by Laura Fannin , John Deignan February-16-2023 in Data Protection
Since the implementation of the General Data Protection Regulation (“GDPR”) in May 2018, national courts in EU Member States have been grappling with a vexed question: what is meant by non-material damages for individuals who suffer a personal data breach? While there is not yet a definitive answer to this question, it appears that the issue is coming to a head in light of recent developments (discussed below).
Background
By way of brief overview, Article 82 of the GDPR, and section 117 of the Irish Data Protection Act 2018 (DPA), introduced a new right to compensation for individuals, namely a right to seek compensation for “non-material damage”. The difficulty with Article 82 is that it does not define what is meant by “non-material damage”. While it is clear that Article 82 has given rise to a number of data protection claims seeking damages as a result of breach of individuals’ data protection rights, there has not yet been any written decision of the Irish courts on this issue.
Recent Developments
Ireland is not the only country to grapple with the issue of damages for non-material loss in the context of data breach claims. In fact, this issue has come before the courts in a number of other EU Member States, and this has led to a number of cases being referred to the Court of Justice of the European Union (“CJEU”), pursuant to a process known as a “preliminary reference”. The preliminary reference procedure is used when a national court or tribunal refers a question of EU law to the CJEU for a preliminary ruling in order to facilitate the national court, upon receiving that ruling, to decide the case in question.
The recent case of UI v Österreichische Post AG (the “Austrian Postal Worker’s Case”) is one such case which has garnered which a bit of media attention in light of an opinion delivered by the Advocate General of the CJEU in October 2022. The Advocate General’s opinion, although not binding on the CJEU, is followed in a majority of cases. In this case, the Austrian Supreme Court availed of the preliminary reference procedure and referred the question of the right to compensation under Article 82 to the CJEU.
The background to the Austrian Postal Worker’s Case, is that the Austrian Postal Service used an algorithm to determine whether individuals had an affinity to a particular political party. Pursuant to the algorithm, the applicant, UI, was categorised as having an affinity to a far-right populist party and he was “angered and offended” by this. Accordingly, UI sought €1,000 in compensation for non-material damage arising from the processing of his personal data in this way.
The Austrian Supreme Court then referred a number of questions to the CJEU seeking clarification on a number of issues, including: i) whether the award of compensation under Article 82 requires, in addition to an infringement of the GDPR itself, that the claimant has suffered harm; and ii) in order to award compensation for non-material damage, must there be more than upset caused to the individual by the infringement?
The Advocate General held, among other findings, that: i) mere infringement of provisions of the GDPR in the absence of corresponding damage (be that material or non-material), is not sufficient to merit an award of compensation; ii) the breach must be accompanied by material or non-material damage; and iii) the GDPR does not allow compensation for “mere upset” or “vague, fleeting feelings or emotions connected with the infringement of rules on processing”.
Recent Circuit Court Decision - Cunniam v Parcel Connect Limited & Ors
In his judgment of 23 January 2023, Judge John O’Connor of Dublin Circuit Court acceded to the defendants’ request that the proceedings (which arose from a data breach) be stayed or paused pending the outcome of a number of preliminary references before the CJEU (including the Austrian Postal Worker’s case referred to above) which deal with the same issue, that is to say the question of damages for non-material loss or damage.
The background to the case is that in in or around February 2021, the defendants suffered a data breach resulting in the personal data of over 450,000 people being compromised, including the plaintiff’s. In these proceedings, the plaintiff claims, among other things, that he has suffered apprehension arising from the interference with his personal data. The plaintiff does not claim that the interference with his peace and privacy and concern over the unauthorised use of his personal data caused him to suffer any physical injury. Accordingly, the plaintiff’s claim is confined to “mere upset” or “subjective feelings of displeasure”.
In light of the preliminary references made to the CJEU regarding non-material damage, the defendants brought an application seeking to stay the proceedings on the basis that the CJEU’s ruling would clarify this issue.
In their application to stay the proceedings, the defendants also argued that: a) the plaintiff’s claim was low in value and if the Advocate General’s opinion in Austrian Post is followed, the plaintiff will not be entitled to any compensation; b) if the proceedings simply continue pending the CJEU’s decision, unnecessary legal costs will be incurred in the interim; and c) pending clarification from the CJEU, the defendants are not in a position to make a lodgement (i.e. to lodge money in court in an attempt to settle the claim) as it is currently impossible to quantify the value of the claim.
The defendants also argued that the proceedings ought to be stayed on the basis of a duty of “sincere cooperation”, which is enshrined in EU law by virtue of Article 4(3) of the Treaty of the Functioning of the European Union. In this regard, the Court also had regard to the need to avoid “irreconcilable judgments” emanating from different Member States.
In reaching his decision, Judge O’Connor considered a number of points in the context of the application to stay the proceedings including whether any party would be prejudiced by a delay, and the procedural efficiency of the proceedings.
Judge O’Connor held that while there would be no risk of prejudice to the plaintiff, if the application for a stay were refused there may be a risk of prejudice to the defendants as the costs incurred in preparing the case for hearing could exceed the value of the claim, given that the claim is low value coupled with the fact the plaintiff may not be entitled to any damages. In light of the foregoing, and in particular the principle of sincere cooperation, Judge O’Connor made an order staying the proceedings.
Conclusion
Taken by itself, the decision of the Circuit Court in Cunniam is certainly not a landmark decision in what was, after all, a procedural application. However, the significance of the decision lies in the fact that courts are now reluctant to allow data breach claims for non-material damage to proceed in the absence of clarification from the CJEU. While this is certainly not the death knell for data breach claims, if the Advocate General’s opinion in the Austrian Postal Worker’s is followed, then it is likely that some sort of de minimis (i.e. minimum) threshold will have to be reached in order to be awarded damages in claims of this nature. Such an approach would undoubtedly be welcomed by organisations defending these claims, in particular.
For more information on this topic, please contact Laura Fannin (lfannin@hayes-solicitors.ie) or John Deignan (jdeignan@hayes-solicitors.ie) of this office.
Back to Full News
Share this article:
About the Authors
Laura Fannin
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
John Deignan
John Deignan is an associate solicitor in the Commercial & Business team at Hayes solicitors. John predominantly specialises in commercial litigation and dispute resolution, and has acted for a wide variety of private companies, State bodies and financial institutions in contract law cases, enforcement and recovery actions, commercial landlord and tenant disputes and defamation actions.