Circuit Court - 2019/04546

From GDPRhub
Revision as of 14:42, 17 July 2023 by Ba
Court: Circuit Court (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(a) GDPR
Article 6 GDPR
Article 82 GDPR
Decided: 11.07.2023
Published: 12.07.2023
Parties:
National Case Number/Name: 2019/04546
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): Spanish
Original Source: Circuit Court (in Spanish)
Initial Contributor: Bernardo Armentano

Following the CJEU's decision in Case C-300/21, an Irish Court established some factors for the assessment of non-material damages. In the specific case, it found that the loss went beyond "mere upset" and awarded compensation of €2,000.

English Summary

Facts

The data subject was an employee of the company Ballymaguire Foods, the controller, and was responsible for supervising 20 other employees.

During a meeting in March 2019, the Quality Control Manager showed CCTV footage to several managers and supervisors as an instance of poor food safety practice for the purpose of identifying corrective actions. While the data subject was not present at the meeting, they were informed about it by other employees.

The data subject initially filed a complaint with the Irish DPA, but it was not assigned to a complaint handler due to a backlog of complaints. They then filed a lawsuit before the Circuit Court, pursuant to section 117 of the 2018 Irish Data Protection Act.

In addition to claiming that the further processing of the CCTV footage was illegal, the data subject requested compensation for non-material damages on the grounds that they felt humiliated and more stressed at work after the incident.

In response, the controller argued that employees were aware of the purposes of the CCTV system, as set out in its privacy policy. In addition, it maintained that there was a legitimate interest in the use of the images and classified the alleged damages as mere "upset, anxiety and embarrassment".

Holding

First, the Court found that the controller had failed in its duty of transparency as it had four different privacy policies in place, none of which were in the native language of the data subject. In addition, the Court highlighted that the controller cannot rely on legitimate interest without first carrying out an assessment of that interest in relation to the rights and freedoms of the data subject. For these reasons, it held that there was a violation of the data subject’s rights under the GDPR.

Second, the Court referred to the decision rendered by the CJEU in the UI v Österreichische Post case (Case C-300/21), in which it ruled that while there is no automatic right to compensation once an infringement is proven, a de minimis threshold (degree of seriousness) cannot be imposed.

Third, it went on to outline some relevant factors to ascertain damages for non-material loss. According to the Court:

- A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation;
- There is not a minimum threshold of seriousness required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”;
- There must be a link between the data infringement and the damages claimed;
- If the damage is non-material, it must be genuine, and not speculative;
- Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence;
- Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach;
- An apology where appropriate may be considered in mitigation of damages;
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, it has taken cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.

Then, the Court found that there was non-material damage resulting from the infringement and that there was a causal link between this damage and the infringement. It recalled that the data subject was in a supervisory role at the time of the incident and pointed out that the damage resulted in some slagging by employees culminating, on the data subject’s own evidence, in some serious embarrassment and sleep loss.

For these reasons, it concluded that the damages went beyond mere upset and created an emotional experience and negative emotions of insecurity which did affect the data subject for a short period of time. While this was not backed up by a medical report, the Court highlighted that the data subject was subject to examination and cross examination and was viewed as a truthful and conscientious witness who did not exaggerate the effect of the data breach on them.

Based on the above, the Court awarded compensation of €2,000 for non-material damages.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

THE CIRCUIT COURT                         [2023] IECC 5
                             AN CHÚIRT CHUARDA
 DUBLIN CIRCUIT                                             COUNTY OF THE CITY
                                                                         OF DUBLIN


                                                                Record No. 2019/04546

 Between:
                           ARKADIUSZ KAMINSKI
                                                                         PLAINTIFF



                                      AND


                     BALLYMAGUIRE FOODS LIMITED
                                                                       DEFENDANT


Judgment of His Honour Judge John O’Connor delivered on the 11th day of July, 2023

1. Introduction

1.1    This case concerns proceedings brought by the Plaintiff pursuant to the provisions of

section 117 of the Data Protection Act 2018 (“the 2018 Act”) alleging a breach of the provisions


of the 2018 Act and/or the General Data Protection Regulation (“GDPR”) on the part of the

Defendant. The Plaintiff seeks damages against the Defendant.


1.2    The Defendant denies any breach of the 2018 Act or GDPR occurred in this case. They

submit that the processing of the Plaintiff’s data occurred in accordance with the data protection


policy of the Defendant, which had been previously provided to the Plaintiff. In the alternative

the Defendant submits that even if the court determines that the processing of the Plaintiff’s

data was in breach of the 2018 Act or the GDPR, then in such a case the Plaintiff is not entitled

to recover damages. This is because, in the Defendant’s submission, the non-material damage


claimed by the Plaintiff amounts to no more than mere “upset, anxiety and embarrassment”,

and therefore, compensation is not recoverable for such damages.







1.3     The questions for the court are as follows:


        1. Was the use of the CCTV footage by the Defendant, in a demonstration of work

        practice, a breach of the Plaintiff’s personal data, such as to constitute an unlawful

        processing under the 2018 Act and GDPR?


        2. If the answer to question 1 is yes, did the damage [in this case non-material damage]


        go beyond mere upset or displeasure as a result of the infringement of the Plaintiff’s

        personal data?


        3. If the answer to question 2 is yes, what [if any] compensation is recoverable for such

        damages, and how is same to be calculated?


