Circuit Court - 2019/04546
From GDPRhub
| Circuit Court - 2019/04546 | |
|---|---|
 | |
| Court: | Circuit Court (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 5(1)(a) GDPR Article 6 GDPR Article 82 GDPR |
| Decided: | 11.07.2023 |
| Published: | 12.07.2023 |
| Parties: | |
| National Case Number/Name: | 2019/04546 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | Circuit Court (in Spanish) |
| Initial Contributor: | Bernardo Armentano |
Notwithstanding the CJEU's decision on Case C-300/21, an Irish Court held that compensation for non-material damage does not cover “mere upset”. However, in the specific case, it found that the loss went beyond that and imposed a compensation of €2,000.
English Summary
Facts
The data subject was an employee of the company Ballymaguire Foods, the controller, and was responsible for supervising other 20 employees.
During a meeting in March 2019, the Quality Control Manager showed CCTV footages to several managers and supervisors as an instance of poor food safety practice for the purpose of identifying corrective actions. While the data subject was not present in the meeting, they were informed about it by other employees.
The data subject initially filed a complaint with the Irish DPA, but was not assigned to a complaint handler due to a backlog of complaints. Then, they filed a lawsuit before the Circuit Court, pursuant to section 117 of the 2018 Irish Data Protection Act.
In addition to claiming that the further processing of the CCTV footage was illegal, the data subject requested compensation for non-material damages on the grounds that they felt humiliated and more stressed at work after the incident.
In response, the controller argued that employees were aware of the purposes of the CCTV system as informed in its privacy policy. In addition, it maintained that there was a legitimate interest in the use of the images and classified the alleged damages as mere "upset, anxiety and embarrassment".
Holding
First, the Court found that the controller had failed in its duty of transparency as it had four different privacy policies in place, none of which were in the native language of the data subject. In addition, the Court highlighted that the controller cannot rely on legitimate interest without first carrying out an assessment of that interest in relation to the rights and freedoms of the data subject. For these reasons, it held that there was a violation of the data subject’s rights under the GDPR.
Second, the Court referred to the decision rendered by the CJEU in the the UI v Österreichische Post case (Case C-300/21), in which it ruled that while there is no automatic right to compensation once an infringement is proven, a de minimis threshold (degree of seriousnss) cannot be imposed.
Third, it went on to outline some relevant factors to ascertain damages for non-material loss. According to the Court:
- A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation;
- There is not a minimum threshold of seriousness required for a claim for non- material damage to exist. However, compensation for non-material damage does not cover “mere upset”;
- There must be a link between the data infringement and the damages claimed;
- If the damage is non-material, it must be genuine, and not speculative;
- Damages must be proved. Supporting evidence is strongly desirable. Therefore, for example in a claim for damages for distress and anxiety, independent evidence is desirable such as for example a psychologist report or medical evidence;
- Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach;
- An apology where appropriate may be considered in mitigation of damages;
- Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, it has taken cognisance of the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.
Then, the Court found that there was non-material damage resulting form the infringement and that there was a causal link between this damage and the infringement. It recalled that the data subject was in a supervisory role at the time of the incident and pointed out that the damage resulted in some slagging by employees culminating on the data subject’s own evidence in some serious embarrassment and sleep loss.
For these reasons, it concluded that the damages went beyond mere upset and created an emotional experience and negative emotions of insecurity which did affect the data subject for a short period of time. While this was not backed up by a medical report, the Court highlighted that the data subject was subject to examination and cross examination and was viewed as a truthful and conscientious witness who did not exaggerate the effect of the data breach on them.
Based on the above, the Court awarded a compensation of €2,000 for non-material damages.
Comment
Simillarly, a German court recently held that “mere annoyance” and “emotional discomfort” are not sufficient to substantiate a claim for damages (LG Köln - 28 O 138/22).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
THE CIRCUIT COURT [2023] IECC 5
AN CHÚIRT CHUARDA
DUBLIN CIRCUIT COUNTY OF THE CITY
OF DUBLIN
Record No. 2019/04546
Between:
ARKADIUSZ KAMINSKI
PLAINTIFF
AND
BALLYMAGUIRE FOODS LIMITED
DEFENDANT
Judgment of His Honour Judge John O’Connor delivered on the 11th day of July, 2023
1. Introduction
1.1 This case concerns proceedings brought by the Plaintiff pursuant to the provisions of
section117oftheDataProtectionAct2018(“the2018Act”)allegingabreachoftheprovisions
of the 2018 Act and/or the General Data Protection Regulation (“GDPR”) on the part of the
Defendant. The Plaintiff seeks damages against the Defendant.
1.2 The Defendant denies any breach of the 2018 Act or GDPR occurred in this case. They
submitthattheprocessingofthePlaintiff’sdataoccurredinaccordancewith thedataprotection
policy of the Defendant, which had been previously provided to the Plaintiff. In the alternative
the Defendant submits that even if the court determines that the processing of the Plaintiff’s
data was in breach of the 2018 Act or the GDPR, then in such a case the Plaintiff is not entitled
to recover damages. This is because, in the Defendant’s submission, the non-material damage
claimed by the Plaintiff amounts to no more than mere “upset, anxiety and embarrassment”,
and therefore, compensation is not recoverable for such damages.
