Recent Trends in Non-Material Loss Claims
A number of judgments regarding non material loss claims have been delivered by both the Irish and European Courts over the past 12 month. Our DEG team provide an overview of the recent trends and developments in this space.
Just over one year ago the CJEU handed down its decision in Osterreichische Post [1], concerning the rights of data subjects to seek compensation from data controllers for non-material loss arising from breaches of the GDPR. This was the first time that the CJEU had addressed private claims for non-material loss under the GDPR. The CJEU held that, provided there is a causal link between the infringement and the non-material loss suffered, a data subject may have the right to compensation. Of note, the CJEU also held that there is no requirement for the non-material damage suffered to reach a minimum threshold of seriousness in order to confer a right to compensation. This was a departure from the traditional position under Irish law, whereby de minimis breaches of the law do not give rise to a right to compensation.
Over the course of the past 12 months, a number of relevant judgments in respect of such claims have been delivered by both the Irish and European Courts and a number of trends have emerged, discussed in more detail below.
Liability for Controllers?
Whilst Osterreichische Post decided in what circumstances a controller is liable for damages for non-material loss – the question remained as to the extent to which controllers were liable for damages for infringements of the GDPR more generally, and in what circumstances. The CJEU has since delivered a number of decisions, and there have been a number of Advocate General opinions, that offer guidance on controller liability.
In ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein,[2] the CJEU held that the purpose of Article 82 of the GDPR is to provide compensation to the data subject in full for damage actually suffered as a result of an infringement of the GDPR – it does not have a punitive function.
This decision was followed by the judgment in GP v Juris GMBH, [3] in which the CJEU confirmed that mere infringements of the GDPR – by themselves – do not confer a right to compensation for the purposes of Article 82 of the GDPR. Accordingly, whilst de minimis breaches may be actionable before the domestic courts of Member States, the actual compensation that data subjects may recover in respect of such infringements is likely to be limited.
Whilst the CJEU may offer interpretative guidance as to the application of the GDPR, assessing the appropriate quantum of damages owed by a controller to a data subject who suffers loss as a result of an infringement of the GDPR remains a matter for the domestic courts of each Member State. Breaches were spread amongst the public (2,707) and private (3,677) sector with a small proportion (232) coming from the voluntary and charity sector.
Non-material Loss Damages Trends Emerging From the Irish Courts
In Ireland, a number of data privacy actions, which had previously been stayed pending the outcome of Osterreichische Post and other CJEU references, have since proceeded through the Irish courts and a number of interesting themes have emerged.
The first such decision came in Kaminski v Ballymaguire Foods Limited [4], a Circuit Court case in which the claimant was awarded €2,000 in damages following the unlawful processing of his personal data by his employer, namely CCTV footage containing his image, for workplace training purposes. The Circuit Court assessed that the plaintiff's damages comprised minor psychiatric damages (anxiety, embarrassment and sleep loss), and awarded the sum of €2,000 in line with the Irish Personal Injuries Guidelines. The Court suggested (with some caution, in the absence of clarification from the Oireachtas, the Superior Courts and outstanding preliminary references pending before the CJEU) that the following factors would be considered in ascertaining damages for non-material loss:
- A "mere breach" or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
- There is no minimum threshold of seriousness required for a claim for non-material damage to exist but compensation for non-material damage does not cover “mere upset”.
- There must be a link between the data infringement and the damage claimed.
- If the damage is non-material, it must be genuine, and not speculative.
- Damage must be proved. Supporting evidence, such as a psychologist report or medical evidence, is strongly desirable
- A claim for legal costs may be affected by these factors.
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest.
Subsequent to Kaminski, in Nolan v Dildar [5] the Irish Commercial Court delivered judgment, one aspect of which included an award of damages following a breach of data subject rights under the Data Protection Acts 1988 and 20023. In that matter, the plaintiffs, who were related trustees of a familial pension fund, alleged that approximately €7 million of fund property was misappropriated by the defendants. The family further alleged that one of the defendants, a specialist pensions provider, had allegedly misused the plaintiffs’ personal data by way of providing it to a fund service provider in the Isle of Man. The defendant admitted that the transfer was made without the plaintiffs’ consent, and as such, was a breach of the data subjects’ rights. Accordingly, the Court examined the damages that flowed from such an event.