2. Relevant Legislation


The following legislation was referred to:


2.1     General Data Protection Regulation (GDPR)


Article 5.1: Principles relating to processing of personal data


        Personal data shall be:


        (a) Processed lawfully, fairly and in a transparent manner in relation to the data subject

            (‘lawfulness, fairness and transparency’);


Article 6: Lawfulness of processing


        Processing shall be lawful only if and to the extent that at least one of the following

        applies


        (a) the data subject has given consent to the processing of his or her personal data for

            one or more specific purposes;





        (b) processing is necessary for the performance of a contract to which the data subject

            is party or in order to take steps at the request of the data subject prior to entering


            into a contract.

        (c) processing is necessary for compliance with a legal obligation to which the

            controller is subject.


        (d) processing is necessary in order to protect the vital interests of the data subject or

            of another natural person.

        (e) processing is necessary for the performance of a task carried out in the public


            interest or in the exercise of official authority vested in the controller.

        (f) processing is necessary for the purposes of the legitimate interests pursued by the

            controller or by a third party, except where such interests are overridden by the


            interests or fundamental rights and freedoms of the data subject which require

            protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities


in the performance of their tasks.


Article 82: Right to compensation and liability


        1. Any person who has suffered material or non-material damage as a result of an

            infringement of this Regulation shall have the right to receive compensation from

            the controller or processor for the damage suffered.


        2. Any controller involved in processing shall be liable for the damage caused by

            processing which infringes this Regulation. A processor shall be liable for the

            damage caused by processing only where it has not complied with obligations of


            this Regulation specifically directed to processors or where it has acted outside or

            contrary to lawful instructions of the controller.




        3. A controller or processor shall be exempt from liability under paragraph 2 if it

            proves that it is not in any way responsible for the event giving rise to the damage.


        4. Where more than one controller or processor, or both a controller and a processor,

            are involved in the same processing and where they are, under paragraphs 2 and 3,

            responsible for any damage caused by processing, each controller or processor shall

            be held liable for the entire damage in order to ensure effective compensation of the


            data subject.

        5. Where a controller or processor has, in accordance with paragraph 4, paid full

            compensation for the damage suffered, that controller or processor shall be entitled


            to claim back from the other controllers or processors involved in the same

            processing that part of the compensation corresponding to their part of

            responsibility for the damage, in accordance with the conditions set out in paragraph

            2.


        6. Court proceedings for exercising the right to receive compensation shall be brought

            before the courts competent under the law of the Member State referred to in Article

            79(2).


Article 79: Right to an effective judicial remedy against a controller or processor


        1. Without prejudice to any available administrative or non-judicial remedy, including

            the right to lodge a complaint with a supervisory authority pursuant to Article 77,

            each data subject shall have the right to an effective judicial remedy where he or

            she considers that his or her rights under this Regulation have been infringed as a


            result of the processing of his or her personal data in non-compliance with this

            Regulation.

        2. Proceedings against a controller or a processor shall be brought before the courts of


            the Member State where the controller or processor has an

            establishment. Alternatively, such proceedings may be brought before the courts

            of the Member State where the data subject has his or her habitual residence, unless


            the controller or processor is a public authority of a Member State acting in the

            exercise of its public powers.

2.2     The Data Protection Act 2018


Section 71: Processing of personal data


(1) A controller shall, as respects personal data for which it is responsible, comply with the


following provisions:


        (a) the data shall be processed lawfully and fairly;


        (b) the data shall be collected for one or more specified, explicit and legitimate purposes

        and shall not be processed in a manner that is incompatible with such purposes;


        (c) the data shall be adequate, relevant and not excessive in relation to the purposes for

        which they are processed;


        (d) the data shall be accurate, and, where necessary, kept up to date, and every


        reasonable step shall be taken to ensure that data that are inaccurate, having regard to

        the purposes for which they are processed, are erased or rectified without delay;


        (e) the data shall be kept in a form that permits the identification of a data subject for

        no longer than is necessary for the purposes for which the data are processed;


        (f) the data shall be processed in a manner that ensures appropriate security of the data,


        including, by the implementation of appropriate technical or organisational measures,

        protection against—


                (i) unauthorised or unlawful processing, and




                (ii) accidental loss, destruction or damage.


(2) The processing of personal data shall be lawful where, and to the extent that—


        (a) the processing is necessary for the performance of a function of a controller for a

        purpose specified in section 70(1)(a) and the function has a legal basis in the law of the

        European Union or the law of the State, or


        (b) the data subject has, subject to subsection (3), given his or her consent to the


processing.


(3) Where the processing of personal data is to be carried out on the basis of the consent of the

data subject referred to in subsection (2)(b), the processing shall be lawful only where, and to

the extent that—


        (a) having been informed of the intended purpose of the processing and the identity of

        the controller, the data subject gives his or her consent freely and explicitly,


        (b) the request for consent is expressed in clear and plain language, and where such


        consent is given in the context of a written statement that also concerns other matters,

        the request for consent is presented to the data subject in a manner that is clearly

        distinguishable from those other matters, and


        (c) the data subject may withdraw his or her consent at any time, and he or she shall be


        informed of this possibility prior to giving consent.


(4) Where a data subject withdraws his or her consent to the processing of personal data

pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness of

processing based on that consent prior to the consent being withdrawn.







(5) Where a controller collects personal data for a purpose specified in section 70(1)(a), the

controller or another controller may process the data for a purpose so specified other than the


purpose for which the data were collected, in so far as—

        (a) the controller is authorised to process such personal data for such a purpose in


        accordance with the law of the European Union or the law of the State, and


        (b) the processing is necessary and proportionate to the purpose for which the data are

        being processed.


