A recent unanimous Supreme Court judgment has considered whether data breaches suffered by a Plaintiff constituted a form of personal injury, which would require him to have obtained authorisation from the Personal Injuries Assessment Board (“PIAB”) to initiate proceedings.

Facts of the case

• Between 2008 and 2020, correspondence held by Irish Life Assurance Plc (the “Defendant”) in relation to an assurance policy it had for Mr. Dillion (the “Plaintiff”) was erroneously shared with third parties. The Defendant was responsible for the sharing of the data, which contained personal and financial information of the Plaintiff.
• The Plaintiff issued proceedings in the Circuit Court by way of Equity Civil Bill (as opposed to Personal Injuries Summons). He claimed damages for negligence and breach of duty/breach of statutory duty by the Defendant, as a result of its breaches of data protection legislation. The Plaintiff claimed said negligence caused him emotional distress, upset, anxiety and inconvenience.
• The matter was heard on appeal from the Circuit Court and subsequently, the High Court. Both Courts had found that the case was one for damages arising from personal injury to the Plaintiff, and which required prior authorisation from PIAB. The Plaintiff had not sought or obtained such authorisation, and the Courts held that the claim should be dismissed on the basis it was frivolous, vexatious or bound to fail.

Right to damages pursuant to data protection legislation

•  Under EU data protection legislation, there is a right to seek compensation where a Plaintiff has suffered “material or non-material damage as a result of an infringement” of the legislation. However, the Court noted that there is not an automatic right to compensation merely due to an infringement of the legislation but there is provision for a right to compensation where a Plaintiff has suffered “no harm other than those adverse emotional effects of a temporary nature”.
• In the Irish context, the Court considered that the right to compensation as a result of breaches of the data protection legislation, can only arise from tortious actions i.e. negligence. 

Conclusion

• The Supreme Court found in favour of the Plaintiff and allowed the appeal from the High Court.
• The Court held that a claim in tort for emotional distress arising from a data breach, which does not come within the scope of a medically recognised psychiatric illness, does not amount to personal injury and does not require PIAB authorisation. However, the level of any award of damages would be minimal.  
• Where a Plaintiff suffers a medically recognised psychiatric injury due to an infringement of their rights under data protection legislation, the Court concluded this would be a personal injury and the Plaintiff would be required to have obtained authorisation from PIAB prior to issuing proceedings.
• This distinction is important, in the context of what Courts will consider in claims for data breaches and damage resulting from those breaches in the future.