Circuit Court - 2019/04546: Difference between revisions
Revision as of 14:57, 17 July 2023
Circuit Court - 2019/04546 | |
---|---|
Court: | Circuit Court (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 82 GDPR |
Decided: | 11.07.2023 |
Published: | 12.07.2023 |
Parties: | |
National Case Number/Name: | 2019/04546 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Spanish |
Original Source: | Circuit Court (in Spanish) |
Initial Contributor: | Bernardo Armentano |
Notwithstanding the CJEU's decision on Case C-300/21, an Irish Court held that compensation for non-material damage does not cover “mere upset”. However, in the specific case, it found that the loss went beyond that and imposed a compensation of €2,000.
English Summary
Facts
The data subject was an employee of the company Ballymaguire Foods, the controller, and was responsible for supervising 20 other employees.
During a meeting in March 2019, the Quality Control Manager showed CCTV footage to several managers and supervisors as an instance of poor food safety practice for the purpose of identifying corrective actions. While the data subject was not present in the meeting, they were informed about it by other employees.
The data subject initially filed a complaint with the Irish DPA, but was not assigned to a complaint handler due to a backlog of complaints. Then, they filed a lawsuit before the Circuit Court, pursuant to section 117 of the 2018 Irish Data Protection Act.
In addition to claiming that the further processing of the CCTV footage was illegal, the data subject requested compensation for non-material damages on the grounds that they felt humiliated and more stressed at work after the incident.
In response, the controller argued that employees were aware of the purposes of the CCTV system as informed in its privacy policy. In addition, it maintained that there was a legitimate interest in the use of the images and classified the alleged damages as mere "upset, anxiety and embarrassment".
Holding
First, the Court found that the controller had failed in its duty of transparency as it had four different privacy policies in place, none of which were in the native language of the data subject. In addition, the Court highlighted that the controller cannot rely on legitimate interest without first carrying out an assessment of that interest in relation to the rights and freedoms of the data subject. For these reasons, it held that there was a violation of the data subject’s rights under the GDPR.
Second, the Court referred to the decision rendered by the CJEU in the UI v Österreichische Post case (Case C-300/21), in which it ruled that while there is no automatic right to compensation once an infringement is proven, a de minimis threshold (degree of seriousness) cannot be imposed.
Third, it went on to outline some relevant factors to ascertain damages for non-material loss. According to the Court:
- A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation;
- There is not a minimum threshold of seriousness required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”;
- There must be a link between the data infringement and the damages claimed;
- If the damage is non-material, it must be genuine, and not speculative;
- Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence;
- Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach;
- An apology where appropriate may be considered in mitigation of damages;
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, it has taken cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.
Then, the Court found that there was non-material damage resulting from the infringement and that there was a causal link between this damage and the infringement. It recalled that the data subject was in a supervisory role at the time of the incident and pointed out that the damage resulted in some slagging by employees culminating on the data subject’s own evidence in some serious embarrassment and sleep loss.
For these reasons, it concluded that the damages went beyond mere upset and created an emotional experience and negative emotions of insecurity which did affect the data subject for a short period of time. While this was not backed up by a medical report, the Court highlighted that the data subject was subject to examination and cross examination and was viewed as a truthful and conscientious witness who did not exaggerate the effect of the data breach on them.
Based on the above, the Court awarded a compensation of €2,000 for non-material damages.
Comment
Similarly, a German court recently held that “mere annoyance” and “emotional discomfort” are not sufficient to substantiate a claim for damages (LG Köln - 28 O 138/22).
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
THE CIRCUIT COURT
[2023] IECC 5
AN CHÚIRT CHUARDA
DUBLIN CIRCUIT
COUNTY OF THE CITY OF DUBLIN
Record No. 2019/04546
Between:
ARKADIUSZ KAMINSKI
PLAINTIFF
AND
BALLYMAGUIRE FOODS LIMITED
DEFENDANT
Judgment of His Honour Judge John O’Connor delivered on the 11th day of July, 2023
1. Introduction
1.1 This case concerns proceedings brought by the Plaintiff pursuant to the provisions of section 117 of the Data Protection Act 2018 (“the 2018 Act”) alleging a breach of the provisions of the 2018 Act and/or the General Data Protection Regulation (“GDPR”) on the part of the Defendant. The Plaintiff seeks damages against the Defendant.
