For the first time, the Irish courts have delivered a written judgment awarding damages for "non-material loss" suffered following an infringement of the GDPR. "Non-material loss" refers to damages for non-financial loss, sometimes also described as "pain and suffering".

In the Circuit Court case of Kaminski v Ballymaguire Foods [2023] IECC 5, Judge John O'Connor awarded the claimant €2,000 for non-material damages suffered following an infringement of the GDPR. The court found that the decision of the CJEU in UI v Österreichische Post AG ("the Austrian Post case")(previously discussed here) provides a mechanism for the Irish courts to take a consistent approach to claims for non-material loss under the GDPR.

By way of a reminder, in the Austrian Post case, the CJEU held that:

  • A right to compensation for non-material damage does not automatically arise from a mere infringement of the GDPR;
  • The non-material damage must be causally linked to the alleged data breach; and
  • The GDPR does not provide for a de minimis threshold for non-material damage, a threshold which requires a certain degree of seriousness before a claim can succeed.

The judgment is significant because the Irish courts have previously stayed a number of other non-material damages claims under the GDPR, pending delivery of a number of further decisions awaited from the Court of Justice of the European Union ("CJEU") on the factors pertinent in ascertaining damages for such loss (previously discussed here). In the Kaminski case, however, the court noted that it had not been requested to stay those proceedings pending the determination of the further references before the CJEU, nor had it been asked to state a case to the Court of Appeal.

Judge O'Connor noted that the factors outlined in Kaminiski as being pertinent in ascertaining damages for non-material loss, following the Austrian Post case, were "suggested with some caution, in the absence of clarification from the Oireachtas [Irish parliament], the Superior Courts and the outstanding preliminary references pending before the CJEU". On that basis, it is possible that the legal position outlined in his judgment might be subject to change in the future.

Background

In the Kaminski case, the plaintiff was employed as a supervisor in the defendant's factory. CCTV footage was shown to other employees of the defendant as part of a training exercise. The training exercise was required in order to address instances of poor food safety practice and to highlight food quality and safety issues at the factory.

While his face was obscured in the footage, the plaintiff submitted that he was identifiable due to his distinctive physical presence and movements. The plaintiff was also not present at the training exercise and was only informed of the CCTV clips by other colleagues after the meeting had taken place. The plaintiff alleged that the defendant's use of the CCTV footage for training purposes amounted to unlawful processing of his personal data under the GDPR and Data Protection Act 2018. He further alleged that he had suffered damage and distress in the form of anxiety, embarrassment, humiliation and sleep loss due to remarks made by work colleagues about him on foot of this unlawful processing of his personal data.

The claimant lodged a complaint with the DPC about the matter but due to a backlog of complaints in the DPC's office, the complaint was not assigned a complaint handler. The claimant submitted that he did not wish to delay his case by awaiting the DPC outcome and he therefore initiated the proceedings before the Circuit Court pursuant to section 117 of the Data Protection Act 2018.

Decision

The Court held that the following three cumulative conditions (which the CJEU's decision in the Austrian Post case confirms are necessary to recover compensation for non-material damages under the GDPR) had been satisfied:

  1. There was an infringement of the claimant's rights under the GDPR (in particular there was a lack of clarity and transparency with regard to the employer's four data protection policies (none of which were available in the claimant's native language which was Polish), and no lawful basis existed for using the CCTV footage of the claimant for training purposes);
  2. There was a causal link between the damage and the infringement; and
  3. There was non-material damage resulting from that infringement.

The court held that the appropriate award for non-material damages in this case was €2,000. In assessing compensation, in the absence of other guidelines, from the Oireachtas (Irish parliament) or the Superior Courts and/or the Judicial Council, the court took into account the factors as outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages "as instructive guidance", though noting that in some cases non-material damage could be valued below €500.

Non-Material damage resulting from the infringement

The Court set out a list of factors that it considered relevant when assessing damages for non-material loss under the GDPR and Data Protection Act 2018, including:

  • A "mere breach" or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
  • There is no minimum threshold of seriousness required for a claim for non-material damage to exist but compensation for non-material damage does not cover "mere upset".
  • There must be a link between the data infringement and the damage claimed.
  • If the damage is non-material, it must be genuine, and not speculative.
  • Damage must be proved. Supporting evidence, such as a psychologist report or medical evidence, is strongly desirable.
  • Employers should ensure that privacy notices and CCTV policies are clear to employees.
  • An apology, where appropriate, may be considered in mitigation of damages.
  • Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
  • A claim for legal costs may be affected by these factors.
  • Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest.

In this case, the Court, without supporting medical reports, was satisfied that the damage suffered by the claimant "went beyond mere upset". The court noted that the claimant's loss "created an emotional experience and negative emotions of insecurity which affected him for a short period of time". The court noted that the claimant was subject to examination and cross-examination, and was viewed by the court "as a truthful and conscientious witness who did not exaggerate the effect of the data breach on him".

Comment

The judgment of Judge O'Connor in the Kaminski case is the first judgment following the Austrian Post case which provides guidance on the assessment of GDPR compensation claims for non-material loss in Ireland.

The award of damages provides some guidance for the future as to how claims of this nature will be valued by the Irish courts. It is noteworthy that Judge O'Connor stated that even where non-material damage can be proved, and are not trivial, damages will probably be modest.

The relatively low level of damages awarded in this case also indicates that the majority of non-material damage claims under the GDPR will likely proceed before the District Court, which has a jurisdictional limit of up to €15,000. The District Court will have jurisdiction to hear data protection claims following the commencement of the Courts and Civil Law (Miscellaneous Provisions) Act 2023, which is expected shortly.

Lastly, Judge O'Connor also noted, albeit not as part of his reasoning for the judgment, that an independent adjudicative or conciliation resolution process would be a suitable alternative dispute pathway to resolve data breach assessments. It remains to be seen whether such processes will be utilised in the future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.