Court of Appeal removes key hurdle for data protection claimants
Summary
On 22 August 2025, the Court of Appeal handed down a judgment in Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 that potentially lowers the bar to claimants making data protection claims. The costs of defending such claims are likely to increase and organisations and cyber insurers should take appropriate precautions to help minimise risk.
Background
The case related to letters containing personal data that were misdirected to the wrong addresses. The claim at first instance was a collective action made up of 474 individual claims. The claimants sought compensation for injury to feelings and, for some, psychiatric injury, suffered due to alleged fear of the misdirected personal data being misused by third parties.
The High Court struck out all but 14 of these 474 claims on the basis that the claimants could not show an arguable case that the misdirected letters had been opened and read (i.e., that their personal data had been disclosed to a third party).
This decision was made on the basis that third party disclosure was an essential prerequisite to making such a claim because damage could not otherwise be established, as the defendant had argued. The 14 exceptions were for cases in which the claimants could make an arguable case that their personal information had been read.
The appeal
432 claimants appealed the decision on the basis that the High Court had been wrong to treat disclosure of their personal data as an essential component of a viable data protection claim. They did not dispute that they had been unable to establish that their personal data had been read.
The Court of Appeal allowed the appeal and considered three primary issues. These were:
- Infringement
The Court held that proof that personal data had been disclosed to a third party was not an essential component of a data protection claim. The mere facts that the defendant (a) had been processing the claimants’ personal data and (b) had misprocessed it in the course of doing so were sufficient to establish an infringement of the provisions of the General Data Protection Regulation (“GDPR”) and to seek damages.
- Compensation
The Court held that whilst damage is required for there to be a claim, there is no seriousness or de minimis threshold for compensation in data protection claims under the GDPR or the Data Protection Act 2018. However, a claimant still needs to provide proof of non-material damage and that any non-material damage is objectively well-founded. For example, anxiety or fear that personal data may be misused must be well-founded and cannot be purely hypothetical or speculative. This would also apply to claims for the exacerbation of a psychiatric injury or condition.
Note, this does not apply in misuse of private information cases.
- Abuse of process
The Court held that the claims were not so trivial that they could be said to amount to an abuse of process as a class. However, the question of whether a weak, individual claim might amount to an abuse of process as in Jameel (Yousef) v Dow Jones & Co. Inc [2005] EWCA Civ 75 has been left open.
What has changed
No disclosure
Whilst it will still be necessary to establish that there was a breach of the GDPR (e.g. failure to implement appropriate technical and organisational measures) in order to pursue a claim, claimants do not need to prove that their personal data was disclosed to a third party to establish a cause of action.
This potentially lowers the bar to making a claim and means that claimants may be able to bring claims in circumstances where there is no evidence of misuse of their personal data. Defendants will find it harder to strike claims out at the outset on this basis.
Evidencing damage
Claimants will need to establish that they suffered non-material damage and that this was objectively well-founded. This is likely to become claimants’ biggest early hurdle to making a successful claim. It could be very case specific and may limit claimants’ prospects of success if claims are not settled on commercial grounds before being tested.
Responding to this kind of claim and evidence will be fact specific. However, it may be more challenging for defendants in some cases, especially in respect of cyber breaches and particularly where data is confirmed to have been exfiltrated. It may be less so in lower risk circumstances (e.g., if post has been misdirected, like in this case) on the basis that it may be harder for claimants to argue that their distress is well-founded.
Trivial claims and abuse of process
The costs of defending personal data claims are generally high compared to the compensation sought by claimants. It may be possible for defendants to rely on this to help strike out a weak, individual claim on the basis that it is an abuse of process.
However, the judgment indicates that defendants may face difficulties when attempting to strike out claims of this type on proportionality grounds when such claims are brought as a class. This appears to set a difficult precedent, not least because incidents like cyber breaches often affect the personal data of whole classes of people.
Even where it may be possible to strike multiple claims out en masse, each instance of alleged abuse would likely need to be assessed and addressed on an individual basis to do so.
The primary alternative to strike out, which the Court did explicitly leave the door open to, is that claims could be moved to more proportionate forums, like the County Court small claims track.
It is noteworthy that the Court did not take the opportunity to depart from the CJEU’s ruling in UI v Österreichische Post AG (C-300/21) that there is not a de minimis threshold to making data protection claims in terms of non-material damage. This tends to indicate that the decision in UI was a directional shift rather than an anomaly.
What the changes mean in practice
The changes potentially make it easier for claimants to make data protection claims and harder for defendants to defend them cost effectively. This is because:
- The scope to make claims is now broader.
- Defendants cannot now hope to strike as many claims out in the very early stages on the basis of proportionality (although they may be able to push claims towards the small claims track).
- Defendants will now need to challenge claimants on much more cost-intensive grounds (e.g., the detailed merits of individual claims and classes of individual claims), which is likely to make settling claims much more economical as a general rule.
Note, the mechanism for bringing representative actions has not changed because of this decision. These actions must still be brought on an opt-in basis. The case has not revived opt-out claims following the decision in Lloyd v Google LLC [2021] UKSC 50.
How CMS can help
CMS’s expert lawyers are on hand to help advise organisations on all cyber risk issues or respond to claims.
CMS also offers a market leading 24/7/365 Emergency Response Support Line that can help organisations respond to a cyber incident. This is a blended service through which CMS can both coordinate your organisation’s response to a cyber incident and provide the necessary legal advice.