Data breaches and fear of the unknown

Data protection practitioners in Scotland will be only too familiar with the concept of citing English data protection cases in the Scottish Courts. Data protection cases litigated in the Scottish courts are few and far between and many litigators will have found themselves making the argument in a Scottish court that English precedent has to be referred to because of the dearth of cases litigated, or at least reported, north of the border.

It was therefore interesting to read the recent English Court of Appeal decision in Farley and Others v Paymaster (1836) Ltd (t/a Equiniti).

The court allowed an appeal against an original decision to strike out data breach claims made by a number of current and former police officers against Equiniti after pension benefit statements were sent to the old postal addresses of the officers.

The action focussed on claims for compensation for non-material damage (typically categorised as “distress”) as a result of the sending of the letters to outdated addresses. While it could not be established that the letters had been received or opened, claims were made in respect of the fear and distress caused by that possibility.

The Court of Appeal ruled that “non-material damage” did not necessarily need to constitute distress. Instead, there were a number of emotional responses which could constitute non-material damage. While not all responses would give rise to damages, a claim could be stated where emotional harm is objectively suffered.

Further, the court found that non-material damage could still be caused even in cases where the ultimate recipient of the data (if any) was unknown.

Interestingly, however, this is one area of data protection law that the Scottish courts had, in fact, considered in 2023, in an action raised in Glasgow Sheriff Court in which BTO successfully represented the Claimant. In that case, the claim was made in respect of data which had been sent by post to the incorrect postal address. In that particular case, it was also impossible to confirm who, if anyone, had accessed the personal data. However, it was beyond doubt that the data had been sent to the wrong address and there would have been no basis for the recipient having sight of the data contained within the letter.

Damages were claimed in respect of the distress which was caused by personal data having been sent to the wrong address, rather than any particular recipient accessing that data and potentially using it for unlawful purposes. This case serves as a reminder that data protection legislation provides a right to damages for loss flowing from the failures of the data controller (sending to the wrong address) and not necessarily as a result of the use of the data by its unintended recipient.

In a digital age where data breaches involving the sending of emails to the incorrect email address frequently arise, it is becoming more and more difficult to ascertain if such information has been sent to a valid email address and, if so, if that information has actually been accessed. However, that does little to lessen the distress of those whose personal data has inadvertently been sent to an unintended recipient. In many cases, where the personal data is accessed without authorisation, it can be months and sometimes years before any adverse effects are suffered. The decision in Equiniti recognises the fact that many data subjects are left in limbo while attempts are made to try to ascertain what has happened to their personal data.

While this case undoubtedly reinforces the fact that data subjects are entitled to compensation for distress caused, claimants do still need to establish reasonable grounds for fearing the worst. The UK Courts have traditionally been unwilling to award large sums of damages for data breaches and must be persuaded that there is a real prospect of personal data which has inadvertently been disclosed becoming available to a third party. While cases like Equiniti define the parameters for claims for non-material damage, the courts are likely to continue to take a pragmatic approach to limit the scope of such claims. Nonetheless, data controllers should be mindful of the fact that it is not enough to avoid a claim simply by arguing that there is no proof that any third party has actually accessed the data. If a real opportunity has been given to any third party to access that data as a result of a failure by a data controller, the resulting distress caused to the data subject could well result in a reputational and financial headache for the data controller.
