Michael Farley (formerly “CR”) v Paymaster (1836) Ltd (trading as Equiniti)
| Jurisdiction | England & Wales |
| Judge | Mr Justice Nicklin |
| Judgment Date | 23 February 2024 |
| Neutral Citation | [2024] EWHC 383 (KB) |
| Court | King's Bench Division |
| Docket Number | Case No: QB-2021-001497 |
[2024] EWHC 383 (KB)
THE HONOURABLE Mr Justice Nicklin
Case No: QB-2021-001497
QB-2022-002822
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
MEDIA & COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Oliver Campbell KC, Pepin Aslett and Alex Platts (instructed by Keller Postman UK Limited) for the Claimants
Andrew Sharland KC and Hannah Ready (instructed by Freeths LLP) for the Defendant
Hearing dates: 27–28 February 2023
Further written submissions: 18/19 May 2023 and 1 June 2023
Approved Judgment
This judgment is divided into the following sections:
A: Parties and background
| Section | Paragraphs | |
| A. | Parties and background | [2]–[12] |
| B. | The original claims | [13] |
| C. | The Anonymity Application | [14]–[24] |
| D. | Statements of case | [25]–[42] |
| (1) | Particulars of Claim | [25]–[36] |
| (2) | Defence | [37] |
| (3) | Reply | [38] |
| (4) | Further Information of the claims and Individual Schedules | [39]–[42] |
| E. | Further claims | [43]–[54] |
| F. | Applications | [55]–[72] |
| (1) | Dismissal Application | [55]–[62] |
| (2) | Striking Out Application | [63]–[65] |
| (3) | Application by the Claimants in the Second Claim | [66]–[72] |
| G. | Events following the hearing on 27–28 February 2023 | [73]–[83] |
| (1) | Anonymity Order substantially discharged | [73] |
| (2) | Further Application and evidence in respect of derogations from open justice | [74]–[80] |
| (3) | Application to amend the MPoC in the First Claim to advance personal injury claims | [81]–[83] |
| H. | Legal principles | [84]–[122] |
| (1) | Striking out | [84]–[86] |
| (2) | Summary judgment | [87] |
| (3) | Misuse of private information | [88]–[100] |
| (4) | Data protection | [101]–[110] |
| (a) ‘Damage’ in data protection cases | [102]–[103] | |
| (b) Threshold of seriousness | [104]–[105] | |
| (c) The ECJ decision in UI v Österreichische Post AG | [106]–[110] | |
| (5) | Jameel abuse of process | [111]–[115] |
| (6) | Anonymity and derogations from open justice | [116]–[122] |
| I. | Anonymity Application | [126]–[136] |
| (1) | Submissions | [126]–[128] |
| (a) Claimants | [126]–[127] | |
| (b) Defendant | [128] | |
| (2) | Decision | [129]–[136] |
| J. | Dismissal Application | [137]–[165] |
| (1) | Submissions | [137]–[142] |
| (a) Defendant | [137]–[138] | |
| (b) Claimants | [139]–[142] | |
| (2) | Decision | [143]–[165] |
| K. | Conclusion and next steps | [166]–[167] |
In this action, the Claimants, over 400 current or former police officers of Sussex Police, bring claims for breach of the General Data Protection Regulation (“GDPR”) and/or Data Protection Act 2018 (“the DPA”) and/or misuse of private information. In August 2018, the pension function of Sussex Police was transferred to the Defendant who, from that date, has been the administrator of the pension scheme to which the Claimants belonged.
In late August 2019, the Defendant sent to each member of the scheme an annual pension benefit statement (“the ABS”). The ABS provided an overview of the relevant member's accrued benefits under the pension scheme. The information contained in each ABS necessarily varied, officer by officer, but broadly it contained his/her name, date of birth, national insurance number, and details of the officer's salary and pension details (the particular information the Claimants contend was included in the ABS is set out in [26] below). It would have been apparent to any third party reading the ABS, from the information it contained, that the intended recipient of the ABS was a police officer.
It is common ground that, unfortunately, the ABSs were sent to out-of-date addresses (i.e. an address that had previously been provided by the relevant officer as his/her address for correspondence, but which had become out of date). This error appears to have happened because of the way in which the relevant Claimant's address details were stored and processed in the database used by the Defendant. A complaint made by the Claimants is that this was not the first time that ABSs had been sent to the wrong addresses. They say that there was another incident earlier in 2019.