11.3 The questions for the court are as follows:
1. Was the use of the CCTV footage by the Defendant, in a demonstration of work
practice, a breach of the Plaintiff’s personal data, such as to constitute an unlawful
processing under the 2018 Act and GDPR?
2. If the answer to question 1 is yes, did the damage [in this case non-material damage]
go beyond mere upset or displeasure as a result of the infringement of the Plaintiff’s
personal data?
3. If the answer to question 2 is yes, what [if any] compensation is recoverable for such
damages, and how is same to be calculated?
2. Relevant Legislation
The following legislation was referred to:
2.1 General Data Protection Regulation (GDPR)
Articles 5.1: Principles relating to processing of personal data
Personal data shall be:
(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject
(‘lawfulness, fairness and transparency);
Article 6: Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following
applies
(a) the data subject has given consent to the processing of his or her personal data for
one or more specific purposes;
2 (b) processing is necessary for the performance of a contract to which the data subject
is party or in order to take steps at the request of the data subject prior to entering
into a contract.
(c) processing is necessary for compliance with a legal obligation to which the
controller is subject.
(d) processing is necessary in order to protect the vital interests of the data subject or
of another natural person.
(e) processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller.
(f) processing is necessary for the purposes of the legitimate interests pursued by the
controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require
protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities
in the performance of their tasks.
Article 82: Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an
infringement of this Regulation shall have the right to receive compensation from
the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by
processing which infringes this Regulation. A processor shall be liable for the
damage caused by processing only where it has not complied with obligations of
this Regulation specifically directed to processors or where it has acted outside or
contrary to lawful instructions of the controller.
3 3. A controller or processor shall be exempt from liability under paragraph 2 if it
proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor,
are involved in the same processing and where they are, under paragraphs 2 and 3,
responsible for any damage caused by processing, each controller or processor shall
be held liable for the entire damage in order to ensure effective compensation of the
data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full
compensation for the damage suffered, that controller or processor shall be entitled
to claim back from the other controllers or processors involved in the same
processing that part of the compensation corresponding to their part of
responsibilityforthedamage,in accordancewiththeconditionssetoutinparagraph
2.
6. Court proceedings for exercising the right to receive compensation shall be brought
beforethecourts competent underthelawoftheMemberStatereferredto in Article
79(2).
Article 79: Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including
the right to lodge a complaint with a supervisory authority pursuant to Article 77,
each data subject shall have the right to an effective judicial remedy where he or
she considers that his or her rights under this Regulation have been infringed as a
result of the processing of his or her personal data in non-compliance with this
Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of
the Member State where the controller or processor has an
4 establishment. Alternatively, such proceedings may be brought before the courts
of the Member State where the data subject has his or her habitual residence, unless
the controller or processor is a public authority of a Member State acting in the
exercise of its public powers.
2.2 The Data Protection Act 2018
Section 71: Processing of personal data
(1) A controller shall, as respects personal data for which it is responsible, comply with the
following provisions:
(a) the data shall be processed lawfully and fairly;
(b)thedatashallbecollectedforoneormorespecified,explicitandlegitimatepurposes
and shall not be processed in a manner that is incompatible with such purposes;
(c) the data shall be adequate, relevant and not excessive in relation to the purposes for
which they are processed;
(d) the data shall be accurate, and, where necessary, kept up to date, and every
reasonable step shall be taken to ensure that data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without delay;
(e) the data shall be kept in a form that permits the identification of a data subject for
no longer than is necessary for the purposes for which the data are processed;
(f) the data shall be processed in a manner that ensures appropriate security of the data,
including, by the implementation of appropriate technical or organisational measures,
protection against—
(i) unauthorised or unlawful processing, and
5 (ii) accidental loss, destruction or damage.
(2) The processing of personal data shall be lawful where, and to the extent that—
(a) the processing is necessary for the performance of a function of a controller for a
purpose specified in section 70(1)(a) and the function has a legal basis in the law of the
European Union or the law of the State, or
(b) the data subject has, subject to subsection (3), given his or her consent to the
processing.
(3) Where the processing of personal data is to be carried out on the basis of the consent of the
data subject referred to in subsection (2)(b), the processing shall be lawful only where, and to
the extent that—
(a) having been informed of the intended purpose of the processing and the identity of
the controller, the data subject gives his or her consent freely and explicitly,
(b) the request for consent is expressed in clear and plain language, and where such
consent is given in the context of a written statement that also concerns other matters,
the request for consent is presented to the data subject in a manner that is clearly
distinguishable from those other matters, and
(c) the data subject may withdraw his or her consent at any time, and he or she shall be
informed of this possibility prior to giving consent.
(4) Where a data subject withdraws his or her consent to the processing of personal data
pursuant to subsection (3)(c), the withdrawal of consent shall not affect the lawfulness of
processing based on that consent prior to the consent being withdrawn.
6(5) Where a controller collects personal data for a purpose specified in section 70(1)(a), the
controller or another controller may process the data for a purpose so specified other than the
purpose for which the data were collected, in so far as—
(a) the controller is authorised to process such personal data for such a purpose in
accordance with the law of the European Union or the law of the State, and
(b) the processing is necessary and proportionate to the purpose for which the data are
being processed.
(6) A controller may process personal data, whether the data were collected by the controller
or another controller, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes,
provided that the said processing—
(i) is for a purpose specified in section 70(1)(a), and
(ii) is subject to appropriate safeguards for the rights and freedoms of data
subjects.
