The Court of Appeal has delivered an important judgment, considering whether data protection claims brought under the Data Protection Act 2018 and GDPR are subject to a threshold of seriousness, as well as what might constitute “non-material damage” that gives rise to compensation. 

The case arose from the administrator of a pension scheme, Equiniti, sending annual benefit statements to the Claimants – over 400 current or former police officers of Sussex Police – using out-of-date information such that they were sent to the wrong addresses. Among other things, the statements indicated that the addressee was a police officer and included their name, date of birth, national insurance number, and details of their salary and pension details. 

On discovering this, the Claimants brought a claim against Equiniti, arguing that the sending of the statements to incorrect addresses was a misuse of their personal information and an infringement of data protection law.  

Equiniti sought to strike out the Claimants’ case on the basis that, in relation to the data protection claims, (i) damages cannot be awarded for ‘loss of control’ of data without proof of material damage or distress; and (ii) in respect of some of the claims, no pleaded case of actionable damage having been suffered was advanced. In relation to the claims generally, Equiniti argued that (i) the Claimants had not suffered damage or distress above a de minimis level or such as to cross the applicable level of seriousness and/or (ii) the claims were an abuse of process under the principles established in Jameel v Dow Jones & Co Inc [2005] QB 946. 

Delivering his judgment on Equiniti’s strike out application, Nicklin J drew the important distinction between the 14 Claimants who claimed that their statements were opened by a third party, and those who statements were either returned to or retrieved by Equiniti (or otherwise remained unopened).  

As for those whose statements remain unopened, Nicklin J struck out their case, holding that: “In my judgment, to have a viable claim for misuse of private information and/or data protection, each Claimant must show that s/he has a real prospect of demonstrating that the [statement] was opened and read by a third party”. 

Explaining his decision further, Nicklin J stated that “I reject the submission that these Claimants can advance a claim on the basis that, until returned, their personal information/data was “in danger” or “at risk”. The general law of tort does not generally allow recovery for the apprehension that a tort might have been committed; a person crossing a road cannot recover damages (whether for distress or otherwise) for almost being struck by a passing lorry or for a defamatory letter that was never actually received by its intended recipient. To be entitled to any remedy, a claimant must demonstrate that s/he is the victim of a tortious wrong. A near miss, even if it causes significant distress, is not sufficient…The same is true for a civil claim for data protection”. 

As for the 14 police officers who had pleaded cases that their statements were opened, Nicklin J allowed their claims to proceed, but noted that they faced evidential hurdles in proving that their statements were read by third parties.  

He also added that it was not necessary or desirable at that stage for him to reach a view on whether there is a threshold of seriousness in data protection claims since “whether each claimant could surmount a threshold of seriousness (were one found to apply in data protection claims) is a factual question that, like the similar question that applies in misuse of private information claims, can only fairly be resolved at trial”. Finally, on the question of Jameel abuse, Nicklin J pointed out that even if the 14 remaining claimants received only “modest damages”, that is “only one factor that the Court considers when deciding whether continued litigation of the claims would be Jameel abusive“. 

Those police officers whose data protection claims were struck out appealed Nicklin J’s judgment, arguing that he was wrong to hold that disclosure of the relevant information (i.e. the statements being opened and read) was an essential ingredient of a viable data protection claim. Instead, they argued that the mistake itself of sending the statements to the wrong address – and the consequent fear or apprehension that their personal data may be misused by a third party – constituted an infringement of their data protection rights that sounded in compensation.  

The Court of Appeal agreed. Delivering the judgment of the Court, Lord Justice Warby held that “proof that the data were disclosed is not an essential ingredient of an allegation of processing or infringement”.  

Furthermore, the Court held that Equiniti is “not entitled to judgment on the grounds that the appellants’ factual allegations are simply incredible. An allegation of “distress” is not, as [Equitini] has submitted, an essential ingredient of a tenable claim”.  

As to Equiniti’s position that the Claimants’ fears of misuse were not well-founded and therefore do not qualify as non-material damage for which compensation is recoverable under the GDPR, the Court held that that was a matter for the appropriate court to determine once the case is remitted, adding that “in principle a claimant can recover compensation for fear of the consequences of an infringement if the alleged fear is objectively well-founded but not if the fear is (for instance) purely hypothetical or speculative”. Similarly, whilst the claims as a class cannot be categorised as Jameel abuse, whether any single one is abusive is something that a lower court can consider. 

Importantly, the Court also addressed the question of whether there is a threshold of seriousness in data protection claims. Analysing in detail the CJEU case of UI v Österreichische Post AG (the Austrian Post case) which confirmed that no such threshold exists in EU data protection law, together with domestic cases of Prismall and Lloyd v Google (neither of which addressed data protection claims under the GDPR or Data Protection Act 2018), the Court was unpersuaded that a threshold of seriousness exists in UK data protection law.  

To read the judgment in full, click here.