Michael Farley & Anor v Paymaster (1836) Limited (trading as Equiniti)
[2025] EWCA Civ 1117
Case details
Case summary
The Court of Appeal allowed the appellants' challenge to the judge's decision to strike out most data protection claims on the basis that proof of disclosure to a third party was an essential element of an actionable infringement. The court held that "processing" under the GDPR/DPA is of broad scope and does not require third‑party disclosure, and that proof of disclosure was not necessary to plead an infringement of Articles 5, 24, 25 or 32 (or Article 82 in relation to compensation). The court rejected the existence of a domestic threshold of seriousness for GDPR non‑material damage, emphasising CJEU authority that no de minimis requirement should be imposed. It held that compensation for fear of misuse is in principle available but only where that fear is objectively well founded; the court remitted the factual assessment of which individual claims meet that test to the High Court. The court also held that the Jameel abuse jurisdiction did not permit wholesale summary dismissal of the class of claims, although individual claims may be abusive on their facts.
Case abstract
Background and parties:
- The appellants are members of a pension scheme administered by the respondent Equiniti. In August 2019 annual benefit statements were mailed in window envelopes to a substantial number of out‑of‑date addresses because the respondent's system used previous addresses in error. Some statements were returned unopened, some were retrieved by intended recipients, and the fate of many remains unknown.
- The respondent accepted that there had been a data breach, which was notified to the Information Commissioner. The appellants (initially several hundred claimants across a collective claim) sought damages under the GDPR and the Data Protection Act 2018 and, originally, for misuse of private information.
- The Information Commissioner intervened in the appeal.
Nature of the claim / relief sought:
- The claimants sought compensation for non‑material damage (distress, anxiety, alarm and embarrassment) arising from the respondent's alleged breaches of data protection obligations (including Articles 5, 24, 25 and 32 of the GDPR) and for aggravation of pre‑existing medical conditions in some cases.
Procedural posture:
- At first instance Nicklin J struck out all but 14 of the claims on the basis that claimants could not show their statements were opened and read and that, absent such disclosure, there was no "misuse" or actionable processing.
- The appellants appealed. The respondent sought permission in this court to advance alternative grounds for dismissal; permission was granted.
Issues framed:
- Whether the appellants had pleaded a reasonable basis for alleging an infringement of the GDPR/DPA (the "infringement issue");
- Whether the appellants had pleaded a tenable claim for compensation under Article 82 and the DPA, including whether a claim based on fear of third‑party misuse could succeed (the "compensation issue");
- Whether the claims were nonetheless an abuse of process under the Jameel principle (the "Jameel issue").
Court's reasoning and conclusions:
- Processing/infringement: the court held that the definition of "processing" in Article 4(2) GDPR (and the corresponding DPA provisions) is broad and covers the recording, organising, storing, printing and posting of the annual benefit statements (ABS). The judge was wrong to make proof of third‑party disclosure an essential element of an actionable GDPR infringement.
- Compensation: Article 82 provides a right to compensation for material or non‑material damage; section 168(1) DPA confirms that "non‑material damage" includes distress but does not limit the concept. The Court of Appeal followed CJEU authority that domestic courts may not impose a de minimis requirement or threshold of seriousness for recovery under Article 82. However, the CJEU jurisprudence requires that a claimant relying on fear of misuse must show that the fear was objectively well founded; a purely hypothetical risk is insufficient.
- Application to these claims: the court held that the judge could not properly strike out the claims wholesale. The viability of each claim based on fear must be assessed case by case. The court declined to perform that extensive factual assessment itself and remitted the matter to the High Court to determine which individual claims (if any) disclose a well‑founded fear and are therefore capable of success; consequential psychiatric claims depend on that threshold finding.
- Jameel: the court concluded that the Jameel abuse jurisdiction did not justify bypassing a case‑by‑case factual assessment; the class cannot be characterised as abusive as a whole, though individual claims may be abusive depending on their facts and litigation conduct.
Cited cases
- Prismall v Google UK Ltd & Ors (appeal), [2024] EWCA Civ 1516 negative
- Mueen-Uddin v Secretary of State for the Home Department, [2024] UKSC 21 neutral
- Lloyd v Google LLC, [2021] UKSC 50 negative
- Three Rivers District Council v. Governor and Company of The Bank of England, [2001] UKHL 16 neutral
- Campbell v Mirror Group Newspapers Ltd, [2002] EWCA Civ 1373 positive
- Jameel (Yousef) v Dow Jones & Co Inc, [2005] EWCA Civ 75 neutral
- UI v Österreichische Post AG, Case C-300/21 positive
- Data Protection Commissioner v Facebook Ireland Ltd, Case C-311/18 positive
- VB v Natsionalna agentsia za prihodite, Case C-340/21 positive
- VX v Gemeinde Ummendorf, Case C-456/22 positive
- BL v MediaMarktSaturn Hagen-Iserlohn GmbH, Case C-687/21 positive
- Endemol Shine Finland Oy, Case C-740/22 positive
Legislation cited
- Data Protection Act 2018: Part 2
- Data Protection Act 2018: Section 168(1)
- Data Protection Act 2018: section 3(2) and (3)
- Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019: Regulation SI 2019/419
- European Union (Withdrawal) Act 2018: Section 2
- European Union (Withdrawal) Act 2018: Section 3
- European Union (Withdrawal) Act 2018: Section 6
- General Data Protection Regulation: Regulation N/A – GDPR