All organisations should take note of a recent judgment, explained in this briefing, which found in principle (and subject to proof of damage being suffered by the claimant on a case by case basis) that, in data breach litigation: claimants can be compensated where the relevant data has not been disclosed to or accessed by a third party; claimants can be compensated for fear of the consequences of the breach (if the alleged fear is objectively well-founded, but not if the fear is hypothetical or speculative); and there is no minimum threshold of seriousness or triviality in data protection claims.
What happened?
The Court of Appeal has lowered the bar for claimants in the UK to pursue data breach litigation. Whilst all material and non-material damage must be proven on a case by case basis, in principle: organisations can face liability for compensation where data is not disclosed to or accessed by third parties; a claimant can recover compensation for fear of the consequences of the breach, if the alleged fear is objectively well-founded but not if the fear is hypothetical or speculative; and there is no de minimis threshold of seriousness or triviality in data protection claims. This heightens the importance of accuracy in processing systems, prompt remediation of errors, and proactive engagement with affected individuals to minimise both claims and regulatory scrutiny.
The relevant claims, which were the subject of the appeal, have been remitted back to the High Court for assessment on a case-by-case basis. Subject to an appeal to the Supreme Court, the judgment will likely lead to more individual and group claims being issued, but it remains an open question whether it will result in more successful claims and compensation.
Practical points
1. Processing errors count: Even technical database or mailing errors can amount to unlawful “processing,” exposing organisations to liability for compensation.
2. The scope of compensation is broad: Distress, anxiety, and fear of potential misuse are all recoverable in principle, provided that the claims are well founded.
3. Third-party access is not essential: Data controllers cannot rely on the absence of proven disclosure to third parties to defend such claims.
4. Well-founded fears: Courts will scrutinise whether alleged fears of misuse are objectively reasonable, highlighting the importance of robust risk assessments and clear communications with affected individuals.
The incident
The appellants were members of Sussex Police’s pension scheme, administered by Equiniti. Their annual benefit statements (ABS) were mistakenly posted to out-of-date addresses. The ABS took the form of a letter, marked “Private and Confidential”, with the scheme member’s name and the postal address (Header). The body of the letter set out further personal information including date of birth, national insurance number, their police service details, salary details, and their accrued and forecast pension benefits. The ABS were sent in window envelopes, which showed the Header.
Over 750 ABS were posted to out-of-date addresses, due to a system error by Equiniti. When the mistake was discovered, Sussex Police notified impacted officers. Officers were offered the opportunity to sign up to a fraud protection service and 37 did so. The ICO was notified and concluded that no further action was required. Some 102 ABS were returned to Equiniti unopened. Some were forwarded unopened to the relevant officer. Around 60 officers were able to retrieve the ABS themselves. The majority of ABS were never recovered.
The claims
A claim form was issued on behalf of 474 current or former officers, seeking damages for breach of statutory duty under the GDPR (as the incident took place in 2019, before the UK GDPR replaced it in the UK) and the Data Protection Act 2018 (DPA) and/or misuse of private information. The generic data protection claims asserted that the respondent had acted in breach of its statutory duties as a data controller or alternatively as a data processor. There was a dispute as to which role Equiniti played, but it was common ground that the appeal was only concerned with the allegations of breach of duty as a data controller.
There were three generic allegations of damage: (i) being caused “anxiety, alarm, distress and embarrassment” by the fact that personal data has passed and/or may have passed into the hands of unknown third parties, giving rise to “moral and/or non-material damage”. The court was invited to infer that the envelope had been opened and its contents read unless the respondent could prove the contrary by providing an ABS that had been returned unopened; (ii) for “loss of control” over the content of the ABS and consequential distress; and (iii) aggravation of pre-existing medical conditions.
First instance decision
The Court struck out all but 14 of the claims, finding: (i) for a viable claim for misuse of private information, each claimant must show that they have a prospect of demonstrating that the ABS was opened and read by a third party. Without that, there would be no ‘misuse’; (ii) for those that eventually received the ABS unopened, an argument that it was opened and read by a third party was not sustainable; (iii) the law of tort did not generally allow recovery for the apprehension that a tort had been committed and so a claim advanced on the basis that, until returned, their personal data was “in danger” or “at risk” was rejected – a ‘near miss’ was not sufficient; and (iv) the claimants’ case in relation to data protection was essentially for unlawful processing by sending the ABS to the wrong address. If the ABS had not been opened or read by a third party, there had been no real ‘processing’. It was a ‘near miss’.
Accordingly, the Court found that (a) the claims in which the ABS was returned unopened failed to disclose reasonable grounds for bringing a claim for misuse of private information and/or data protection and were struck out; (b) the claims in which the ABS had not been safely returned and where the relevant claimant relied on an inferential case that the ABS was opened and read by a third party were struck out. That left 14 claims in which there was a real prospect of demonstrating that the ABS was opened and read by a third party, and these were not struck out. In only 14 of the 450 cases was there evidence that the ABS had been opened and in only 2 of those cases was there evidence that it was opened by someone other than a family member or colleague.
Appeal
The appellants were given permission to amend their claim: they abandoned their misuse of information claim and the allegation that personal data had actually passed into the hands of a third party. The claim was reduced to one that alleged that by processing their data in breach of statutory duty, Equiniti caused them to suffer “anxiety, alarm, distress and embarrassment” for fear that their personal data “may have” passed into the hands of unknown third parties, adding the words “and/or as a result of uncertainty as to what had become of their ABSs and who may have opened it, and/or by the fact that their personal data may be or may have been misused.” The single ground of appeal was that the judge erred in law by striking out the data protection claims.
There were therefore two generic claims: (i) the breaches complained of led each appellant to experience “anxiety, alarm, distress and embarrassment” at the possibility that their personal data may have come into the hands of third parties and been misused or exposed to the risk of misuse, pleaded as “non-material damage”; (ii) some of the appellants alleged that the breaches caused them to suffer an aggravation of a pre-existing medical condition. For this, general damages were claimed.
Decision
The Court of Appeal found that the judge at first instance had erred in striking out the data protection claims on the basis provided. It held that each of the appellants had pleaded a reasonable basis for alleging that the respondent’s mistake constituted an infringement of the GDPR. Importantly, the Court clarified that proof of data disclosure was not an essential element of alleging processing or infringement under the GDPR.
On the issue of compensation for non-material damage, the Court of Appeal made several significant findings. It determined that "distress" is an umbrella term that encompasses various forms of emotional harm, including stress and anxiety, and that such harm is recoverable in principle. The Court also rejected the imposition of a threshold of seriousness for data protection claims, noting that no such threshold exists under EU law. The Court acknowledged that a threshold of seriousness applies in the context of the law of misuse of private information.
The Court of Appeal further held that compensation could be recovered for fear of the consequences of a data protection infringement, provided that the fear is objectively well-founded. Speculative or hypothetical fears would not qualify. The Court relied on jurisprudence from the Court of Justice of the European Union (CJEU). The appellants’ pleaded cases could not be dismissed as incredible, out of scope, or below a threshold of seriousness. However, the Court emphasised that the reasonableness of the fear must be assessed objectively, based on the facts and circumstances known or that should have been known to the appellants at the time they experienced the fear. It also noted that a person can hold well-founded fears about future harm even if no harm ultimately materialises.
The Court of Appeal made it clear that each appellant must plead and prove a reasonable basis for fearing that their ABS had been or would be opened and read by third parties, and that this would result in identity theft or other feared consequences. Without such proof, the claims could not succeed. In cases where the appellants’ fears were objectively well-founded, compensation for any consequential psychological harm, such as mental health impacts, would be recoverable. However, if the fears were not well-founded, the claims would fail entirely.
The Court of Appeal also addressed claims for annoyance or irritation caused by the fear of third-party misuse. It held that such claims are tenable if the fear is well-founded, but claims for annoyance or irritation stemming from other causes could not be maintained. It noted that many of the complaints of annoyance or irritation appeared to arise from other factors unrelated to the fear of third-party misuse. The Court rejected the argument that the claims as a class could be categorised as Jameel abuse. However, it left open the possibility that individual cases could be found to be abusive. The Court remitted the issue of whether the appellants’ fears were well-founded to the High Court (or County Court) for determination on a case-by-case basis.