At Dublin Circuit Court (Court), Judge O’Connor has awarded a plaintiff €2,000 compensation for non-material damage arising from a breach of rights under the Data Protection Act 2018 (2018 Act).
The decision is significant as it is the first written judgment from the Irish courts under section 117 of the 2018 Act. It applies the decision in UI v Osterreichische Post C-300/21, (Osterreichische Post), in which the CJEU set the test for non-material damages under the GDPR (see our previous article here).
Under Article 82(1) GDPR and Section 117 of the 2018 Act, a person that suffers material or non-material damage because of an infringement of their data protection rights, can seek compensation from the controller of the data for damage suffered.
The plaintiff was employed as a supervisor at the defendant’s factory. He alleged that the use of CCTV footage by the defendant in a demonstration of work practice shown to other supervisors and managers, constituted unlawful processing of his personal data under the 2018 Act and the GDPR. The defendant accepted that the plaintiff was identifiable on the CCTV footage. The plaintiff learnt of the footage from his colleagues. For two weeks after the demonstration, the CCTV was stored on a communal computer, without password protection, although there was no evidence that authorised persons accessed the CCTV. The plaintiff claimed the use of the CCTV was an unlawful processing of his data and alleged that he suffered damage and distress, namely anxiety and embarrassment, because of subsequent remarks made by colleagues.
The plaintiff complained to the Data Protection Commissioner (DPC) but due to backlogs in the DPC office, the complaint was not assigned a complaint handler. The plaintiff did not wish to delay his case by awaiting the DPC outcome and initiated these proceedings before the Circuit Court.
Issues were raised about the defendant’s data protection policy governing the use of CCTV. The defendant had four different CCTV policies, available only in English at the relevant times, governing the use of CCTV. Only one of the policies expressly referred to using CCTV footage for training purposes.
The Court noted the inherent difficulty in private actions to enforce data protection rights is the calculation of non-material (or non-pecuniary) loss.
In the absence of clarity on pending CJEU preliminary references, the Oireachtas, and the Irish superior courts, and applying the Osterreichische Post test, Judge O’Connor cautiously set out the following list of factors relevant in ascertaining damages for non-material loss under the GDPR and 2018 Act:
- A “mere breach” or mere violation of the GDPR is not sufficient to warrant an award of compensation.
- No minimum threshold of seriousness is required for a claim for non-material damage. However, compensation for non-material damage does not cover “mere upset”.
- There must be a link between the infringement and the damages claimed.
- If the damage is non-material, it must be genuine, not speculative.
- Damages must be proved. Supporting evidence is strongly desirable.
- Data protection policies should be clear and transparent, and accessible by all parties affected.
- Employers should ensure privacy notices and CCTV policies are clear to employees. (See our article on the use of CCTV footage in disciplinary proceedings in McVann -v- Data Protection Commissioner  IECC 3 here).
- Where a personal data breach occurs, it may be necessary to ascertain what steps the relevant parties took to minimise the risk of harm from the breach.
- An apology, where appropriate, may be considered in the mitigation of damages. Delay in dealing with a data breach by either party is a relevant factor in assessing damages. A claim for legal costs may be affected by these factors.
- Even where non-material damage can be proved and is not trivial, damages will probably be modest.
The Court noted the lack of clarity in the defendant’s data protection policies and the lawfulness of the processing of the data for training purposes. It found that there was a breach of the plaintiff’s rights under the GDPR which resulted in non-material damage to the plaintiff.
Assessment of compensation
The plaintiff gave evidence of the effect of the personal data breach on him. In circumstances where the Court found him to be a truthful witness, the absence of a supporting medical report was not fatal to his claim.
In assessing compensation, the Court had regard to the factors in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as “instructive guidance”. Accordingly, compensation was assessed at €2,000.
Watch this space
There are preliminary references before the CJEU on the application of Article 82 of the GDPR, which should provide further clarity on the assessment of non-material damages in data protection claims. In the meantime, this judgment, for the first time in Ireland, offers long-awaited guidance in relation to compensation for non-material damages. Of note is Judge O’Connor’s remark that damages will most likely be modest in such claims. This coincides with the recent signing into law of the Courts and Civil Law (Miscellaneous Provisions) Act 2023, which amends the 2018 Act, giving the District Court jurisdiction to hear and determine data protection actions. Once commenced, it is likely that most data protection claims will proceed in the District Court, with lower legal costs for affected parties.
One final point of note from Judge O’Connor’s decision relates to his obiter comments about a preference for alternative dispute mechanisms to resolve personal data breach assessments. This would be welcome, although unlikely in the immediate future, given the expansion of the concurrent jurisdiction for data protection claims to the District Court.
Contributed by Gail Nohilly