CA-2024-000578 - [2025] EWCA Civ 1117

This is an appeal from an order striking out most of the individual claims in a collective action arising from a data breach. It raises issues about the interpretation and application of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).

The appellants are 432 members of a pension scheme administered by the respondent. Their annual benefit statements (“ABS”) were mistakenly posted to addresses that were wrong because they were out of date. The appellants alleged that this was a misuse of their personal information and an infringement of the GDPR. They and others brought this action seeking compensation for injury to feelings, and in some cases psychiatric injury, suffered due to fear of third-party misuse of their personal data. Fourteen of the claimants could show an arguable case that the mis-addressed envelope had been opened and their ABS had been read. But the High Court held that none of the appellants had any tenable case that this had happened to them. For that reason, whilst allowing the 14 claims to go forward the court struck out the appellants’ statements of case as disclosing no reasonable basis for a claim. They now appeal against the dismissal of the data protection claims.

The appellants do not challenge the judge’s conclusion that they cannot show that their ABS came to anyone’s attention. They contend however that the judge was wrong to regard disclosure as an essential ingredient of a viable data protection claim. They say they have a tenable case that the mistake involved infringement of their data protection rights.

The respondent does not defend the judge’s finding or reasoning on the issue of infringement but invites us to uphold the judge’s decision to dismiss the claims on the basis that the claims for compensation are factually incredible, insufficient or untenable as a matter of law, or so trivial that they should be dismissed as an abuse of process of the kind identified in Jameel v Dow Jones Inc [2005] EWCA Civ 75, [2005] QB 946.These are all points which the respondent took before the court of first instance, but on which the judge did not rely. As the appellants have pointed out, the respondent needs the court’s permission to argue some of them in this court. The respondent has also modified its arguments to some extent. I would however grant the necessary permission, and I understand the other members of the court agree.

The main issues can therefore be summarised as follows: (1) have the appellants set out a reasonable basis for claiming that the respondent’s mistake involved infringement of the GDPR (“the infringement issue”); if so, (2) have the appellants stated a basis for claiming compensation under the GDPR and DPA that is reasonable, with a realistic prospect of success at a trial (“the compensation issue”); and if so (3) are the claims nonetheless an abuse of process of the Jameelvariety (“the Jameel issue”)?

We have read and heard argument on those issues on behalf of the appellants, the respondent, and the Information Commissioner, who intervened at the prompting of the court. Having reflected on the helpful submissions of Counsel, and for the reasons given below, I have reached the following conclusions.