Summary of the Farley v Equiniti Court of Appeal Decision (February 2024)
This case concerns a group claim brought by police officers (“the appellants”) against equiniti (“the respondent”) following a data breach where annual Benefit Statements (ABS) were sent to incorrect addresses. Here’s a breakdown of the key points:
Background:
Initial Ruling: Mr Justice Nicklin initially struck out most of the claims, finding claimants needed to demonstrate a “real prospect” that a third party opened and read the ABS to prove “processing” under GDPR.
Appeal Focus: The appellants didn’t dispute no one actually read the statements, but argued that disclosure wasn’t necessary for a GDPR claim. they contended that Equiniti’s actions (database handling, incorrect mailing) were processing in themselves, and sought damages for non-material damage (anxiety and fear of misuse).
Equiniti’s Argument: Equiniti didn’t defend the High Court’s reasoning but sought to uphold the strike-out based on factual incredibility, legal insufficiency, and Jameel dismissal (claims being disproportionate and serving no legitimate purpose). They argued distress over a pensions forecast sent to an old address was “simply unreal.”
The Court of Appeal’s Decision:
“Processing” Definition: The Court of Appeal rejected the High Court’s requirement of third-party disclosure for “processing” under GDPR/DPA. They agreed with the appellants that processing doesn’t depend on the statement being read.
Fanciful Claims: The court refused to dismiss the claims as inherently amazing, stating individual statements of emotional impact couldn’t be dismissed without evidence.
Damages & Non-Material Harm: The court aligned with post-Brexit CJEU jurisprudence, confirming there’s no threshold of seriousness required for claiming damages under GDPR for non-material damage. Though, claimants must prove this damage, and fear of future misuse can qualify if it’s objectively “well-founded.”
Remittal to Lower Court: The Court of Appeal refused a blanket strike-out. They determined some claimants may have tenable claims based on well-founded fear, while others may not. The decision on compensation will be made on a case-by-case basis by the High Court (or County Court). Impact: Kingsley Hayes (KP Law) predicted the decision would positively impact data breach claimants.
In essence, the Court of Appeal broadened the scope of what constitutes “processing” under GDPR, making it easier for claimants to pursue cases even without proof of third-party access to the breached data. Though, they also emphasized the need to prove actual, objectively reasonable harm.