(6) A controller may process personal data, whether the data were collected by the controller

or another controller, for—


        (a) archiving purposes in the public interest,


        (b) scientific or historical research purposes, or


        (c) statistical purposes,


                provided that the said processing—


                (i) is for a purpose specified in section 70(1)(a), and


                (ii) is subject to appropriate safeguards for the rights and freedoms of data

        subjects.


(7) A controller shall ensure, in relation to personal data for which it is responsible, that an


appropriate time limit is established for—


        (a) the erasure of the data, or


        (b) the carrying out of periodic reviews of the need for the retention of the data.

(8) Where a time limit is established in accordance with subsection (7), the controller shall


ensure, by means of procedural measures, that the time limit is observed.

(9) A processor, or any person acting under the authority of the controller or of the processor

who has access to personal data, shall not process the data unless the processor or person is—


        (a) authorised to do so by the controller, or


        (b) required to do so by the law of the European Union or the law of the State,


        and then only to the extent so authorised or required, as the case may be.


(10) A controller shall ensure that it is in a position to demonstrate that the processing of

personal data for which it is responsible is in compliance with subsections (1) to (8) of this


section.


Section 117: Judicial remedy for infringement of relevant enactment


(1) Subject to subsection (9), and without prejudice to any other remedy available to him or

her, including his or her right to lodge a complaint, a data subject may, where he or she

considers that his or her rights under a relevant enactment have been infringed as a result of

the processing of his or her personal data in a manner that fails to comply with a relevant


enactment, bring an action (in this section referred to as a “data protection action”) against the

controller or processor concerned.


(2) A data protection action shall be deemed, for the purposes of every enactment and rule of

law, to be an action founded on tort.


(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court,


have jurisdiction to hear and determine data protection actions.


(4) The court hearing a data protection action shall have the power to grant to the plaintiff one

or more than one of the following reliefs:


        (a) relief by way of injunction or declaration; or



        (b) compensation for damage suffered by the plaintiff as a result of the infringement of

        a relevant enactment.


(5) The compensation recoverable in a data protection action in the Circuit Court shall not

exceed the amount standing prescribed, for the time being by law, as the limit of that court’s


jurisdiction in tort.


(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the

judge of any circuit in which—


        (a) the controller or processor against whom the data protection action is taken has an

        establishment, or


        (b) the data subject has his or her habitual residence.


(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body,

organisation or association to which Article 80(1) applies that has been mandated by the data


subject to do so.


(8) The court hearing a data protection action brought by a not-for-profit body, organisation or

association under subsection (7) shall have the power to grant to the data subject on whose

behalf the action is being brought one or more of the following reliefs:


        (a) relief by way of injunction or declaration; or


        (b) compensation for damage suffered by the plaintiff as a result of the infringement of


        the relevant enactment.


(9) A data subject may not bring a data protection action against a controller or processor that

is a public authority of another Member State acting in the exercise of its public powers.






(10) In this section—


        “damage” includes material and non-material damage;


        “injunction” means—


               (a) an interim injunction,


               (b) an interlocutory injunction, or


               (c) an injunction of indefinite duration.


2.3     Article 29 Working Party (Art. 29 WP)


Article 29 Working Party (Art. 29 WP) was the independent European working party that dealt

with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into

application of the General Data Protection Regulation (GDPR)) when it was replaced by the


European Data Protection Board (EDPB). During its first plenary meeting the EDPB endorsed

the GDPR related Article 29 Working Party Guidelines.


3. Recent Case Law


3.1     The recent decision from the Court of Justice of the European Union (CJEU), UI v

Österreichische Post (the “Österreichische Post decision”) Case C-300/21, was brought to the

court’s attention and will be discussed later in this judgment.


4. Facts


4.1     The Plaintiff is an employee of the Defendant, having been first employed in March


2009. In October 2015, the Plaintiff was promoted to Goods Inwards Line Lead and entered

into a new contract of employment with the Defendant. In March 2019, the Plaintiff was an

acting supervisor of 20 employees.





4.2     In March 2019, CCTV footage was shown to employees of the Defendant as part of a

meeting between the Quality Control Manager and several managers and supervisors. The


purpose of the meeting, according to the Defendant, was to address instances of poor food

safety practice and to highlight food quality and safety issues that needed to be addressed for

the purpose of identifying corrective actions.


4.3     Several clips involving poor food quality and safety practices were shown by the

Quality Control manager to the managers and supervisors present at the meeting. The


Defendant appeared in one of the clips of CCTV footage which was shown. The meeting

discussed the issues of poor food safety practice. It was not solely focused on the incident

involving the Plaintiff. Specifically, the clip of the Plaintiff was used to identify an issue with


persons moving directly from the low care area of the factory, where unprepared food is

maintained, to the high care area where prepared food is dealt with. This, the Defendant

submits, is not permittable due to the dangers of food contamination, which would be

consumed by members of the public.


4.4     The meeting did not identify specific individuals by name or deal with the actions of


specific individuals. The Defendant’s original defence denied that the Plaintiff was identifiable,

and therefore denied that the CCTV constituted personal data. This claim was based on the fact

that the Plaintiff was wearing protective wear on his face.


4.5     The Plaintiff’s submission is that he has always been identifiable. He further submitted


that his entire face was not obscured. He has a distinctive physical presence and movements

and is one of a limited pool of people who was working in the area concerned. The audio on

the file contains two voices and provides: “Who’s this? Who’s that? …. it’s Arkadiusz, one of

our supervisors.”