1.2 The Defendant denies any breach of the 2018 Act or GDPR occurred in this case. They submit that the processing of the Plaintiff’s data occurred in accordance with the data protection policy of the Defendant, which had been previously provided to the Plaintiff. In the alternative the Defendant submits that even if the court determines that the processing of the Plaintiff’s data was in breach of the 2018 Act or the GDPR, then in such a case the Plaintiff is not entitled to recover damages. This is because, in the Defendant’s submission, the non-material damage claimed by the Plaintiff amounts to no more than mere “upset, anxiety and embarrassment”, and therefore, compensation is not recoverable for such damages.
1.3 The questions for the court are as follows:
1. Was the use of the CCTV footage by the Defendant, in a demonstration of work practice, a breach of the Plaintiff’s personal data, such as to constitute an unlawful processing under the 2018 Act and GDPR?
2. If the answer to question 1 is yes, did the damage [in this case non-material damage] go beyond mere upset or displeasure as a result of the infringement of the Plaintiff’s personal data?
3. If the answer to question 2 is yes, what [if any] compensation is recoverable for such damages, and how is same to be calculated?
2. Relevant Legislation
The following legislation was referred to:
2.1 General Data Protection Regulation (GDPR)
Articles 5.1: Principles relating to processing of personal data
Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
Article 6: Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
(c) processing is necessary for compliance with a legal obligation to which the controller is subject.
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Article 82: Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Article 79: Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
2.2 The Data Protection Act 2018
Section 71: Processing of personal data
(1) A controller shall, as respects personal data for which it is responsible, comply with the following provisions:
(a) the data shall be processed lawfully and fairly;
(b) the data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with such purposes;
(c) the data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed;
(d) the data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) the data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed;
(f) the data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against—
(i) unauthorised or unlawful processing, and
(ii) accidental loss, destruction or damage.
(2) The processing of personal data shall be lawful where, and to the extent that—
(a) the processing is necessary for the performance of a function of a controller for a purpose specified in section 70(1)(a) and the function has a legal basis in the law of the European Union or the law of the State, or
(b) the data subject has, subject to subsection (3), given his or her consent to the processing.
(3) Where the processing of personal data is to be carried out on the basis of the consent of the data subject referred to in subsection (2)(b), the processing shall be lawful only where, and to the extent that—
(a) having been informed of the intended purpose of the processing and the identity of the controller, the data subject gives his or her consent freely and explicitly,
(b) the request for consent is expressed in clear and plain language, and where such consent is given in the context of a written statement that also concerns other matters, the request for consent is presented to the data subject in a manner that is clearly distinguishable from those other matters, and
(c) the data subject may withdraw his or her consent at any time, and he or she shall be informed of this possibility prior to giving consent.
(4) Where a data subject withdraws his or her consent to the processing of personal data pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to the consent being withdrawn.
(5) Where a controller collects personal data for a purpose specified in section 70(1)(a), the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as—
(a) the controller is authorised to process such personal data for such a purpose in accordance with the law of the European Union or the law of the State, and
(b) the processing is necessary and proportionate to the purpose for which the data are being processed.
(6) A controller may process personal data, whether the data were collected by the controller or another controller, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes,
provided that the said processing—
(i) is for a purpose specified in section 70(1)(a), and
(ii) is subject to appropriate safeguards for the rights and freedoms of data subjects.
(7) A controller shall ensure, in relation to personal data for which it is responsible, that an appropriate time limit is established for—
(a) the erasure of the data, or
(b) the carrying out of periodic reviews of the need for the retention of the data.
(8) Where a time limit is established in accordance with subsection (7), the controller shall ensure, by means of procedural measures, that the time limit is observed.
(9) A processor, or any person acting under the authority of the controller or of the processor who has access to personal data, shall not process the data unless the processor or person is—
(a) authorised to do so by the controller, or
(b) required to do so by the law of the European Union or the law of the State,
and then only to the extent so authorised or required, as the case may be.
(10) A controller shall ensure that it is in a position to demonstrate that the processing of personal data for which it is responsible is in compliance with subsections (1) to (8) of this section.
Section 117: Judicial remedy for infringement of relevant enactment
(1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.
(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort.
(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions.
(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more than one of the following reliefs:
(a) relief by way of injunction or declaration; or
(b) compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.
(5) The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.
(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the judge of any circuit in which—
(a) the controller or processor against whom the data protection action is taken has an establishment, or
(b) the data subject has his or her habitual residence.
(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body, organisation or association to which Article 80(1) applies that has been mandated by the data subject to do so.
