![CA-2024-000578 - [2025] EWCA Civ 1117](https://backend.juristeca.com/files/emisores/logo_Sjvxvlx.png){kind=logo}
The infringement issue
The infringement issue
The first question is whether the appellants have set out a reasonable basis for alleging that the respondent engaged in “processing” of their “personal data” within the meaning of the GDPR and DPA.
The appellants’ pleaded allegations can be summarised as follows. All the items of information that I have listed above were held by the respondent on its Compendia computer database. The original residential addresses were provided to the respondent, which processed them by “collecting, recording, organising, structuring and storing” them in two locations on that database. The way in which it did this was in breach of the data minimisation principle (Article 5(1)(c)) and the accuracy principle (Article 5(1)(d)). The revised residential addresses were then provided to the respondent and processed in the same ways. This was done in breach of the principle of lawfulness and fairness (Article 5(1)(a)) as well as the data minimisation and accuracy principles. When the respondent came to prepare and print the ABS there was a process flaw in the way it dealt with the addresses. In consequence, the printed ABS bore the original residential address rather than the revised one. That flaw involved a computer error of some kind. The direct result was that the ABS, containing all the other items of information I have listed, were sent to the wrong address. That was done in breach of the principles of lawfulness, fairness, accuracy, and the integrity and confidentiality principle (Article 5(1)(f)). Further and alternatively, there was a breach of Articles 24, 25 and/or 32.
The original allegation was that the breaches complained of resulted in the personal data being “passed ... into the hands of unknown third parties”. In the cases of these appellants, however, the judge held that they had no sustainable case to that effect. They have now abandoned that aspect of their claim. So the question is whether it can be said that the other alleged conduct involved processing personal data.
By Article 4(1) of the GDPR “personal data” means “any information relating to an identified or identifiable living individual ... ”. Section 3(2) of the DPA contains all those words, subject only to an immaterial exception. This is language of extremely broad reach. There has never been any dispute that the information at issue here falls within it. Clearly it does.
Article 4(2) GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. Illustrative examples are then given: “such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Sections 3(4) of the DPA defines “processing” in identical terms, again subject to immaterial exceptions. As the CJEU said of Article 4(2) in ‘SS’ SIA v Valsts ieneumu dienests, Case C-175/20, EU: C: 2022:124, [35]:
“It is apparent from the wording of that provision, in particular from the expression ‘any operation’, that the EU legislature intended to give the concept of ‘processing’ a broad scope. That interpretation is corroborated by the non-exhaustive nature, expressed by the phrase ‘such as’, of the operations mentioned in that provision.”
The appellants’ pleaded case as to what happened up to the point at which the ABS were printed adopts some of the language of Article 4(2) GDPR and section 3(4) DPA (“collecting, recording, organising, structuring and storing”). The respondent admits that its dealings with the information involved operations of that kind and that they amounted to processing. The admissions are rightly made. These were “operations performed on” personal data “by automated means”. In an early passage of his judgment the judge appears to have recognised this. In paragraph [4] he observed that “The error appears to have happened because of the way in which the relevant [appellants’] address details were stored and processed in the database used by the [respondent].”
The next steps in the sequence of events involved the respondent printing hard copy documents in the form of the ABS, placing them in envelopes, and sending them by post. It might perhaps have been argued that although these steps followed the automated processing of the data they were essentially separate and distinct manual operations, applied to the ABS as a document, which did not involve “operations ... performed on personal data” and thus did not qualify as “processing”. But the judge did not rely on any such reasoning nor has the respondent ever advanced any such argument. On the contrary, its Defence expressly admits that these aspects of their operations did amount to processing. There is no basis for striking out these aspects of the claims.
For the ICO, Mr Knight has submitted that a segmented or atomised approach to what went on here would be artificial and wrong in principle. I can see the force of that. As the issue does not arise for decision, I confine myself to the as prevfollowing observations.
The definition of processing in the GDPR is essentially the same as it was in the predecessor Directive (95/46/EC), which was implemented in this jurisdiction viha the Data Protection Act 1998. Both definitions include “any operation or set of operations” performed on personal data. In Campbell v MGN Ltd [2002] EWCA Civ 1373, [2003] QB 633 the Court of Appeal rejected a submission that the publication of a hard copy newspaper fell outside the notion of “processing” for the purposes of the 1998 Act, holding (at [106]) that “where a data controller is responsible for the publication of hard copies that reproduce data that has previously been processed by means of equipment operating automatically, the publication forms part of the processing and falls within the scope of the Act”. The later Court of Appeal decision in Johnson v Medical Defence Union [2007] EWCA Civ 262, [2008] Bus LR 503seems to me to turn on the particular and unusual facts of that case.
The objectives of the GDPR include the protection of fundamental rights and in particular the right to the protection of personal data (Article 1(2)). The material scope of the GDPR encompasses the processing of personal data “partly by automated means” and “the processing other than by automated means of personal data which form part of a filing system” (Article 2(1)). Recital (15) states that “the protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained ... in a filing system.”
In Endemol Shine Finland Oy, Case C-740/22 (EU:C:2024:216) [29]-[39] the CJEU, having regard to these features of the GDPR, held that the oral disclosure of personal data falls within the concept of processing under the GDPR and comes within the material scope of the Regulation “where the information forms part of a filing system”. Put another way, where a data controller is responsible for the oral disclosure of personal data that have previously been processed by automated means the oral disclosure forms part of the processing. We are not bound by this decision but I see no reason to take a different view in this jurisdiction. The court’s reasoning is persuasive and appears consistent with the approach in Campbell.
In the present case there was no “publication” of the personal data which had previously been held and otherwise processed automatically. The claimants could not, therefore, legitimately assert that the processing here involved (to quote the definition) “disclosure by transmission [or] dissemination” of the data. On a strict analysis they did not make such an allegation. Their contention that the data “passed ... into the hands of unknown third parties” was not pleaded as part of their case on breach but only in support of the allegation that the pleaded breaches caused damage and distress. In any event, for the reasons I have given it was not essential for the appellants to allege or prove third-party disclosure. Despite the rejection of that aspect of their case the appellants are still entitled to complain that the respondent’s conduct involved processing of the appellants’ personal data. The respondent rightly accepts that this is so.
Mr Campbell advanced an alternative submission, that even if there was no processing there is a tenable case of infringement based on Articles 24, 25 and 32. This appears to be a novel proposition. It found no support from Mr Knight on behalf of the ICO who argued that it is the concept of processing that lies at the core of the data protection regime. There can certainly be infringements without disclosure or publication of personal data: see Data Protection Commissioner v Facebook Ireland Ltd (Case C-311/18) [2021] 1 WLR 751. But it does not follow that there can be infringement without processing. As I have shown, the concept of processing embraces a great deal more than disclosure or publication. It includes mere recording. For my part I have found it hard to envisage any circumstance in which a data subject could advance any tenable claim for compensation for an “infringement” that did not involve some form of “processing” of the subject’s personal data. But in the light of my conclusions on the question of processing it is unnecessary to decide the point.
- Heading
- LORD JUSTICE WARBY
- The background in more detail
- The claims
- The respondent’s application
- The judgment
- The draft Amended Master Particulars
- The appeal
- Data protection: the legal framework
- The infringement issue
- The compensation issue
- The pleaded claims
- Incredible?
- Out of scope (no distress)?
- Too trivial (below a threshold of seriousness)?
- Hypothetical or ill-founded? (Fear of third-party misuse)
- Aggravation of existing medical conditions
- Annoyance or irritation
- The Jameel issue
- Conclusions