4.6     Accordingly, during this court hearing it was conceded by the Defendant that the

Plaintiff was in fact identifiable. The Plaintiff submitted a considerable portion of the pretrial


submission and the hearing was unnecessarily taken up with this issue. He also submitted that

even when it was conceded it was stated it was just a meeting, to which the Defendant referred

to as a “huddle meeting” and “toolbox talk”. In the course of cross examination by the

Plaintiff’s counsel of Mr. O’Neill for the Defendant the following exchange took place which


best describes how the Defendant saw the issue:


        “Q: You heard his evidence. So you’re unaware of any black marks and you spoke of

        glowing terms about my client. I put it to you: this was a black mark against my client.

        This was a black mark showing him being held up as somebody engaged in a serious


        food safety issue?

        A: Well, I don’t accept that. Fundamentally I don’t accept that it was a black mark


        because we’re a large business, we’re dealing with a large number of employees, we’re

        dealing with multiple incidents week in, week out, and if we were to go round carrying

        black marks around in our back pocket like that, we would never be able to run our


        business successfully. They’re what we call learning incidents. We would prefer to see

        them as learning incidents rather than disciplinary incidents where we can [i.e. where

        possible]. Let’s learn what we can from this, let’s correct, let’s put in a proper control


        or a better control and be better in what we do in future.”


4.7     The Plaintiff was not present at the meeting of supervisors and managers. It took place

at the beginning of the morning shift. On that date, the Plaintiff was rostered on the night shift.

However, the Plaintiff was informed about the CCTV clip after the meeting by other

employees. Furthermore, for two weeks after the incident, the CCTV was stored on a


communal work computer, without password protection. While this created a significant risk,



it does not appear that the CCTV was in fact accessed by any unauthorised persons and no

allegation of unlawful processing is made in that regard.


4.8     The Plaintiff’s version of the impact of the meeting on him was stated in evidence as

follows:


        “In my opinion I was laughed at. I was more stressed at work because of it. I wasn’t so


        glad to go to work every morning. I was so limited, all our social meetings with my

        colleagues from work. I felt humiliated and I felt I was being mocked. I – for a while I

        had problems with my sleep. I don’t – I’m not sure if it was connected with the stress


        but I suppose so.”


4.9     The Plaintiff did not face any disciplinary consequences over the incident. His

complaint in these proceedings relates to the alleged further processing of the CCTV footage

as part of the meeting of supervisors and managers, and that the use of the CCTV footage in

which he was identifiable amounts to an unlawful processing of his data in breach of the 2018


Act and/or GDPR. The Plaintiff alleges that as a result he suffered damage and distress in the

form of anxiety and embarrassment, due to the remarks made by work colleagues on foot of

the alleged data breach.


4.10    The Plaintiff complained to the Data Protection Commission (“the DPC”) about the


incident. However, as the complaint was not assigned to a complaint handler due to a backlog

of complaints, the Plaintiff submits that he did not wish to delay this case further by awaiting

the DPC’s outcome, hence the matter appeared before the Circuit Court de novo pursuant to

section 117 of the 2018 Act.


5. The Plaintiff’s Submission on the Data Protection Policies


5.1     Four documents were discovered, in this regard the Plaintiff submits that four different


policies with different purposes were said to have been in place. He also opines that the

preponderance of the Defendant’s policy documentation is completely silent about the use of

CCTV for training, and that this confusion was continued at the hearing regarding the data


protection policies actually relied upon.

5.2     The Plaintiff outlines its argument as follows:


        (a) The Data Protection Policy of May 2018 (“the 2018 policy”) has one section on


        CCTV. It provides:


               “Closed circuit monitoring


               Country Crest Group has closed circuit television cameras located at various

               identifiable and visible locations throughout the site. CCTV is used for Health

               and Safety, Food Quality & Safety and general hazard identification purposes.


               This is necessary for the security and safety of staff and Group property and in

               order to protect against loss or damage.


               Access to the recorded material will be strictly limited to authorised personnel.


               Images may be used for training, quality and accident prevention purposes.”


        (b) The CCTV Notification Memo of 5 September 2016 (“the 2016 memo”) states

           CCTV cameras are operated “throughout the group premises and site”, in order to

           “comply with certain safety requirements”. It goes on to state that the recordings


           are “periodically reviewed” for the following purposes:


               “Health and Safety within the Workplace


               Food Safety and Quality

               General Site Security”

        (c) The CCTV Notification Memo of 20 July 2014 (“the 2014 memo”) states that


           CCTV is operated to comply with “certain business requirements”. It states:



               “These CCTV recordings are for the following purposes:-


               Health and Safety within the workplace


               General Group Security”


        (d) The Site Security Procedure Document from March 2011 (“the 2011 document”)

           states its purpose is the prevention of access by unauthorised persons to production

           and storage areas. One of the methods is: “Site security men are present out of hours


           along with CCTV cover 24 hours”.


5.3     Therefore, according to the Plaintiff, the 2018 policy is the only one which contains a

reference to the use of images for training, but the Plaintiff submits that it was not relied upon

and references the evidence furnished to the court in respect of the 2016 memo and the 2011


document.

