Enquire Today

 

At Lacey Solicitors, with offices in Belfast and Dublin, our data protection solicitors represent clients affected by high-profile data breaches across the entire island of Ireland. The Court of Appeal ruling in Farley and Others v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117 has solidified the approach to compensation for data protection breaches in the UK – a development highly relevant for both clients and organisations seeking guidance from expert data protection solicitors on the issue of a data breach.

The focus of the Court of Appeal was the confirmation that there is no minimum threshold of harm for claims under Article 82 of the UK GDPR or section 168 of the Data Protection Act 2018 (DPA 2018).

A claimant can therefore seek compensation for a minor claim of distress or fear of misuse of personal data.

What Happened in Farley

 

The case arose after Equiniti, administrator of the Sussex Police pension scheme, accidentally sent over 750 annual benefit statements to outdated addresses. These statements contained sensitive information including names, dates of birth, National Insurance numbers, salaries, and pension entitlements.

Following the breach, a claim form was issued on behalf of 474 current and former officers, seeking damages for breach of statutory duty under the UK GDPR and the DPA and/or misuse of private informationarising from the [respondent’s] failure to keep the claimants’ personal data and private information secure by posting the same to incorrect postal addresses.

The High Court Decision

 

At first instance, Mr Justice Nicklin struck out most claims, leaving only fourteen claimants whose letters had been physically opened. Only two could show that someone outside their family or workplace had actually read the documents.

The High Court applied a “de minimis” principle, dismissing claims that weren’t considered sufficiently serious. The court concluded that the mere risk of disclosure—without evidence that the information had been seen—was not enough to support compensation.

The Court of Appeal

 

The Court of Appeal overturned much of the High Court’s decision, clarifying several important principles relevant for individuals consulting data protection solicitors:

  • Proof of disclosure is not required: Data does not need to have been accessed by a third party for processing or an infringement to occur. The term “processing” covers all steps, including collating, printing, and sending letters.
  • Distress is not essential: Non-material damage can be claimed even without proving distress, though compensation does not cover every emotional reaction to a breach.
  • No threshold of seriousness: Claims under the GDPR do not require a minimum level of harm.
  • Fear of misuse must be well-founded: Where claims are based on fear that personal data could be misused by third parties, the fear must be objectively reasonable, based on what the claimant knew or should have known at the time.
  • Future harm is compensable: A claimant may have a well-founded fear of future misuse, even if no actual harm occurs.

These findings emphasise that data protection claims focus on the unlawful processing of personal data, rather than solely on whether actual harm or disclosure occurred.

The Irish Supreme Court in Dillon v Irish Life

 

In a previous article, our office highlighted the Irish Supreme Court Decision in Dillon v Irish Life Assurance.  This Decision was referenced by the English Court of Appeal who acknowledge that victims of data breaches who seek compensation “solely for mental distress, upset and anxiety … cannot expect anything other than very, very modest awards”

But the English Court of Appeal went on to say that some of the claims in the case encompass psychiatric injury and the modest scale of the likely recovery cannot of itself be sufficient to justify dismissal of the claim.

The Judge referenced Lewison LJ  Sullivan v Bristol Film Studios [2012] EWCA Civ 570, [2012] EMLR 27, [29]:The mere fact that a claim is small should not automatically result in the court refusing to hear it at all. If I am entitled to recover a debt of £50 …. it would be an affront to justice if my claim were simply struck out.”

Data Protection Breach or Misuse of Private Information

 

At Lacey Solicitors, one of the key distinctions that we often have to make clear to our client’s is the difference between Data Breach Claims and Misuse of Private Information Claims.  Both are, in our opinion erroneously, used interchangeably.

What Is a Misuse of Private Information Claim?

 

A misuse of private information claim is a common law tort that has evolved in light of Article 8 of the Human Rights Act 1998, which protects the right to respect for private and family life.  It arises when private information is disclosed without consent, even if data protection laws are not breached. Key elements include:

  • Expectation of Privacy: The information must be private, and the individual must reasonably expect it to remain confidential.
  • Unauthorised Disclosure: The information must be shared without consent.
  • Harm or Distress: The disclosure must cause harm or distress.

 

How It Differs from a Data Protection Breach

 

  • Legal Basis: Data protection breaches are statutory claims under UK GDPR and DPA 2018; misuse of private information claims are common law.
  • Scope: Data protection claims cover lawful handling of personal data, including collection, storage, and sharing. Misuse of private information focuses on unauthorised disclosure.

What You Should Know About Data Protection Breaches in Northern Ireland & Ireland

 

For individuals, the decision is significant: even minor breaches can entitle them to compensation for distress or fear of misuse.

For organisations, the implications are clear: even small errors in handling personal data carry liability. Businesses should consult data protection solicitors to ensure robust data governance, clear processes, and effective breach communication.

At Lacey Solicitors, we advise clients on risk management, compliance, and breach response, and represent individuals affected by high-profile data breaches across the entire Island of Ireland.

Conclusion

 

Farley v Equiniti strengthens the rights of individuals affected by data breaches. By removing the de minimis threshold, the Court confirmed that fear of misuse and emotional distress are valid grounds for compensation, even without actual disclosure.

For organisations, the judgment highlights the importance of compliance and proactive breach management. For individuals, it demonstrates that personal data rights carry real legal protections.

At Lacey Solicitors, as experienced data protection solicitors, we continue to represent clients in high-profile data breach claims, helping them secure compensation and protections under the law. Cases such as Farley, Lloyd v Google [2021] UKSC 50, Prismall v Google UK Ltd [2024] EWCA Civ 1516, and Rolfe v Veale Wasbrough Vizards Ltd [2021] EWHC 2809 (QB) form a strong foundation for our work in this area.

HEAR BACK FROM A SOLICITOR WITHIN 24 HOURS

    Submit

    Speak to an Expert at Lacey Solicitors today.

    Are you missing out on quality advice? Get in touch today to speak to one of our experts.

    Send Message

    Quick Links

    Dublin

    Ormond Building, 31-36 Ormond Quay Upper, Dublin 7, D07 EE37
    +353 1 5134375

    Belfast

    3rd Floor, 18-22 Hill Street, Cathedral Quarter, Belfast, BT1 2LA
    +44 28 9089 6540

    © 2025 Lacey Solicitors. All Rights Reserved

    Made with by VINDICTA®