Data Protection Breach: A tort of strict liability?

07 July 2021

As the General Data Protection Regulation (GDPR) has passed its third anniversary, questions still remain as to the operation of the compensation mechanism and liability for damages.

R. Caroline McGrath BL and Mark D Finan BL examine the issue of breach of duty of care, damages, the recent Court of Appeal decision in Shawl Property Investments Ltd. v A. & B., and the approach of the CJEU.

Introduction

Article 82 of the GDPR addresses the right to compensation and liability.  Section 117 of the Data Protection Act 2018 aligns Irish statutory law with Article 82. Three significant questions arise in respect of this.

  1. First, does the GDPR provide for a scheme of strict liability for data breaches?
  2. Secondly, does the fact of a breach of the GDPR entitle a data subject to obtain compensation absent any apparent damage arising from the breach?
  3. Thirdly, what constitutes non-material damage to justify an award of compensation for a breach of the GDPR?

Data Protection Actions – A Tort of Strict Liability?

In the recent case, Shawl Property Investments Ltd v A. & B. [2021] IECA 53, the Court of Appeal considered an appeal against an order of the High Court to grant, by way of summary judgment, declarations that the Appellants had no estate, right, title or interest in various properties, and to dismiss the Appellants’ counterclaim. This counterclaim included a claim that the Respondent had breached the data protection rights of B. by putting into evidence before the High Court an unredacted version of a judgment marked with the stamp “Do not publish on website”. B. alleged the aforementioned judgment contained her personal data relating to previous family law proceedings which were held in camera, and the unredacted judgment had been put into evidence without her consent and in breach of the 2018 Act and the GDPR.

The Court of Appeal set aside the dismissal of the Appellants’ counterclaim as this was a matter which could only be determined by way of a plenary hearing. In the course of the judgment, Whelan J. gave some consideration to the interpretation of s.117 of the Act and made the following obiter comment, that “Nothing stated in s. 117 or indeed the Act itself suggests that a data protection action is a tort of strict liability.”[1]

When assessing liability, regard should be had to the language used in the GDPR, the recitals to the GDPR and the legal background to the GDPR.

Article 82(3) provides that a data processor or controller is exempt from liability where it is “not in any way responsible for the event giving rise to the damage” thereby anticipating a situation where a breach may occur for which a data processor or controller is not responsible. Further, in respect of data processors, liability is restricted to situations where the processor has acted contrary to the instructions provided to it by the data controller. The wording used is thus inconsistent with the position that a data protection action is a tort of strict liability.

There are a number of recitals to the GDPR which are relevant to the interpretation of Article 82. The clear statement in Recital 4 that the right to protection of personal data is not an absolute right and must be considered in accordance with the principle of proportionality is of particular relevance. A strict liability approach to the determination of actions seeking compensation for a data breach would restrict the ability of a court to balance the right of the data subject to protection of his / her personal data against other fundamental rights in a proportionate manner.

In Shawl Property Investments, Whelan J. noted the approach of the CJEU, which has repeatedly held that the right to protection of personal data is not an absolute right. Whelan J. concluded that “it is necessary to have regard to the principle of proportionality in evaluating claims for breaches of [the GDPR].”[2]

Does a breach constitute damage?

The second uncertainty which persists in respect of Article 82 is the extent to which a breach of the GDPR by itself constitutes damage sufficient to justify an award of damages. Collins v FBD Insurance PLC [2013] IEHC 137 dealt with this issue in respect of the Data Protection Acts 1988 – 2003.

In Collins, Feeney J. considered an appeal by the Defendant insurance company against a decision by the Circuit Court to award damages to the Plaintiff. The Defendant appealed on the basis there was no evidence before the Court which proved any special damage. Feeney J. analysed s.7 of the Data Protection Acts 1988 – 2003 and concluded that s. 7 “is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts.”[3]

Therefore, to achieve compensation in any action alleging a breach of the Acts, a claimant must prove the existence of a duty of care, a breach of that duty and that the breach has led to damage. This decision was subsequently endorsed in the Supreme Court by Baker J. in Murphy v Callinan [2018] IESC 59.

It is of note that in consideration of the proposal for the GDPR, clarification was sought by Belgium from the European Commission whether a violation of the GDPR was sufficient to constitute damage or whether the data subject had to prove specific damage. The response provided was that the data subject had to prove the damage.

On his blog, cearta.ie, Eoin O’Dell identifies that German courts have determined that no compensation was payable where there was an infringement of the GDPR without damage (Amtsgericht Diez, 07-11-2018, 8 C 130/18; Amtsgericht Bochum, 11-03-2019, 65 C 485/18; Oberlandesgericht Dresden, 4 Zivilsenat, Beschluss vom 11-06-2019, Az.: 4 U 760/19 and Landgericht Karlsruhe; 02-08-2019; 8 O 26/19). In Austria, the Higher Regional Court in Innsbruck overturned an earlier decision of the Regional Court to award compensation for a breach, stating that a minimum level of impairment is required to justify an award for non-material damage caused by a breach. It should be noted that O’Dell also references certain Dutch decisions (Rechtbank Overijssel; 28-05-2019; AK 18 2047, Rechtbank Amsterdam; 02-09-2019; 7560515CV EXPL 19-4611, and Rechtbank Noord-Nederland; 15-01-2020; C/18/189406/HAZA 19-6) in contrast to this, which rely on Recital 146 GDPR, which states that damage should be broadly interpreted and that data subjects should receive full and effective compensation.