5.4     The Plaintiff further submits that Ms. Meus (employee of the Defendant) gave evidence


that she devised the training in question. Mr. O’Neill confirmed that she alone was responsible

for the training. She gave evidence the data protection policies she relied on were the 2016

memo and the 2011 document. She was clear that she was not relying on the 2018 policy. The


2018 policy is the only policy which contains a reference to the use of images for training. This

is the policy relied on in the Defendant’s defence. Furthermore, it is the policy relied on in the

Defendant’s first set of submissions.


5.5     Considering the evidence actually provided at hearing, all reliance by the Defendant on


the 2018 policy and the one reference contained therein to “training” should, according to the

Plaintiff, be disregarded.








6. Defendant’s Submissions


6.1     The Defendant denies any breach of the 2018 Act or GDPR. It states that as required

under data protection legislation the Defendant had in place a data protection policy which was

provided to all employees of the Defendant. The relevant data protection policy which was


applicable at the time of the Plaintiff’s claim was dated May 2018. This policy included the

same stated purposes for collection as the Data Protection Memorandum issued to all staff in

2016. The policy states that the 2018 Act and GDPR apply to the processing of personal data.


The policy forms part of the staff handbook which is provided to all employees.


6.2     The Defendant also submits that no damage has been identified by the Plaintiff in

respect of this allegation, as a result it cannot form the basis for a claim under section 117 of

the 2018 Act.


6.3     In respect of the alleged breaches of the 2018 Act and/or GDPR, the Plaintiff alleges

that he suffered damage and distress, which is limited to a claim for non-material damage. The


Defendant states that the height of the Plaintiff’s non-material damage claim is that he

experienced “upset, anxiety and embarrassment”.


6.4     In legal submissions the Defendant also claims that there was legitimate interest in

processing the data.


7. Court’s consideration of the law


7.1     Article 82(1) of the General Data Protection Regulation (GDPR) provides that any


person who has suffered material or non-material damage as a result of an infringement of the

Regulation shall have the right to receive compensation from the controller or processor for the

damage suffered. As a consequence, compliance with the GDPR is publicly enforced e.g. with

fines, and private enforcement is enforced with damages, of course there are other remedies




such as injunctions for ongoing breaches, but we are not concerned with that issue in this case,

as the breaches alleged here are not ongoing.


7.2     Article 82(1) is therefore a critical part of understanding the enforcement process of the

GDPR and for this case it is at the core of understanding the basis for the private enforcement


of data protection rights. In this respect one of the many challenges is to find a way to evaluate

the concept of non-pecuniary loss. Unfortunately, there appears at present to be some

uncertainty in understanding how compensation for non-material loss should be calculated in


Ireland. There are a number of preliminary references pending before the Court of Justice of

the European Union (the “CJEU”).


7.3     The wording of Article 82(1) at first sight appears clear in that it appears to provide a

basis for a compensation claim. However on closer examination, Article 82(1) does not actually

state that a person who suffers a breach has a right to compensation, it states the person shall


have the right [italics added]. In other words, it is a contingent right. However, against that, the

whole thrust of GDPR is that once rights have been infringed there is a right to an effective

remedy pursuant to Article 47 of the Charter of Fundamental Rights (CFR).


7.4     In addition, while “non-material damage” is not defined in the GDPR, the recitals are


informative, although not binding. Recital 146 of the GDPR provides that the “concept of

damage should be broadly interpreted” and that data subjects should receive “full and effective

compensation for the damage they have suffered”.


7.5      Recital 85 of the GDPR provides that where a personal data breach is not addressed

in an appropriate or timely manner, it may result in “physical, material or non-material damage


to natural persons” in circumstances where the natural person has “suffered a loss of control

over their personal data or limitation of their rights, discrimination, identity theft or fraud,





financial loss…damage to reputation, loss of confidentiality of personal data or any other

significant economic or social disadvantage.”


7.6     Section 117 of the Data Protection Act 2018 is the relevant provision outlining the

parameters of judicial remedy for infringements of the Act. It provides that:


        “without prejudice to any other remedy, including the right to lodge a complaint, a data


        subject may bring a data protection action against a controller or processor where his

        or her rights under a relevant enactment have been infringed as a result of the

        processing of his or her personal data in a manner that fails to comply with a relevant


        enactment”


7.7     It is anticipated the CJEU will further clarify the law and that the legislature and/or the

Superior Courts will give guidance on how this provision is to be applied. In this case the court

has not been requested to stay proceedings pending the determination of the preliminary

references before the CJEU or to state a case to the Court of Appeal. This is perfectly


understandable as the parties would like their case disposed of as quickly and efficiently as

possible, and in view of the UI v Österreichische Post case discussed below.


8. UI v Österreichische Post (Case C-300/21) Decision


8.1     UI v Österreichische Post (Case C-300/21) was referred to the CJEU by the Austrian

Supreme Court on the interpretation of Article 82. In this case, the Defendant sold personal


data as a profile publisher for third party marketing purposes. The Defendant collected

information via an algorithm including details regarding the political affinity of the claimant.

The algorithm defined the target group’s profile according to socio-demographic

characteristics. No consent was given by the claimant to the processing and storing of data. The


claimant argued that the political affinity attributed to him was insulting and shameful and

made a claim for non-material damage under Article 82.


8.2    The Austrian Supreme Court referred three questions to the CJEU for a preliminary

ruling:


       1. Is the mere breach of provisions of the GDPR, in and of itself, sufficient for the award

       of damage?


       2. In addition to the principles of effectiveness and equivalence, does EU law impose


       further requirements that national courts must observe when assessing damages under

       Article 82?


