Why The Paymaster Appeal Matters: A Wake-Up Call for Every Organisation Handling Personal Data
insights - 3 March 2025
The Supreme Court’s decision to hear Paymaster (t/a Equiniti) v Farley & Ors could significantly reshape the threshold for compensation under the UK GDPR. The case addresses whether claimants must prove that personal data was actually accessed following a breach, or whether anxiety about potential misuse can constitute compensable harm. The outcome may influence the future of data breach litigation, group claims, and how organisations assess risk when handling personal data.
The Supreme Court’s decision to hear Paymaster (t/a Equiniti) v Farley & Ors is one of the most significant developments in UK data protection law in recent years.
The appeal concerns the threshold for compensation under the UK GDPR and the Data Protection Act 2018 following a data breach. Its outcome may materially affect how organisations assess risk, respond to incidents, and price litigation exposure.
At issue is a central question under the General Data Protection Regulation: must a claimant prove that personal data was actually accessed by a third party, or is fear of misuse sufficient to establish compensable harm?
The answer will influence the future trajectory of GDPR enforcement, group litigation and the scope of non-material damage claims.
Legal Context
The claim arises from a 2019 administrative error. Equiniti, trading as Paymaster, sent annual pension statements to out-of-date addresses, affecting 432 police officers.
The claimants alleged:
- Misuse of private information
- Infringement of the UK GDPR
- Distress and psychiatric injury arising from fear of third-party misuse
Only 14 claimants could show a realistic prospect that their correspondence had been opened by someone else. The remainder accepted there was no evidence of disclosure but maintained that anxiety about potential misuse was itself compensable damage.
The High Court struck out most claims. It held that a viable claim required a real prospect that the information had been accessed.
The Court of Appeal reversed that approach in principle. It held that a claimant could pursue compensation for a GDPR infringement even without proof of third-party access, leaving the question of harm to be tested at trial.
The Supreme Court will now determine the correct threshold of harm under the UK GDPR, which carries forward the framework of the EU General Data Protection Regulation.
Implications for Data Controllers and Litigation Risk
1. The Threshold for Non-Material Damage
Article 82 of the GDPR permits compensation for both material and non-material damage. Courts have struggled with what level of distress satisfies that threshold.
If the Court of Appeal’s reasoning stands:
- Proof of actual disclosure may not be required
- Fear of misuse may constitute compensable harm
- Early strike-out applications may become more difficult
That would significantly expand potential exposure for data controllers who process personal data at scale.
The UK GDPR already permits fines of up to £17.5 million or 4 percent of total worldwide annual turnover, whichever is higher, for serious infringements. Regulatory exposure and private compensation claims often run in parallel.
Organisations must ensure they comply with the GDPR not only to avoid administrative fines imposed by data protection authorities, but also to mitigate civil claims.
2. Collective Actions and Group Litigation
The case demonstrates how claimant firms aggregate modest individual claims into substantial group actions.
Whilst each claimant may be seeking limited damages, the collective sum can be significant. Defence costs often exceed individual claim values.
The Court of Appeal’s approach suggests that courts may allow more data breach claims to proceed beyond strike-out or summary judgment, particularly where distress is alleged.
3. Disclosure May Not Be Required for Infringement
A central point on appeal is whether disclosure is necessary to establish infringement.
The Court of Appeal indicated that insecure or inaccurate processing may itself constitute an infringement of the data protection principles, regardless of whether anyone else saw the data.
If upheld, liability could arise from:
- Address validation failures
- Inaccurate data processing
- Weak internal audit mechanisms
- Systemic data quality issues
Data controllers must monitor compliance carefully. Data protection audits and data protection impact assessments, reviewed periodically rather than filed once, should form part of operational governance.
4. Interaction with Regulatory Enforcement
Although this appeal concerns private compensation, it sits within the wider enforcement landscape shaped by the Information Commissioner’s Office, national data protection authorities, and the European Data Protection Board.
Published enforcement decisions across the Member States show that data protection authorities within the EU have imposed substantial fines and penalties for breaches of the data protection principles.
Regulators possess:
- Investigative powers
- Corrective powers
- Power to impose administrative fines
- Power to issue warnings and reprimands
- Power to impose temporary or definitive limitation on processing, including a ban
- Assessment notices and audit powers
Under the EU General Data Protection Regulation, fines can reach €10 million or 2 percent of worldwide annual turnover for certain infringements, and €20 million or 4 percent for more serious violations, in each case whichever is higher. In the UK, the maximum is £17.5 million or 4 percent of global turnover.
DPAs cannot reach every infringement immediately. However, the enforcement actions and fines imposed across Europe show a consistent regulatory focus on data governance, data protection impact assessment failures, and non-compliance in high-volume processing.
The European Commission, the European Data Protection Supervisor and the EDPB continue to publish guidance, guidelines and opinions, and oversee the approval of codes of conduct under Article 40, to encourage compliance and public awareness.
The Supreme Court’s decision may indirectly affect how regulators view compensable harm and the broader application of data protection rights.
What This Means for Clients
Organisations that process personal data should treat this appeal as a risk indicator.
Steps to consider:
- Review Data Accuracy Controls: Audit address validation systems and high volume data processing activities.
- Strengthen Governance: Ensure clear accountability structures. Where required, appoint a data protection officer and clarify reporting lines.
- Conduct DPIAs Where Appropriate: A data protection impact assessment may reduce regulatory risk and demonstrate proactive compliance.
- Stress Test Incident Response: Ensure incident records capture what evidence exists that data was, or was not, accessed (returned post, recipient confirmations, access logs) and an assessment of non-material harm. Whether the data was actually seen is now the evidential point on which these claims turn.
- Prepare for Litigation, Not Only Regulatory Sanction: Administrative fines are only part of the exposure. Civil claims may follow even minor breaches.
Frequently Asked Questions
What is the threshold for compensation under the UK GDPR?
Compensation under Article 82 requires proof of damage. The Supreme Court will clarify whether distress without evidence of third party access satisfies that threshold.
Can a data breach claim succeed without proof of disclosure?
The Court of Appeal suggested it may. The Supreme Court will determine whether fear of misuse alone may constitute compensable harm.
What fines can regulators impose for GDPR infringement?
Under the UK GDPR, fines can reach £17.5 million or 4 percent of global turnover, whichever is higher. Under the EU GDPR, maximum fines are €10 million or 2 percent, or €20 million or 4 percent of worldwide annual turnover, depending on the infringement.
Who enforces the GDPR in the UK?
The Information Commissioner’s Office exercises investigative and enforcement powers, including the power to issue fines and penalties.
How can organisations reduce risk?
Organisations should monitor compliance, conduct data protection audits, carry out DPIAs where required, maintain accurate data processing records, and ensure operations are brought into compliance promptly following incidents.
Closing Perspective
The Paymaster appeal goes beyond a single administrative mistake. It concerns the scope of compensable harm under modern data protection law and the balance between speculative distress and actionable infringement.
If the Supreme Court lowers the evidential threshold, group data breach litigation is likely to increase. If it restores the High Court’s stricter approach, defendants may retain stronger tools to resist low value but large scale claims.
Either outcome will influence how organisations price risk, structure insurance cover, and manage data processing operations.
Our Commercial Litigation team continues to monitor developments closely. If you require advice on data breach exposure, enforcement risk, or litigation strategy, please contact us.