Expert Witness Journal Dec 24 - Journal - Page 88
Farley v Equiniti - the Challenges
Facing Low-Value Data Breach Claims
by Jenny Gibbs and Simon Davis - www.womblebonddickinson.com
The recent judgment in Farley v Paymaster (trading as
Equiniti)[2024] EWHC 383 (KB) confirms the courts'
growing impatience with exaggerated data breach
claims brought for alleged distress. It also serves as a
reminder that cases where there is no evidence of
personal data being at risk of misuse should not be
pursued.
The Judge noted that whilst putting data 'at risk' of
misuse could, in principle, amount to a regulatory infringement by the data controller or processor at fault,
it did not amount to a misuse of private information,
or provide a sufficient basis for a claim to be brought
for a breach of data protection legislation. This is because a 'near miss, even if it causes significant distress, is
not sufficient' to amount to a claim for compensation.
Background
Equiniti administered the pension scheme for the
Sussex Police Force. In August 2019, Equiniti posted
the claimants' annual pension statements to their former addresses, as opposed to their current addresses,
in error. The letter broadly contained the individual's
name, date of birth, occupation as a current or former
police officer, salary, pension details and national
insurance number.
Regarding the remaining 14 claims, the Judge
commented that in these cases where the letters were
opened they 'would appear to be very far from being
serious cases' and some of the remaining cases 'may
ultimately be found to be trivial and fall to be dismissed on the basis that they fail to surmount the
threshold of seriousness' (paragraph 155 of the Judgement). Further, where the third party that did open a
letter was a family member that then returned that
letter to the relevant claimant, the Judge noted such
claims for loss and damage were 'hopeless' unless evidence could be provided that the family member had
copied the letter so as to misuse the data.
In response, Equiniti offered the affected individuals
fraud protection through CIFAS, with these fees paid
by Equiniti. Only 37 individuals took up the CIFAS
protection. In addition, the matter was reported to the
Information Commissioner's Office (ICO), but the
ICO confirmed to Sussex Police that it was taking no
further action.
Regarding quantum, the Judge confirmed that 'if
successful, the claims of the remaining 14 Claimants
will only achieve very modest damages'. This reiterates recent cases such as Driver, where damages
awarded for minor breaches of data protection obligations are minimal (the claimant in Driver was
awarded £250).
As a result of this error, 474 Sussex Police Force
officers brought a claim against Equiniti. The claims
were submitted in a single claim form and the
claimants proposed that a selection of lead claims be
taken forwards. The vast majority of the claimant's
cases relied on the Court inferring that their letter had
been opened and read by a third party and thus that
the claimant's personal data contained in the letter was
at risk of misuse. The individual claimants brought
claims for 'anxiety, alarm, distress and embarrassment
by the fact that the Personal Data has passed and/or
may have passed into the hands of unknown third
parties'.
The future of minor data breach claims
This judgment draws together and reiterates
previous decisions regarding claims brought for
breaches of data protection law, namely that:
l The claimant must show the matter overcomes the
'threshold of seriousness' in order to warrant a claim
being pursued at Court
l The burden of proof is firmly on the Claimant to
Of the 474 claimants, only 14 pleaded that their letters
had been opened by a third party (beyond the above
inference on which all claimants relied), and only 2
claimants could evidence that their letters had been
opened by a third party who was not a family member
or colleague.
show that the breach has occurred and caused the loss,
damage or distress pleaded, and
l The breach has, in fact, caused distress that
warrants compensation. The Judge made plain that a
'Claimant's prospects of success are not going to be improved by making exaggerated claims as to the impact of the [letter] being opened (and read) by a third
party.' (Paragraph 157 of the Judgement). This reinforces the Supreme Court's judgment in Lloyd v
Google, where it confirmed that individuals are
not given a 'right to compensation without proof of
material damage or distress'.
Judgment
The Judge struck out 460 of the 474 claims, only
leaving the 14 claims which had pleaded that the letter had in fact been opened by a third party. In doing
so, the Court confirmed that each claimant 'must
demonstrate that his/her [letter] was opened and read
by a third party'. Cases where there was no evidence
of a letter having been opened and who relied 'solely
upon this inferential case' had 'no real prospect of
success.' (paragraph 153 of the Judgement).
EXPERT WITNESS JOURNAL
Practical considerations
It is becoming increasingly difficult to succeed on data
claims which have caused seemingly minimal distress
86
DECEMBER 2024