(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:
(a) relief by way of injunction or declaration; or
(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.
(9) A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.
(10) In this section—
“damage” includes material and non-material damage;
“injunction” means—
(a) an interim injunction,
(b) an interlocutory injunction, or
(c) an injunction of indefinite duration.
2.3 Article 29 Working Party (Art. 29 WP)
Article 29 Working Party (Art. 29 WP) was the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the General Data Protection Regulation (GDPR)) when it was replaced by the European Data Protection Board (EDPB). During its first plenary meeting the EDPB endorsed the GDPR related Article 29 Working Party Guidelines.
3. Recent Case Law
3.1 The recent decision from the Court of Justice of the European Union (CJEU), UI v Österreichische Post (the “Österreichische Post decision”) Case C-300/21, was brought to the court’s attention and will be discussed later in this judgment.
4. Facts
4.1 The Plaintiff is an employee of the Defendant, having been first employed in March 2009. In October 2015, the Plaintiff was promoted to Goods Inwards Line Lead and entered into a new contact of employment with the Defendant. In March 2019, the Plaintiff was an acting supervisor of 20 employees.
4.2 In March 2019, CCTV footage was shown to employees of the Defendant as part of a meeting between the Quality Control Manager and several managers and supervisors. The purpose of the meeting, according to the Defendant, was to address instances of poor food safety practice and to highlight food quality and safety issues that needed to be addressed for the purpose of identifying corrective actions.
4.3 Several clips involving poor food quality and safety practices were shown by the Quality Control manager to the managers and supervisors present at the meeting. The Defendant appeared in one of the clips of CCTV footage which was shown. The meeting discussed the issues of poor food safety practice. It was not solely focused on the incident involving the Plaintiff. Specifically, the clip of the Plaintiff was used to identify an issue with persons moving directly from the low care area of the factory, where unprepared food is maintained, to the high care area where prepared food is dealt with. This, the Defendant submits, is not permittable due to the dangers of food contamination, which would be consumed by members of the public.
4.4 The meeting did not identify specific individuals by name or deal with the actions of specific individuals. The Defendant’s original defence denied that the Plaintiff was identifiable, and therefore denied that the CCTV constituted personal data. This claim was based on the fact that the Plaintiff was wearing protective wear on his face.
4.5 The Plaintiff’s submission is that he has always been identifiable. He further submitted that his entire face was not obscured. He has a distinctive physical presence and movements and is one of a limited pool of people who was working in the area concerned. The audio on the file contains two voices and provides: “Who’s this? Who’s that? …. it’s Arkadiusz, one of our supervisors.”
4.6 Accordingly, during this court hearing it was conceded by the Defendant that the Plaintiff was in fact identifiable.
The Plaintiff submitted a considerable portion of the pretrial submission and the hearing was unnecessarily taken up with this issue. He also submitted that even when it was conceded it was stated it was just a meeting, to which the Defendant referred to as a “huddle meeting” and “toolbox talk”. In the course of cross examination by the Plaintiff’s counsel of Mr. O’Neill for the Defendant the following exchange took place which best describes how the Defendant saw the issue:
“Q: You heard his evidence. So you’re unaware of any black marks and you spoke of glowing terms about my client. I put it to you: this was a black mark against my client. This was a black mark showing him being held up as somebody engaged in a serious food safety issue?
A: Well, I don’t accept that. Fundamentally I don’t accept that it was a black mark because we’re a large business, we’re dealing with a large number of employees, we’re dealing with multiple incidents week in, week out, and if we were to go round carrying black marks around in our back pocket like that, we would never be able to run our business successfully. They’re what we call learning incidents. We would prefer to see them as learning incidents rather than disciplinary incidents where we can [i.e. where possible]. Let’s learn what we can from this, let’s correct, let’s put in a proper control or a better control and be better in what we do in future.”
4.7 The Plaintiff was not present at the meeting of supervisors and managers. It took place at the beginning of the morning shift. On that date, the Plaintiff was rostered on the night shift. However, the Plaintiff was informed about the CCTV clip after the meeting by other employees. Furthermore, for two weeks after the incident, the CCTV was stored on a communal work computer, without password protection.
While this created a significant risk, it does not appear that the CCTV was in fact accessed by any unauthorised persons and no allegation of unlawful processing is made in that regard.
