CA-2024-000578 - [2025] EWCA Civ 1117

By his reserved judgment and order dated 23 February 2024 the judge struck out all but 14 of the claims pursuant to CPR r 3.4(2)(a). He did so on the grounds identified in the following passages of the judgment.

“143.

In my judgment, to have a viable claim for misuse of private information and/or data protection, each Claimant must show that s/he has a real prospect of demonstrating that the ABS was opened and read by a third party. Without that, the relevant Claimant would have no real prospect of demonstrating that there had been “misuse”, an essential element of the tort of misuse of private information. ...

144.

For the purposes of clearly isolating the principle, it is helpful to consider the cases of the cohort of Claimants who ultimately did receive their ABS unopened. For those Claimants, an inferential case that the ABS was opened (and read) by a third party cannot be sustained. On the contrary, there is positive evidence that the ABS had not been opened (or read) by anyone else. Can these Claimants nevertheless bring a claim for misuse of private information and/or data protection in respect of the period before the ABS was returned? In my judgment, the answer is no.

145.

I reject the submission that these Claimants can advance a claim on the basis that, until returned, their personal information/data was “in danger” or “at risk”. The general law of tort does not generally allow recovery for the apprehension that a tort might have been committed; a person crossing a road cannot recover damages (whether for distress or otherwise) for almost being struck by a passing lorry or for a defamatory letter that was never actually received by its intended recipient. To be entitled to any remedy, a claimant must demonstrate that s/he is the victim of a tortious wrong. A near miss, even if it causes significant distress, is not sufficient. Without the contents of the ABS coming to the attention of a third party there is no viable claim for misuse of private information. In simple terms, there has been no interference with the Article 8 rights of the relevant Claimant because the privacy of the information contained in the ABS has not been compromised at any stage.

146.

The same is true for a civil claim for data protection. Data breach cases are premised on the personal data of the relevant claimant having been compromised; usually accessed by, or provided to, a third party. Shorn of the claim for “loss of control”, the Claimants’ claim is essentially one for Unlawful Processing by sending the ABS to the wrong address. But, if the ABS has not been opened or read by a third party, there has been no real “processing”. It was a near miss. I accept that there are wider policy considerations underpinning the data protection regime. Concepts of placing the data “at risk” have greater resonance in the regulatory context. A person who leaves a laptop on a train, from which unencrypted personal data could readily be accessed, may face regulatory action even if the laptop is recovered without any data having been compromised.

147.

In consequence, the claims in which the ABS was returned unopened fail to disclose reasonable grounds for bringing a claim for misuse of private information and/or data protection and will be struck out under CPR 3.4(2)(a). In the alternative, I would have found that these claims should be summarily dismissed under CPR Part 24 as having no real prospect of success.

148.

Next, I will consider the cases in which the ABS has not been safely returned and where the relevant Claimant relies upon an inferential case that the ABS has been opened and read by a third party (see [33]-[34] above). In my judgment, in these claims, the relevant Claimant has no real prospect of success. As pleaded, I would also hold that the bare inferential case on publication falls to be struck out pursuant to CPR 3.4(2)(a).

...

154.

The effect of the decisions I have made would be to leave 14 claims in which the relevant Claimant has a real prospect of demonstrating that his/her ABS was opened and read by a third party.”

This line of reasoning reflected the respondent’s arguments on misuse of private information and aspects of its pleaded case on damage; but it went beyond the three grounds on which the respondent had relied in support of its application to have the data protection claims dismissed. As to those grounds, the judge said that “whether the law in this jurisdiction imposes a threshold of seriousness in data protection claims” was an interesting and important point but he did not need to decide it in relation to these appellants, and in relation to the 14 remaining claimants it was a point which the court should resolve on the basis of facts found after a trial. As the Jameel issue now arose in relation to only 14 claims its nature had changed radically from what had been assumed in submissions. The judge had “no difficulty” in concluding that the court could fashion a procedure for adjudicating those claims and declined to strike them out as an abuse of process.