30 Oct GDPR & Data Breach Claims in Ireland
The General Data Protection Regulation (GDPR) is a piece of European legislation that came into force across the EU on 25th May 2018. It is mirrored by an Irish piece of legislation, the Data Protection Act 2018, most of which also came into effect on 25th May 2018.
Its primary purpose is to provide rights to “data subjects” concerning their “personal data”. The term “personal data” is defined as meaning any information concerning or relating to a living person who is either identified or identifiable (such a person is referred to as a “data subject”).
An individual could be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Rights of a Data Subject
As the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the 2018 Act) came into force over five years ago, many will be aware of their rights as data subjects under GDPR and the 2018 Act.
The right of a data subject to claim compensation for a breach of their personal data is enshrined in Article 82 of the GDPR and Section 117 of the 2018 Act. In particular, Article 82 provides that:-
- “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
A personal data breach is defined under Article 4 of GDPR as:-
- “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Further, personal data is defined as:-
- “Any information relating to an identified or identifiable natural person (‘data subject’) … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physiological, genetic, mental, economic, cultural or social identity of the natural person.”
Similarly, Section 117 (1) of the 2018 Act allows a data subject to bring an action against a data controller or processor where his/her rights have been infringed as a result of the processing of his/her personal data.
Section 117 (4) allows a data subject to seek, inter alia, compensation for any material or non-material damage(s) as a result of the breach.
While a data subject is entitled to seek compensation for a data breach, there has been a lack of guidance in the Irish Courts as to what compensation a person may be entitled to in the event of a data breach and whether they are entitled to compensation for material or non-material damage.
The EU Position
In the case of UI v Österreichische Post AG (C-300/21), the Austrian postal service labelled an individual as having right-wing political views as an extrapolation from data it held. It sold lists of persons thought to have an affinity for various political parties to organisations to enable them to send targeted advertising. The individual claimed damages for breach of GDPR for upset and exposure, though he had not suffered any monetary loss. The Austrian Supreme Court referred three questions to the CJEU seeking clarification on the scope of compensation for non-material damage, including whether a data subject is entitled to damages for the mere infringement of the provisions of the GDPR and whether a data subject suffered harm. In particular, the Austrian Supreme Court sought clarification on the below points:-
- Is the mere breach of provisions of the GDPR in and of itself sufficient for the award of damages?
- In addition to the principles of effectiveness and equivalence, does EU Law impose further requirements that National Courts must observe when assessing damages under Article 82?
- Does non-material damage require an impairment (or other consequence of the infringement of at least some weight) that goes beyond the annoyance caused by the infringement?
The claimant in that case sought compensation of €1,000.00 from Österreichische Post AG for non-material damage arising from a breach of his personal data rights.
The Advocate General provided an opinion in October 2022 which advised that GDPR infringements do not themselves warrant compensation and that non-material damage should meet a minimum threshold of seriousness. The level of compensation is a matter for the law of the Member States.
The Court of Justice of the European Union in its decision of 4th May 2023 held that:-
- There is no automatic right to compensation once an infringement is proven.
- However, there is no minimum threshold for damage in order to justify an award of compensation and that damage should be broadly interpreted to fully reflect the objectives of the Regulation.
- The amount of damages payable is to be determined by a national court applying the domestic rules of each Member State.
Irish Position – The Kaminski Decision
A recent decision of Judge O’Connor in the Circuit Court, in the case of Kaminski v Ballymaguire Foods Limited (2023) IECC 5, has clarified the Irish position. In this case the Plaintiff issued proceedings against his employer pursuant to Section 117 of the 2018 Act for breach of the 2018 Act and Article 82 GDPR, seeking damages for non-material loss.
A data breach arose when the Defendant showed CCTV footage of the Plaintiff to other employees in a meeting with managers, the purpose of which was to address incidents of poor food safety practice and to highlight food quality and safety issues that needed to be addressed for the purpose of identifying corrective actions.
The Plaintiff appeared in one of the clips of the CCTV footage, which was used to identify an issue with persons moving from one area of the factory where unprepared food was maintained to another area where prepared food was handled, which gave rise to dangers of food contamination.