4.8 The Plaintiff’s version of the impact of the meeting on him was stated in evidence as follows: “In my opinion I was laughed at. I was more stressed at work because of it. I wasn’t so glad to go to work every morning. I was so limited, all our social meetings with my colleagues from work. I felt humiliated and I felt I was being mocked. I – for a while I had problems with my sleep. I don’t – I’m not sure if it was connected with the stress but I suppose so.”
4.9 The Plaintiff did not face any disciplinary consequences over the incident. His complaint in these proceedings relates to the alleged further processing of the CCTV footage as part of the meeting of supervisors and managers, and that the use of the CCTV footage in which he was identifiable amounts to an unlawful processing of his data in breach of the 2018 Act and/or GDPR. The Plaintiff alleges that as result he suffered damage and distress in the form of anxiety and embarrassment, due to the remarks made by work colleagues on foot of the alleged data breach.
4.10 The Plaintiff complained to the Data Protection Commission (“the DPC”) about the incident. However, as the complaint was not assigned to a complaint handler due to a backlog of complaints, the Plaintiff submits that he did not wish to delay this case further by awaiting the DPC’s outcome, hence the matter appeared before the Circuit Court de novo pursuant to section 117 of the 2018 Act.
5. The Plaintiff’s Submission on the Data Protection Policies
5.1 Four documents were discovered, in this regard the Plaintiff submits that four different policies with different purposes were said to have been in place.
He also opines that the preponderance of the Defendant’s policy documentation is completely silent about the use of CCTV for training, and that this confusion was continued at the hearing regarding the data protection policies actually relied upon.
5.2 The Plaintiff outlines its argument as follows:
(a) The Data Protection Policy of May 2018 (“the 2018 policy”) has one section on CCTV. It provides:
“Closed circuit monitoring
Country Crest Group has closed circuit television cameras located at various identifiable and visible locations throughout the site. CCTV is used for Health and Safety, Food Quality & Safety and general hazard identification purposes. This is necessary for the security and safety of staff and Group property and in order to protect against loss or damage. Access to the recorded material will be strictly limited to authorised personnel. Images may be used for training, quality and accident prevention purposes.”
(b) The CCTV Notification Memo of 5 September 2016 (“the 2016 memo”) states CCTV cameras are operated “throughout the group premises and site”, in order to “comply with certain safety requirements”. It goes on to state that the recordings are “periodically reviewed” for the following purposes:
“Health and Safety within the Workplace
Food Safety and Quality
General Site Security”
(c) The CCTV Notification Memo of 20 July 2014 (“the 2014 memo”) states that CCTV is operated to comply with “certain business requirements”. It states:
“These CCTV recordings are for the following purposes:-
Health and Safety within the workplace
General Group Security”
(d) The Site Security Procedure Document from March 2011 (“the 2011 document”) states its purpose is the prevention of access by unauthorised persons to production and storage areas. One of the methods is: “Site security men are present out of hours along with CCTV cover 24 hours”.
5.3 Therefore, according to the Plaintiff, the 2018 policy is the only one which contains a reference to the use of images for training, but the Plaintiff submits that it was not relied upon and references the evidence furnished to the court in respect of the 2016 memo and the 2011 document.
5.4 The Plaintiff further submits that Ms. Meus (employee of the Defendant) gave evidence that she devised the training in question. Mr. O’Neill confirmed that she alone was responsible for the training. She gave evidence the data protection policies she relied on were the 2016 memo and the 2011 document. She was clear that she was not relying on the 2018 policy. The 2018 policy is the only policy which contains a reference to the use of images for training. This is the policy relied on in the Defendant’s defence. Furthermore, it is the policy relied on in the Defendant’s first set of submissions.
5.5 Considering the evidence actually provided at hearing, all reliance by the Defendant on the 2018 policy and the one reference contained therein to “training” should, according to the Plaintiff, be disregarded.
6. Defendant’s Submissions
6.1 The Defendant denies any breach of the 2018 Act or GDPR. It states that as required under data protection legislation the Defendant had in place a data protection policy which was provided to all employees of the Defendant. The relevant data protection policy which was applicable at the time of the Plaintiff’s claim was dated May 2018. This policy included the same stated purposes for collection as the Data Protection Memorandum issued to all staff in 2016. The policy states that the 2018 Act and GDPR apply to the processing of personal data. The policy forms part of the staff handbook which is provided to all employees.
6.2 The Defendant also submits that no damage has been identified by the Plaintiff in respect of this allegation, as a result it cannot form the basis for a claim under section 117 of the 2018 Act.
