Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

Following on from the CJEU Post AG decision regarding non-material damage in data protection claims, a recent decision of the Irish courts has provided guidance on how this concept of non-material damage will be assessed in Ireland. Our Insurance & Risk, Dispute Resolution, and Privacy & Data Security teams examine this recent decision and some of the key takeaways for data protection claims.


The EU’s General Data Protection Regulation provides for compensation for “non-material damage”. However, there has been real lack of clarity as to what, exactly, constitutes “non-material damage”.

The Irish Circuit Court decision in Kaminski v Ballymaguire Foods Limited[1] goes some way towards outlining the principles which will apply in Ireland regarding the assessment of non-material damage claims.

Background

The plaintiff was employed by the defendant company as a supervisor in a chilled ready-meal factory in Lusk, Co Dublin. In the course of a training session involving supervisors and managers, several CCTV clips were shown which purported to highlight unapproved food safety practices.

As ultimately admitted by the defendant, the plaintiff was identifiable in one of the clips shown, though he was not present at the session. The plaintiff claimed that the use by the defendant of CCTV footage amounted to unlawful processing under the GDPR and Data Protection Act 2018, and that, as a result of this unlawful processing, he suffered non-material damage, as defined by the GDPR. In that regard, he claimed that it had made him ‘more stressed at work’, he felt ‘humiliated’ and he had problems with his sleep for a short time.

Position of data breach claims following Post AG case

Over the course of 2023, there have been a number of decisions which have provided some guidance as to how the courts will approach claims for non-material damages arising out of a breach of the GDPR.

January 2023 saw the delivery of the judgment in Gary Cunniam v Parcel Connect Ltd t/a Fastway Couriers Ireland & Others. This saw a stay placed on a data breach claim until certain questions on non-material damage under GDPR had been determined by the Court of Justice of the European Union (CJEU). This case became the basis for many similar claims to be stayed by agreement.

The much-awaited CJEU decision in UI v Österreichische Post AG, Case C300/21 (commonly referred to as the Post AG case) was then delivered in May 2023, which provided some limited clarity on how non-material damage claims are to be assessed. The Court determined that:

  • A right to compensation for non-material damage does not automatically arise from a mere infringement of the GDPR;
  • The GDPR does not provide for a de minimis threshold for non-material damage, a threshold which requires a certain degree of seriousness before a claim can succeed; and
  • The non-material damage must be causally linked to the alleged data breach.

Of significant importance, the decision also determined that the assessment of non-material damage is a matter for the national courts of EU member states. This meant that the position of Irish claims for non-material damage remained uncertain, in the absence of judicial guidance.

Decision

The judgment of Judge O’Connor in Kaminski is the first judgment following the Post AG decision which provides guidance on the treatment of claims for non-material damage in Ireland.

The judgment dealt first with the issues of whether or not the use of the CCTV in the training session constituted unlawful processing under the Data Protection Act 2018 and the GDPR, and whether or not the damage suffered went beyond mere upset or displeasure.

The judgment then considered the factors which a court must consider when assessing compensation for non-material damage, which were outlined as follows:

  • A mere violation of the GDPR is not sufficient to warrant an award of compensation;
  • There is not a minimum threshold of seriousness required for a claim for non-material damage to exist but compensation for non-material damage does not cover “mere upset”;
  • There must be a link between the data infringement and the damage claimed;
  • Non-material damage must be genuine and not speculative;
  • Damage must be proved and supporting evidence is strongly desirable;
  • An apology where appropriate may be considered in mitigation of damages;
  • Delay in dealing with a “data breach” by either party is a relevant factor in assessing damages;
  • A claim for legal costs may be affected by these factors; and
  • Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest.

Regarding the final point, the judgment stated that in the absence of guidance from the Oireachtas, the Superior Courts, or the Judicial Council, the Court considered the Personal Injuries Guidelines 2021. The Court referred to the category of minor psychiatric damages, though it noted that in some cases non-material damage could be valued below the lowest Guidelines valuation of €500. This is interesting in circumstances where the Guidelines relating to psychiatric injury apply for “recognisable psychiatric injury” and specifically state that “upset, distress, grief, disappointment and humiliation, do not attract compensation.”

Having considered the facts of the case, Judge O’Connor accepted that the plaintiff’s reaction to the incident went beyond mere upset and awarded him €2,000.

Commentary

This is certainly an interesting decision. Unless it is appealed, it will stand as a precedent for the courts in the assessment of non-material damage in data privacy claims. It is positive that Judge O’Connor referred to awards for non-material damage as being “modest”. It is also likely that going forward that most claims of this nature will be more properly issued in the District Court once this is permitted by the commencement of part 10 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023. This should lower the costs awarded to a successful claimant as such costs would fall to be assessed on the District Court scale, which is substantially lower than costs awarded in the Circuit Court.

For more information on successfully defending similar claims, contact a member of our Insurance & Risk, Dispute Resolution, or Privacy & Data Security teams.

[1] [2023] IECC 5

People Also Ask

What are the practical takeaways for companies who may be faced with data protection claims?

The factors outlined by the court provide some much-needed guidance as to the potential exposure for non-material damage claims. Companies should note the court’s reference to delay in dealing with a potential breach and the minimising of risk as factors in considering non-material damage, as well as the potential mitigating effect of an apology.

Will claimants be required to submit medical evidence in order to succeed in a claim for non-material damage?

Although the judgment does not state that medical evidence is mandatory, the factors outlined by the court for assessing these claims state that supporting evidence, such as a psychologist's report or medical evidence, is strongly desirable. This suggests that claimants who fail to provide such evidence will face a more difficult path to recovery.

Does the Irish position regarding non-material damage differ from that in the UK?

Yes, there is now a clear divergence between the two jurisdictions regarding non-material damage claims, concerning the imposition of a threshold of damage to be met by the plaintiff. The decision in Kaminski confirms the position outlined in Post AG that no threshold of damage applies, in contrast to the UK courts imposing a de minimis threshold before a plaintiff can recover, as seen in the decision in Rolfe & Others v.Veale Wasbrough Vizards LLP [2021] EWHC (QB).

Does this judgment impact the costs of bringing a claim for a GDPR breach for non-material damage?

Not directly, however, the court’s comments in relation to the likelihood of non-material damages being modest and the future commencement of part 10 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 mean that claims of this type will likely be brought in the District Court, which will result in lower costs than in the Circuit Court.

What are the next anticipated developments in relation to data protection claims?

It is possible that this judgment will be appealed to the High Court, where a different approach may be taken. There remain a number of important references pending before the Court of Justice on issues relating to non-material damage claims, which may refine the position to be taken by the Irish courts further.

The content of this article is provided for information purposes only and does not constitute legal or other advice.



Share this: