Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117—
No Need for Third-Party Disclosure; No “Seriousness” Threshold; Compensation for “Well-Founded Fear” under GDPR

1. Introduction

In August 2019 over 750 annual benefit statements (ABS) of Sussex Police officers were posted to out-of-date addresses by Equiniti, the scheme administrator. 432 officers who could not show that the mis-addressed envelopes were actually opened (the appellants) sued for damages under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), claiming emotional distress and, in some cases, psychiatric injury occasioned by fear of misuse of their personal data.

At first instance Nicklin J struck out every claim except 14, holding that disclosure to a third party was an essential ingredient of a viable data-protection or misuse-of-private-information claim. The officers appealed. The Court of Appeal (Sir Geoffrey Vos MR; Whipple LJ; King LJ) reversed most of the strike-outs and, in doing so, created three headline rulings:

1. A data-controller’s processing error alone can amount to an “infringement” of the GDPR even if no unauthorised person ever sees the data.
2. Article 82 GDPR does not impose a “threshold of seriousness”; any non-material damage is theoretically compensable, but the data subject must prove that the alleged harm (e.g. fear) was objectively well-founded.
3. Collective low-value claims are not automatically an abuse of process under the Jameel doctrine; proportionality should be achieved by case management rather than strike-out.

2. Summary of the Judgment

• Infringement: The judge erred in thinking that third-party access is a prerequisite to infringement. The respondent admitted “processing” (recording, storing, printing, posting) and that suffices.
• Compensation:
  • There is no EU or domestic “seriousness threshold”. “Distress” is not the sole head of recoverable non-material damage.
  • However, compensation for fear of future misuse is only available where that fear is well-founded. Each claimant must show objective reasonableness; purely speculative fears are irrecoverable.
  • 42 claimants alleging psychiatric injury stand or fall with the same “well-founded fear” test.
• Procedure: Global strike-out under Jameel is inappropriate; individual claims will be reviewed case-by-case on remittal.
• Disposal: Appeal allowed on infringement; respondent’s cross-appeal mostly dismissed. Part-heard issues remitted to the High Court for individual assessment and tailored case management.

3. Analysis

3.1 Precedents Cited and Their Influence

• EU (CJEU) decisions
  • UI v Österreichische Post (C-300/21) – established that Article 82 precludes national “de minimis” thresholds.
  • VB v Natsionalna agentsia za prihodite (C-340/21) – confirmed that fear of misuse can be “non-material damage” if well-founded.
  • BL v MediaMarktSaturn (C-687/21) – reinforced the “well-founded fear” test and dismissed compensation for “purely hypothetical” risks.
  • VX v Gemeinde Ummendorf (C-456/22) – repeated rejection of any seriousness threshold.
• Domestic appellate authority
  • Lloyd v Google [2021] UKSC 50 – no “loss-of-control” damages under DPA 1998; distinguished because GDPR text is broader and the case said nothing about seriousness thresholds.
  • Prismall v Google [2024] EWCA Civ 1516 – representative actions in misuse of private information (MPI); cited but not determinative.
  • Jameel v Dow Jones [2005] QB 946 – abuse-of-process framework; applied but found not to mandate strike-out.
  • Mueen-Uddin v Home Secretary [2024] UKSC 21 – clarified that Jameel is exceptional and not dictated by cost/quantum alone.
  • Campbell v MGN [2003] QB 633 – publication of hard-copy newspaper is still “processing”; used to support a wide definition of processing.
• First-instance cases (persuasive only) – Rolfe, Johnson, Driver etc. were held not to establish a binding seriousness threshold and pre-dated the decisive CJEU jurisprudence.

