What Recent EU and UK Decisions Tell Us About GDPR Lawsuits

Skadden Publication / Cybersecurity and Data Privacy Update

Nicola Kerr-Shaw, Aleksander J. Aleksiev, Alex Smallwood, William E. Ridgway, David A. Simon, Susanne Werry

Executive Summary

  • What’s new: Two recent cases — one in the UK and the other in the EU courts — provide important insight about how individuals may claim damages for GDPR breaches in private GDPR lawsuits. 
  • Why it matters: To date, GDPR infringements have primarily been handled by regulators. However, recent European case law is paving the way for private lawsuits seeking damages for GDPR infringements. When combined with the EU’s Representative Actions Directive, which introduces a “class action” style collective action regime in Europe, large companies need to be prepared for US-type class actions related to data breaches. 
  • What to do next: Companies should consider the increasing frequency of private GDPR claims in setting their GDPR compliance posture. For example, companies should revisit their data breach response plans to ensure that the risks of triggering private claims are considered before issuing data breach notifications to individuals, and to ensure that their responses to data breaches will support the company’s defense in any eventual litigation. 

__________

Farley: The UK Decision

On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster.¹ The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The statements contained (among other things) the pension scheme members’ salaries, dates of birth and accrued pension entitlements.

Although there was no evidence that the relevant members’ statements had been opened or that the data had been misused, members brought a collective action claiming compensation under the UK’s version of the General Data Protection Regulation (GDPR), alleging that the delivery of their pension benefits statement to the wrong address caused them “psychiatric injury” and “fear of third-party misuse.” At the time the matter reached the court, each claimant sought £1,250.²

The court’s key findings on damages were that:

  • Emotional responses to UK GDPR breaches should be interpreted broadly and beyond the strictures of simple “distress.” A mere fear of third party misuse of personal data, for example, can therefore constitute non-material damage under UK GDPR, even if there is no evidence that such misuse in fact occurred. However, such fear must be objectively well founded.
  • It is not necessary to establish a minimum threshold of seriousness to bring a successful claim for non-material damage for a breach of the UK GDPR.
  • The court nonetheless maintained that a causal link between the GDPR breach and non-material damage allegedly incurred must be established to bring a successful claim.

This suggests that there may now be fewer hurdles for claimants to bring mass claims in the UK for data breaches than claimants had thought following Lloyd v Google. Companies will watch with interest how readily the UK courts apply these principles in future data breach claims.

It is also notable that the court’s findings on damages mirrored recent EU case law,³ and the Court cites recent European Court of Justice (ECJ) case law at length in reaching the conclusions above, saying that “it makes good legal sense for the court to interpret and apply the GDPR in conformity with settled [ECJ] jurisprudence” and that “divergent interpretations of the same legislative text tend to undermine legal certainty.”

In light of the court’s desire to remain aligned with EU courts, UK businesses should continue to monitor emerging EU case law (see below), though the Court of Appeal’s approach does represent a tension with the UK government’s ambition to loosen UK data protection law to “promote innovation and economic growth and make things easier for organizations.”

Quirinbank: The EU Decision

Meanwhile, the ECJ has issued its own judgment on GDPR claims in Quirinbank.⁴ The case concerned a job applicant who applied for a job at a company using an online jobs website. The company sent its response, informing the applicant that their salary expectations could not be met, to a third party who had previously worked with the applicant.

The applicant initiated proceedings in Germany, claiming compensation under the GDPR for the non-material damage allegedly suffered, alleging that the infringement had caused them humiliation and had placed them at a disadvantage in potential recruitment situations. The applicant also sought an injunction to prevent any further processing of their personal data.

On the damages claim, the ECJ reiterated its (now quite extensive) existing case law on GDPR damages and held that “mere negative feelings” such as “fear or annoyance [which] form part of the general risk inherent in everyday life” are capable of constituting non-material damage for the purposes of compensation under the GDPR.⁵

On the request for an injunction, the ECJ found that:

  • The GDPR does not prevent a data subject from seeking an injunction against a controller on the basis of member state law, meaning that, if a member state’s laws allow for injunctions, that can include GDPR injunctions.
  • When assessing compensation for non-material damages under the GDPR, the granting of an injunction under member state law should have no impact on the level of compensation. That is, the granting of an injunction (the purpose of which is to prevent future breaches) is a separate remedy to the payment of damages (the purpose of which is to provide “full and effective” compensation for harms suffered).⁶

What To Do Next

Although mass data breach claims in Europe remain the exception rather than the norm, companies should consider the increasing prevalence of private data breach claims when implementing their GDPR compliance regimes and responding to data breaches. For example, companies should revisit their data breach response plans to ensure that the risks of triggering private claims are considered before issuing data breach notifications to individuals, and should ensure that communications and documentation prepared during data breach responses support any eventual litigation.

_______________

¹ [2025] EWCA Civ 1117.

² The court’s decision notes that the Sussex Police informed the UK Information Commissioner and sent a personal data breach letter to the affected members despite determining that there was a low risk of harm to them. That in turn triggered the class action claim. Companies often issue GDPR notifications in low-risk cases “out of an abundance of caution” or in the interests of transparency, but as the Farley facts show, issuing those notifications carries risks too.

³ See paragraphs 55-59 of judgment.

⁴ Case C-665/23, EU:C:2025:655.

⁵ See paragraph 62 of judgment.

⁶ See paragraph 81 of judgment.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
