Data breach claims: Supreme Court decision clarifies the law regarding data breach claims for mental distress

The much-anticipated decision of the Supreme Court in the case of Dillon v Irish Life Assurance was published on the 24 July 2025. The Supreme Court overturned the High Court decision and determined that a claim in tort to recover damages for emotional disturbances such as anxiety, mental distress, and upset that fall short of a recognised psychiatric disorder is not a Personal Injury claim within the meaning of the Personal Injuries Assessment Act 2003 (‘2003 Act’) and therefore does not require an Authorisation  from the Personal Injuries Assessment Board (PIAB) (now known as the Injuries Resolution Board (IRB)).

Of importance, Justice Brian Murray did remark in his judgment that a claim for mental distress, upset or anxiety would not attract anything other than ‘very, very modest awards’.

Background

The plaintiff issued proceedings in Dublin Circuit Court seeking non material damages under GDPR and section 117 of the Data Protection Act 2018 for mental distress, anxiety, upset and inconvenience as a result of an alleged breach of his personal data. The alleged breaches related to a number of letters containing his personal and financial data being sent to a third party. 

The Defendant issued a Motion to strike out the Plaintiffs case for failure to obtain an Authorisation from and/or an Order under section 10(3) of the Civil Liability Act 2004 prior to issuing his proceedings.

Authorisations are a statutory requirement under the 2003 Act in any matter where a claimant wishes to pursue a claim for Personal Injury. Personal Injury is defined in Section 2 (1) of in the Civil Liability Act 1961 (‘1961 Act’) as ‘any disease and any impairment of a person's physical or mental condition’.

It was successfully argued by Irish Life that this definition would encompass a claim for distress, anxiety and upset, and on 3 May 2022, the Circuit Court dismissed the Plaintiff’s action. Mr Dillon appealed this decision to the High Court who, in April 2024 upheld the decision of the Circuit Court and dismissed the appeal.

Mr Dillon successfully sought leave to appeal this decision to the Supreme Court. The scope of appeal was limited to the question of whether a claim for damages under data protection law comes within the scope of the 2003 Act, whether the requirements of the 2003 Act are compatible with Data Protection Law and whether distress, upset or anxiety are a form of Personal Injury.

The appeal was heard by the Supreme Court in January 2025 and Justice Brian Murray issued his Judgment on Thursday 24 July.  

Supreme Court Judgment

The Court considered the plaintiffs’ claim in negligence was misconceived and that it was a claim for non-material damage and noted such claims should be pleaded as such pursuant to section 117 of the Data Protection Act 2018. 

In his judgment, Justice Murray considered the various statutory definitions of Personal Injury dating back to the Employers Liability Act 1880 up to the definition adopted in the 2003 Act, noting that while they are comprehensive, none of the statutes purport to replace the common law definition of Personal Injury. This is the test applied by the courts to determine if there is damage to the person that will complete the tort of negligence, or that will be of such substance that it can support an award of damages were sought on a standalone basis in claims based on torts other than negligence. The judgment then reviewed the common law definition of Personal Injury and distress, upset, anxiety, and inconvenience stating that the relationship between the common law definition of Personal Injury, and that appearing in s. 2(1) the 1961 Act  is key to this case, noting that this section reflected, but did not supplant, the common law definition.

Whilst the Court acknowledged that damages for worry and stress alone, not giving rise to a psychiatric injury are not recoverable in tort[1], damages for mental distress and upset may be recovered for other actionable wrongs, where these are consequent upon proven and recognised damage. The court noted this is consistent with claims for aggravated damages and equated the position to one of economic loss being a consequential and foreseeable result of damage caused to a person. The court noted that to accept the defendant’s position would mean that any case in which a plaintiff seeks damages for mental distress or anxiety consequent upon other damage would be a Personal Injury. Claims for distress based on defamation, trespass, negligence against their solicitor or a ‘ruined holiday’ would have to exhaust the PIAB route.