6.3 In respect of the alleged breaches of the 2018 Act and/or GDPR, the Plaintiff alleges that he suffered damage and distress, which is limited to a claim for non-material damage. The Defendant states that the height of the Plaintiff’s non-material damage claim is that he experienced “upset, anxiety and embarrassment”.
6.4 In legal submissions the Defendant also claims that there was legitimate interest in processing the data.
7. Court’s consideration of the law
7.1 Article 82(1) of the General Data Protection Regulation (GDPR) provides that any person who has suffered material or non-material damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. As a consequence, compliance with the GDPR is publicly enforced e.g. with fines, and private enforcement is enforced with damages, of course there are other remedies such as injunctions for ongoing breaches, but we are not concerned with that issue in this case, as the breaches alleged here are not ongoing.
7.2 Article 82(1) is therefore a critical part of understanding the enforcement process of the GDPR and for this case it is at the core of understanding the basis for the private enforcement of data protection rights. In this respect one of the many challenges is to find a way to evaluate the concept of non-pecuniary loss. Unfortunately, there appears at present to be some uncertainty in understanding how compensation for non-material loss should be calculated in Ireland. There are a number of preliminary references pending before the Court of Justice of the European Union (the “CJEU”).
7.3 The wording of Article 82(1) at first sight appears clear in that it appears to provide a basis for a compensation claim. However on closer examination, Article 82(1) does not actually state that a person who suffers a breach has a right to compensation, it states the person shall have the right [italics added].
In other words, it is a contingent right. However, against that, the whole trust of GDPR is that once rights have been infringed there is a right to an effective remedy pursuant to Article 47 of the Charter of Fundamental Rights (CFR). 7.4 In addition, while “non-material damage” is not defined in the GDPR, the recitals are informative, although not binding. Recital 146 of the GDPR provides that the “concept of damage should be broadly interpreted” and that data subjects should receive “full and effective compensation for the damage they have suffered”. 7.5 Recital 85 of the GDPR provides that where a personal data breach is not addressed inan appropriateortimelymanner,itmayresultin “physical,materialornon-materialdamage to natural persons” in circumstances where the natural person has “suffered a loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, 17financial loss…damage to reputation, loss of confidentiality of personal data or any other significant economic or social disadvantage.” 7.6 Section 117 of the Data Protection Act 2018 is the relevant provision outlining the parameters of judicial remedy for infringements of the Act. It provides that: “without prejudice to anyother remedy, including the right to lodge a complaint, a data subject may bring a data protection action against a controller or processor where his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment” 7.7 It is anticipated the CJEU will further clarify the law and that the legislature and/or the Superior Courts will give guidance on how this provision is to be applied. In this case the court has not been requested to stay proceedings pending the determination of the preliminary references before the CJEU or to state a case to the Court of Appeal. 
This is perfectly understandable as the parties would like their case disposed of as quickly and efficiently as possible, and in view of the UI v Österreichische Post case discussed below. 8. UI v Österreichische Post (Case C-300/21) Decision 8.1 UI v Österreichische Post (Case C-300/21) was referred to the CJEU by the Austrian Supreme Court on the interpretation of Article 82. In this case, the Defendant sold personal data as a profile publisher for third party marketing purposes. The Defendant collected information via an algorithm including details regarding the political affinity of the claimant. The algorithm defined the target group’s profile according to socio-demographic characteristics. No consent was given by the claimant to the processing and storing of data. The claimant argued that the political affinity attributed to him was insulting and shameful and made a claim for non-material damage under Article 82. 188.2 The Austrian Supreme Court referred three questions to the CJEU for a preliminary ruling: 1. Is themerebreach ofprovisions oftheGDPR,inandofitself,sufficient fortheaward of damage? 2. In addition to the principles of effectiveness and equivalence, does EU law impose further requirements that national courts must observe when assessing damages under Article 82? 3. Does non-material damage require an impairment (or other consequence of the infringement of at least some weight) that goes beyond the annoyance caused by the infringement 8.3 The Advocate General opined that there should be no right to compensation for a mere infringement of the GDPR. And that compensation should not be available for “mere annoyance or upset”. 8.4 The decision of the CJEU is as follows: 1. The CJEU ruled that the GDPR must be interpreted as meaning that the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation. In other words, there is no automatic right to compensation once an infringement is proven. 2. 