3.2 Legal Reasoning of the Court of Appeal

1. Processing without Disclosure
   Article 4(2) GDPR defines “processing” broadly (“any operation”). Printing and posting documents to a wrong address plainly fall within “collection, recording, organisation, structuring, storage, use”. Therefore an infringement can exist even if nobody outside the controller ever views the data.
2. Compensation Framework
   • Article 82(1): compensation for “material or non-material damage”.
   • s 168(1) DPA 2018 merely confirms that “distress” is included; it does not limit non-material damage to distress.
   • CJEU authority (post-IP Completion Day, but followed as persuasive) forbids a domestic seriousness threshold.
   • Nevertheless, the damage must be proved. “Fear” can qualify, but the fear must be objectively well-founded (per BL & VB). Purely speculative or hypothetical anxieties are non-recoverable.
3. Interaction with Jameel
   The Court stressed that strike-out for being “not worth the candle” is a last resort. Here, if even one claimant’s fear is well-founded, the claim is not pointless. Costs proportionality can be policed through allocation (likely the small-claims or fast track).
4. Remittal Directive
   Because the “well-founded fear” test is fact-sensitive, the Court remitted the respondent’s summary-judgment application so a first-instance judge can scrutinise each claimant’s individual schedule and medical evidence.

3.3 Anticipated Impact of the Judgment

• Wider Liability Exposure – Controllers can now be sued for mis-processing even without proof of disclosure. Merely sending data to the wrong recipient is potentially actionable.
• Damages Gate-Keeper – While removing the “seriousness threshold”, the Court installs a sturdier gate: claimants must demonstrate a reasonable (well-founded) fear or other concrete, non-material harm. Expect greater emphasis on early evidential vetting and targeted summary-judgment applications.
• Collective Redress – The decision signals that group, low-value data claims need not be strangled at birth; instead, granular case management (county-court transfer, sample trials, cost-capping) is preferred.
• Post-Brexit Alignment – Even though the CJEU line is only persuasive post-IP Completion Day, the Court of Appeal chose alignment for certainty. Divergence, if any, will be Parliamentary, not judicial.
• Misuse of Private Information (MPI) v GDPR – The Court underscores that the two regimes protect overlapping values but operate on distinct doctrinal tracks; MPI’s seriousness threshold does not migrate into GDPR jurisprudence.

4. Complex Concepts Simplified

• “Processing” – any operation carried out on personal data, from the moment it is collected or stored to the moment it is deleted. You do not need to show it was shared externally.
• “Non-material Damage” – intangible harm such as emotional distress, anxiety, or reputational impact. Post-Farley, any emotional reaction can in principle qualify, but only if an objective observer would consider the reaction reasonable in the circumstances.
• “Well-Founded Fear” – Anxieties that are supported by concrete facts (e.g. a known malicious neighbour received the letter) rather than abstract possibilities. The test is objective.
• “Seriousness Threshold” – A minimum intensity of harm which the court might require before awarding damages. The Court of Appeal, following the CJEU, says no threshold exists for GDPR claims.
• Jameel Abuse of Process – A claim is struck out where pursuing it would yield negligible benefit compared with the burden on the court and the defendant. Farley emphasises that the doctrine is sparingly applied and can often be avoided through efficient procedure.
• Post-Brexit Status of EU Case-Law – CJEU decisions made before “IP Completion Day” (31 Dec 2020) bind UK courts. Later decisions are persuasive but not binding. The Court chose to follow them for consistency.

5. Conclusion

Farley v Paymaster decisively clarifies three grey areas in UK data-protection litigation. First, it confirms that mis-processing alone suffices for an “infringement” claim. Second, it harmonises domestic law with modern CJEU authority by abolishing an implied seriousness threshold, while at the same time requiring claimants to establish a well-founded, objectively reasonable emotional reaction. Third, it reins in blanket use of the Jameel jurisdiction, signalling that proportionality concerns should be resolved by creative case management rather than wholesale strike-out.

Practitioners should expect more targeted scrutiny of evidence at an early stage (including medical and contextual facts) to test whether a claimant’s fears are rational. Controllers need to appreciate that even “near-miss” breaches—those in which the data never reaches a third party—can now expose them to liability, albeit typically modest in amount. The decision leaves the quantum of such damages for future authority, but the doctrinal landscape is now considerably clearer.