Irish court reaffirms Kaminski principle that ‘mere upset’ is insufficient to warrant compensation in data breach claims
Reading time: 4 mins
The recent decision in Walsh v Irish Prison Service [2025] IECC 8 provides useful insight into how the Irish Courts are approaching claims for damages under the data Protection Act and GDPR.
In a judgment delivered on 5 December 2025, Her Honour Judge Karen Fergus of the Circuit Court dismissed a Plaintiff’s claim for damages under Section 117 of the Data Protection Act 2018 and Article 82 of the General Data Protection Regulation. Judge Fergus found that whilst a data breach had occurred, the plaintiff failed to establish non-material damage beyond "mere upset".
Background
The Plaintiff, a Prison Officer employed by the Irish Prison Service, interviewed for a position as Chief Officer in November 2018 and following the interview, was placed at number 17 on the panel. A cover letter and scoring sheet were prepared following the interview, but instead of being sent to the Plaintiff, the email attaching the documents was sent to another Prison Officer of the same name. The unintended recipient contacted the Plaintiff on 28 December 2018 to advise him he had received the documents.
The Plaintiff requested an immediate investigation from the Assistant Governor, who in turn contacted the Data Protection Administrator. The Data Protection Administrator apologised and confirmed that the HR Directorate had been contacted, and assurances were made that this type of error would not occur again. On 3 April 2019, the recipient was contacted and asked to delete the email and confirm he had not disseminated it further.
The Plaintiff's Case
Proceedings issued in September 2019. At the hearing, the Plaintiff gave evidence that he had applied for the role without telling anyone and having been unsuccessful in previous interviews, he was subjected to taunts from unidentified colleagues. He stated that he suffered from anxiety and distress for about a year after the incident as well as disturbed sleep. The Plaintiff also stated in evidence that he felt the apology did not issue from a senior enough source within the Irish Prison Service.
Mark Finan BL, appearing on behalf of the Defendant, put it to the Plaintiff that he did not identify any specific persons who had taunted him and that there were workplace bullying procedures available should he have chosen to avail of them. The Defence further highlighted the distinct lack of medical evidence to support his claim of sleep disturbance and that he did not miss any work or suffer other adverse consequences. The Defendants submitted that the height of the Plaintiff’s nonmaterial damage claim was that he experienced annoyance, embarrassment and upset. The Court heard that the Plaintiff went on to achieve the position of Chief Officer some nine months later.
Relevant Legal Framework
The Court followed the approach in Kaminski v Ballymaguire Foods Limited [2023] IECC 5 where Judge O’Connor set out three questions with regard to the law on data protection and in particular, in relation to damages for non-material loss:
- Was the email a breach constituting unlawful processing under the 2018 Act and GDPR;
- If yes, did the damage go beyond mere upset or displeasure;
- If yes, what compensation is recoverable.
The Kaminski judgment established key principles including that a mere breach of GDPR is not sufficient to warrant compensation, there is no minimum threshold of seriousness required for a claim of non-material damage but claims do not cover "mere upset", there must be a link between the data infringement and the damages claimed, the damage must be genuine and proved (not speculative), an apology may be considered in mitigation of damages, and delay in dealing with the breach is a relevant factor.
The Decision
The Court was satisfied that a data breach had occurred (which was admitted) and that the non-material damage resulted in some discomfort and embarrassment for the Plaintiff in the workplace. However, the Court was not satisfied that a threshold beyond mere upset had been reached and there was no evidence of a causal link between the breach and the damage claimed.
Judge Fergus was satisfied that the apology issued some three weeks after the matter came to light acknowledged the breach, apologised for any delay in responding and provided assurance that this would not happen again. Judge Fergus further held that the steps taken to ensure the material was deleted addressed the Plaintiff’s concerns in a reasonable timeframe. The apology to the Plaintiff was deemed “fulsome”.
The Plaintiff’s claim was dismissed, with no order as to costs.
Key Takeaways
- Consistency in Judicial Approach
The Court noted the Plaintiff's description of the impacts on him was "almost identical" to that experienced by the Plaintiff in Kaminski. This suggests a growing consistency in how Irish courts assess the "mere upset" threshold in data protection cases.
- Need for Evidence
The Plaintiff’s failure to identify specific instigators of the alleged taunting and lack of medical evidence undermined the claim. He also failed to show that he required time off work. The Court placed a focus on the need to prove a causal link between the breach and alleged damage.
- Breach of GDPR does not guarantee Compensation
Even where a breach is admitted, it does not automatically entitle a victim to compensation and non-material damage must be proven beyond “mere upset”.
- Appropriate Response
The Court found the Defendant’s response to be critical in the overall outcome of the claim. It was noted that an apology was issued quickly, the breach was acknowledged, assurances were made that a breach would not happen again and steps were taken to delete the material which was the subject matter of the claim.
Practical Guidance
For organisations facing potential data protection claims, this case highlights the importance of:
- Responding in a timely manner;
- Acknowledging the breach and issuing an apology with the assurance that it will not occur again;
- Following steps to negate the effects of the breach;
- Recording the steps taken in investigating and responding to the complaint.
Related Insights
For further reading on this topic, please see:
- Non-Material Damage Compensation: The CJEU Enters the Fray
- Data Breach Claim Struck Out in Cork Circuit Court as Minor Incident
- Data Breach Claims: Supreme Court Decision Clarifies the Law Regarding Data Breach Claims for Mental Distress