Data Protection Day 2025: “Look Back” & Trends
William Fry LLP is celebrating the Council of Europe's annual Data Protection Day. As we approach the 7-year mark of GDPR, Europe's data protection regulatory regime remains a headline staple, featuring twists and turns in many areas. In 2024, there was a renewed focus on data protection compliance because of: (i) the interplay between GDPR and emerging digital reforms legislation across the EU; and (ii) guidance and decisions from courts and data protection authorities continued to emerge and, in some cases, moved the goal posts of the application of certain data protection rules.
In this update, our Data Protection & Cybersecurity group explore the most significant data protection developments from the past year, and take stock of expected trends for 2025. Whilst data protection law comes to the fore for organisations in many ways, each should consider the following key areas with scrutiny:
1. Increased Privacy Litigation
2. International Data Transfers
3. Protection of Children's Data Online
4. GDPR and the EU Digital Reforms Package
5. Data Protection and Artificial Intelligence
6. GDPR and Cybersecurity
1. Increased Privacy Litigation
Throughout 2024, there was an increase in data protection and privacy litigation at both a national and EU level. This section covers some of the most notable decisions in 2024. As a general theme, we have seen both national courts and the Court of Justice of the European Union (CJEU) adopt a data subject centric approach in decisions and opinions.
NATIONAL
January
The Commencement of Courts and Civil (Miscellaneous Provisions) Act 2023
The commencement of the Courts and Civil (Miscellaneous Provisions) Act 2023 now provides jurisdiction to the District Courts to adjudicate on data protection actions. It also provides a guide to possible compensation recoverable in a data protection action in the District Court. The impact of this legislation is that the quantum of damages in privacy litigation will likely remain low.
Keane v Central Statistics Office [2024] IEHC 20
In the Keane decision, the High Court clarified the procedural steps in data breach cases where the applicant claimed to have suffered anxiety and distress. O'Donnell J held that the plaintiff was required by the Personal Injuries Assessment Board Act 2003 (PIAB Act) to make an application to PIAB for an assessment of her claims prior to commencing proceedings.
April
Dillon v Irish Life [2024] IEHC 203
In Dillon, the High Court considered whether the applicant's claim for damages due to alleged distress, upset, and inconvenience resulting from breaches of data subject rights constituted a ‘civil action' requiring authorisation from PIAB under the PIAB Act. O'Donnell J, in revisiting his previous judgment of Keane, held that the proceedings brought by the plaintiff were a form of civil action within the meaning of the PIAB Act and as such required prior authorisation from PIAB.
July
McCabe v AA Ireland [2024] IECC 6
In McCabe, the Dublin Circuit Civil Court awarded the plaintiff €5,500 together with costs to the plaintiff as non-material damages for a GDPR infringement in circumstances where the plaintiff had not made a prior application to PIAB. This decision follows the earlier Dillon decision (above); a ruling by the Supreme Court on appeal in the latter may bring further clarity on how these cases can be reconciled.
EU
May 2023
Financial compensation for non-material damage sought in multiple decisions
Following delivery of judgment in UI v Österreichische Post AG (the “Austrian Post” case) in May 2023, in which the CJEU established the parameters of non-material damage claims under Article 82 of the GDPR for the first time, the EU courts have seen an increase in claims by individuals who have suffered non-material damage as a result of infringement of the GDPR. Read our insights on the Austrian Post case here.
September
- Case-768/21 held that data protection authorities are not always obliged to exercise their corrective powers, specifically to impose an administrative fine, where such an action is not “necessary and proportionate to remedy the shortcoming found and to ensure that that regulation is fully enforced”.
- Case C-383/23 considered that the meaning of ‘undertaking', as defined in Articles 101 and 102 of TFEU, should be considered in calculating fines. The implication of the decision means that the total annual worldwide turnover of an undertaking of which the controller or processor forms part could be taken into account.
October
- In Case C-507/23, the CJEU held that making an apology can constitute sufficient compensation for non-material damage in certain circumstances and an infringement alone does not constitute damage requiring compensation.
- Case C-200/23 held that a “loss of control” for a limited period by a data subject may be sufficient to constitute non-material damage.
- Case C-21/23 held that products concerning health can be categorised as special category data.
- Case C-621/22 held that purely commercial interest can be a valid legitimate interest, which is a positive outcome for organisations.
2025 Trends
PIAB Authorisation needed prior to commencing a claim in the Irish courts?
In Dillon, the Supreme Court granted the plaintiff leave to appeal on the grounds of constituting an issue of ‘general public importance'. If the decision is upheld, future plaintiffs must continue to seek PIAB authorisation prior to commencing a claim, again setting a clear recognition for similar claims regarding breach of privacy rights for data subjects in the context of non-material damage (claims relating to stress, humiliation or embarrassment). The case is scheduled for hearing in the Supreme Court on 30 January 2025.
Increased litigation on right to non-material damages
Following delivery of judgment in the Austrian Post case, both EU and national courts may continue to see an increase in claims by persons who have suffered non-material damage as a result of infringement of the GDPR and are seeking compensation from the controller or processor. Court decisions will continue to shape an appropriate compensation framework. In January 2025, Case T-354/22 (Bindl v European Commission) entitled the data subject to €400 in compensation resulting from the transfer of that data subject's personal data to a third country without an adequate safeguard in place in relation to the data transfer. Equally, we may witness an increased sentiment in decisions that actual damage must be suffered in order to give rise to compensation; and that a mere infringement of the GDPR is not, in itself, sufficient for compensation (as per Austrian Post).
Broader approach of regulators to Anonymisation
Back in 2023, in Case T-557/20 (SRB vs SDPS), the European General Court held that pseudonymised data will be considered anonymised data if the holder of such data has no means to (re-) identify the individuals about whom such data relates. The decision, which is currently under appeal to the CJEU, could arguably be a game-changer for organisations sharing data, as it marks a departure from the high bar of data anonymisation established in previous CJEU case law (in the Breyer decision). If upheld, the impact will mean that the GDPR will not apply to any personal data transferred where the recipient has no legal means to identify individuals from the data. Organisations will be watching closely as the appeal is expected to be heard by the end of January 2025.
To view the full article, click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
