Data breach claim struck out in Cork Circuit court as ‘minor’ incident

In December 2023, Judge McCourt struck out a data breach in Sankowski v Musgrave Retail Partners Ireland Limited affirming that a certain minimum level of severity must be obtained in order for a Plaintiff to qualify for compensation under Article 82 of the GDPR. The decision offers further guidance for practitioners when considering and assessing claims for non-material damage under the GDPR and Data Protection Act 2018.

Background

• Proceedings were initiated by an employee of the Defendant for alleged damage suffered because of the ability of fellow employees to access the Plaintiff’s training records containing a copy of his signature. The plaintiff reported the incident to Musgraves, who further restricted access and responded to request details from the plaintiff as to the parties that had access to which there was no response until proceedings issued.
• The Plaintiff pleaded that a result of unlawful access to the Plaintiff’s training records, he became upset and distressed. He claimed that the data breach “seriously interfered” with his peace and privacy and caused him alarm and distress about the risks of various parties having access to his private information including an electronic copy of his signature which he pleaded was capable of being copied.
• Section 117 of the Data Protection Act 2018 which implements Article 82 of the GDPR, provides for the right to compensation for damage under the GDPR. To establish a claim for non-economic loss, such as is the case here, the Plaintiff must provide evidence that demonstrates the severity of the injury together and must prove that the damage they have suffered is more than a mere upset or hurt.
• However, the Plaintiff in this case had not advanced any particulars of damage. The Defendant argued that because the breach was so minor, the Plaintiff should not be entitled to any compensation.

PIAB authorisation: It was further argued before the court that where a Plaintiff is claiming a civil action within the meaning of the 2003 Act, that an authorisation from PIAB under s.12 of the 2003 Act is required.

This argument was not considered as Judge McCourt struck out the claim and was satisfied that the incident was so minor, it did not justify an award for non-material damages. He reaffirmed the Kaminski principals, which are as follows :

1. “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
2. While there is not a minimum threshold of seriousness required for a claim of non-material damage to exist, compensation for non-material damage does not cover “mere upset”.
3. If the damage is non-material, it must be genuine, and not speculative.
4. There must be a link between the data infringement and the damages claimed.
5. Supporting evidence such as medical report is strongly desirable when proving damages for distress or anxiety.

This decision provides welcome clarification on the direction the Irish courts are taking where claims for non-material damage compensation arise.[1]

The future of damages in Data Protection Actions

In January 2024, the CJEU delivered a further judgment concerning article 82 GDPR.

In AT v Gemeinde Ummendorf (Case C-457/22, VT) the CJEU was satisfied that there had been a breach of the GDPR but held that mere loss of control over the personal data was not sufficient to constitute non-material damage under Article 82 of the GDPR. The Irish courts have adopted the same approach where claims of this nature arise. The CJEU ultimately held that notwithstanding the absence of any de minimis threshold, a data subject alleging non-material damage is required to demonstrate that the infringement of the GDPR has had negative consequences which constitute non-material damage.

As of 11 January 2024, the District Court now has jurisdiction to hear data protection actions. Section 117 of the Data Protection Act amended Section 77 of the Courts and Civil (Miscellaneous Provisions) Act 2023 extending the District Court’s jurisdiction.

This extension is a welcome development for data controllers from a legal costs perspective. Many claims for non-material damages under Section 117 of the Data Protection Act 2018 will now fall within the jurisdiction of the District Court.

On the 10^th of January 2024, Justice McDonald provided further guidance on the direction the Irish Courts are adopting in claims for damages in Data Breach claims. In a commercial court case[2], a modest sum of €500 of damages was awarded to the plaintiffs for a data breach. While there was no evidence of any actual damage suffered by any of the plaintiffs, the court highlighted that the damages were awarded simply to mark the fact that the plaintiff’s rights had been infringed. The plaintiffs had not demonstrated that the breach caused them to suffer and were unable to provide evidence that the disclosure of the data had any adverse consequences for the plaintiffs.

While this decision is good indicator of the High Court’s view of the level of damages for data breaches deemed to be technical or trivial in nature, it is likely to be distinguished insofar as the judge accepted he was not addressed on the law in this area.

However, with the District Court’s extended jurisdiction to hear these claims coupled with recent European and Irish jurisprudence affirming the approach adopted in the Austrian-Post case by the CJEU (see previous insight here), there is at last some increasing clarity as to how the Irish courts will treat such claims for non-material damages.

____________________________________________________________________________

[1] In the Kaminski case, the Plaintiff was awarded a mere €2,000 in damages where an infringement of the plaintiff’s rights under the GDPR occurred. The decision demonstrated the Irish Court’s position that compensation for non-material damages is likely to be ‘modest’.

[2] Ann Nolan & Others v Dildar Limited, Ciaran Desmond, Colm S. McGuire, Derval M. O’Halloran formerly trading under the style and title of McGuire Desmond Solicitors, A Firm, John Millett, Pinnacle Pensioner Trustees Limited, Dildar Limited and John Millett Independent Financial Advisors Limited and by Order Dillon Kenny and Darren Kenny and by Order Paul Kenny Defendants