Fear of identity theft - compensation

Fear of identity theft - claims for compensation from police officers

Farley and others v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117

How much damage is required to make someone liable for a data breach? Does the person whose data was wrongly shared have to show actual harm? Will a realistic fear of possible harm be enough and if so what level of compensation could they receive? The Court of Appeal has recently considered these questions and on 17 December 2025 the Supreme Court granted leave to appeal so that it, too, could consider some of these points.

Introduction

The basis for a data breach claim is that any person who has suffered damage because of a data breach may claim compensation for “material” and “non-material damage” by issuing proceedings in the High Court or County Court. Material damage is generally financial loss. Section 168 (1) Data Protection Act 2018 confirms that “non-material damage” includes “distress”. The amounts recovered tend to be very low, and consequently data protection litigation usually involves collective actions.

Leave to appeal to the Supreme Court

In one such action the Supreme Court recently granted the defendant, Paymaster, leave to appeal. The defendant is a pension administrator defending data breach claims for compensation from 432 Sussex police officers.

The question the Supreme Court will decide is:

Does a threshold of seriousness apply to claims for damages under the General Data Protection regulations (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”)?

Facts

The police officers claim compensation after Paymaster sent their annual pension statements to out of date addresses. They maintain this mistake is a data breach, and they have suffered injury to feelings, and in some cases psychiatric injury, due to fear of misuse of their personal data by others. In most cases they each claim £1,250 for both the data breach, and for misuse of private information, which is a separate cause of action.

The personal information contained in the pension statements included:

• date of birth

• national insurance number

• salary details

• accrued and forecast pension benefits

Brexit

The breach occurred before Brexit was implemented in January 2020, and before the UK GDPR came into force on 1 January 2021, so the unamended versions of the General Data Protection Regulation and Data Protection Act 2018 (“the data protection legislation”) apply. The law relevant to this case remains the same post Brexit and so can be expected to give similar results on similar facts, subject to the decision of the Supreme Court.

High Court

Initially the claims went nowhere. Mr Justice Nicklin ,in the High Court, struck the case out as showing no reasonable basis for a compensation claim. See Farley & Ors v Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB) (23 February 2024)

Court of Appeal

The police officers then appealed to the Court of Appeal in Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 August 2025) on three issues:

1. The infringement issue: whether the police officers had set out a reasonable basis for claiming that Paymaster’s mistake involved infringement of the GDPR. Only fourteen claimants out of the 432 were able to present an arguable case that the envelopes addressed to them had been opened and their statements read by others.

   
   

   The Court of Appeal decided that a reasonable basis had been set out. It was not essential to prove that the data had been disclosed to others to establish a viable data breach and the High Court had been wrong to strike the cases out on this basis.

The compensation issue: whether the police officers had stated a basis for claiming compensation under the data protection legislation, that was reasonable and had a reasonable prospect of success at trial. Paymaster had argued that it simply cannot be the case police officers, used to contending with dangerous and upsetting situations, have been genuinely distressed over a pensions forecast sent to the wrong address.

The Court of Appeal decided that the High Court had been wrong again when it dismissed the claims for failing to meet a threshold of seriousness. There is no such threshold in EU data protection law.

However, the Court of Appeal concluded Paymaster might still contend that the police officers’ fears were not objectively “well-founded” as required by EU case law and hence could not qualify as “non-material damage” for which compensation is recoverable under the GDPR. This was a question of fact to be answered on a case-by-case basis.

In reaching his conclusions Warby LJ referred to a series of post Brexit decisions in 2023 and 2024 when the Court of Justice of the European Union (“CJEU”) “has consistently held that it is impermissible for the domestic courts of EU countries to require proof that the damage suffered reaches a minimum degree of seriousness”. He noted that “the principles enunciated in this line of decisions would seem to rule out not only the …contention that “distress” is an essential element of a viable claim but also the … alternative submission that the …claims should be dismissed as falling short of a threshold of seriousness.” Although the Court of Appeal was not bound by these CJEU decisions, he did not agree that the court should not have regard to them and follow them. He explained that “the GDPR is an international legal instrument which had direct effect in this jurisdiction at the material time. Further, its domestic successor the UK GDPR is post-Brexit legislation in which Parliament decided to adopt the identical language, so far as is material to this case.”

He elaborated: I would put it this way: in principle a claimant can recover compensation for fear of the consequences of an infringement if the alleged fear is objectively well-founded but not if the fear is (for instance) purely hypothetical or speculative… I take the language used by the Court in VB and BL to import an objective standard or test of reasonableness.  What is meant by “well founded”? In the case of VB, the CJEU decided that a data subject’s fear of possible misuse of his or her personal information by third parties because of a breach of the GDPR could constitute “non material damage” so long as it was well founded on the facts of the individual case.

In the subsequent case of BL the European court affirmed that “non material damage” covers the situation where “…the data subject experiences the well-founded fear, which is for the national court to determine, that some of his or her personal data be subject to dissemination or misuse by third parties in the future, on account of the fact that a document containing those data was provided to an unauthorised third party who was afforded the opportunity to take copies before returning it.”

The court in BL then qualified this statement by explaining that a purely hypothetical risk of misuse by an unauthorised third party could not give rise to compensation such as where no third party became aware of the personal data at issue.

Warby LJ then turned to the circumstances of this case: "The fact that these appellants cannot prove that their ABS were opened and read does not of itself show that the fears they entertained were not well founded. The test of reasonableness cannot depend on hindsight. It must be applied with reference to the facts and matters which were or should have been known to the appellant at the time they experienced the stated fear. "

He seemed to attach some weight to the following factors:

• the envelopes were marked “Private and Confidential” and unlikely to be opened in the absence of further evidence on this point;

• the changes of a police officer’s former home being occupied by a criminal or other “malevolent actor” are slight.

• only 37 of the 750 police officers affected took up Paymaster’s offer of free fraud insurance and almost six years after the breach there had been no indications that the information had been misused in any way.

3. The Jameel issue: whether the claims are nonetheless an abuse of process where, even if proceedings raise an arguable cause of action, they are objectively pointless and wasteful. The Court of Appeal decided that the large group of claims could not be classified as a Jameel abuse of process.

Conclusion

I am looking forward to the judgement of the Supreme Court. Will it plot a different course from the CJEU? Will it decide that there is a threshold of seriousness after all?

There may be definitive guidance on:

• whether there is a threshold of seriousness before a claim can be made and, if so, how it is identified;

• whether actual damage must be proved or whether fear of possible future damage suffices and if so how likely does that have to be.

Whatever guidance there is I doubt the Supreme Court will rule on the potential damage from a misaddressed envelope being opened; more likely it will use RSC 32 (1) (b) to send the case back to the High Court or County Court for that to be determined.

Mariel Irvine

11 January 2026