       3. Does non-material damage require an impairment (or other consequence of the

       infringement of at least some weight) that goes beyond the annoyance caused by the


       infringement


8.3    The Advocate General opined that there should be no right to compensation for a mere

infringement of the GDPR. And that compensation should not be available for “mere

annoyance or upset”.


8.4    The decision of the CJEU is as follows:


       1. The CJEU ruled that the GDPR must be interpreted as meaning that the mere

       infringement of the provisions of the GDPR is not sufficient to confer a right to


       compensation. In other words, there is no automatic right to compensation once an

       infringement is proven.


       2. The CJEU ruled that the GDPR must be interpreted as precluding a national rule or

       practice which makes compensation for non-material damage subject to the condition

       that the damage suffered by the data subject has reached a certain degree of seriousness.


       In other words, a de minimis threshold cannot be imposed.





        3. Finally, the CJEU ruled that the amount of damages payable under the right to

        compensation is to be determined by the national court applying the domestic rules of


        each Member State, provided that the principles of equivalence and effectiveness of EU

        law are complied with.


9. Case Law from other Jurisdictions


9.1     In Lloyd v. Google LLC [2021] UKSC 50, the UK Supreme Court reversed the decision

of the UK Court of Appeal in Lloyd v. Google LLC [2019] EWCA Civ 1599, and unanimously

dismissed Lloyd’s representative action brought against Google. In brief summary, the UK


Supreme Court confirmed that a claim for damages for the unlawful processing of data under

the English Data Protection Act 1998 can only be made if the data subject has suffered some

form of material damage (such as financial loss) or mental distress. The damage could not be

the unlawful processing itself.


9.2     Mr Lloyd, a former director of Which?, brought a representative action against Google


using the procedure set out in Civil Procedure Rule (“CPR”) in England. Mr Lloyd’s claim was

funded by a third-party litigation funder. The claim alleged that between August 2011 and

February 2012, Google breached its duties as a data controller to over 4 million Apple iPhone


users resident in England and Wales. Mr Lloyd claimed that Google used a browser cookie

which could be activated on certain mobile phones without users’ knowledge or consent when

they visited certain websites (described as the ‘Safari Workaround’). Google allegedly used the


cookie to collect information about customers’ browser activity, which in turn enabled Google

to distribute targeted advertising to those users, generating significant profits for the company.


9.3     Mr Lloyd relied on Section 13 (1) of the Data Protection Act 1998 [DPA 1998] to bring

his claim. Section 13 of the DPA 1998 reads as follows:


        “Compensation for failure to comply with certain requirements.


               (1) An individual who suffers damage by reason of any contravention by a data

               controller of any of the requirements of this Act is entitled to compensation from


               the data controller for that damage.

               (2) An individual who suffers distress by reason of any contravention by a data


               controller of any of the requirements of this Act is entitled to compensation from

               the data controller for that distress if—


                       (a) the individual also suffers damage by reason of the contravention,

               or


                       (b) the contravention relates to the processing of personal data for the


                       special purposes.


               (3) In proceedings brought against a person by virtue of this section it is a

               defence to prove that he had taken such care as in all the circumstances was

               reasonably required to comply with the requirement concerned.”


9.4     A representative action procedure in CPR allows an action to proceed on an “opt-out”

basis, meaning that individual class members do not need to elect to join the claim. The class


members and representative must share the “same interest” in the claim. If that test is satisfied,

then the court will use its discretion in deciding whether a claim that meets the test should be

permitted to proceed. A judgment will bind all class members unless the court orders otherwise.


9.5     Mr Lloyd argued that the “same interest” requirement was satisfied as all members of


the class could claim damages for “loss of control” and no proof of any further damage or

distress was required. Damages were framed on the basis of an equal, standard “tariff” award,

without the need for the individual assessment of loss.


9.6     Specifically, Mr Lloyd contended the following in his claim for damages:



    •  The word “damage” in section 13(1) of the DPA 1998 not only extends beyond material

       damage to include distress, which was established in Vidal-Hall v. Google Inc [2016]


       QB 1003, but also includes non-trivial breaches of the DPA 1998, namely for “loss of

       control” of data.

    •  The principles in the case Gulati v. MGN [2015] EWHC 1482 (CH), which were


       applicable to the assessment of damages in the tort of misuse of private information

       should also apply to section 13(1) of the DPA 1998, as both claims have a “common

       source” (in seeking to protect the right to privacy guaranteed by Article 8 of the ECHR).

       Gulati v MGN established that claimants could be compensated for misuse of their


       private information itself because they were deprived of “their right to control [its]

       use”.


9.7    The UK Supreme Court [per Lord Leggatt] (with whom Lord Reed, Lady Arden, Lord

Sales and Lord Burrows agreed) rejected these arguments. It found that it is not enough to


simply prove a breach in order to recover compensation under section 13 of the DPA 1998. It

held that on a proper interpretation, the term “damage” in section 13 refers to material damage

(such as financial loss) or mental distress. This damage must be distinct from, and caused by,

unlawful processing of personal data in contravention of the DPA 1998. It cannot be the


unlawful processing itself. The UK Supreme Court also confirmed that even if Mr Lloyd could

pursue a claim for damages based on “loss of control”, his proposed lowest common

denominator approach could not be used as it would still be necessary to establish the extent


of the unlawful processing in each individual case to ensure that a “de minimis” threshold was

met.









