The Court of Appeal’s decision in this case has clarified and developed the legal framework for data protection claims in the UK. It’s findings could have far-reaching implications across many sectors.
Case background
Equiniti, acting as administrator of the Sussex Police pension scheme, mistakenly sent over 750 benefit statements to outdated addresses. These documents contained sensitive personal data. Despite there being limited evidence that the statements were accessed by unintended recipients, 474 officers brought claims for emotional distress and fear of misuse. At first instance, the High Court struck out most of the claims, applying the de minimis threshold reasoning that, without proof of third-party access, the harm was too minor to warrant compensation.
However, the Court of Appeal overturned this, on the basis that:
- Proof of third-party disclosure is not essential to establish a data protection infringement.
- There is no minimum threshold of seriousness required for compensation under Article 82 of the UK GDPR and section 168 of the Data Protection Act 2018 (albeit harm is still required). Notably, although the UK GDPR is derived from the EU GDPR (post Brexit), the principles relevant to compensation under Article 82 remain materially unchanged.
- Some form of harm must still be shown, and it must be objectively well-founded, for example, distress or anxiety must arise from real circumstances (e.g. a credible fear of misuse) and not merely hypothetical or speculative concerns.
Why this matters across sectors
Organisations across many industries, including credit reference agencies, healthcare providers, educational institutions, and financial services firms, routinely process large volumes of personal data. In many cases, individuals may share similar or identical identifiers, such as:
- Family members with the same name living at the same address.
- Multiple births (e.g. twins or triplets) with identical birth dates and similar names.
- Patients with similar demographic profiles in healthcare systems.
- Students with overlapping details in academic databases.
In such contexts, data mix-ups are not uncommon. For example, if one individual’s negative record is mistakenly attributed (linked) to another, such as in a credit check, medical history, or disciplinary file, the consequences can be serious. The issue can be considered on a more practical level, for instance, if one twin has a poor credit history and the other applies for a mortgage, incorrect data attribution can lead to rejection of the mortgage application. In these examples, mistaken attribution can cause distress, anxiety, and financial harm even if the data was not disclosed to a third party.
Under the Farley ruling, these types of errors, even if they don’t result in third-party disclosure, may give rise to compensation claims, provided the resulting harm is objectively well-founded and not merely speculative.
A notable shift from Lloyd v Google
The Farley decision marks a departure from the earlier Supreme Court ruling in this case, where the Court held that compensation required proof of material damage or distress and that loss of control alone was insufficient. In contrast, Farley confirms that no threshold of seriousness is required under the UK GDPR and DPA 2018, meaning even low-level, non-material harm such as distress or anxiety may be compensable, provided it is objectively well-founded.
This shift significantly broadens the scope for individuals to seek redress for data protection breaches, particularly in cases where the harm is real but not severe.
Key legal nuances to understand
- No automatic entitlement: A breach alone does not guarantee compensation. Claimants must still demonstrate actual harm, even if non-material.
- No de minimis rule: Courts can no longer dismiss claims solely because the harm appears trivial, but will assess whether the harm is credible and objectively reasonable.
- Well-founded fear matters: Compensation may be awarded for fear of misuse but only if that fear is objectively reasonable, not speculative.
- No need for third-party disclosure: The Court confirmed that a data protection infringement can occur even if personal data is not accessed or read by a third party. Misprocessing alone, such as sending data to the wrong address, can constitute a breach
What should organisations do now?
- Review data handling and matching processes to minimise the risk of misidentification and incorrect attributions, thereby limiting the risk of inadvertent mixing of data between individuals.
- Improve transparency and provide clear mechanisms for individuals to exercise their rights under the UK GDPR and DPA 2018, including in respect of rectification, erasure, and restriction of processing, and to correct inaccurate or incomplete personal data.
- Prepare for increased litigation risk by providing additional staff training, ensuring appropriate insurance coverage (including for claims involving emotional distress, anxiety, or financial harm,) and implementing robust internal processes for handling data subject rights requests under the UK GDPR and DPA 2018. Ensure such processes align with the organisation’s risk management policies or update such policies as appropriate.
- Review breach response processes to ensure timely and empathetic engagement with affected individuals and to ensure compliance with UK GDPR and DPA 2018.
Comment
The Farley decision represents a significant development for organisations that process data. With the removal of the de minimis threshold, even low-level errors such as incorrect attributions or inadvertent mixing of personal information can now lead to legitimate claims, provided the harm is real and objectively well-founded. Organisations should take proactive steps to promote data accuracy and minimise the risk of harm, not only to comply with the law, but to maintain trust, transparency, and accountability.
How can we help?
Cathy Clark is a Legal Director in our Dispute Resolution team, specialising in commercial agreements, including within the retail, technology, e-commerce, and data-oriented industries, data protection, contract interpretation, and disputes.
If you require further information on the subjects above, please do not hesitate to contact Cathy or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us