The CJEU ruled that the GDPR must be interpreted as precluding a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness. In other words, a de minimis threshold cannot be imposed. 19 3. Finally, the CJEU ruled that the amount of damages payable under the right to compensation is to be determined by the national court applying the domestic rules of each Member State, provided that the principles of equivalence and effectiveness of EU law are complied with. 9. Case Law from other Jurisdictions 9.1 In Lloyd v. Google LLC [2021] UKSC 50, the UK Supreme Court reversed the decision of the UK Court of Appeal in Lloyd v. Google LLC [2019] EWCA Civ 1599, and unanimously dismissed Lloyd’s representative action brought against Google. In brief summary, the UK Supreme Court confirmed that a claim for damages for the unlawful processing of data under the English Data Protection Act 1998 can only be made if the data subject has suffered some form of material damage (such as financial loss) or mental distress. The damage could not be the unlawful processing itself. 9.2 Mr Lloyd, a former director of Which?, brought a representative action against Google using the procedure set out in Civil Procedure Rule (“CPR”) in England. Mr Lloyd’s claim was funded by a third-party litigation funder. The claim alleged that between August 2011 and February 2012, Google breached its duties as a data controller to over 4 million Apple iPhone users’ resident in England and Wales. Mr Lloyd claimed that Google used a browser cookie which could be activated on certain mobile phones without users’ knowledge or consent when they visited certain websites (described as the ‘Safari Workaround’). 
Google allegedly used the cookie to collect information about customers’ browser activity, which in turn enabled Google to distribute targeted advertising to those users, generating significant profits for the company. 9.3 Mr Lloyd relied on Section 13 (1) of the Data Protection Act 1998 [DPA 1998] to bring his claim. Section 13 of the DPA 1998 reads as follows: “Compensation for failure to comply with certain requirements. 20 (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage. (2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if— (a) the individual also suffers damage by reason of the contravention, or (b) the contravention relates to the processing of personal data for the special purposes. (3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.” 9.4 A representative action procedure in CPR allows an action to proceed on an “opt-out” basis, meaning that individual class members do not need to elect to join the claim. The class members and representative must share the “same interest” in the claim. If that test is satisfied, then the court will use its discretion in deciding whether a claim that meets the test should be permittedtoproceed.Ajudgmentwillbindall classmembersunlessthecourtordersotherwise. 9.5 Mr Lloyd argued that the “same interest” requirement was satisfied as all members of the class could claim damages for “loss of control” and no proof of any further damage or distress was required. 
Damages were framed on the basis of an equal, standard “tariff” award, without the need for the individual assessment of loss. 9.6 Specifically, Mr Lloyd contended the following in his claim for damages: 21 • Theword “damage” in section 13(1)of theDPA 1998not only extendsbeyondmaterial damage to include distress, which was established in Vidal-Hall v. Google Inc [2016] QB 1003, but also includes non-trivial breaches of the DPA 1998, namely for “loss of control” of data. • The principles in the case Gulati v. MGN [2015] EWHC 1482 (CH), which were applicable to the assessment of damages in the tort of misuse of private information should also apply to section 13(1) of the DPA 1998, as both claims have a “common source”(inseekingtoprotecttherighttoprivacyguaranteedbyArticle8oftheECHR). Gulati v MGN established that claimants could be compensated for misuse of their private information itself because they were deprived of “their right to control [its] use”. 9.7 The UK Supreme Court [per Lord Leggatt] (with whom Lord Reed, Lady Arden, Lord Sales and Lord Burrows agreed) rejected these arguments. It found that it is not enough to simply prove a breach in order to recover compensation under section 13 of the DPA 1998. It held that on a proper interpretation, the term “damage” in section 13 refers to material damage (such as financial loss) or mental distress. This damage must be distinct from, and caused by, unlawful processing of personal data in contravention of the DPA 1998. It cannot be the unlawful processing itself. The UK Supreme Court also confirmed that even if Mr Lloyd could pursue a claim for damages based on “loss of control”, his proposed lowest common denominator approach could not be used as it would still be necessary to establish the extent of the unlawful processing in each individual case to ensure that a “de minimis” threshold was met. 
