The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Article 82 of the GDPR expressly provides that a data subject has a right to receive compensation for material and non-material damage suffered as a consequence of any infringement of the Regulation.
On 11 July 2023, Judge John O’Connor gave the first written assessment of how compensation arising from a breach of the GDPR ought to be assessed by an Irish Court.
This article considers how Judge O’Connor applied the decision of the CJEU in Case C-300/21 – UI v Österreichische Post AG. In Case C-300/21, the Austrian Supreme Court referred the matter to the CJEU for a preliminary reference on the interpretation of Article 82 and the requirements of Union Law in the determination of damages. The Supreme Court referred three questions. Importantly, the CJEU noted that a breach of the GDPR, in and of itself, does not give rise to that right to compensation. In Paragraph 36, the CJEU lists the three conditions that give rise to compensation as being:
- Treatment of personal data carried out in violation of the provisions of the GDPR
- Damages or prejudice suffered by the person concerned
- Causal link between this unlawful processing and this damage
The CJEU went on to analyse the right to non-material damage and held that there is no threshold that must be met prior to an award of compensation. This is not to say that individual countries cannot have procedures in place to regulate such breaches. The Court was of the opinion that having a certain threshold would undermine the consistency of the regime established by the GDPR. However, the CJEU did hold that the effectiveness of the remedy cannot be undermined by any domestic rule. In Kaminski v Ballymaguire Foods Limited  IECC 5, Judge O’Connor applied that rationale.
Kaminski v Ballymaguire Foods
The Plaintiff sought an award of damages pursuant to s.117 of the Data Protection Act 2018 (the “2018 Act”) from the Defendant arising from certain alleged breaches of the GDPR and/or the 2018 Act. The Defendant denied any breach occurred. The Defendant pleaded that it had applied the data protection procedures to which the Plaintiff was on notice. Alternatively, the Defendant also pleaded that the non-material damage claimed by the Plaintiff amounts to no more than mere “upset, anxiety and embarrassment” and therefore, compensation for such damage is not recoverable.
The Plaintiff was an employee of the Defendant company. In March 2019, he was an acting supervisor of some twenty employees when CCTV footage was shown to certain employees (including several managers and supervisors). The Defendant stated that the purpose of the meeting was to demonstrate poor food safety practice. Several clips of CCTV footage were shown by the Quality Control Manager to highlight poor practices. The Plaintiff was readily identifiable (the Defendant originally denied this) in a clip used to demonstrate the poor practice of persons moving from an area of low care to an area of high care.
During the course of the trial, the Defendant accepted that the Plaintiff was identifiable from the CCTV but sought to downplay the issue. The Plaintiff was not present at the meeting and was only informed by other employees. The CCTV footage was stored for a period of time on a communal work computer which was not password protected, although there was no evidence of access to the CCTV footage.
The Plaintiff gave evidence that in his opinion, he was laughed at. He was “more stressed at work because of it. [He] wasn’t so glad to go to work every morning. [He] was so limited, all our social meeting with [his] colleagues from work. [He] felt humiliated and [he] felt [he] was being mocked. [He] – for a while [he] had problems with [his] sleep…”
The Defendant discovered four different Data Protection Policies, only one of which, the 2018 policy, referred to the use of images from CCTV footage for training. The employee who designed the training in question in this case gave evidence that she did not rely on the 2018 policy. The Plaintiff submitted that the 2018 policy should therefore be disregarded. The Defendant denied any breach and placed the Plaintiff on full proof. It also sought to rely on its claim that there was a legitimate interest in processing the data.
Judge O’Connor stated that the private enforcement of the GDPR is achievable through damages. “[T]he whole thrust of GDPR is that once rights have been infringed there is a right to an effective remedy pursuant to Article 47 of the Charter of Fundamental Rights.” In examining the “effective remedy”, Judge O’Connor was cognisant of Recitals 146 and 85 of the GDPR. He noted that the CJEU will further clarify the law in respect of Article 82 and that he had not been asked to stay the case pending further clarification or to state a case to the Court of Appeal.
Prior to concluding, Judge O’Connor looked at the ruling in Case C-300/21 and recent decisions from other jurisdictions, most notably the United Kingdom (Lloyd v Google LLC UKSC 50). The UK Supreme Court reversed the earlier decision of the UK Court of Appeal and found that a claim for damages for the unlawful processing of data under the English Data Protection Act 1998 can only be made if the data subject has suffered some form of material damage or mental distress. The damage could not be the unlawful processing itself.
