On 27 January 2023, Judge O’Connor’s judgment in the case of Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others  IECC 1 was published.
The case is one of several cases arising from a cyber-attack on Fastway Couriers’ systems in 2021, in which thousands of customers’ data became compromised. Mr. Cunniam’s personal data, including his name, address, email address and mobile number, were allegedly accessed by a third party as a result of this incident.
The plaintiff brought a claim for non-material damage, claiming he has suffered interference with his peace and privacy. He also states that he is apprehensive about how his personal data may have been used following the cyber-attack. The plaintiff asserts that he has been contacted by unknown third parties and has lost control over his data as he was unable to exercise any rights to erasure, rectification or restriction of processing of his personal data by these unknown third parties.
The plaintiff, Mr Cunniam, sought damages pursuant to Article 82 of the General Data Protection (GDPR) and Section 117 of the Data Protection Act 2018 (DPA 2018) which states that:
a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action… against the controller or processor concerned.
The Irish superior courts have not yet dealt with Article 82 of the GDPR and Section 117 of the DPA 2018 in a written decision, apart from some obiter remarks by Judge Whelan in Shawl Property Investments Ltd v A & B . In this case, Judge Whelan stated that the DPA 2018 does not suggest “that a data protection action is a tort of strict liability” and that the principle of proportionality should be applied when evaluating claims for breaches of the GDPR.
The defendants, Fastway Couriers, did not deliver a defence and instead sought a stay of the plaintiff’s proceedings, pending the outcome of a number of preliminary references made to the Court of Justice of the European Union (CJEU) concerning the application of Article 82 of the GDPR. Of the awaited CJEU preliminary reference decisions, all eyes are on the outcome of Case-300/21 UI v Österreichische Post (the Österreichische Post Case).
On 6 October 2022, Advocate General Campos Sánchez-Bordona handed down an opinion in the Österreichische Post Case. The Advocate General opined that Article 82 of the GDPR is to be interpreted as meaning a mere infringement of a provision of the GDPR is not in itself sufficient to merit the award of compensation for damages if the infringement is not accompanied by the relevant material or non-material damage. He went on to state that compensation for non-material damage “does not cover mere upset” but that it was for the national courts to determine, in light of the facts, whether a subjective feeling of displeasure may be deemed to be non-material damage.
The decision of the CJEU in the Österreichische Post case will provide clarity on this important element of the law on non-material loss and damages for data protection claims. If the CJEU follows the opinion of the Attorney General, it will mean that claimants for non-material loss and damage will not automatically be entitled to compensation in every case. Such is the importance in the decision of the CJEU that Judge O’Connor was satisfied that the proper course of action was to stay the proceedings pending the conclusion of the CJEU cases. Of note for clients currently facing claims, Judge O’Connor did mention that in the circumstances of the case before him, should it be deemed that the plaintiff is entitled to compensation, the damages are likely to be small.
For more information about anything discussed above, please contact Adele Hall or Rachel Hayes, or your usual William Fry contact.
Contributed by Jane Gallagher & Paul Convery