ALERTER
Court of Appeal confirms no de minimis principle applies in data protection claims: Farley v Paymaster Limited

Click here to download this Alerter by Hannah Curtain & Freya Foster.

The Court of Appeal has overturned the decision of Mr Justice Nicklin to strike out a group action brought by more than 400 individuals under GDPR and the Data Protection Act 2018.  The Court held that there is no minimum level or threshold of seriousness that has to be reached before compensation can be awarded in a data protection claim.  Although such a threshold does exist for misuse of private information claims, the Court concluded that was not a reason to import such a threshold into data protection claims.  This removes a hurdle for the claimants seeking to bring group claims for low value data breaches.

Oliver Campbell KC, instructed by KP Law, acted for the successful appellants.

BACKGROUND

The appellants/claimants were members of a pension scheme administered by the defendant/respondent, Paymaster (1863) Limited, on behalf of Sussex Police.  Paymaster erroneously sent annual benefit statements, containing personal data, to outdated addresses in late August 2019.  The appellants were members of the scheme and were notified of the breach, which was reported to the Information Commissioner’s Office (ICO) in early October 2019 (at [9]).  No further action was taken by the ICO (at [10]).

The appellants instructed solicitors to bring claims under the Data Protection Act 2018 (DPA 2018).  All claimants sought compensation for “anxiety, alarm, distress and embarrassment” and certain claimants also advanced personal injury claims, alleging that pre-existing medical conditions had been aggravated (at [15]).  The appellants also produced individual schedules to provide further information as to their claims (at [16]).

The respondents brought an application seeking to strike out the claims and/or summary judgment on the grounds that the claimants had not suffered damage or distress above a de minimis level (the de minimis principle), and that the claims constituted an abuse of process according to the principles established in the defamation case Jameel v Dow Jones concerning low value claims, the costs of defending which are shown to be “wholly disproportionate” to the benefit to the claimants (at [96]).  Nicklin J struck out the great majority of the claims, and the appellants appealed.  The ICO intervened, arguing that Nicklin J had erred in finding both that there had been no ‘processing’ where the letters had been returned unopened, and that the Court should follow the approach of the CJEU that there is no de minimis principle or other threshold of seriousness in data protection claims (at [27]).

DECISION OF THE COURT OF APPEAL

The Court held that it was not required for the appellants to prove or allege that the letters had been opened or read by third parties for their claims to succeed, noting that in any event the respondents had accepted that their conduct had involved processing under the DPA 2018 (at [39]).

Warby LJ (with whom King and Whipple LJJ agreed), following recent decisions of the CJEU, including UI v Osterreichische Post AG Case C-300/21, held that a person seeking to recover compensation for a data breach under the Data Protection Act 2018 is not required to show that the breach has caused harm, distress or damage above a minimum level.  This principle, commonly referred to as the de minimis principle, had previously found support in a number of domestic decisions including in dicta of Lord Leggatt in Lloyd v Google [2021] UKSC 50.  However, those decisions all pre-dated the decision in Osterreichische and, notably in the context of Lloyd, involved the predecessor to the 2018 Act, the Data Protection Act 1998, and did not consider the GDPR.

The Court in Farley held that the domestic cases including Lloyd did not establish that a threshold of seriousness applies to data protection claims under GDPR and the 2018 Act.  Further, the Court considered that while it was not bound by the recent, post-Brexit CJEU decisions, there were no compelling reasons to depart from the approach taken by the CJEU, in particular given that Parliament has chosen to retain the same regime in the post-Brexit UK GDPR, the domestic successor to the EU GDPR.  The Court indicated that a judicial decision to depart from the approach of the CJEU when applying GDPR “would call for sufficiently compelling legal reasons”, and that such a departure would generally be “a political choice and a legislative option” (at [67]).

The Court also provided clarity on the Jameel principle as it applies in data protection cases.  The Supreme Court had considered this issue since the first instance decision in Farley, in the case of Mueen-Uddin v Home Secretary [2024] UKSC 21.  Warby LJ noted the Supreme Court had clarified, first, that in Jameel itself the claim involved balancing the defendant’s right to freedom of expression under the ECHR with the libel proceedings and, second, that it was not simply a case of weighing the value of the claim against the cost of the proceedings (at [97]).  While indicating that he did not consider that the principle was limited to defamation claims (at [97]), Warby LJ concluded that the correct approach was to focus on whether the individual claims were abusive in all the circumstances of the case, including any inequality of arms (at [104]).  The Farley claims as a class could not be categorised as Jameel abuse; the question of whether any individual claim is an abuse will remain for consideration by the High Court on remittal (at [6], [105]).

ANALYSIS

The decision increases the prospect of data protection group claims in the civil court, a route that had been significantly curtailed by the decisions of Lloyd and Prismall v Google [2024] EWCA Civ 1516.

While a welcome decision for claimants, defendants, whether facing a group claim or individual allegations of data breaches, will take little comfort from the effective removal of the de minimis principle and the warning against over-reliance on the Court’s Jameel jurisdiction when facing low value data protection claims.

The Court recognised that many such claims should be resolved on the small claims track (at [102]), however the limited cost recovery even for successful defendants in that context may make litigating such low value claims, even those with little merit, an unattractive prospect.

Ultimately, as Warby LJ appears to recognise (at [67]), it is for the legislature to intervene if it wishes to restrict the scope of the Data Protection Act 2018.

Hannah Curtain
Freya Foster
10 September 2025

This Alerter is available to download as a PDF below. 

To subscribe to Henderson Chambers news, alerters and updates please click here.