How courts in Ireland are dealing with ‘non-material’ damage claims rooted in data protection laws

The concept of ‘non-material’ damage

The issue of non-material damage arising out of a breach of data protection law has been a prominent subject of discussion in the EU since the introduction of the GDPR in 2018. Questions have arisen on whether a minimum level of loss is required to justify an award for non-material damage.

Article 82(1) of the GDPR provides individuals who suffer material or non-material damage as a result of an infringement of the GDPR with the right to receive compensation from the controller or processor for the damage suffered.

While the GDPR does not define "non-material damage", a non-binding recital in the regulation, recital 146, suggests that the "concept of damage should be broadly interpreted" and that data subjects should receive "full and effective compensation for the damage they have suffered".

The question of what constitutes ‘non-material’ damage under the GDPR has been considered by the Court of Justice of the EU (CJEU). In May 2023, the CJEU ruled that the mere infringement of the GDPR is not sufficient to confer a right to compensation but that EU member states are precluded from imposing rules or practices that require claims for compensation based on non-material damage to reach “a certain degree of seriousness”. The CJEU has confirmed that it is for member states to decide the rules on compensation for non-material damages.

The Irish court’s first written judgment on the issue was in the case of Kaminski v Ballymaguire Food Limited. The Circuit Court accepted that non-material damage caused to an employee by a data breach of his employer can be compensated, and on the facts of the case made an award of €2,000. The law in this area was developed further in the more recent case of Dillon v Irish Life Assurance PLC.

Dillon v Irish Life Assurance PLC and the question of procedure

Individuals wishing to bring a claim for a breach of the GDPR may face a procedural hurdle when seeking damages for personal injuries. This is because of the interaction between the Personal Injuries Assessment Board Act 2003 (PIAB Act), the Data Protection Act 2018 (DPA 2018) and the GDPR. In “civil actions” under the PIAB Act, individuals are required to obtain prior authorisation from the Personal Injuries Assessment Board (PIAB) before pursuing an action in court.

The relevant provisions of the PIAB Act do not deprive the court of jurisdiction to deal with the case in the event of non-compliance, but rather the non-compliance may be used by the defendant in its defence as a shield. This issue was not raised as a defence by the defendant in the Kaminski case as the data breach was strongly denied.

This, however, was a central issue in the most recent Dillon case. The court was asked to consider whether Dillon’s claims of “distress, upset, anxiety, inconvenience, loss, and damage” due to alleged data rights breaches constituted a “civil action” under the PIAB Act. If they did, Dillon would have needed prior authorisation from PIAB to bring the claim and proceedings would need to have been issued as a personal injury summons.

Dillon, owner of a life assurance policy, alleged that Irish Life Assurance PLC (Irish Life) unlawfully sent letters containing his personal data to an unauthorised third party. He claimed these actions amounted to data breaches caused by Irish Life’s negligence and breach of duty. Irish Life argued that Dillon’s claim should be struck out due to lack of PIAB authorisation. The Circuit Court agreed and dismissed the proceedings on the grounds they were frivolous, vexatious, or bound to fail.

This decision was appealed to the High Court, where Dillon sought to argue that the claims made by him were essentially claims for non-material damage provided for under the GDPR. The court, however, noted that his case was not pleaded exclusively in those terms. The court firmly rejected the argument that a claim made under the compensation provisions of the GDPR “would in and of itself” not require an authorisation under the PIAB Act. Dillon argued that application of the PIAB Act would be contrary to EU law but the court found no issue conceptually with a claim under the GDPR being subject to a PIAB application and authorisation insofar as the claim was properly construed as a “civil action”.

Dillon argued that “distress, upset and anxiety” is not captured by the definition of “personal injury” and was a way of describing non-material damage for the purposes of recovery under the GDPR. However, relying on an approach adopted in the Irish Supreme Court case of Murray v Budds & Anor in 2017, the judge said it was difficult to treat a claim for “distress”, “upset” and “anxiety” as substantially different to a claim that a plaintiff suffered “worry and stress”, which the Supreme Court found amounted to a form of claim for personal injuries.

On the procedural point specifically, the court held that while it may be cumbersome to have to make an application to PIAB for authorisation where assessment is unlikely, the process does not prevent the bringing of a claim for non-material damage in the circuit court.

The High Court dismissed Dillon’s appeal and held that the proceedings were a form of “civil action” within the meaning of the PIAB Act and therefore required prior authorisation from PIAB before issuing proceedings.

The judge made reference to his decision in the case of Keane v Central Statistics Office, noting the distinction in terms of fact and legal principles. That claim related to a data breach by the defendant where the court found that the only remedy being sought was damages for personal injuries and on that basis the plaintiff should have applied for authorisation from PIAB.

Outlook

For businesses, the ruling in the Dillon case provides helpful clarification of the procedural requirements individuals seeking to raise claims for non-material damages rooted in data protection law will need to consider in Ireland, if the remedy sought is for personal injuries.

Interestingly, in the case of Kaminski, the court proffered that an independent or conciliation resolution process would be a “suitable alternative dispute pathway to resolve data breach assessments”.

The relatively low level of damages awarded in that case indicates that most claims of non-material damage under section 117 of DPA 2018 will fall within the remit of the District Court, which now has jurisdiction to hear data protection claims in Ireland under the Courts and Civil Law (Miscellaneous Provisions) Act 2023. The current limit for compensation recoverable in the District Court is €15,000.