Data Breach as Personal Injury?
Our Commercial Disputes team examines a recent Circuit Court decision whichs addressed the proper procedure for a claim for damages arising from alleged stress, anxiety and physical consequences. These were said to have resulted from a breach of privacy rights due to a personal data disclosure. The court decided that the nature of the claim advanced should have been advanced by way of personal injury summons rather than by ordinary civil bill for Circuit Court matters. This has limitation and PIAB approval implications.
According to the GDPR, claims for material or non-material damage may be brought for infringement of personal data rights.[1] The level of compensation for non-material damage claims has been given greater clarity following the decision earlier this year in Kaminski v Ballymaguire Foods Limited.[2]
In that decision, the case which is the subject of this article was specifically referenced and acknowledged to be “important for potential future actions concerning data breaches and claims for damages.” However, it was alleged the data breach caused severe stress and anxiety with physical manifestations, so it was not merely a non-material damages claim. The court therefore had to consider:
- Whether the claim in this respect, at least, was properly a personal injury claim and, if so,
- Should the claim have been brought by way of a personal injuries summons following application to the Personal Injuries Assessment Board (PIAB).
Background
The case involved proceedings[3] brought by a census enumerator, Ms Keane, by way of ordinary civil bill. This is the originating document for conventional tort and contract claims in the Circuit Court. As an enumerator for Census 2016, she provided personal data for salary and tax purposes. At the end of her employment, she received her P45. In 2017, some 3,000 enumerators’ P45s, including Ms Keane’s, were allegedly unlawfully disclosed by the Central Statistics Office (CSO). This was claimed to be a complete breach of Ms Keane’s privacy rights, which caused her to suffer anxiety and distress. This affected her in her daily life, in that it impacted her sleep and appetite, and exacerbated symptoms of psoriatic arthritis. Ms Keane sought “damages for the stress and anxiety caused as a result of this data breach”. Ultimately damages were sought for:
- Breach of confidence
- Breach of privacy rights, and
- Breach of data protection rights
Following discovery of Ms Keane’s medical records, the CSO successfully applied to amend its defence. Until then, it had broadly denied liability. Instead, a preliminary issue was raised regarding whether, insofar as the proceedings involved a personal injuries claim, they had been authorised by PIAB. The decision here involved the determination of that preliminary issue.
The decision
The CSO argued that the legal action aimed to seek compensation for personal injuries and it was consequently a 'civil action' under the Personal Injuries Board Act 2003. The court accepted that proposition. It held that a wrongdoing could be considered a civil action for personal injury if the remedy sought is damages for personal injuries.
The court differentiated between causes of action (e.g., breach of confidence) and the cause for the action, noting that the data breach was the basis for the case here. The court emphasised that personal injuries are not a cause of action but the injuries suffered that may lead to a remedy. Although it acknowledged that this case didn't have the typical characteristics of a personal injuries action, it recognised that legal descriptions may not always align with legal reality. In such cases, the court considers the overall context “in the round”, using both common sense and applicable law.
In this case, after scrutinising the pleadings, the court determined that the primary remedy sought was damages for personal injuries. It concluded that none of the causes of action escaped the obligation to apply to PIAB as required by the 2003 Act. The judge concluded that the claim fell within the definition of a 'civil action' under the 2003 Act and that PIAB authorisation should have been obtained. Therefore, the main remedy seeking damages for personal injury was “doomed to failure” due to non-compliance with the 2003 Act. This meant that what was left of Ms. Keane's claim would be limited to other damages, if any, that might be awarded for the unintentional data breach. Effectively, this meant that non-material damages under Article 82 GDPR and Section 117 of the Data Protection Act 2018, as relied on in Kaminski's case, could still be available.
Conclusion
Based on this decision, claims for stress, anxiety and consequential physical conditions arising from data right infringements, and not just non-material damage claims for upset or embarrassment like in Kaminski, ought to be brought as formal personal injury proceedings. For such claims, the originating document should be a personal injury summons and PIAB approval should be obtained prior to issue. Failure to pursue that route could be fatal to the claim if a limitation defence were available to any fresh summons issued under the proper mechanism. Conversely, for defendants to actions seeking such recoveries, beyond non-material damages, consideration should be given to raising a similar objection could be used. If successful, this could effectively preclude the claim entirely or at least restrict it to a non-material damage claim.
For more information on successfully defending similar claims, contact a member of our Dispute Resolution team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
[1] Recognised by GDPR (Article 82) and the Data Protection Act 2018 (S.117).
[2] [2023] IECC 5. The decision in Kaminski is considered at https://www.mhc.ie/latest/insights/assessing-non-material-damage-in-data-protection-claims
[3] Keane v Central Statistics Office [2023] IECC 7
Share this: