7 October 2025
Share Print

The Court of Appeal has lowered the bar for Claimants in the UK to pursue Data Breach Litigation

To The Point
(5 min read)

All organisations should take note of a recent judgment, explained in this briefing, which found in principle (and subject to proof of damage being suffered by the claimant on a case by case basis) that in data breach litigation, claimants can be compensated where the relevant data has not been disclosed or accessed by a third party, where there is a fear of the consequences of the breach (if the alleged fear is objectively well-founded, but not if the fear is hypothetical or speculative), and there is no minimum threshold of seriousness or triviality in data protection claims.

What happened?

The Court of Appeal has lowered the bar for claimants in the UK to pursue data breach litigation. Whilst all material and non-material damage must be proven on a case by case basis, in principle: organisations can face liability for compensation where data is not disclosed to or accessed by third parties; a claimant can recover compensation for fear of the consequences of the breach, if the alleged fear is objectively well-founded but not if the fear is hypothetical or speculative; and there is no de minimis threshold of seriousness or triviality in data protection claims. This heightens the importance of accuracy in processing systems, prompt remediation of errors, and proactive engagement with affected individuals to minimise both claims and regulatory scrutiny. 

The relevant claims, which were the subject of the appeal, have been remitted back to the High Court for assessment on a case-by-case basis. Subject to an appeal to the Supreme Court, the judgment will likely lead to more individual and group claims being issued, but it remains an open question whether it will result in more successful claims and compensation. 

Practical points
The incident
The claims
First instance decision
Appeal

Decision

The Court of Appeal found that the judge at first instance had erred in striking out the data protection claims on the basis provided. It held that each of the appellants had pleaded a reasonable basis for alleging that the respondent’s mistake constituted an infringement of the GDPR. Importantly, the Court clarified that proof of data disclosure was not an essential element of alleging processing or infringement under the GDPR.

On the issue of compensation for non-material damage, the Court of Appeal made several significant findings. It determined that "distress" is an umbrella term that encompasses various forms of emotional harm, including stress and anxiety, and that such harm is recoverable in principle. The Court also rejected the imposition of a threshold of seriousness for data protection claims, noting that no such threshold exists under EU law. The Court acknowledged that a threshold of seriousness applies in the context of the law of misuse of private information.

The Court of Appeal further held that compensation could be recovered for fear of the consequences of a data protection infringement, provided that the fear is objectively well-founded. Speculative or hypothetical fears would not qualify. The Court relied on jurisprudence from the Court of Justice of the European Union (CJEU). The appellants’ pleaded cases could not be dismissed as incredible, out of scope, or below a threshold of seriousness. However, the Court emphasised that the reasonableness of the fear must be assessed objectively, based on the facts and circumstances known or that should have been known to the appellants at the time they experienced the fear. It also noted that a person can hold well-founded fears about future harm even if no harm ultimately materialises.

The Court of Appeal made it clear that each appellant must plead and prove a reasonable basis for fearing that their ABS had been or would be opened and read by third parties, and that this would result in identity theft or other feared consequences. Without such proof, the claims could not succeed. In cases where the appellants’ fears were objectively well-founded, compensation for any consequential psychological harm, such as mental health impacts, would be recoverable. However, if the fears were not well-founded, the claims would fail entirely.

The Court of Appeal also addressed claims for annoyance or irritation caused by the fear of third-party misuse. It held that such claims are tenable if the fear is well-founded, but claims for annoyance or irritation stemming from other causes could not be maintained. It noted that many of the complaints of annoyance or irritation appeared to arise from other factors unrelated to the fear of third-party misuse. The Court rejected the argument that the claims as a class could be categorised as Jameel abuse. However, it left open the possibility that individual cases could be found to be abusive. The Court remitted the issue of whether the appellants’ fears were well-founded to the High Court (or County Court) for determination on a case-by-case basis. 

To the Point 


Subscribe for legal insights, industry updates, events and webinars to your inbox

Sign up now