Accordingly, Judge O’Connor identified certain relevant factors pertinent in ascertaining damages for non-material loss:
- A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation
- There is not a minimum threshold of seriousness required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”
- There must be a link between the data infringement and the damages claimed
- If the damage is non-material, it must be genuine, and not speculative
- Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence
- Data policies should be clear and transparent and accessible by all parties affected
- Employers should ensure their employee privacy notices and CCTV policies are clear to employees [Cormac Doolin v. The Data Protection Commissioner and Our Lady’s Hospice and Care Services  IEHC 90;  IECA 117 and McVann v Data Protection Commissioner  IECC 3]
- Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach
- An apology where appropriate may be considered in mitigation of damages. For example, it may reassure the affected individual that their employment is safe and not at risk
- Delay in dealing with a data breach by either party is a relevant factor in assessing damages
- A claim for legal costs may be affected by these factors
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, from the Oireachtas or the Superior Courts and/or the Judicial Council, the court has taken cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500
Whilst Judge O’Connor does urge caution with respect to the application of these principles, he states that they “facilitate a mechanism for this court to take a consistent approach to data breach claims for non-material loss.” The principles can be used by a Defendant to essentially mitigate downwards a claim for non-material loss being advanced by a Plaintiff.
In applying the principles to the facts of the case, the Court was satisfied that:
- There was an infringement of the Plaintiff’s rights under the GDPR,
- There was non-material damage resulting from that infringement and
- There is a causal link between the damage and the infringement.
In so noting, the Court awarded the sum of €2,000 to the Plaintiff.
Next Steps for Data Controllers
If a data controller issues an apology or seeks to offer some amends arising from a breach, the offer can be used by a Defendant against a Plaintiff when it comes to the assessment of costs. Similarly, if a Plaintiff fails to engage appropriately with the Defendant prior to the issuance of proceedings and does not detail the extent of the damage suffered, or worse, seeks to exaggerate it, then the Defendant can use this to their advantage during any subsequent hearing.
Consent is the hallmark of the GDPR. If data is being processed, then a valid consent must be obtained from the data subject. The consent only applies to the objective at hand and cannot be used on a broad basis. It must be validly and transparently obtained. It is therefore incumbent on employers, as data controllers, to ensure that their data protection policies are up to date and are presented to their employees. The consent to any new data protection policy cannot be implied by reason of the acceptance by the employee of the previous data protection policy. In light of this judgment, it would be prudent for employers to ensure that their data governance systems are not only up to date but are being implemented according to the principles enshrined in the GDPR.
Future Developments Expected
The preponderance of cases currently pending before the CJEU means that further developments regarding compensation for data breaches are imminent. Advocate General opinions in Case C-340/21 VB v Natsionalna agentsia za prihodite and Case C-667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts have been delivered. They suggest that, while Article 82(3) provides an exemption from liability for a data controller who can show that it was “not in any way responsible” for events giving rise to damage, this article may be construed narrowly, such that actions of a third party without involvement from the data controller may not allow a data controller to avoid liability where the data controller’s systems were not sufficient to prevent access by such third party. Final judgments in these cases are expected in early course.
In passing, Judge O’Connor referenced the judgment of his colleague Judge Simon McAleese in the case of Siobhán Keane v Central Statistics Office delivered orally at Waterford Circuit Court on 30th June 2023 whereby Judge McAleese held that PIAB authorisation was required in a data protection action where relief was being claimed for personal injuries (stress, anxiety, distress). It is anticipated that the role of PIAB in data protection claims is likely to attract further scrutiny arising from this judgment. Consideration should be given by all parties to data protection claims as to whether PIAB authorisation is necessary based on the facts of each individual case.
S.77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 amends s.117 of the 2018 Act to provide concurrent jurisdiction to the District Court to determine claims alleging breaches of the GDPR. While this section has yet to be commenced, this amendment together with the awards of damages made in Kaminski and other cases in the Irish courts signals that a significant proportion of successful claims for breaches of the GDPR and the 2018 Act will result in modest awards of compensation.
The views expressed above are the author’s own and do not reflect the views of The Bar of Ireland.