(7) A controller shall ensure, in relation to personal data for which it is responsible, that an
appropriate time limit is established for—
(a) the erasure of the data, or
(b) the carrying out of periodic reviews of the need for the retention of the data.
(8) Where a time limit is established in accordance with subsection (7), the controller shall
ensure, by means of procedural measures, that the time limit is observed.
7(9) A processor, or any person acting under the authority of the controller or of the processor
who has access to personal data, shall not process the data unless the processor or person is—
(a) authorised to do so by the controller, or
(b) required to do so by the law of the European Union or the law of the State,
and then only to the extent so authorised or required, as the case may be.
(10) A controller shall ensure that it is in a position to demonstrate that the processing of
personal data for which it is responsible is in compliance with subsections (1) to (8) of this
section.
Section 117: Judicial remedy for infringement of relevant enactment
(1) Subject to subsection (9), and without prejudice to any other remedy available to him or
her, including his or her right to lodge a complaint, a data subject may, where he or she
considers that his or her rights under a relevant enactment have been infringed as a result of
the processing of his or her personal data in a manner that fails to comply with a relevant
enactment, bring an action (in this section referred to as a “data protection action”) against the
controller or processor concerned.
(2) A data protection action shall be deemed, for the purposes of every enactment and rule of
law, to be an action founded on tort.
(3)TheCircuitCourtshall,subjecttosubsections(5)and(6),concurrentlywiththeHighCourt,
have jurisdiction to hear and determine data protection actions.
(4) The court hearing a data protection action shall have the power to grant to the plaintiff one
or more than one of the following reliefs:
(a) relief by way of injunction or declaration; or
8 (b) compensation for damage suffered by the plaintiff as a result of the infringement of
a relevant enactment.
(5) The compensation recoverable in a data protection action in the Circuit Court shall not
exceed the amount standing prescribed, for the time being by law, as the limit of that court’s
jurisdiction in tort.
(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the
judge of any circuit in which—
(a) the controller or processor against whom the data protection action is taken has an
establishment, or
(b) the data subject has his or her habitual residence.
(7)A data protection action maybebrought onbehalfof a data subject by a not-for-profit body,
organisation or association to which Article 80(1) applies that has been mandated by the data
subject to do so.
(8) The court hearing a data protection action brought by a not-for-profit body, organisation or
association under subsection (7) shall have the power to grant to the data subject on whose
behalf the action is being brought one or more of the following reliefs:
(a) relief by way of injunction or declaration; or
(b) compensation for damage suffered by the plaintiff as a result of the infringement of
the relevant enactment.
(9) A data subject may not bring a data protection action against a controller or processor that
is a public authority of another Member State acting in the exercise of its public powers.
9(10) In this section—
“damage” includes material and non-material damage;
“injunction” means—
(a) an interim injunction,
(b) an interlocutory injunction, or
(c) an injunction of indefinite duration.
2.3 Article 29 Working Party (Art. 29 WP)
Article 29 Working Party (Art. 29 WP) was the independent European working party that dealt
with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into
application of the General Data Protection Regulation (GDPR)) when it was replaced by the
European Data Protection Board (EDPB). During its first plenary meeting the EDPB endorsed
the GDPR related Article 29 Working Party Guidelines.
3. Recent Case Law
3.1 The recent decision from the Court of Justice of the European Union (CJEU), UI v
Österreichische Post (the “Österreichische Post decision”) Case C-300/21, was brought to the
court’s attention and will be discussed later in this judgment.
4. Facts
4.1 The Plaintiff is an employee of the Defendant, having been first employed in March
2009. In October 2015, the Plaintiff was promoted to Goods Inwards Line Lead and entered
into a new contact of employment with the Defendant. In March 2019, the Plaintiff was an
acting supervisor of 20 employees.
104.2 In March 2019, CCTV footage was shown to employees of the Defendant as part of a
meeting between the Quality Control Manager and several managers and supervisors. The
purpose of the meeting, according to the Defendant, was to address instances of poor food
safety practice and to highlight food quality and safety issues that needed to be addressed for
the purpose of identifying corrective actions.
4.3 Several clips involving poor food quality and safety practices were shown by the
Quality Control manager to the managers and supervisors present at the meeting. The
Defendant appeared in one of the clips of CCTV footage which was shown. The meeting
discussed the issues of poor food safety practice. It was not solely focused on the incident
involving the Plaintiff. Specifically, the clip of the Plaintiff was used to identify an issue with
persons moving directly from the low care area of the factory, where unprepared food is
maintained, to the high care area where prepared food is dealt with. This, the Defendant
submits, is not permittable due to the dangers of food contamination, which would be
consumed by members of the public.
4.4 The meeting did not identify specific individuals by name or deal with the actions of
specificindividuals.The Defendant’soriginaldefencedeniedthatthePlaintiffwasidentifiable,
and therefore denied that the CCTV constituted personal data. This claim was based on the fact
that the Plaintiff was wearing protective wear on his face.
4.5 The Plaintiff’s submission is that he has always been identifiable. He further submitted
that his entire face was not obscured. He has a distinctive physical presence and movements
and is one of a limited pool of people who was working in the area concerned. The audio on
the file contains two voices and provides: “Who’s this? Who’s that? …. it’s Arkadiusz, one of
our supervisors.”
