![CA-2024-000578 - [2025] EWCA Civ 1117](https://backend.juristeca.com/files/emisores/logo_Sjvxvlx.png){kind=logo}
The claims
The claims
A substantial cohort of affected officers instructed solicitors who wrote a letter of claim. The respondent admitted that there had been a data breach and that the officers were “entitled to pursue the [respondent] for loss, damage and/or distress allowable at law”. The officers’ solicitors provided a schedule of damages claimed by those who did not claim to have suffered personal injury, seeking £2,000 each for misuse of private information and figures between £1,064.80 and £2,606.30 for infringement of their data protection rights. By the time of the hearing below the figure had been revised downwards to £1,250 per claimant for both heads of claim.
On 22 April 2021, a claim form was issued on behalf of 474 current or former officers, seeking damages for breach of statutory duty under the UK GDPR and the DPA and/or misuse of private information “arising from the [respondent’s] failure to keep the claimants’ personal data and private information secure by posting the same to incorrect postal addresses.” The claim form was accompanied by Master Particulars of Claim setting out the “common or generic claims” of the claimants, with “Heads of Damage” and other details relating to individual claimants to follow.
The generic data protection claims asserted that the respondent had acted in breach of its statutory duties as a data controller or alternatively as a data processor. There is a live dispute as to which role the respondent played. But it is common ground that on this appeal we are concerned only with the allegations of breach of duty as a data controller. These fell into four main categories: (1) breaches in August 2018 when the respondent was provided with the claimants’ “Original Residential Addresses” and entered these in its system; (2) breaches in August 2019 when, having been supplied with the updated address details, the respondent put these into its system; (3) breaches in August 2019, when it posted the ABS to the Original Residential Address; and (4) generally, failure to implement appropriate technical and organisational measures, (contrary to Articles 24, 25 and 32 of the GDPR).
Three generic allegations of damage due to the data protection breach were pleaded. First, each claimant complained of being caused “anxiety, alarm, distress and embarrassment” by “the fact that the Personal Data has passed and/or may have passed into the hands of unknown third parties” which was said to merit “compensation for moral and/or non-material damage”. In this regard, the court was invited to infer that the envelope had been opened and its contents read unless the respondent could prove the contrary by providing an ABS that had been returned unopened. Secondly, each claimant advanced a discrete claim for compensation for “loss of control” over the content of the ABS and consequential distress. Thirdly, it was said that “certain of the claimants have suffered an aggravation of pre-existing medical conditions.”
On 27 April 2022, the court made an order pursuant to CPR 18.1(1)(b) for the claimants to provide further information by way of claimant-specific statements of case. These took the form of individual schedules verified by statements of truth. Features of significance for present purposes are these:
Each claimant was ordered to state whether they had “suffered any annoyance and/or distress and/or anxiety”. Some of the schedules responded by using the word “distress” or the word “anxiety” or both. Other individual schedules did not use the word “distress”. Some 34 said in one way or another that the claimant had not suffered “distress”. Different forms of words were used to describe the officer’s emotional response to the breach, including “stress”, “annoyance” and “irritation”. Some schedules used qualifying adjectives, characterising their reactions as “mild”, “minor”, or “temporary”.
Some of the schedules gave explanatory or supporting details. For instance, the first claimant’s schedule explained that he had been distressed about “the potential consequences of the information falling into the hands of someone on the other side of the law”. Although he considered the risks to be “remote” he suggested they were “live and real”. He also said he suffered anxiety over the potential for other misuse of the data, such as its use to open bank accounts, or apply for credit cards in his name. Concern at what might happen if information was accessed by criminals was a common theme. So was concern at the prospect of identity theft. Other worries were identified. Another claimant (no 45) was also “concerned” because the Original Residential Address was owned by the parents of his ex-partner, with whom he had experienced “significant issues” particularly around financial matters. He was fearful of what his ex-partner might do with details of his income and other personal information.
Required to state whether they had “a medical condition caused (or exacerbated) by the misaddressed ABS” a substantial number of the claimants asserted that they did. Among those are 42 of the appellants, each of whom has served a medical report in support of that assertion. We have not been provided with all of these but have been shown three exemplars, each of which contains details of the kinds of distress or concern or other emotional reaction reported by the particular appellant.
The respondent’s Defence admitted that it processed the Personal Data by recording, organising, structuring and storing it, and by altering it in the course of uploading the revised address data. The respondent did not dispute that the mere posting of the ABS involved processing of the Personal Data. The respondent’s case as to infringement was that it undertook these activities as a data processor only, and in any event it denied acting in breach of any of the duties alleged. The respondent denied the pleaded case as to damage and distress and, in the alternative, pleaded that the action failed to overcome the applicable thresholds of seriousness and/or was an abuse of process under the Jameel principle. In support of this plea it was asserted, among other things, that the claimants’ case that the ABS had been opened and read was purely inferential and rested in part on “an entirely unreasonable inference” that this had occurred.
- Heading
- LORD JUSTICE WARBY
- The background in more detail
- The claims
- The respondent’s application
- The judgment
- The draft Amended Master Particulars
- The appeal
- Data protection: the legal framework
- The infringement issue
- The compensation issue
- The pleaded claims
- Incredible?
- Out of scope (no distress)?
- Too trivial (below a threshold of seriousness)?
- Hypothetical or ill-founded? (Fear of third-party misuse)
- Aggravation of existing medical conditions
- Annoyance or irritation
- The Jameel issue
- Conclusions