The Defendant did not identify the specific individuals by name or deal with the actions of specific individuals shown on the CCTV footage in the meeting. However, the Plaintiff alleged his rights had been breached as he was clearly identifiable from the CCTV footage and from related audio commentary that he said identified him by name.
The Court held that the Plaintiff was identifiable from the CCTV footage and that the use of the footage in this way amounted to a breach of the Plaintiff’s GDPR rights.
Judge O’Connor provides a good analysis of the statutory provisions under the 2018 Act and the GDPR regarding the right to compensation for data breach.
The Court noted that Article 82 (1) of the GDPR provides that a person who has suffered material or non-material damage as a result of an infringement of the regulation shall have the right to receive compensation for the damage suffered. It was also noted that compliance with GDPR is enforced publicly by fines and privately by the awarding of damages and/or other reliefs such as injunctions.
The Court acknowledged that one of the challenges was finding a way to evaluate the concept of non-pecuniary loss and how such damages should be calculated in Ireland.
The Court also acknowledged that “non-material damage” is not defined in the GDPR but the recitals provided some guidance, although same were not binding. The Court referred to Recital 146 of the GDPR which provides that “the concept of damage should be broadly interpreted and that data subjects shall receive full and effective compensation for the damage they suffered”.
The Court also noted that Recital 85 provided that where a personal data breach was not addressed in an appropriate or timely manner it may result in “physical, material or non-material damage to natural persons in circumstances where the natural person has suffered a loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss…damage to reputation, loss of confidentiality, personal data or other significant economic or social disadvantage”.
The Court acknowledged the decision of the CJEU in the Österreichische Post AG case, as mentioned above.
The Court also noted the pre-GDPR position in the Irish courts which held that there was no right to compensation for non-material damage.
The Court in Kaminski also considered the relevant factors in ascertaining damages for non-material loss, noting the absence of clarification from the Oireachtas, Superior Courts and the outstanding preliminary references pending before the CJEU. In particular, the Court noted that the CJEU had determined that there was no de minimis standard of loss to be suffered for an individual to recover compensation.
The Court ruled that in settling damages for non-material loss the following factors are considered:-
- “Near breach” of the GDPR is not sufficient to warrant an award of compensation.
- There was not a minimum threshold of seriousness required for a claim of non-material damage to exist. However, compensation for non-material damage does not cover “mere upset.”
- There must be a link between the data infringement and the damages claimed.
- If the damage is non-material, it must be genuine and not speculative.
- Damages must be proved and, in a claim for distress and anxiety, independent evidence is desirable, such as, for example, a psychologist’s report or medical evidence.
- Data policies should be clear and transparent and accessible by all parties affected.
- Employers should ensure their employee privacy notices and CCTV policies are clear to employees.
- Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach.
- An apology where appropriate may be considered a mitigation of damages.
- Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
- A claim for legal costs may be affected by these factors.
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest.
The Court accepted that the Plaintiff’s rights as a data subject were breached by the Defendant and that the Plaintiff’s loss went beyond mere upset and “created an emotional experience and negative emotions of insecurity which did affect him for a short period of time.” In particular the Court noted the Plaintiff suffered serious embarrassment and sleep loss arising from the breach. Accordingly, the Court awarded the Plaintiff €2,000.00 for non-material damages.
It will be interesting to see whether the decision of Judge O’Connor in the Kaminski case has now settled the law in this area or whether any judges will take a different approach in other cases. Certainly, each case will ultimately turn on its own facts. Whether damages are approved at the same level or a higher or lower level in future cases, it is worth noting that the use of pixelization techniques or hiring of professional actors for training videos would have avoided the claim and associated costs.
Another recent development is the amendment to Section 117 of the 2018 Act by the Courts and Civil Law (Miscellaneous Provisions) Act 2023, which provides that data protection actions may now be heard in the District Court. Previously, data protection claims had to be brought in either the Circuit or High Court regardless of the value of such claims. However, given the level of award in the Kaminski case, it seems appropriate that such cases are now brought in the District Court, which will also involve reduced legal costs for the parties.
Tara Nolan, Solicitor Litigation