114.6 Accordingly, during this court hearing it was conceded by the Defendant that the
Plaintiff was in fact identifiable. The Plaintiff submitted a considerable portion of the pretrial
submission and the hearing was unnecessarily taken up with this issue. He also submitted that
even when it was conceded it was stated it was just a meeting, to which the Defendant referred
to as a “huddle meeting” and “toolbox talk”. In the course of cross examination by the
Plaintiff’s counsel of Mr. O’Neill for the Defendant the following exchange took place which
best describes how the Defendant saw the issue:
“Q: You heard his evidence. So you’re unaware of any black marks and you spoke of
glowing terms about my client. I put it to you: this was a black mark against my client.
This was a black mark showing him being held up as somebody engaged in a serious
food safety issue?
A: Well, I don’t accept that. Fundamentally I don’t accept that it was a black mark
because we’re a large business, we’re dealing with a large number of employees, we’re
dealing with multiple incidents week in, week out, and if we were to go round carrying
black marks around in our back pocket like that, we would never be able to run our
business successfully. They’re what we call learning incidents. We would prefer to see
them as learning incidents rather than disciplinary incidents where we can [i.e. where
possible]. Let’s learn what we can from this, let’s correct, let’s put in a proper control
or a better control and be better in what we do in future.”
4.7 The Plaintiff was not present at the meeting of supervisors and managers. It took place
at the beginning of the morning shift. On that date, the Plaintiff was rostered on the night shift.
However, the Plaintiff was informed about the CCTV clip after the meeting by other
employees. Furthermore, for two weeks after the incident, the CCTV was stored on a
communal work computer, without password protection. While this created a significant risk,
12it does not appear that the CCTV was in fact accessed by any unauthorised persons and no
allegation of unlawful processing is made in that regard.
4.8 The Plaintiff’s version of the impact of the meeting on him was stated in evidence as
follows:
“In my opinion I was laughed at. I was more stressed at work because of it. I wasn’t so
glad to go to work every morning. I was so limited, all our social meetings with my
colleagues from work. I felt humiliated and I felt I was being mocked. I – for a while I
had problems with my sleep. I don’t – I’m not sure if it was connected with the stress
but I suppose so.”
4.9 The Plaintiff did not face any disciplinary consequences over the incident. His
complaint in these proceedings relates to the alleged further processing of the CCTV footage
as part of the meeting of supervisors and managers, and that the use of the CCTV footage in
which he was identifiable amounts to an unlawful processing of his data in breach of the 2018
Act and/or GDPR. The Plaintiff alleges that as result he suffered damage and distress in the
form of anxiety and embarrassment, due to the remarks made by work colleagues on foot of
the alleged data breach.
4.10 The Plaintiff complained to the Data Protection Commission (“the DPC”) about the
incident. However, as the complaint was not assigned to a complaint handler due to a backlog
of complaints, the Plaintiff submits that he did not wish to delay this case further by awaiting
the DPC’s outcome, hence the matter appeared before the Circuit Court de novo pursuant to
section 117 of the 2018 Act.
5. The Plaintiff’s Submission on the Data Protection Policies
5.1 Four documents were discovered, in this regard the Plaintiff submits that four different
policies with different purposes were said to have been in place. He also opines that the
13preponderance of the Defendant’s policy documentation is completely silent about the use of
CCTV for training, and that this confusion was continued at the hearing regarding the data
protection policies actually relied upon.
5.2 The Plaintiff outlines its argument as follows:
(a) The Data Protection Policy of May 2018 (“the 2018 policy”) has one section on
CCTV. It provides:
“Closed circuit monitoring
Country Crest Group has closed circuit television cameras located at various
identifiable and visible locations throughout the site. CCTV is used for Health
and Safety, Food Quality & Safety and general hazard identification purposes.
This is necessary for the security and safety of staff and Group property and in
order to protect against loss or damage.
Access to the recorded material will be strictly limited to authorised personnel.
Images may be used for training, quality and accident prevention purposes.”
(b) The CCTV Notification Memo of 5 September 2016 (“the 2016 memo”) states
CCTV cameras are operated “throughout the group premises and site”, in order to
“comply with certain safety requirements”. It goes on to state that the recordings
are “periodically reviewed” for the following purposes:
“Health and Safety within the Workplace
Food Safety and Quality General Site Security”
(c) The CCTV Notification Memo of 20 July 2014 (“the 2014 memo”) states that
CCTV is operated to comply with “certain business requirements”. It states:
14 “These CCTV recordings are for the following purposes:-
Health and Safety within the workplace
General Group Security”
(d) The Site Security Procedure Document from March 2011 (“the 2011 document”)
states its purpose is the prevention of access by unauthorised persons to production
and storage areas. Oneof themethods is: “Sitesecuritymenarepresent out of hours
along with CCTV cover 24 hours”.
5.3 Therefore, according to the Plaintiff, the 2018 policy is the only one which contains a
reference to the use of images for training, but the Plaintiff submits that it was not relied upon
and references the evidence furnished to the court in respect of the 2016 memo and the 2011
document.
5.4 The Plaintiff further submits that Ms. Meus (employee of the Defendant) gave evidence
that she devised the training in question. Mr. O’Neill confirmed that she alone was responsible
for the training. She gave evidence the data protection policies she relied on were the 2016
memo and the 2011 document. She was clear that she was not relying on the 2018 policy. The
2018 policy is the only policy which contains a reference to the use of images for training. This
is the policy relied on in the Defendant’s defence. Furthermore, it is the policy relied on in the
Defendant’s first set of submissions.