9.8     Per Lord Leggatt at paragraph 153:


    “On the claimant’s own case there is a threshold of seriousness which must be crossed

    before a breach of the DPA 1998 will give rise to an entitlement to compensation under

    section 13. I cannot see that the facts which the claimant aims to prove in each individual


    case are sufficient to surmount this threshold. If (contrary to the conclusion I have reached)

    those facts disclose “damage” within the meaning of section 13 at all, I think it impossible

    to characterise such damage as more than trivial. What gives the appearance of substance


    to the claim is the allegation that Google secretly tracked the internet activity of millions

    of Apple iPhone users for several months and used the data obtained for commercial

    purposes. But on analysis the claimant is seeking to recover damages without attempting


    to prove that this allegation is true in the case of any individual for whom damages are

    claimed. Without proof of some unlawful processing of an individual’s personal data

    beyond the bare minimum required to bring them within the definition of the represented

    class, a claim on behalf of that individual has no prospect of meeting the threshold for an


    award of damage. I think it impossible to characterise such damage as more than trivial.

    What gives the appearance of substance to the claim is the allegation that Google secretly

    tracked the internet activity of millions of Apple iPhone users for several months and used


    the data obtained for commercial purposes. But on analysis the claimant is seeking to

    recover damages without attempting to prove that this allegation is true in the case of any

    individual for whom damages are claimed. Without proof of some unlawful processing of

    an individual’s personal data beyond the bare minimum required to bring them within the


    definition of the represented class, a claim on behalf of that individual has no prospect of

    meeting the threshold for an award of damages.”


9.9     In Rolfe & Others v. Veale Wasbrough Vizards LLP [2021] EWHC (QB) the English

High Court held that there is a de minimis threshold implicit in English case law which


claimants have to show has been exceeded before they can seek damages for actual loss or

distress. In Johnson v. East light Community Homes Ltd [2021] EWHC 3069 (QB), the English


High Court also ruled that the de minimis concept applies to claims taken under the GDPR and

the UK Data Protection Act 2018.


10. Irish Case Law


10.1   In Ireland in the decision of Collins v. FBD Insurance plc [2013] IEHC 137, Feeney J

noted that no right to compensation for non-material damage (referred to as non-pecuniary

damage) existed. However, it is important to caveat that this case predates the implementation


of the GDPR.


10.2   In Shawl Property Investments Ltd v. A. & B. [2021] IECA 53, the Court of Appeal

(Whelan J.) held that “nothing stated in s. 117 or indeed the Act itself suggests that a data

protection action is a tort of strict liability.”


11. Relevant Factors in Ascertaining Damages for Non-Material Loss


11.1   Applying the law in this case, and in particular following the decision of UI v

Österreichische Post, this court outlines below some of the relevant factors pertinent in


ascertaining damages for non-material loss. While this is suggested with some caution in the

absence of clarification from the Oireachtas, the Superior Courts and the outstanding

preliminary references pending before the CJEU, it does facilitate a mechanism for this court


to take a consistent approach to data breach claims for non-material loss.


11.2   Importantly it appears from UI v Österreichische Post and in a departure from the

Opinion of the Advocate General, the CJEU determined that there is no de minimis

standard of loss to be suffered for an individual to recover compensation. Damages are to be

interpreted broadly “and it would be contrary to that broad conception of damages favoured by




the EU legislature, if that concept were limited solely to damage of a certain degree of

seriousness.”


11.3   Privacy is a human right and personal information is a key aspect of this right. It is self-

evident that some data breaches may have no impact or only a minor impact on affected


individuals, other data breaches can have serious consequences. By way of example only, an

unintended disclosure of an employee’s home address in a small organisation to employees

where the address is already known would be a minor breach. A disclosure of the personal


address of a person in a witness protection programme would be a major breach. Many cases

fall in between these two extremes.


11.4   In addition, processing of personal data is only lawful where it is demonstrated to have

a ‘legal basis’. Article 6 of the GDPR sets out what the potential legal bases are, namely:

consent; contract; legal obligation; vital interests; public task; or legitimate interests.


11.5   To comply with Article 6(1)(f) of the GDPR the processing must be lawful and


necessary to achieve its aim. Therefore, a court will enquire if the processing was lawful. The

best way to achieve this is to demonstrate if a legitimate interest assessment was carried out. It

is also necessary to balance the processor’s legitimate interests against the individual’s


interests, rights and freedoms.


11.6   In assessing damages for non-material loss the following factors are proffered:


       •   A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an

           award of compensation.

       •   There is not a minimum threshold of seriousness required for a claim for non-


           material damage to exist. However, compensation for non-material damage does

           not cover “mere upset”.

       •   There must be a link between the data infringement and the damages claimed.


•   If the damage is non-material, it must be genuine, and not speculative.

•   Damages must be proved. Supporting evidence is strongly desirable. Therefore, for


    example in a claim for damages for distress and anxiety, independent evidence is

    desirable such as for example a psychologist report or medical evidence.

•   Data policies should be clear and transparent and accessible by all parties affected.


•   Employers should ensure their employee privacy notices and CCTV policies are

    clear to employees [Cormac Doolin v. The Data Protection Commissioner and Our

    Lady’s Hospice and Care Services [2020] IEHC 90; [2022] IECA 117 and McVann


    -v- Data Protection Commissioner [2023] IECC 3]

•   Where a data breach occurs, it may be necessary to ascertain what steps were taken

    by the relevant parties to minimise the risk of harm from the data breach.


•   An apology where appropriate may be considered in mitigation of damages. For

    example, it may reassure the affected individual that their employment is safe and

    not at risk.


