The English Court of Appeal has handed down an important judgment in Farley v. Paymaster (Equiniti) [1] on when compensation may be claimed for nonmaterial damage (such as distress or anxiety) arising out of breaches of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

The case arose from misaddressed annual pension benefit statements sent to current and former Sussex police officers. The High Court had previously struck out the claims on the basis that there was no evidence that the statements were ever opened or read by third parties. The Court of Appeal confirmed both that disclosure was not essential for a GDPR infringement, and that claimants could recover compensation for fear of the consequences of an infringement if that fear was objectively well-founded, rather than hypothetical or speculative.

Note: The breach occurred in 2019, before the end of the Brexit transition period (31 December 2020). At that time, the European Union GDPR applied directly in the UK, so claims were assessed under the EU GDPR rather than the UK GDPR. However, the Court of Appeal noted that there are no material differences between the two regimes for these purposes.

Case background

In 2019, Equiniti, acting as administrator of the Sussex Police pension scheme, posted pension statements in window envelopes to more than 750 out-of-date residential addresses. The statements contained personal details, including dates of birth, national insurance numbers and information on salaries and accrued benefits. Sussex Police had provided Equiniti with up-to-date addresses which were uploaded to Equiniti’s database, but when the statements were produced, Equiniti’s system used the out-of-date addresses in error.

The Information Commissioner’s Office (ICO) was notified and concluded that the risk of individuals suffering significant consequences was unlikely. It took no enforcement action. 474 officers brought claims, seeking £1,250 each. They alleged:

  1. Breaches of statutory duties under the GDPR/DPA, focusing on data minimisation, accuracy, fairness, integrity and confidentiality (Article 5) and appropriate technical/organisational measures (Articles 24, 25 and 32).
  2. Misuse of private information, centred on “anxiety, alarm, distress and embarrassment” amounting to nonmaterial damage, with some claimants also alleging aggravation of preexisting medical conditions.

At first instance, the High Court struck out most claims on the basis that, unless a claimant could show that the statement was opened/read by a third party, there was no viable case, as there was no “processing” under the GDPR.

Court of Appeal decision

GDPR claim – Processing without disclosure

The Court of Appeal held that the judge was wrong to require the statements to have been opened/read by a third party. Mailing statements to the wrong addresses was itself “processing” under the GDPR, which covers any operation on personal data, not just disclosure. Equiniti’s database handling, printing and posting all fell within the definition of “processing”.

Compensation principles

  • No threshold of seriousness. The Court of Appeal confirmed that there is no “de minimis” threshold for compensation under Article 82 of the GDPR. Following EU case law on this topic (e.g., Austrian Post), compensation cannot be denied simply because harm is modest.
  • Distress not the only label. Nonmaterial damage is broader than “distress” alone. While Section 168 DPA makes clear that “non-material damage” under Article 82 GDPR includes distress, this is an umbrella term for various forms of emotional harm, including those listed in Recital 85 GDPR. Claims framed as “stress” or “anxiety” are not automatically out of scope.
  • Fear of misuse must be “well-founded”. Claims based on fear of identity theft or misuse can succeed, but only if fears are objectively reasonable in the circumstances. Purely speculative or hypothetical risks will not qualify.
  • Psychiatric injury. Where well-founded fears lead to recognisable psychiatric conditions, compensation is also recoverable in principle.

What this means for businesses

  • Misaddressing or misdirecting personal data is still “processing” under the GDPR and may be an infringement even if nobody opens or reads the communication.
  • Claims for fear/anxiety can proceed if objectively reasonable, with the “well-founded fear” test as the filter.
  • Organisations cannot argue that a breach is “too minor” to generate liability under the GDPR.
  • Where anxiety escalates into psychiatric injury, compensation may be recoverable (subject to the “well-founded fear” test).

Notification and litigation risk

A paradox highlighted by this case is that breach notification itself can create liabilities and generate claims. Informing individuals of a breach may give rise to anxiety, distress or other nonmaterial damage based on well-founded fears. In Farley, many officers said the notification letters triggered their concerns about identity theft or misuse.

Bottom line

The Court of Appeal did not decide whether these claims were successful; instead, it remitted them to the High Court for a detailed review. Some may ultimately fall away, and even successful claims are likely to result in modest awards.

However, Farley confirms that organisations may face litigation risk for data breaches even where disclosure never occurs and the alleged harm is modest. Businesses should maintain robust accuracy and security controls, consider their communications carefully when breaches arise and be prepared to defend claims based on well-founded fears.

[1] [2025] EWCA Civ 1117.

Authors

Ann Bevitt, Partner, London

Morgan McCormack, Associate, London

Posted by Georgia Grisaffe

All Posts