5.5 Considering the evidence actually provided at hearing, all reliance by the Defendant on
the 2018 policy and the one reference contained therein to “training” should, according to the
Plaintiff, be disregarded.
156. Defendant’s Submissions
6.1 The Defendant denies any breach of the 2018 Act or GDPR. It states that as required
under data protection legislation the Defendant had in place a data protection policy which was
provided to all employees of the Defendant. The relevant data protection policy which was
applicable at the time of the Plaintiff’s claim was dated May 2018. This policy included the
same stated purposes for collection as the Data Protection Memorandum issued to all staff in
2016. The policy states that the 2018 Act and GDPR apply to the processing of personal data.
The policy forms part of the staff handbook which is provided to all employees.
6.2 The Defendant also submits that no damage has been identified by the Plaintiff in
respect of this allegation, as a result it cannot form the basis for a claim under section 117 of
the 2018 Act.
6.3 In respect of the alleged breaches of the 2018 Act and/or GDPR, the Plaintiff alleges
that he suffered damage and distress, which is limited to a claim for non-material damage. The
Defendant states that the height of the Plaintiff’s non-material damage claim is that he
experienced “upset, anxiety and embarrassment”.
6.4 In legal submissions the Defendant also claims that there was legitimate interest in
processing the data.
7. Court’s consideration of the law
7.1 Article 82(1) of the General Data Protection Regulation (GDPR) provides that any
person who has suffered material or non-material damage as a result of an infringement of the
Regulation shall have the right to receive compensation from the controller or processor for the
damage suffered. As a consequence, compliance with the GDPR is publicly enforced e.g. with
fines, and private enforcement is enforced with damages, of course there are other remedies
16such as injunctions for ongoing breaches, but we are not concerned with that issue in this case,
as the breaches alleged here are not ongoing.
7.2 Article 82(1) is therefore a critical part of understanding the enforcement process of the
GDPR and for this case it is at the core of understanding the basis for the private enforcement
of data protection rights. In this respect one of the many challenges is to find a way to evaluate
the concept of non-pecuniary loss. Unfortunately, there appears at present to be some
uncertainty in understanding how compensation for non-material loss should be calculated in
Ireland. There are a number of preliminary references pending before the Court of Justice of
the European Union (the “CJEU”).
7.3 The wording of Article 82(1) at first sight appears clear in that it appears to provide a
basisforacompensation claim.Howeveroncloserexamination,Article82(1)doesnot actually
state that a person who suffers a breach has a right to compensation, it states the person shall
have the right [italics added]. In other words, it is a contingent right. However, against that, the
whole trust of GDPR is that once rights have been infringed there is a right to an effective
remedy pursuant to Article 47 of the Charter of Fundamental Rights (CFR).
7.4 In addition, while “non-material damage” is not defined in the GDPR, the recitals are
informative, although not binding. Recital 146 of the GDPR provides that the “concept of
damage should be broadly interpreted” and that data subjects should receive “full and effective
compensation for the damage they have suffered”.
7.5 Recital 85 of the GDPR provides that where a personal data breach is not addressed
inan appropriateortimelymanner,itmayresultin “physical,materialornon-materialdamage
to natural persons” in circumstances where the natural person has “suffered a loss of control
over their personal data or limitation of their rights, discrimination, identity theft or fraud,
17financial loss…damage to reputation, loss of confidentiality of personal data or any other
significant economic or social disadvantage.”
7.6 Section 117 of the Data Protection Act 2018 is the relevant provision outlining the
parameters of judicial remedy for infringements of the Act. It provides that:
“without prejudice to anyother remedy, including the right to lodge a complaint, a data
subject may bring a data protection action against a controller or processor where his
or her rights under a relevant enactment have been infringed as a result of the
processing of his or her personal data in a manner that fails to comply with a relevant
enactment”
7.7 It is anticipated the CJEU will further clarify the law and that the legislature and/or the
Superior Courts will give guidance on how this provision is to be applied. In this case the court
has not been requested to stay proceedings pending the determination of the preliminary
references before the CJEU or to state a case to the Court of Appeal. This is perfectly
understandable as the parties would like their case disposed of as quickly and efficiently as
possible, and in view of the UI v Österreichische Post case discussed below.
8. UI v Österreichische Post (Case C-300/21) Decision
8.1 UI v Österreichische Post (Case C-300/21) was referred to the CJEU by the Austrian
Supreme Court on the interpretation of Article 82. In this case, the Defendant sold personal
data as a profile publisher for third party marketing purposes. The Defendant collected
information via an algorithm including details regarding the political affinity of the claimant.
The algorithm defined the target group’s profile according to socio-demographic
characteristics. No consent was given by the claimant to the processing and storing of data. The
claimant argued that the political affinity attributed to him was insulting and shameful and
made a claim for non-material damage under Article 82.
188.2 The Austrian Supreme Court referred three questions to the CJEU for a preliminary
ruling:
1. Is themerebreach ofprovisions oftheGDPR,inandofitself,sufficient fortheaward
of damage?
2. In addition to the principles of effectiveness and equivalence, does EU law impose
further requirements that national courts must observe when assessing damages under
Article 82?