A freestanding claim in tort or contract seeking to recover damages for anxiety, distress, worry, fear, inconvenience and upset that fall short of a recognised psychiatric disorder is not a Personal Injury claim within the meaning of the 2003 Act and consequently do not require an Authorisation from PIAB. To construe otherwise was to impose a burden on PIAB of assessing categories of tort or contract that were not contemplated by the legislation

What is the impact of this judgment?

A number of important points can be taken from this judgment in terms of Data Breach Claims and how they will be approached by the Courts going forward.

1. When issuing proceedings for a data breach which results in mental distress, anxiety or inconvenience, practitioners must ensure that they specify that the claim being advanced by the Plaintiff is one pursuant to section 117 of the Data Protection Act 2018. This must be pleaded clearly with a confirmation that the claim is confined to a claim for non-material damages under that section (the court emphasized it is for the Plaintiff to know the claim they are making and to plead it correctly).
2. A non-material damage claim simpliciter made pursuant to section 117 of the 2018 Act will only attract awards that will be ‘very, very modest’. See our previous insights on the analysis of levels of compensation for non-material damages[2].
3. If the claim includes a claim for a medically recognised psychiatric injury, then it will be required to go through the PIAB/ IRB Authorisation process. Where such Authorisation has not been sought then that aspect of the claim will not proceed.
4. The absence of an Authorisation is fatal to a personal injuries claim, and Plaintiffs will not be allowed the option of retrospectively obtaining such Authorisations, or by seeking an amendment to proceedings. The judgment places a renewed emphasis on early-stage procedural compliance and will lead to stricter scrutiny of how claims are framed at the point of issue.
5. Where a claim is more complex, involving both elements of Personal Injury and a separate claim for damages, the Personal Injury element will not be actionable if a PIAB Authorisation has not been obtained. In such a scenario, only the non-personal injuries claim will survive. 

It is likely that there will be an attempt by Plaintiffs to mend their hand by attempting to amend proceedings by way of motion in order to exclude aspects of the claim which may be considered as falling within the requirements of the PIAB Act 2003. There have been some past cases showing a willingness to adopt a pragmatic or remedial approach in allowing amendment to proceedings[3]. However, the position remained inconsistent until the Dillon decision. The Supreme Court has now made it clear beyond doubt that there will be no margin of error or judicial discretion to regularise non-compliance with the 2003 Act.

Going forward, Plaintiffs who decide to issue proceedings as a result of an alleged data breach will have the following options:

1. They can issue a claim for a breach of their data protection rights under section 117 of the Data Protection Act 2018 claiming mental distress simpliciter. The court is now clear that this will result in a nominal award. Claimants will still have to reach a certain threshold of credibility to achieve such compensation, such that mere upset and annoyance as would be expected following a data breach will not alone be sufficient to obtain compensation. See our previous insights on analysis of claims for non-material damages.
2. If a plaintiff has suffered more severe consequences as a result of the breach (i.e. a recognised psychiatric illness), they can proceed to go through the PIAB authorisation process. This will require medical evidence to support this aspect of their claim. Once an Authorisation has been issued by PIAB, the Plaintiff can then proceed to issue a Personal Injuries summons seeking damages for the alleged injury.
3. A Plaintiff can issue a claim for material damages for a data breach, where the loss suffered is quantifiable. These types of claims do not require a PIAB Authorisiton (unless the Plaintiff is also pleading personal injury). 

A link to the full judgment can be found here. 

[1] Murray v. Budds [2017] IESC 4,

[2] (i) Change of approach by Germany to claims for non-material damage under the GDPR; (ii) Damages arising from a data breach: when is it really non-material?; (iii) Is distress, upset or anxiety a form of personal injury? - Supreme Court to hear appeal that will impact future of personal data breach claims

[3] See Murphy v Callanan [2013] IEHC 455 Croke v Waterford Crystal [2004] IESC 97, and Moorehouse v Governor of Wheatfield Prison [2015] IESC 21.