On 22 August 2025, the Court of Appeal handed down a landmark judgment in Farley & Ors v Paymaster (1836) Limited (trading as Equiniti). The case concerned a large-scale data breach in which over 750 annual pension benefit statements of Sussex Police officers were mistakenly sent to outdated addresses. More than 450 officers brought claims under the GDPR and Data Protection Act 2018, alleging distress, fear of misuse, and in some cases psychiatric injury.
The High Court had previously struck out most claims, holding that compensation was only available if the claimants could show that their data was actually accessed by unauthorised third parties, and that claims below a “threshold of seriousness” were not legally viable. Only 14 claims survived.
The Court of Appeal has now overturned that position, in a judgment with significant consequences for data protection litigation and organisational liability in the UK.
For organisations, the message is clear: even minor errors in handling personal data can now lead to liability. The ruling will likely fuel a rise in collective actions and reshape the litigation landscape for data protection in the UK. Businesses must treat data accuracy and security not just as compliance obligations, but as core risk management priorities.
Key findings by the Court of Appeal
Unlawful “processing” is enough — disclosure is not required
The High Court treated disclosure to a third party as a necessary condition for a data protection claim. The Court of Appeal disagreed, holding that “processing” under the GDPR is defined broadly and includes storing, altering, and sending data to the wrong address . Whether or not a third party actually opened the envelope was irrelevant, the unlawful processing itself was a breach.
This aligns UK law more closely with the CJEU’s interpretation of “processing”, which stresses its broad scope and does not require disclosure to complete the wrong.
There is no “threshold of seriousness” under GDPR
The Court of Appeal ruled that there is no minimum level of harm that must be crossed before compensation can be awarded. The High Court’s reliance on the “threshold of seriousness” test (drawn from Lloyd v Google) was misplaced.
Instead, the Court of Appeal followed recent CJEU decisions (Austria Post, VB v Bulgarian Revenue Agency, BL v MediaMarkt) which held that Article 82 GDPR precludes domestic courts from imposing such a threshold. A claimant must show actual damage, but that damage does not need to be “serious” to be compensable.
This also aligns with a case from Germany in 2024, that a mere loss of control over personal data can constitute non-material damage under Article 82 of GDPR.
Compensation for “fear of misuse” is possible
The Court held that fear of misuse of personal data can qualify as “non-material damage”, provided that fear is objectively well-founded. This expands the recognised scope of compensable harms beyond distress alone.
For example, police officers who feared that criminals might access sensitive pension and employment details could claim compensation, even if there was no evidence that the envelopes had been opened .
Low-value claims are not inherently abusive
The High Court had dismissed large numbers of claims as abusive because their value was too low. The Court of Appeal firmly rejected this, holding that modest claims should be managed proportionately (e.g., small claims track allocation) rather than struck out wholesale. Abuse must be assessed individually, not in bulk.
Why this ruling matters for UK data protection
Stronger rights for claimants
This decision lowers the bar for data breach victims. Claimants no longer need to prove actual access by unauthorised parties, nor that their distress crosses a judicially imposed “seriousness” threshold. Fear of misuse, if genuine and reasonable, is compensable. This makes claims more accessible, particularly in large-scale breaches where proof of access is often impossible.
Increased liability for organisations
Data controllers and processors now face greater litigation exposure. Even technical errors like outdated addresses or system flaws may lead to compensable harm. Organisations cannot rely on the argument that “no one actually saw the data” as a defence.
Firms must therefore strengthen data accuracy, system integrity, and breach response protocols, as even low-level mistakes may lead to liability.
Tension with Lloyd v Google
The ruling creates apparent friction with the Supreme Court’s 2021 decision in Lloyd v Google, which had emphasised seriousness and rejected “loss of control” damages. The Court of Appeal distinguished Lloyd as being about the Data Protection Act 1998 and representative actions, but the tension remains. Unless the Supreme Court revisits the issue, uncertainty could persist.
Case management pressures
The judgment recognises the risk of courts being flooded with low-value claims but insists that proportionality should be managed procedurally, not by striking out claims in bulk. This will likely accelerate the trend towards data breach group claims and raise questions about how courts handle hundreds or thousands of modest claims.
Practical takeaways for organisations following Farley
Review address and contact data integrity: As seen in this case, technical database errors can create significant liability. Regular audits and updates are essential.
Enhance breach notification protocols: Fear of misuse must be “objectively well-founded” meaning poor communication or vague reassurances can worsen organisational exposure.
Expect more claims: Law firms may be emboldened to bring mass actions for even minor breaches. Insurers and in-house legal teams should reassess exposure.
Don’t dismiss low-value incidents: Even if individual claims are worth £250–£1,000, collective actions can escalate costs and reputational risks dramatically.