3. Does non-material damage require an impairment (or other consequence of the
infringement of at least some weight) that goes beyond the annoyance caused by the
infringement
8.3 The Advocate General opined that there should be no right to compensation for a mere
infringement of the GDPR. And that compensation should not be available for “mere
annoyance or upset”.
8.4 The decision of the CJEU is as follows:
1. The CJEU ruled that the GDPR must be interpreted as meaning that the mere
infringement of the provisions of the GDPR is not sufficient to confer a right to
compensation. In other words, there is no automatic right to compensation once an
infringement is proven.
2. The CJEU ruled that the GDPR must be interpreted as precluding a national rule or
practice which makes compensation for non-material damage subject to the condition
that the damage suffered by the data subject has reached a certain degree of seriousness.
In other words, a de minimis threshold cannot be imposed.
19 3. Finally, the CJEU ruled that the amount of damages payable under the right to
compensation is to be determined by the national court applying the domestic rules of
each Member State, provided that the principles of equivalence and effectiveness of EU
law are complied with.
9. Case Law from other Jurisdictions
9.1 In Lloyd v. Google LLC [2021] UKSC 50, the UK Supreme Court reversed the decision
of the UK Court of Appeal in Lloyd v. Google LLC [2019] EWCA Civ 1599, and unanimously
dismissed Lloyd’s representative action brought against Google. In brief summary, the UK
Supreme Court confirmed that a claim for damages for the unlawful processing of data under
the English Data Protection Act 1998 can only be made if the data subject has suffered some
form of material damage (such as financial loss) or mental distress. The damage could not be
the unlawful processing itself.
9.2 Mr Lloyd, a former director of Which?, brought a representative action against Google
using the procedure set out in Civil Procedure Rule (“CPR”) in England. Mr Lloyd’s claim was
funded by a third-party litigation funder. The claim alleged that between August 2011 and
February 2012, Google breached its duties as a data controller to over 4 million Apple iPhone
users’ resident in England and Wales. Mr Lloyd claimed that Google used a browser cookie
which could be activated on certain mobile phones without users’ knowledge or consent when
they visited certain websites (described as the ‘Safari Workaround’). Google allegedly used the
cookie to collect information about customers’ browser activity, which in turn enabled Google
to distribute targeted advertising to those users, generating significant profits for the company.
9.3 Mr Lloyd relied on Section 13 (1) of the Data Protection Act 1998 [DPA 1998] to bring
his claim. Section 13 of the DPA 1998 reads as follows:
“Compensation for failure to comply with certain requirements.
20 (1) An individual who suffers damage by reason of any contravention by a data
controller of any of the requirements of this Act is entitled to compensation from
the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data
controller of any of the requirements of this Act is entitled to compensation from
the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention,
or
(b) the contravention relates to the processing of personal data for the
special purposes.
(3) In proceedings brought against a person by virtue of this section it is a
defence to prove that he had taken such care as in all the circumstances was
reasonably required to comply with the requirement concerned.”
9.4 A representative action procedure in CPR allows an action to proceed on an “opt-out”
basis, meaning that individual class members do not need to elect to join the claim. The class
members and representative must share the “same interest” in the claim. If that test is satisfied,
then the court will use its discretion in deciding whether a claim that meets the test should be
permittedtoproceed.Ajudgmentwillbindall classmembersunlessthecourtordersotherwise.
9.5 Mr Lloyd argued that the “same interest” requirement was satisfied as all members of
the class could claim damages for “loss of control” and no proof of any further damage or
distress was required. Damages were framed on the basis of an equal, standard “tariff” award,
without the need for the individual assessment of loss.
9.6 Specifically, Mr Lloyd contended the following in his claim for damages:
21 • Theword “damage” in section 13(1)of theDPA 1998not only extendsbeyondmaterial
damage to include distress, which was established in Vidal-Hall v. Google Inc [2016]
QB 1003, but also includes non-trivial breaches of the DPA 1998, namely for “loss of
control” of data.
• The principles in the case Gulati v. MGN [2015] EWHC 1482 (CH), which were
applicable to the assessment of damages in the tort of misuse of private information
should also apply to section 13(1) of the DPA 1998, as both claims have a “common
source”(inseekingtoprotecttherighttoprivacyguaranteedbyArticle8oftheECHR).
Gulati v MGN established that claimants could be compensated for misuse of their
private information itself because they were deprived of “their right to control [its]
use”.
9.7 The UK Supreme Court [per Lord Leggatt] (with whom Lord Reed, Lady Arden, Lord
Sales and Lord Burrows agreed) rejected these arguments. It found that it is not enough to
simply prove a breach in order to recover compensation under section 13 of the DPA 1998. It
held that on a proper interpretation, the term “damage” in section 13 refers to material damage
(such as financial loss) or mental distress. This damage must be distinct from, and caused by,
unlawful processing of personal data in contravention of the DPA 1998. It cannot be the
unlawful processing itself. The UK Supreme Court also confirmed that even if Mr Lloyd could
pursue a claim for damages based on “loss of control”, his proposed lowest common
denominator approach could not be used as it would still be necessary to establish the extent
of the unlawful processing in each individual case to ensure that a “de minimis” threshold was
met.
