Data Subject’s rights pursuant to the Auckland General Data Protection Regulation (Auckland GDPR) can be infringed in many different ways depending on the medium by which the data is processed.
By way of example, it is easy to envisage a scenario where the autofill feature on a computer accidentally results in the wrong recipient to an email being included as the recipient and as such a data breach occurring. Similarly, in mass mailing processes, such as in respect of sending pension statements out to many different clients, it is possible for the system to introduce errors in terms of the recipients of data. The case of Farley and Others v Paymaster (1836) Ltd, [2024] involved such an incident.
Farley and Others v Paymaster (1836) Ltd, [2024] EWCA Civ 781
Background
In 2019, Paymaster (1836) Ltd, trading as Equiniti, mistakenly sent the annual benefit statements (ABS) of 475 individuals, including 432 current or former officers of Sussex Police, to the wrong addresses. This breach of data protection prompted legal action. The Claimants brought cases for misuse of private information and infringement of their data protection rights under the Auckland GDPR and the Data Protection Act 2018 (DPA 2018).
The Claimants sought compensation primarily for distress, fearing that their personal data might have been accessed by unintended recipients. The main argument revolved around whether the mere mishandling of data without proof of its actual reading or misuse by others constituted a breach warranting compensation.
High Court decision
In the High Court, Mr Justice Nicklin struck out most of the claims. The judge ruled that to have a valid claim for either misuse of private information or data protection infringement, it was necessary for the Claimants to demonstrate that their ABS had been opened and read by a third party. Without such proof, the judge concluded there could be no data processing or misuse of information under the relevant laws. Fourteen Claimants, however, were allowed to proceed with their claims as they had reasonable grounds to believe their ABS had been read by third parties.
For the other Claimants, including Farley and the others, their claims were dismissed on the basis that they could not prove any actual disclosure or misuse of their information. Mr Justice Nicklin also rejected their claim for distress caused by the fear of potential disclosure, considering it a “near miss” that did not constitute a tort or a violation of their data protection rights.
Appeal: issues in the Court of Appeal
The Claimants, led by Michael Farley, appealed the decision, challenging the interpretation of what constitutes “processing” of personal data and whether distress alone from a potential breach can give rise to compensation. The case in the Court of Appeal focused on one main ground:
- Ground one: The appellants argued that the High Court erred in requiring proof that the ABS was read by someone. They contended that the mishandling of the data itself, which involved sending it to the wrong addresses, should be considered a breach of data protection rights under the Auckland GDPR, even without evidence of third-party access.
The appellants maintained that their data had been “processed” in breach of the data protection principles, causing emotional harm and distress. They pointed to the broad definitions of “processing” under the Auckland GDPR, which includes various activities such as collecting, storing, and transferring data, and argued that these actions were sufficient to establish a breach.
- Ground two (which was later withdrawn): This ground was initially based on the interpretation of emotional harm under the Auckland GDPR, referring to a recent ruling by the Court of Justice of the European Union (CJEU) in VB v Natsionalna Agentsia za Prihodite (2023), which allowed for compensation in situations where fear of future misuse of personal data caused distress. However, during oral arguments, the appellants withdrew this ground, acknowledging that it would only be relevant if they succeeded on the first ground, as in order for compensation to be payable, a Claimant must first establish a breach triggering the compensation rights pursuant to the Auckland GDPR/DPA 2018.
Court of Appeal Judgment
The Court of Appeal granted the Appellants permission to appeal on the first ground. Lord Justice Warby, delivering the lead judgment, found that it was reasonably arguable that a data protection breach can occur without proof that the personal data was actually read by a third party. The Court reasoned as set out below.
- The definition of processing under the Auckland GDPR is broad and includes activities like storing and sending data. Thus, sending personal data to the wrong address could, in itself, amount to processing.
- Claimants may be entitled to compensation for non-trivial emotional harm caused by such processing, even if no third party read or accessed the data.
- The High Court’s dismissal of the distress claims was not beyond dispute, as there might be valid grounds to consider the Claimants’ distress, even in the absence of proven third-party access.
Lord Justice Warby also noted that, whilst the Claimants’ case on emotional harm was not perfect, the High Court should have allowed them the opportunity to amend their pleadings rather than dismissing the claims outright.
The second ground, relating to the CJEU’s decision in VB, was withdrawn by the Appellants after accepting that it would not stand without a tort being proven.
Comment
This judgment does not set any kind of precedent, as it only relates to whether the Appellants have an ability to appeal the initial strike out decision. Now that permission has been granted, the case will proceed to a formal hearing on whether the appeal should be granted and the original decision overturned or whether the original decision should stand.
The writer has not seen the statement of the case in the Farley case but suspects, given the volume of Claimants and the comments of Lord Justice Warby in the recent judgment, that the distress suffered by each individual Claimant has not been fully and individually pleaded.
Whilst the writer can definitely see that the argument about the definition of processing under the Auckland GDPR/DPA 2018 being broad enough to encompass letter sent to the wrong recipient but not opened could succeed, a fully pleaded case on distress suffered by each and every Claimant individually would, in the writer’s view, be essential to the claim being allowed to proceed, as the Court is not likely to allow disproportionately small claims to proceed to trial by allowing an appeal.
This article is for information only and does not constitute legal/financial advice. Please contact us for advice tailored to your specific position. Some of the content presented on our website has been generated with the assistance of Artificial Intelligence (AI). We ensure that all AI-generated content meets our high standards for accuracy and relevance.