•   Delay in dealing with a data breach by either party is a relevant factor in assessing

    damages.

•   A claim for legal costs may be affected by these factors.


•   Even where non-material damage can be proved and is also not trivial, damages in

    many cases will probably be modest. In the absence of other guidelines, from the

    Oireachtas or the Superior Courts and/or the Judicial Council, the court has taken

    cognisance of the factors as outlined in the Judicial Council Personal Injuries


    Guidelines 2021 in respect of the category of minor psychiatric damages as

    instructive guidance, though noting in some cases non-material damage could be

    valued below €500.





11.7    Although not argued before this court, it is proffered that an independent adjudicative

or conciliation resolution process would be a suitable alternative dispute pathway to resolve


data breach assessments. Indeed, since this case was heard the court takes note of the judgment

of His Honour Judge Simon McAleese in the case of Siobhan Keane v. Central Statistics Office

delivered orally at Waterford Circuit Court on the 30 June 2023. McAleese J held that a breach


of privacy is essentially a tort which derives from breach of a constitutional right. The learned

judge also held in that case, the Plaintiff’s claim was a civil action by virtue of the definition

contained in the Personal Injuries Assessment Board Act 2003 [now Personal Injuries


Assessment Board Acts 2003 to 2022] [collectively “the 2003 Act”]. The principal remedy

sought in that case was damages for personal injuries and the learned judge held that the action

was bound to fail in respect of personal injuries, thus “restricting the Plaintiff’s claim to such


damages, if any, as might be awardable for the truly limited (in so far as it concerns the

Plaintiff) and accidental data breach which occurred in this case”. The court in that case also

expressed no view upon such defences as might be available to the Defendant or whether the


defence will prevail if what remains of the matter for trial. The significance of this judgment is

important for potential future actions concerning data breaches and claims for damages.


11.8    In Clarke v O’Gorman [2014] IESC 72, O’Donnell J (as he then was) held that section

12 of the 2003 Act, which provides a bar on bringing proceedings unless certain conditions are


satisfied, does not operate to deprive the court of jurisdiction in the event of non-compliance

with its provisions. Such non-compliance may be invoked by the defendant in its defence and

used as a shield. However, as in Clarke v O’Gorman, PIAB was not invoked by the defendant


in this case, and this is understandable as the data breach in this case was strongly denied.









12. Application of the law to the facts


12.1    The Plaintiff was identifiable, and this is now accepted by both parties. However, it was

only accepted by the Defendant at the trial.


12.2    Clarity in relation to data protection policies is a core principle of GDPR and the 2018

Act. However, in this case there was a lack of clarity and transparency in relation to the


Defendant’s data protection policies. This is due to the four policies outlined at paragraph 5.2.

In addition, the Defendant’s witness evidence at the trial confirmed this confusion.


12.3    The Plaintiff’s first language is Polish, but he was expected to navigate what was the

actual policy from the four documents provided to him in English. The principle of lawfulness,


fairness, and transparency is of particular relevance to the question of legal basis. It is noted

that the Defendant has updated its policies now and they are available in the various first languages

of its employees. This is commendable.


12.4    The Plaintiff’s implied consent to processing the data for training was at best unclear

and this should be construed against the Plaintiff’s employer. It was the Defendant employer


who set out the four data policies. Consent is not the only basis by which the collection of data

will be lawful and various other legal bases are set out in Article 6 of GDPR. However, it is

also of note that the Defendant did not plead a legal basis for the processing, though in legal


submissions later it claimed it was operating on foot of a legitimate interest. However, a

legitimate interest assessment was not carried out to identify what the legitimate interest was

or to show if the processing was necessary to achieve it. It is clear even if a legitimate interest

was considered, notwithstanding the lack of assessment, it was not considered against the


Plaintiff’s interests, rights, and freedom.


12.5    The court is therefore satisfied:


    •   That there was an infringement of the Plaintiff’s rights under the GDPR,

    •   There was non-material damage resulting from that infringement and

    •   There is a causal link between the damage and the infringement.


12.6    The damage in this case resulted in some slagging by employees culminating on the


Plaintiff’s own evidence in some serious embarrassment and sleep loss. It is important to note

the Plaintiff was in a supervisory role at the time of the incident, though there is no claim for

any loss of employment. The Plaintiff was not present at the meeting of supervisors and

managers, and he did not know his image would be used in the meeting. The court is satisfied


the Defendant originally believed that the Plaintiff was not in fact identified, though this was

rightly conceded during the trial once the evidence became clear. However, the Plaintiff was

informed about the CCTV clip after the meeting by other employees.


12.7    Furthermore, for two weeks after the incident, the CCTV was stored on a communal


work computer, without password protection. While this created a significant risk it does not

appear that the CCTV was in fact accessed by any unauthorised persons.


12.8    The court accepts that the Plaintiff’s loss, bearing in mind his supervisory position in

the company and his own background already described, went beyond mere upset and created

an emotional experience and negative emotions of insecurity which did affect him for a short


period of time. While this is not backed up by a medical report, it is noteworthy that the Plaintiff

who was subject to examination and cross examination was viewed by the court as a truthful

and conscientious witness who did not exaggerate the effect of the data breach on him. It is


admirable that his employer has addressed the issues in relation to the data policies and the use

of CCTV for training in the workplace, and the data breach has not had any long-term effect

on the Plaintiff or his employment.


12.9    The court is of the opinion that the appropriate award for non-material damages in this


case is two thousand euros.

