CA-2024-000578 - [2025] EWCA Civ 1117

The single ground of appeal is that the judge erred in law by striking out the data protection claims. In support of that headline contention Mr Campbell KC argued, in summary, that a cause of action under the GDPR and DPA is complete once there has been an infringement by a data controller or data processor and the data subject has suffered material or non-material harm; the appellants have a sufficiently pleaded case of infringement which the respondent has never alleged to be unarguable or untenable; and the judge was wrong to hold at [146] that in the absence of access to the data by a third party there had not been any “real” processing of the data; as to harm, the judge was wrong in law to reason that a fear or apprehension that personal data may be misused by a third-party is legally insufficient to ground recovery; and as the judge did not (and could not properly) reject the appellants’ factual cases as untenable he should have dismissed the respondent’s application.

The respondent acknowledged that the judge’s reasons for dismissing the claims did not reflect the grounds on which the respondent had applied for such an order. The respondent accepted that it was bound by its pleading and Mr Sharland KC advanced no argument in support of the judge’s reasoning. Instead, by a respondent’s notice, the respondent asked the court to uphold the judge’s decision on the three grounds that it had argued before him.

At least two of these grounds involve seeking a different order from the one made by the judge: we are invited to enter summary judgment for the respondent pursuant to CPR r 24 or alternatively to dismiss the claims as an abuse of process pursuant to CPR r 3.4(2)(b). For that reason the court’s permission was required: see CPR 52.13, PD52C para 8 and Braceurself Ltd v NHS England [2023] EWCA Civ 837, [2024] 1 WLR 669. Permission was not sought until the hearing before us. The reason was that the respondent had misunderstood what the rules require. By the time of the hearing all parties had set out in detail their submissions on the substance of all the issues. The appellants had full warning of the arguments the respondent wishes to advance and ample time to prepare. They suffered no prejudice. To enforce procedural discipline by debarring the respondent from presenting its full case would have wasted considerable costs and effort in a case that has already consumed a great deal of both. It was and is clearly in accordance with the overriding objective to grant permission.

In support of the respondent’s position Mr Sharland submitted that even if Nicklin J’s reasoning was mistaken his instincts were correct. He suggested that what the judge was driving at was that the present claims are not sufficiently serious, nor capable of giving rise to a “real and substantial” tort. Mr Sharland invited us to find, as a matter of evidence, that the pleaded claims are simply lacking in reality and credibility. As he put it, “it simply cannot be the case that police officers, used to contending with dangerous and upsetting situations, have been genuinely distressed over a pensions forecast sent to an old address.” Mr Sharland invited us to find, as a matter of law, that English data protection law sets limits on the recognised heads of non-material loss, and that many of the pleaded claims fail to assert any recognised head of loss. He also submitted that the law contains a threshold of seriousness, which these claims do not and cannot surmount. Further and alternatively, Mr Sharland submitted that to allow any of these claims to proceed to a full trial would be highly disproportionate and a concerning waste of valuable court time and costs. He characterised the breach as “an unintentional, one-off and quickly remedied incident of a non-damaging nature” and a trivial, technical breach which should not be troubling the courts.

For the ICO, Mr Knight submitted that on a proper analysis there was processing as defined by the UK GDPR; the judge was wrong to find otherwise simply because no unauthorised third party had opened and read the correspondence. On the respondent’s notice issues, Mr Knight submitted that we should follow the consistent case law of the CJEU to the effect that no de minimis principle or other threshold of seriousness should be applied in this context; compensation is recoverable for any “damage” suffered whilst recognising that “not all emotional responses to an infringement” will amount to non-material damage for this purpose. Mr Knight suggests that low value claims can and should be addressed as they are elsewhere in the law, through case management and appropriate track allocation under the CPR.