9.8 Per Lord Leggatt at paragraph 153: “On the claimant’s own case there is a threshold of seriousness which must be crossed before a breach of the DPA 1998 will give rise to an entitlement to compensation under section 13. I cannot see that the facts which the claimant aims to prove in each individual case are sufficient to surmount this threshold. If (contrary to the conclusion I have reached) those facts disclose “damage” within the meaning of section 13 at all, I think it impossible to characterise such damage as more than trivial. What gives the appearance of substance to the claim is the allegation that Google secretly tracked the internet activity of millions of Apple iPhone users for several months and used the data obtained for commercial purposes. But on analysis the claimant is seeking to recover damages without attempting to prove that this allegation is true in the case of any individual for whom damages are claimed. Without proof of some unlawful processing of an individual’s personal data beyond the bare minimum required to bring them within the definition of the represented class, a claim on behalf of that individual has no prospect of meeting the threshold for an award of damages.”
9.9 In Rolfe & Others v. Veale Wasbrough Vizards LLP [2021] EWHC (QB) the English High Court held that there is a de minimis threshold implicit in English case law which claimants have to show has been exceeded before they can seek damages for actual loss or distress. In Johnson v. Eastlight Community Homes Ltd [2021] EWHC 3069 (QB), the English High Court also ruled that the de minimis concept applies to claims taken under the GDPR and the UK Data Protection Act 2018.
10. Irish Case Law
10.1 In Ireland in the decision of Collins v. FBD Insurance plc [2013] IEHC 137, Feeney J noted that no right to compensation for non-material damage (referred to as non-pecuniary damage) existed. However, it is important to caveat that this case predates the implementation of the GDPR.
10.2 In Shawl Property Investments Ltd v. A. & B. [2021] IECA 53, the Court of Appeal (Whelan J.) held that “nothing stated in s. 117 or indeed the Act itself suggests that a data protection action is a tort of strict liability.”
11. Relevant Factors in Ascertaining Damages for Non-Material Loss
11.1 Applying the law in this case, and in particular following the decision of UI v Österreichische Post, this court outlines below some of the relevant factors pertinent in ascertaining damages for non-material loss. While this is suggested with some caution in the absence of clarification from the Oireachtas, the Superior Courts and the outstanding preliminary references pending before the CJEU, it does facilitate a mechanism for this court to take a consistent approach to data breach claims for non-material loss.
11.2 Importantly it appears from UI v Österreichische Post and in a departure from the opinion of the Advocate General’s Opinion, the CJEU determined that there is no de minimis standard of loss to be suffered for an individual to recover compensation. Damages are to be interpreted broadly “and it would be contrary to that broad conception of damages favoured by the EU legislature, if that concept were limited solely to damage of a certain degree of seriousness.”
11.3 Privacy is a human right and personal information is a key aspect of this right. It is self-evident that some data breaches may have no impact or only a minor impact on affected individuals, other data breaches can have serious consequences. By way of example only, an unintended disclosure of an employee’s home address in a small organisation to employees where the address is already known would be a minor breach. A disclosure of the personal address of a person in a witness protection programme would be a major breach. Many cases fall in between these two extremes.
11.4 In addition, processing of personal data is only lawful where it is demonstrated to have a ‘legal basis’. Article 6 of the GDPR sets out what the potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
11.5 To comply with Article 6(1)(f) of the GDPR the processing must be lawful and necessary to achieve its aim. Therefore, a court will enquire if the processing was lawful. The best way to achieve this is to demonstrate if a legitimate interest assessment was carried out. It is also necessary to balance the processor’s legitimate interests against the individual’s interests, rights and freedoms.
11.6 In assessing damages for non-material loss the following factors are proffered:
• A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
• There is not a minimum threshold of seriousness required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”.
• There must be a link between the data infringement and the damages claimed.
• If the damage is non-material, it must be genuine, and not speculative.
• Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence.
• Data policies should be clear and transparent and accessible by all parties affected.
• Employers should ensure their employee privacy notices and CCTV policies are clear to employees [Cormac Doolin v. The Data Protection Commissioner and Our Lady’s Hospice and Care Services [2020] IEHC 90; [2022] IECA 117 and McVann -v- Data Protection Commissioner [2023] IECC 3]
• Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach.
• An apology where appropriate may be considered in mitigation of damages. For example, it may reassure the affected individual that their employment is safe and not at risk.
• Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
• A claim for legal costs may be affected by these factors.
• Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, from the Oireachtas or the Superior Courts and/or the Judicial Council, the court has taken cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.
