
Compensation for data protection breaches: how to assess the amount and whether ‘trivial’ claims can be dismissed
Wednesday 4th March 2026
If you or your business are facing an influx of data protection claims for fairly innocuous incidents, you are not alone.
In this article, we take a quick look at how to value compensation claims by data subjects and whether ‘trivial’ claims can be dismissed.
Compensation: when and how much
Individuals (aka ‘data subjects’) need to show they’ve suffered some damage, typically ‘non-material’ damage, like distress[i].
Putting a figure on it is not easy. It’s still an emerging area of law and there just aren’t that many Court decisions on the topic.
Here’s a rundown of what we’ve learned so far:
Lower end: Compensation awards tend to be modest for pure data protection claims. Typically, a few hundred pounds for very low impact incidents.
- Case 1[ii]: a CPS lawyer emailed a member of the public confirming a charging file had been referred to them by Lancashire police. A limited disclosure about a well-publicised investigation, to people who were overwhelmingly likely to already know what the situation was. Award: £250 in damages.
More serious breaches: compensation starts to rise into the low thousands for more intrusive or poorly handled incidents.
- Case 2[iii]: an employee of a small finance business disclosed three snippets of financial/account information to the claimant’s hostile neighbour who then used it in their dispute. Award: £1,500.
- Case 3[iv]: disclosure by the police of a complainant’s criminal allegations against her former husband, which ended up reaching the man in question, causing the complainant to fear for her safety. She had diagnosed psychological harm and became suicidal. Award: £3,000 in damages for distress.
- Case 4[v]: a business-intelligence report wrongly alleged two businessmen were funnelling “illicit cash” to the Kremlin. The report was shared with consultancies and US/UK politicians. Award: £18,000 to each claimant for distress and reputational harm.
Key takeaway: standalone data protection claims typically sit in the low hundreds or thousands of pounds, unless there’s wider exposure, highly sensitive data, procedural failings or aggravating conduct.
Often data protection claims will be rolled up with claims in misuse of private information, breach of confidence or ECHR Art.8. These claims tend to attract much higher awards; Max Mosley’s claim against the News of the World is a prime example.
Can lowest end ‘trivial’ claims be dismissed outright?
These claims can be tricky for businesses to handle.
If there must be ‘non-material’ damage like distress, it raises the question: if a breach is limited in scope, doesn’t involve sensitive data, and is an isolated incident quickly put right, can the effect on someone ever be more than fleeting?
Until last year, Judges had been ready in some cases to dismiss such claims for being too trivial and falling below a threshold of seriousness.
- Case 5[vi]: A law firm chasing unpaid school fees missent a single account statement to the wrong email address. The recipient confirmed deletion the next day with no evidence of onward misuse. Case dismissed: trivial – no credible case that distress hit the threshold.
However, in summer 2025, the Court of Appeal rejected the idea that such a threshold exists in Farley and others -v- Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117.
Farley v Paymaster
Letters containing pension data had been sent out to the wrong addresses, but it wasn’t clear if there had been any misuse or if the letters had even been opened. The question was whether the mere fear the claimants had was enough.
Unsurprisingly, the sender of the letters argued it was all too trivial and not serious enough to hit the threshold, citing earlier Court decisions.
The Court of Appeal said it was not bound by the earlier cases and decided there was no reason not to follow the Court of Justice of the European Union (CJEU), finding no seriousness/de minimis threshold applied. There would be no blanket dismissal; each letter needed to be looked at individually. If the fear was well-founded and not purely hypothetical, regardless of triviality or seriousness, that would be enough.
As it stands then, controllers/processors cannot dismiss compensation claims outright for being too trivial.
However, the sender of the letters has now been granted permission to appeal to the Supreme Court.
Our courts are not bound by the CJEU decisions, since the GDPR applies in the UK only by virtue of post-Brexit legislation that created a ‘UK GDPR’, supplemented by further domestic laws.
The Supreme Court has a decision to make, then, and it’s one that’s needed.
Handling data protection claims for low impact incidents in a cost-effective way was already a significant challenge for businesses faced with them. If claims can’t be rebuffed for falling below a threshold, it only gets more difficult.
This could be the reason businesses are seeing an uptick in lower-value claims. The Court of Appeal decision was well-publicised, after all.
Unless it settles beforehand, the Supreme Court will now decide.
If you need any help or advice concerning data protection breach claims, please get in touch with our privacy and data protection team.
[i] Article 82(1) of the UK GDPR provides that right, and section 168 of the Data
[ii] Driver v Crown Prosecution Service [2022] EWHC 2500 (KB)
[iii] Saxby Finance Ltd v Baker [2025] EWHC 2919 (KB)
[iv] Ali v Chief Constable of Bedfordshire Police [2023] EWHC 938 (KB)
[v] Aven v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB)
[vi] Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB)
Please note that this article is provided for information purposes only and is not legal advice. If you would like to discuss the merits of a particular claim, please get in touch.
