England and Wales court of appeal lowers barrier for data protection claims

The Court of Appeal in England and Wales has ruled that people bringing data protection claims do not have to prove that their personal data was disclosed to a third party. The decision, handed down on 22 August 2025 in Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117, could make it easier for individuals to bring claims and more costly for organisations to defend them.

The case arose from misdirected letters containing personal data that were sent to the wrong addresses. At first instance, the High Court struck out most of the 474 claims on the basis that the claimants could not show the letters had been opened or read by anyone else. Only 14 claims survived, where there was some evidence of disclosure.

On appeal, 432 claimants challenged this reasoning. The Court of Appeal agreed, holding that proof of third-party disclosure is not a prerequisite to establish a breach of the General Data Protection Regulation (GDPR) or the UK Data Protection Act 2018. It was enough that the defendant had processed the data and misprocessed it by sending it to the wrong recipient.

The court also confirmed that there is no “de minimis” threshold for compensation under data protection law. However, claimants must still show that they suffered genuine non-material damage, such as anxiety or distress, and that this harm is objectively well-founded rather than hypothetical. This differs from claims based on misuse of private information, where different thresholds apply.

On the issue of abuse of process, the Court rejected the argument that the claims were too trivial to be heard collectively. It did, however, leave open the possibility that individual weak claims might still be struck out as an abuse of process under existing case law.

The ruling builds on previous decisions, including the Court of Justice of the EU’s judgment in UI v Österreichische Post AG (C-300/21), which held that there is no minimum threshold of harm required for data protection claims. Analysts note that this case shows that precedent remains influential in UK law despite Brexit.

In practice, the decision broadens the scope for claimants. Companies facing cyber incidents or misdirected communications may now find it harder to have claims dismissed at an early stage. Instead, they will have to contest them on more detailed grounds, raising the cost of litigation. While defendants may still seek to move claims to lower-cost forums such as the County Court’s small claims track, they may face increasing pressure to settle claims rather than fight them in full.

The ruling does not alter the rules on collective actions: representative actions in data protection cases in England and Wales must still be brought on an opt-in basis, following the Supreme Court’s earlier judgment in Lloyd v Google LLC [2021] UKSC 50.

Source: CMS