11.7 Although not argued before this court, it is proffered that an independent adjudicative or conciliation resolution process would be a suitable alternative dispute pathway to resolve data breach assessments. Indeed, since this case was heard the court takes note of the judgment of His Honour Judge Simon McAleese in the case of Siobhan Keane v. Central Statistics Office delivered orally at Waterford Circuit Court on the 30 June 2023. McAleese J held that a breach of privacy is essentially a tort which derives from breach of a constitutional right. The learned judge also held in that case, the Plaintiff’s claim was a civil action by virtue of the definition contained in the Personal Injuries Assessment Board Act 2003 [now Personal Injuries Assessment Board Acts 2003 to 2022] [collectively “the 2003 Act”]. The principal remedy sought in that case was damages for personal injuries and the learned judge held that the action was bound to fail in respect of personal injuries, thus “restricting the Plaintiff’s claim to such damages, if any, as might be awardable for the truly limited (in so far as it concerns the Plaintiff) and accidental data breach which occurred in this case”. The court in that case also expressed no view upon such defences as might be available to the Defendant or whether the defence will prevail if what remains of the matter for trial. The significance of this judgment is important for potential future actions concerning data breaches and claims for damages.
11.8 In Clarke v O’Gorman [2014] IESC 72, O’Donnell J (as he then was) held that section 12 of the 2003 Act, which provides a bar on bringing proceedings unless certain conditions are satisfied, does not operate to deprive the court of jurisdiction in the event of non-compliance with its provisions. Such non-compliance may be invoked by the defendant in its defence and used as a shield. However, as in Clarke v O’Gorman, PIAB was not invoked by the defendant in this case, and this is understandable as the data breach in this case was strongly denied.
12. Application of the law to the facts
12.1 The Plaintiff was identifiable, and this is now accepted by both parties. However, it was only accepted by the Defendant at the trial.
12.2 Clarity in relation to data protection policies is a core principle of GDPR and the 2018 Act. However, in this case there was a lack of clarity and transparency in relation to the Defendant’s data protection policies. This is due to the four policies outlined at paragraph 5.2. In addition, the Defendant’s witness evidence at the trial confirmed this confusion.
12.3 The Plaintiff’s first language is Polish, but he was expected to navigate what was the actual policy from the four documents provided to him in English. The principle of lawfulness, fairness, and transparency is of particular relevance to the question of legal basis. It is noted that the Defendant has updated its policies now and is available in the various first languages of its employees. This is commendable.
12.4 The Plaintiff’s implied consent to processing the data for training was at best unclear and this should be construed against the Plaintiff’s employer. It was the Defendant employer who set out the four data policies. Consent is not the only basis by which the collection of data will be lawful and various other legal bases are set out in Article 6 of GDPR. However, it is also of note that the Defendant did not plead a legal basis for the processing, though in legal submissions later it claimed it was operating on foot of a legitimate interest. However, a legitimate interest assessment was not carried out to identify what the legitimate interest was or to show if the processing was necessary to achieve it. It is clear even if a legitimate interest was considered, notwithstanding the lack of assessment, it was not considered against the Plaintiff’s interests, rights, and freedom.
12.5 The court is therefore satisfied:
• That there was an infringement of the Plaintiff’s rights under the GDPR,
• There was non-material damage resulting from that infringement and
• There is a causal link between the damage and the infringement.
12.6 The damage in this case resulted in some slagging by employees culminating on the Plaintiff’s own evidence in some serious embarrassment and sleep loss. It is important to note the Plaintiff was in a supervisory role at the time of the incident, though there is no claim for any loss of employment. The Plaintiff was not present at the meeting of supervisors and managers, and he did not know his image would be used in the meeting. The court is satisfied the Defendant originally believed that the Plaintiff was not in fact identified, though this was rightly conceded during the trial once the evidence became clear. However, the Plaintiff was informed about the CCTV clip after the meeting by other employees.
12.7 Furthermore, for two weeks after the incident, the CCTV was stored on a communal work computer, without password protection. While this created a significant risk it does not appear that the CCTV was in fact accessed by any unauthorised persons.
12.8 The court accepts that the Plaintiff’s loss, bearing in mind his supervisory position in the company and his own background already described, went beyond mere upset and created an emotional experience and negative emotions of insecurity which did affect him for a short period of time. While this is not backed up by a medical report, it is noteworthy that the Plaintiff who was subject to examination and cross examination was viewed by the court as a truthful and conscientious witness who did not exaggerate the effect of the data breach on him. It is admirable that his employer has addressed the issues in relation to the data policies and the use of CCTV for training in the workplace, and the data breach has not had any long-term effect on the Plaintiff or his employment.
12.9 The court is of the opinion that the appropriate award for non-material damages in this case is two thousand euros.