English Court of Appeal Rules on Compensation for Data Breaches cyberdataprivacy insights

pcyberdataprivacy insightsppLegal insight for market innovatorsppThe English Court of Appeal has handed down an important judgment in Farley v Paymaster Equiniti1 on when compensation may be claimed for nonmaterial damage such as distress or anxiety arising out of breaches of the General Data Protection Regulation GDPR and the Data Protection Act 2018 DPAppThe English Court of Appeal has handed down an important judgment in Farley v Paymaster Equiniti 1 on when compensation may be claimed for nonmaterial damage such as distress or anxiety arising out of breaches of the General Data Protection Regulation GDPR and the Data Protection Act 2018 DPAppThe case arose from misaddressed annual pension benefit statements sent to current and former Sussex police officers The High Court had previously struck out the claims on the basis that there was no evidence that the statements were ever opened or read by third parties The Court of Appeal confirmed both that disclosure was not essential for a GDPR infringement and that claimants could recover compensation for fear of the consequences of an infringement if that fear was objectively wellfounded rather than hypothetical or speculativeppNote The breach occurred in 2019 before the end of the Brexit transition period 31 December 2020 At that time the European Union GDPR applied directly in the UK so claims were assessed under the EU GDPR rather than the UK GDPR However the Court of Appeal noted that there are no material differences between the two regimes for these purposesppCase backgroundppIn 2019 Equiniti acting as administrator of the Sussex Police pension scheme posted pension statements in window envelopes to more than 750 outofdate residential addresses The statements contained personal details including dates of birth national insurance numbers and information on salaries and accrued benefits Sussex Police had provided Equiniti with uptodate addresses which were uploaded to Equinitis database but when the statements were produced Equinitis system used the outofdate addresses in errorppThe Information Commissioners Office ICO was notified and concluded that the risk of individuals suffering significant consequences was unlikely It took no enforcement action 474 officers brought claims seeking 1250 each They allegedppAt first instance the High Court struck out most claims on the basis that unless a claimant could show that the statement was openedread by a third party there was no viable case as there was no processing under the GDPRppCourt of Appeal decisionppGDPR claim Processing without disclosureppThe Court of Appeal held that the judge was wrong to require the statements to have been openedread by a third party Mailing statements to the wrong addresses was itself processing under the GDPR which covers any operation on personal data not just disclosure Equinitis database handling printing and posting all fell within the definition of processingppCompensation principlesppWhat this means for businessesppNotification and litigation riskppA paradox highlighted by this case is that breach notification itself can create liabilities and generate claims Informing individuals of a breach may give rise to anxiety distress or other nonmaterial damage based on wellfounded fears In Farley many officers said the notification letters triggered their concerns about identity theft or misuseppBottom lineppThe Court of Appeal did not decide whether these claims were successful instead it remitted them to the High Court for a detailed review Some may ultimately fall away and even successful claims are likely to result in modest awardsppHowever Farley confirms that organisations may face litigation risk for data breaches even where disclosure never occurs and the alleged harm is modest Businesses should maintain robust accuracy and security controls consider their communications carefully when breaches arise and be prepared to defend claims based on wellfounded fearspp1 2025 EWCA Civ 1117ppAuthorsppAnn Bevitt Partner LondonppMorgan McCormack Associate Londonpppppp1 844 476 1248
1 415 693 2888
44 0 20 7556 4567
email us
ppdownload vcard
ppCybersecurity Governance for Maturing Companies
ppVisit On the Record
Key insights on disputes and the issues that drive themppRead more about our leading global CyberDataPrivacy practiceppCooleycomppDisclaimerThis content is provided for general informational purposes only and your access or use of the content does not create an attorneyclient relationship between you or your organization and Cooley LLP Cooley UK LLP or any other affiliated practice or entity collectively referred to as Cooley By accessing this content you agree that the information provided does not constitute legal or other professional advice This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content This content may be changed without notice It is not guaranteed to be complete correct or up to date and it may not reflect the most current legal developments Prior results do not guarantee a similar outcome Do not send any confidential information to Cooley as we do not have any duty to keep any information you provide to us confidential When advising companies our attorneyclient relationship is with the company not with any individual This content may have been generated with the assistance of artificial intelligence Al in accordance with our Al Principles may be considered Attorney Advertising and is subject to our legal noticesp