The sending of the ABSs to out-of-date addresses was detected by the Defendant and notifications were sent to those affected in early October 2019. Each affected officer was offered the opportunity to sign up to CIFAS, a fraud protection service, the fees of which would be met by the Defendant. The Defendant's evidence is that 37 people took up the offer to sign up with CIFAS (which represented around 5% of those who were affected by the ABSs being sent to the wrong address).
The potential data breach was also reported to the Information Commissioner (“the ICO”) but, on 17 October 2019, the ICO confirmed to Sussex Police that no further action needed to be taken. The reasons given by the ICO for its decision were as follows:
“— The breach was caused by your [Sussex Police's] data processor [the Defendant]. You had notified them of the change of addresses and they failed to effectively update their systems.
— You have conducted a risk assessment and concluded that the risk of data subjects suffering significant consequences as a result of this incident is unlikely; the data disclosed is limited in nature and each data set has only been sent to one household, who can be identified.
— You have a contract with [the Defendant], which specifically states that all their staff should have received data protection training.
— You have undertaken to inform the data subjects and… have been provided with a link to the ICO's advice regarding identity theft. This can be forwarded to those data subjects to help them take any action they regard as necessary to protect their identities…”
Nevertheless, in these proceedings, the Claimants contend that the sending of the ABS to an incorrect address was a breach of the relevant data protection legislation by the Defendant and/or misuse of their private information entitling them to compensation. The Claimants have taken no action against Sussex Police.
Following a letter of claim, dated 28 February 2020, the Defendant (in a letter dated 2 April 2020) admitted that there had been a data breach and that the Claimants were “ entitled to pursue [the Defendant] for loss, damage and/or distress allowable at law”.
On 23 February 2021, the Claimants' solicitors sent a letter to the Defendant's solicitors proposing the issue of a single Claim Form for all the Claimants, a Master Particulars of Claim and the selection of “ test cases”, albeit not as a representative action under CPR 19.6. Accompanying that letter was a Schedule identifying the “ damages sought” for claims in misuse of private information and breach of data protection. Each claimant claimed damages of £2,000 for misuse of private information, and a range of £1,064.80 and £2,606.20 for the data protection claim. The basis used to calculate these figures (which, in respect of the data protection claim, were oddly precise) has not been explained.
The Claimants' solicitors' position is that, individually, each claim is relatively ‘low value’ and that the cohort of claims “ need[s] to be pursued in a cost-effective and proportionate way”. At the hearing, Mr Campbell KC estimated that the value of a typical claim (without a claim for personal injury) would be in the region of £1,250 to £1,500 (embracing both causes of action), representing a significant discounting of the figures provided with the letter of 23 February 2021.
The Claimants' pre-issue costs were around £1.2m. As a purely mathematical calculation, that equates to just over £2,500 per Claimant at the date of issue of the Claim Form. For most Claimants, therefore, even at the point of issuing the Claim (the very first step in the litigation) they had spent more in terms of costs than they hoped to achieve by way of an award of damages. Mr Campbell KC accepted that any individual Claimant, acting on his/her own, would have been expected to have brought that claim in the County Court and that the claim would almost certainly have been dealt with on the Small Claims Track. Nevertheless, he contends that the only practical way for the cohort of Claimants to obtain redress – and effective access to justice – was to pursue this claim on a class basis.
As a result of directions given by the Court, the parties have provided to the Court broad information about their costs. For the Claimants, in October 2022, they had incurred costs of around £1.8m. At the date of the hearing that figure had risen to just short of £2m. The Claimants' estimated budget for a trial of lead cases was £2.549m. The Defendant's estimated budget for a trial of lead cases was £2.7m. The Claimants have also taken out ATE insurance. The claim for misuse of private information means that, if that claim is successful, they can seek to recover the premiums for the ATE insurance from the Defendant. At the hearing, Mr Campbell KC was quite candid that the potential to recover ATE premiums was an advantage to the Claimants in advancing a misuse of private information claim, which would not have been available had the Claimants pursued a claim solely for alleged breach of data protection.
B: The original claims
The original Claim Form in QB-2021-001497 was filed on behalf of 474 Claimants on 22 April 2021 (“the First Claim”). 28 claims have been discontinued subsequently. As at the date of the filing of the Amended Claim Form, on 15 March 2023 (see [73] below), there were 446 active Claimants. The Claimants:
“… claim damages for...
To continue reading
Request your trial