Recent developments in the area of data protection actions

There have been a number of recent developments in the area of data protection actions, which are actions brought under Section 117 of the Data Protection Act 2018.  The first is that claimants now have the option to bring claims in the District Court, rather than the Circuit or High Court.  Secondly, a decision of the Court of Justice of the European Union on these types of claims has been followed by a recent Circuit Court decision in Ireland which has given guidance on the factors to be considered when assessing the level of compensation to be awarded in these types of claims. In this article Emily Sexton, Partner, CKT gives an overview.

Courts and Civil Law (Miscellaneous Provisions) Act 2023

The Courts and Civil Law (Miscellaneous Provisions) Act 2023 was signed into law on 5^th July 2023 by the President.  It provides that data protection actions may now be initiated in the District Court, as well as the Circuit Court and High Courts.  Up to now a data protection action had to be brought in the Circuit Court, even where the claim was minor and the likely value of the claim was low.  Often the legal costs of such claims in the Circuit Court might exceed the value of the claim.   This change should now mean that the vast majority of such claims will be brought in the District Court, meaning lower legal costs for all parties.

Circuit Court Judgment – non-material damage in GDPR claims

A recent judgment of the Circuit Court in the case of Arkadiusz Kaminski v. Ballymaguire Foods Limited [2023] IECC 5 gives some guidance on the level of damages to be awarded in data protection actions for non-material damage and the factors to be taken into consideration by a court before awarding compensation.

In that particular case, the Court awarded damages of €2,000.00 to the affected data subject, where the damage alleged by the Plaintiff was in the nature of embarrassment/humiliation and sleep loss.

The Circuit Court decision follows on from a recent decision of the Court of Justice of the European Union in the case of UI v Österreichische Post (the “Österreichische Post decision”) Case C-300/21 which decided that:

1. The existence of a mere infringement of the GDPR is not sufficient to automatically entitled a data subject to compensation. There must be damage caused by an infringement before compensation will be awarded.
2. Nowhere in the GDPR is there a requirement for a minimum level of damage to be suffered by an affected data subject before compensation will be awarded for a data breach.
3. There are no rules governing the assessment of damages set out in the GDPR, and therefore each Member State must determine the criteria for determining the extent of compensation.

Background

The Plaintiff was an employee of the Defendant.  The case concerned the use of CCTV footage by the Defendant in a training demonstration.  The Plaintiff appeared in one of the clips of CCTV footage shown.   The clip was used to identify a particular food safety issue around food contamination between unprepared and prepared food.   Initially in its Defence, the Defendant denied that the Plaintiff was identifiable on the CCTV and so denied that the CCTV was personal data however, it was conceded at hearing that the Plaintiff was identifiable.

Although the Plaintiff was not in attendance at the demonstration in question, he was later informed about it by other employees.

The Plaintiff gave evidence that he was laughed at and was more stressed at work because of the impact of what had happened at the training demonstration.  He felt humiliated and as though he was being mocked.  His complaint in the proceedings related to what he alleged was unlawful processing of his data in breach of the 2018 Act and/or GDPR.  He alleged he suffered damage and distress in the form of anxiety and embarrassment due to remarks made by work colleagues on foot of the alleged data breach.  He also alleged some sleep loss as a result of the matter.

The Defendant argued that the height of the Plaintiff’s claim for damage (non-material) was that he experienced “upset, anxiety and embarrassment”.

The Court’s decision

The Circuit Court outlined some of the relevant factors pertinent in ascertaining damages for non-material loss:

• A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
• There is not a minimum threshold of seriousness required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”.
• There must be a link between the data infringement and the damages claimed.
• If the damage is non-material, it must be genuine, and not speculative.
• Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence.
• An apology where appropriate may be considered in mitigation of damages. For example, it may reassure the affected individual that their employment is safe and not at risk.
• Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
• Data policies should be clear and transparent and accessible by all parties affected.
• Employers should ensure their employee privacy notices and CCTV policies are clear to employees.
• Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach.
• A claim for legal costs may be affected by these factors.
• Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, from the Oireachtas or the Superior Courts and/or the Judicial Council, the court took cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.

In giving judgment, the Court outlined that in this case there was a lack of clarity and transparency in relation to the Defendant’s data protection policies.

The Court considered that the Plaintiff’s implied consent to processing the data for training was at best unclear and this should be construed against the Plaintiff’s employer.  In addition, the Defendant did not plead a legal basis for the processing the Plaintiff’s data.

The court was satisfied:

• That there was an infringement of the Plaintiff’s rights under the GDPR,
• There was non-material damage resulting from that infringement and
• There is a causal link between the damage and the infringement.

The court accepted that the damage caused to the Plaintiff went beyond mere upset. The Court noted the Plaintiff’s loss was not backed up by a medical report but remarked that the Plaintiff was viewed by the court as a truthful and conscientious witness who did not exaggerate the effect of the data breach on him.

The court decided that the appropriate award for non-material damages to the Plaintiff was €2,000.00.

Conclusions

It is interesting that the Court stated clearly that damages in many cases will probably be modest and even signalled that in some cases the value could be below €500.00.  This may discourage claimants from bringing actions for minor breaches but that remains to be seen.

This judgment is the first written judgment to give any sort of judicial guidance on the value of claims for non-material damage in the context of GDPR and it will be interesting to see how future claims for compensation are assessed in due course.

For any queries in relation to data protection/GDPR in your workplace, please contact Emily Sexton, Partner CKT