229.8 Per Lord Leggatt at paragraph 153:
“On the claimant’s own case there is a threshold of seriousness which must be crossed
before a breach of the DPA 1998 will give rise to an entitlement to compensation under
section 13. I cannot see that the facts which the claimant aims to prove in each individual
casearesufficient to surmount this threshold. If(contraryto theconclusion Ihavereached)
those facts disclose “damage” within the meaning of section 13 at all, I think it impossible
to characterise such damage as more than trivial. What gives the appearance of substance
to the claim is the allegation that Google secretly tracked the internet activity of millions
of Apple iPhone users for several months and used the data obtained for commercial
purposes. But on analysis the claimant is seeking to recover damages without attempting
to prove that this allegation is true in the case of any individual for whom damages are
claimed. Without proof of some unlawful processing of an individual’s personal data
beyond the bare minimum required to bring them within the definition of the represented
class, a claim on behalf of that individual has no prospect of meeting the threshold for an
award of damage. I think it impossible to characterise such damage as more than trivial.
What gives the appearance of substance to the claim is the allegation that Google secretly
tracked the internet activity of millions of Apple iPhone users for several months and used
the data obtained for commercial purposes. But on analysis the claimant is seeking to
recover damages without attempting to prove that this allegation is true in the case of any
individual for whom damages are claimed. Without proof of some unlawful processing of
an individual’s personal data beyond the bare minimum required to bring them within the
definition of the represented class, a claim on behalf of that individual has no prospect of
meeting the threshold for an award of damages.”
9.9 In Rolfe & Others v. Veale Wasbrough Vizards LLP [2021] EWHC (QB) the English
High Court held that there is a de minimis threshold implicit in English case law which
23claimants have to show has been exceeded before they can seek damages for actual loss or
distress. In Johnson v. East light Community Homes Ltd [2021] EWHC 3069 (QB), the English
High Court also ruled that the de minimis concept applies to claims taken under the GDPR and
the UK Data Protection Act 2018.
10. Irish Case Law
10.1 In Ireland in the decision of Collins v. FBD Insurance plc [2013] IEHC 137, Feeney J
noted that no right to compensation for non-material damage (referred to as non-pecuniary
damage) existed. However, it is important to caveat that this case predates the implementation
of the GDPR.
10.2 In Shawl Property Investments Ltd v. A. & B. [2021] IECA 53, the Court of Appeal
(Whelan J.) held that “nothing stated in s. 117 or indeed the Act itself suggests that a data
protection action is a tort of strict liability.”
11. Relevant Factors in Ascertaining Damages for Non-Material Loss
11.1 Applying the law in this case, and in particular following the decision of UI v
Österreichische Post, this court outlines below some of the relevant factors pertinent in
ascertaining damages for non-material loss. While this is suggested with some caution in the
absence of clarification from the Oireachtas, the Superior Courts and the outstanding
preliminary references pending before the CJEU, it does facilitate a mechanism for this court
to take a consistent approach to data breach claims for non-material loss.
11.2 Importantly it appears from UI v Österreichische Post and in a departure from the
opinion of the Advocate General’s Opinion, the CJEU determined that there is no de minimis
standard of loss to be suffered for an individual to recover compensation. Damages are to be
interpreted broadly “and it would be contrary to that broad conception of damages favoured by
24the EU legislature, if that concept were limited solely to damage of a certain degree of
seriousness.”
11.3 Privacy is a human right and personal information is a key aspect of this right. It is self-
evident that some data breaches may have no impact or only a minor impact on affected
individuals, other data breaches can have serious consequences. By way of example only, an
unintended disclosure of an employee’s home address in a small organisation to employees’
where the address is already known would be a minor breach. A disclosure of the personal
address of a person in a witness protection programme would be a major breach. Many cases
fall in between these two extremes.
11.4 In addition, processing of personal data is only lawful where it is demonstrated to have
a ‘legal basis’. Article 6 of the GDPR sets out what the potential legal bases are, namely:
consent; contract; legal obligation; vital interests; public task; or legitimate interests.
11.5 To comply with Article 6(1)(f) of the GDPR the processing must be lawful and
necessary to achieve its aim. Therefore, a court will enquire if the processing was lawful. The
best way to achieve this is to demonstrate if a legitimate interest assessment was carried out. It
is also necessary to balance the processor’s legitimate interests against the individual’s
interests, rights and freedoms.
11.6 In assessing damages for non-material loss the following factors are proffered:
• A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an
award of compensation.
• There is not a minimum threshold of seriousness required for a claim for non-
material damage to exist. However, compensation for non-material damage does
not cover “mere upset”.
• There must be a link between the data infringement and the damages claimed.
25• If the damage is non-material, it must be genuine, and not speculative.
• Damages must be proved. Supporting evidence is strongly desirable. Therefore, for
example in a claim for damages for distress and anxiety, independent evidence is
desirable such as for example a psychologist report or medical evidence.
• Data policies should be clear and transparent and accessible by all parties affected.
• Employers should ensure their employee privacy notices and CCTV policies are
clear to employees [Cormac Doolin v. The Data Protection Commissioner and Our
Lady’s Hospice and Care Services [2020] IEHC 90; [2022] IECA 117 and McVann
-v- Data Protection Commissioner [2023] IECC 3]
• Where a data breach occurs, it may be necessary to ascertain what steps were taken
by the relevant parties to minimise the risk of harm from the data breach.
• An apology where appropriate may be considered in mitigation of damages. For
example, it may reassure the affected individual that their employment is safe and
not at risk.
• Delay in dealing with a data breach by either party is a relevant factor in assessing
damages.
• A claim for legal costs may be affected by these factors.
