Brands face threat of new wave of data breach payouts

The Court of Appeal has paved the way for a potential barrage of compensation claims for breaches of data protection rights after abandoning the so-called “threshold of seriousness” that a claimant has to overcome to be entitled to a payout.

The ruling follows the case of Farley v Paymaster 1836 Ltd (trading as Equiniti) which was sparked when Equiniti sent the pension statements of approximately 750 police officers to their former residential addresses.

The statements included details such as salary, pension benefits, national insurance numbers and length of service as police officers. Subsequently, 474 officers commenced proceedings against Equiniti for misuse of private information and breach of their data protection rights.

However, the High Court struck out all but 14 of the claims because the vast majority of claimant police officers could not prove that the misaddressed envelopes had been opened.

But on appeal, the claimants abandoned the misuse of private information claims, concentrating instead on the claims for compensation for data protection breaches.

The Court of Appeal found in any event that the original judge, Mr Justice Nicklin, had been wrong and that there clearly had been acts of processing in the misaddressing of the envelopes.

Even so, Equiniti argued that claim that the police officers were entitled to compensation simply based on the fear that their data might be misused as a result of it being sent to the wrong address did not satisfy the “threshold of seriousness” test.

The Court of Appeal allowed the claimants’ appeal. It has sent the case back to the High Court to decide whether data protection breaches occurred and what the level of compensation should be in each case.

The police officers are each claiming £1,250, but the Court of Appeal appears to accept that even awards as low as £50 should not be barred in principle, ruling that there is no so-called “threshold of seriousness” that a claimant has to overcome to be entitled to compensation.

In a blog post by legal firm Farrer & Co, partner Ian De Freitas and associate Emily Waterhouse said: “Given its significance, it seems likely that Equiniti will seek the permission of the UK Supreme Court to appeal the Court of Appeal’s ruling. It would be hoped that the Supreme Court will grant permission so that we can have a definitive determination of whether the position really has changed from the 1998 Act to the 2018 Act/GDPR.”

However, they argue that if very low-value claims for non-material damage can be pursued in theory, the practicality of bringing such claims is likely to continue to be problematic for claimants.

They conclude: “It is extremely difficult for (class action) claims to be pursued because each claim is individual in nature… Opt-in group litigation might be pursued, but will claimants be persuaded to sign up for very low-value claims? Finally, claims might be pursued individually, but they are likely to be of such low value that they will be assigned to the County Court track where no costs recovery is available.

“Having said all of this, for now the Court of Appeal ruling in Equiniti removes the barrier of the ‘threshold of seriousness’ test. This means that claimants who are sufficiently motivated can at least more easily seek compensation.”

This will no doubt be music to the ears of the compensation lawyers; not quite such a great tune for brand owners caught breaching personal data protection rights.