The Court noted that there was no suggestion that the unauthorised disclosure had any adverse effect on the plaintiffs. The data was not distributed more widely than to the fund, and there was no actual damage suffered by the plaintiffs. As such, the Court made an award of €500 to each of the six plaintiffs for infringement of their data privacy rights. Whilst the data breaches concerned took place prior to the introduction of the GDPR, it is perhaps instructive of how the Courts might assess quantum in respect of claims for compensation under Article 82 of the GDPR in a post-Kaminski world. Where the damage suffered by data subjects is low or de minimis in nature, compensation awards are unlikely to exceed the monetary jurisdiction of the Irish District Court (discussed further below). This will be of some relief to data controllers faced with tenuous data breach claims, in particular from a legal costs perspective.
Personal Injuries Aspects to Data Breach Claims
A further issue which has complicated the entitlement to damages for non-material losses arising from infringements of the GDPR is the framing of data breach claims as personal injuries actions. In particular, the Irish Courts have recently held that claims for psychiatric harm arising from infringements of the GDPR constitute personal injuries, which require authorisation from the Personal Injuries Assessment Board (“PIAB”), now known as the Injuries Resolution Board, prior to court proceeding issuing. Failure to seek PIAB authorisation can result in proceedings not being properly constituted and therefore, the personal injuries aspects of those proceedings falling away.
In Keane v CSO [6] the plaintiff sought to recover damages for symptoms of severe stress and anxiety, which she alleged arose as a result of a data breach in which her P45 was disclosed. At no stage did the plaintiff seek to have the claim assessed by PIAB (as it then was), in line with section 11 of the PIAB Act 2003, which requires that leave be granted by PIAB to bring a claim for personal injuries before the Courts. Whilst the matter concerned injuries arising as a result of breaches of the Data Protection Acts 1988 and 2003, prior to the implementation of the GDPR, the Court held that psychiatric injuries arising as a result of a data breach constitute personal injuries for the purposes of the PIAB Act 2003 and, as a result, require PIAB authorisation before the plaintiff can commence proceedings.
In practice, where a plaintiff pleads personal injury-type loss in the context of a claim under Article 82 of the GDPR, but fails to obtain PIAB authorisation, it may limit the amount of compensation payable in respect of the infringement, or may result in the plaintiff being awarded nothing if all that is left is a mere infringement but no damage. However, depending on the nature of the alleged breach, it can be quite common to see other heads of claim pleaded, such as defamation, alongside tortious or personal injury claims.
Jurisdiction of the District Court to Hear Article 82 GDPR Claims
As a further positive development from a data controller’s perspective, particularly from a legal costs perspective, Article 82 GDPR claims can now be brought before the Irish District Court following the commencement of Section 77 of the Courts and Civil (Miscellaneous Provisions) Act 2023. This allows for data breach claims of up to €15,000 to be brought before the District Court . Previously, only the Circuit Court and High Court had jurisdiction to hear and determine Article 82 GDPR claims, depending on the level of damages sought. The District Court has a scale of costs, which are typically far less than those in Circuit Court and High Court proceedings. This is likely to substantially reduce costs for both parties in de minimis data breach matters, where the costs of legal proceedings have traditionality disproportionality outweighed the value of the claims.
Conclusion
In summary, there has been much progress over the past 12 months in clarifying the scope of Article 82 of the GDPR. However, whilst there have been a number of decisions from both the CJEU and Irish Courts which may be perceived as beneficial from a controller’s liability perspective, there remains an element of uncertainty in how consistently the Irish Courts will assess damages for non-material loss claims. However, the prevailing sense suggests that, certainly insofar as de minimis type claims are concerned, the award of damages will be nominal.
The authors would like to credit Samuel Elliott, associate for his support and assistance in researching and producing this article.
References
[1] Case C-300/21
[2] Case C-667/21
[3] Case C-741/21
[4] [2023] IECC 5
[5] [2024] IEHC 4
[6] [2024] IEHC 20