• Even where non-material damage can be proved and is also not trivial, damages in
many cases will probably be modest. In the absence of other guidelines, from the
Oireachtas or the Superior Courts and/or the Judicial Council, the court has taken
cognisance of the factors as outlined in the Judicial Council Personal Injuries
Guidelines 2021 in respect of the category of minor psychiatric damages as
instructive guidance, though noting in some cases non-material damage could be
valued below €500.
2611.7 Although not argued before this court, it is proffered that an independent adjudicative
or conciliation resolution process would be a suitable alternative dispute pathway to resolve
data breach assessments. Indeed, since this case was heard the court takes note of the judgment
of His Honour Judge Simon McAleese in the case of Siobhan Keane v. Central Statistics Office
deliveredorallyat WaterfordCircuitCourtonthe30 June2023.McAleeseJheldthatabreach
of privacy is essentially a tort which derives from breach of a constitutional right. The learned
judge also held in that case, the Plaintiff’s claim was a civil action by virtue of the definition
contained in the Personal Injuries Assessment Board Act 2003 [now Personal Injuries
Assessment Board Acts 2003 to 2022] [collectively “the 2003 Act”]. The principal remedy
sought in that case was damages for personal injuries and the learned judge held that the action
was bound to fail in respect of personal injuries, thus “restricting the Plaintiff’s claim to such
damages, if any, as might be awardable for the truly limited (in so far as it concerns the
Plaintiff) and accidental data breach which occurred in this case”. The court in that case also
expressed no view upon such defences as might be available to the Defendant or whether the
defence will prevail if what remains of the matter for trial. The significance of this judgment is
important for potential future actions concerning data breaches and claims for damages.
11.8 In Clarke v O’Gorman [2014] IESC 72, O’Donnell J (as he then was) held that section
12 of the 2003 Act, which provides a bar on bringing proceedings unless certain conditions are
satisfied, does not operate to deprive the court of jurisdiction in the event of non-compliance
with its provisions. Such non-compliance may be invoked by the defendant in its defence and
used as a shield. However, as in Clarke v O’Gorman, PIAB was not invoked by the defendant
in this case, and this is understandable as the data breach in this case was strongly denied.
2712. Application of the law to the facts
12.1 The Plaintiff was identifiable, and this is now accepted by both parties. However, it was
only accepted by the Defendant at the trial.
12.2 Clarity in relation to data protection policies is a core principle of GDPR and the 2018
Act. However, in this case there was a lack of clarity and transparency in relation to the
Defendant’s data protection policies. This is due to the four policies outlined at paragraph 5.2.
In addition, the Defendant’s witness evidence at the trial confirmed this confusion.
12.3 The Plaintiff’s first language is Polish, but he was expected to navigate what was the
actual policy from the four documents provided to him in English. The principle of lawfulness,
fairness, and transparency is of particular relevance to the question of legal basis. It is noted
that the Defendant has updated its policies now and is available in the various first languages
of its employees. This is commendable.
12.4 The Plaintiff’s implied consent to processing the data for training was at best unclear
and this should be construed against the Plaintiff’s employer. It was the Defendant employer
who set out the four data policies. Consent is not the only basis by which the collection of data
will be lawful and various other legal bases are set out in Article 6 of GDPR. However, it is
also of note that the Defendant did not plead a legal basis for the processing, though in legal
submissions later it claimed it was operating on foot of a legitimate interest. However, a
legitimate interest assessment was not carried out to identify what the legitimate interest was
or to show if the processing was necessary to achieve it. It is clear even if a legitimate interest
was considered, notwithstanding the lack of assessment, it was not considered against the
Plaintiff’s interests, rights, and freedom.
12.5 The court is therefore satisfied:
• That there was an infringement of the Plaintiff’s rights under the GDPR,
28 • There was non-material damage resulting from that infringement and
• There is a causal link between the damage and the infringement.
12.6 The damage in this case resulted in some slagging by employees culminating on the
Plaintiff’s own evidence in some serious embarrassment and sleep loss. It is important to note
the Plaintiff was in a supervisory role at the time of the incident, though there is no claim for
any loss of employment. The Plaintiff was not present at the meeting of supervisors and
managers, and he did not know his image would be used in the meeting. The court is satisfied
the Defendant originally believed that the Plaintiff was not in fact identified, though this was
rightly conceded during the trial once the evidence became clear. However, the Plaintiff was
informed about the CCTV clip after the meeting by other employees.
12.7 Furthermore, for two weeks after the incident, the CCTV was stored on a communal
work computer, without password protection. While this created a significant risk it does not
appear that the CCTV was in fact accessed by any unauthorised persons.
12.8 The court accepts that the Plaintiff’s loss, bearing in mind his supervisory position in
the company and his own background already described, went beyond mere upset and created
an emotional experience and negative emotions of insecurity which did affect him for a short
periodoftime.Whilethisisnotbackedupbyamedicalreport,itisnoteworthythatthe Plaintiff
who was subject to examination and cross examination was viewed by the court as a truthful
and conscientious witness who did not exaggerate the effect of the data breach on him. It is
admirable that his employer has addressed the issues in relation to the data policies and the use
of CCTV for training in the workplace, and the data breach has not had any long-term effect
on the Plaintiff or his employment.
12.9 The court is of the opinion that the appropriate award for non-material damages in this
case is two thousand euros.
29