A broad interpretation of damage still requires the presence of actual damage, and to the extent that an infringement of the GDPR arises without damage, it is contrary to the principle of proportionality expressed in Recital 4 to award compensation in the absence of damage.

The position set out in Collins and endorsed in Murphy remains the law in respect of the requirement to demonstrate damage to ground a claim for compensation for a breach of the GDPR or the 2018 Act.

What amounts to non-material damage?

The GDPR and 2018 Act changed the legal landscape by expressly providing that non-material damage is recoverable in a data protection action. While no definition of non-material damage is provided by the GDPR, the travaux préparatoires suggest it may include emotional injury and distress. The current Irish tort law position in Kelly v Hennessy [1995] 3 I.R. 253, that psychological injury short of a recognisable psychiatric illness does not attract damages, has been questioned in the context of compensation for non-material damage for breach of the GDPR.[4]

The jurisprudence of the UK Courts diverged from the position of the Irish Courts in respect of the availability of compensation for non-material damage arising for breaches of legislation implementing Directive 95/46/EC (the regime prior to the GDPR). In Google Inc v Vidal-Hall, Hann and Bradshaw [2015] EWCA Civ 311 the English Court of Appeal accepted that the concept of damage in the Directive included non-pecuniary losses including loss of personal dignity and autonomy, anxiety and distress. In Lloyd v Google LLC [2019] EWCA Civ 1599 loss of control over personal data was acknowledged as being damage capable of compensation under the Directive, subject to the qualification that no damage would be awarded for a trivial breach of the Directive. This decision has been appealed by Google, and a decision from the UK Supreme Court is awaited.

While the CJEU has not yet considered the meaning of non-material damage within the GDPR, it has given consideration to liability for non-material damage in data protection claims pursuant to Regulation 45/2001, the former EU Regulation which regulated the processing of personal data by Community institutions. In Case T-259/03 Nikolaou v Commission[5] and Case F-46/09 V v European Parliament, the Court accepted that both material and non-material damage could be recovered.

In Nikolaou, the Applicant was awarded €3,000 for non-material damage arising from the unlawful disclosure to media outlets of his personal information gathered during an investigation by the European Anti-Fraud Office (OLAF) in breach of Regulation 45/2001.

The case in V involved the transfer of the Applicant’s medical file from the Commission to the Parliament during a recruitment process without her consent and leading to the withdrawal of an employment offer on the basis of its contents. The Court held the Applicant had suffered both material and non-material damage as a result of the breaches of Regulation 45/2001. In considering the appropriate remedy for non-material damage, the Court acknowledged its previous case law providing that annulment of an act which is challenged may be appropriate and sufficient reparation to address such damage. It further stated that annulment would not be an appropriate remedy where the act complained of was particularly serious or annulment would have no practical effect. The Court determined, on the facts, the appropriate remedy was compensation of €20,000 for the non-material damage suffered by the Applicant.

The approach of the UK Courts and the CJEU to recovery for non-material damage in the context of data protection is broader than the approach of the Irish Courts to the assessment of recovery of damage for psychological injury in general tort law. These decisions may be of persuasive authority to an Irish court considering an award of compensation for non-material damage for a breach of the GDPR or 2018 Act.

Conclusion

Liability for damages under the GDPR and the Data Protection Act 2018 remains a vexed question. The obiter comments from Whelan J. in Shawl Property Investments provide welcome clarification on the question of liability on the basis of strict liability.

The existing jurisprudence in Collins and Murphy, requiring the establishment of damage, remains good law in respect of actions taken under the GDPR and the 2018 Act.

The jurisprudence of the UK Courts and the CJEU indicates that an Irish Court may have to adopt a more expansive approach to non-material damage than heretofore, but the precise contours of non-material damage and its appropriate compensation may require a referral to the CJEU for definitive guidance on this question. 


R. Caroline McGrath BL is a member of The Bar of Ireland.

Mark Finan BL is also a member of The Bar of Ireland.

Views expressed by contributors are not necessarily those of The Bar of Ireland. The Bar of Ireland does not accept any responsibility for them.


[1] [2021] IECA 53 at para. 114

[2] [2021] IECA 53 at para. 133

[3] [2013] IEHC 137 at para. 4.4

[4] Trevor Murphy, ‘The Justiciability of Data Protection Laws in Ireland: a New Dawn of Civil Litigation?’ (2020) 27 Commercial Law Practitioner 238, 249

[5] Case T-259/03 Nikolaou v Commission. For summary of case, see Laraine Laudati, ‘Summaries of EU Court Decisions relating to Data Protection 2000-2015’ (2016) Available from ECJ decisions relating to data protection (europa.eu)