
Data Breach Claims and Financial Institutions

Dispute Resolution partner Colin Monaghan considers the latest developments in the treatment of data breach claims by Irish courts. He also looks at their impact on financial institutions.


How claims for non-material damage following data breaches are treated by the Irish courts has been a hot topic in recent years. This is a significant area of interest for companies that handle significant volumes of sensitive customer information. Non-material damage claims are of particular note for data controllers and processors, as multiple claims can often be brought for upset or worry following data breaches where no material damage is suffered by a plaintiff. 2023 and early 2024 have seen a significant number of developments in how these claims are dealt with, which financial institutions should be aware of.

We examine developments in the treatment of claims where the plaintiff has suffered only non-material damage, and a change to the jurisdiction of the Irish courts to hear lower value claims.

Background

Following a long period of uncertainty as to how claims for non-material damage were to be treated under both Irish and EU law, a degree of certainty emerged in May 2023, with delivery of the eagerly-awaited judgment of the Court of Justice of the European Union (CJEU) in UI v Österreichische Post AG. In that judgment, the CJEU determined that:

  • A right to compensation for non-material damage does not automatically arise from a mere infringement of the GDPR
  • The GDPR does not provide for a minimum threshold for non-material damage – there is no requirement to meet a threshold which requires a certain degree of seriousness before a claim can succeed, and
  • The cause of non-material damage suffered must be linked to the alleged data breach

The CJEU has considered how non-material damage is to be assessed and ultimately determined that the level of non-material damage is a matter for the national courts of EU Member States to rule upon.

Further guidance provided by Irish decisions

The Irish courts provided subsequent guidance relating to non-material damages in the Circuit Court decision of Kaminski v Ballymaguire Foods Limited, delivered in July 2023. The claimant was employed by a food company. During a training exercise, CCTV clips which purported to highlight unapproved work practices were shown to a group of employees. The claimant, who was identifiable in the CCTV footage, alleged that the processing and use of the CCTV footage amounted to unlawful processing of his data and a violation of both the Irish Data Protection Act 2018 and the GDPR.

Regarding the non-material damage suffered, he alleged that it had made him ‘more stressed at work’, he felt ‘humiliated’, and he had problems with his sleep for a period of time.

The Circuit Court determined that there are several factors which a court must consider when assessing compensation for non-material damage as follows:

  • A mere violation of the GDPR is not sufficient to warrant an award of compensation
  • There is no minimum threshold of seriousness required for a claim for non-material damage to exist, but compensation for non-material damage does not cover “mere upset”
  • There must be a link between the data infringement and the damage claimed
  • Non-material damage must be genuine and not speculative
  • Damage must be proved and supporting evidence is strongly desirable
  • An apology, where appropriate, may be considered in mitigation
  • Delay in dealing with a “data breach” by either party is a relevant factor in assessing damages
  • A claim for legal costs may be affected by these factors, and
  • Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest

The question of appropriate compensation

In determining the appropriate amount of compensation, in the absence of guidance from the Irish Parliament, Superior Courts, or the Judicial Council, the court considered the Personal Injuries Guidelines 2021. The court referred to the category of minor psychiatric injuries, though it noted that in some cases non-material damage could be valued below the lowest Guidelines’ valuation of €500. The claimant was awarded €2,000 on the basis that his reaction had gone beyond mere upset.

Fear of future misuse

Further CJEU guidance has since issued which has determined that “non-material damage” can include fear of future misuse of a data subject’s personal data. However, it also emphasised that data subjects must demonstrate that the negative consequences suffered constitute non-material damage.

A change in jurisdiction

Regarding the court in which these claims can be issued, it had originally been the case under the Data Protection Act 2018 that relevant claims could only be brought before the Circuit Court or High Court, even where the quantum claimed fell below the threshold of the Circuit Court. In early 2024, the Government commenced Part 10 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023. This provision allows data breach claims under the 2018 Act to be brought in the District Court. Costs in these cases would be assessed on the District Court scale, which is substantially lower than costs awarded in the Circuit Court. In light of the developments in case law regarding non-material damage, in future, it is likely that most claims of this nature will be more properly issued in the District Court.

Conclusion

There is now a greater degree of certainty as to how data breach claims for non-material damage will be dealt with by the Irish courts. This is helpful for data controllers and processors. Although a minimum threshold for recovery has not been imposed, encouragingly, it appears any awards for non-material damage will be modest. It is also of note that these claims will now likely be brought before the District Court, which should mean lower costs in defending a claim of this type.

Given the prevalence of claims following data breaches, financial institutions should ensure that customer data is secured appropriately and that a proactive plan is put in place in the event that a data breach occurs.

For more information, please contact a member of our Dispute Resolution or Privacy & Data Security teams.

The content of this article is provided for information purposes only and does not constitute legal or other advice.


