage should involve a “significant economic or social disadvantage”.
The court’s decision dismisses the idea of a minimum threshold of seriousness to the contravention itself and not to the level of harm suffered. This interpretation of the findings in Lloyd hasn’t been put forward before and feels strained at times. This could possibly have been found because the court wanted to support its main conclusion: that the European Court of Justice has ruled there should be no minimum threshold for harm in the case of UI v Österreichische Post AG, and the UK should follow that approach.
The only limit held to apply to harm claims is that the negative emotion must be “objectively well-founded”. The court stated that this means a fear or concern that is “more than purely hypothetical or speculative”. The challenge for defendants to these types of claim going forward will be showing that any concern is ill-founded, especially in the early days following a data breach when uncertainty surrounds the incident and things can seem worse than they turn out to be.
Final thoughts
As a result of the change in stance of the courts following Farley, parties to a data breach claim will find themselves with new challenges to face. In addition to the challenges around which negative emotions amount to non-material harm, and whether those emotions are well-founded, it seems likely that there will now be more attention on whether the controller’s actions when breaching the GDPR reach the minimum threshold of seriousness that applies for a violation.
How can we help?
Giacomo Ciccognani is a solicitor in our expert Dispute Resolution team.
If you have concerns about the above subject, please contact Giacomo or a member of our expert team in Derby, Leicester, or Nottingham on 0808 239 3916 or via our online enquiry form.
Contact us