Irish Supreme Court appeal will significantly impact GDPR non-material damages claims

An upcoming Irish Supreme Court appeal will have significant impact on claims for ‘non-material’ damage under the General Data Protection Regulation (GDPR), an expert has said.

The case, Patrick Dillon v Irish Life Assurance Public Limited Company, revolves around the alleged wrongful disclosure of personal data and a subsequent claim for non-material damages under the GDPR.

Zara West, commercial litigation specialist at Pinsent Masons, said: “The applicant is looking to appeal and has identified a number of points which are a matter of general public importance and will have an impact on a significant number of cases and the procedural hurdles that claimants will need to follow in the future.”

The determination allowing the appeal decided that interaction between the concept of non-material damage under the GDPR and the concept of “personal injuries” in Irish law, and the definition of “personal injury” in the Civil Liability Act 1961 Act, are all novel and important issues.

The applicant claims the issues involved in the appeal have EU and constitutional significance in terms of ensuring the uniform application of GDPR and the right access to the courts.

Dillon initially brought proceedings against Irish Life Assurance PLC in the Dublin Circuit Court alleging that the company had wrongfully disclosed his personal data via letters sent to an unauthorised third party. This disclosure, according to Dillon, resulted in significant distress, upset and anxiety.

The Circuit Court dismissed the proceedings on the grounds that prior authorisation had not been obtained from the Personal Injuries Assessment Board (PIAB), as required by the Assessment Board Act 2003 (PIAB Act). Dillon argued that his claim was for non-material damages under GDPR, rather than a personal injuries action. However, the Circuit Court maintained that the damages sought, which included for distress and anxiety, fell within the definition of personal injuries and so required PIAB authorisation.

Dillion subsequently appealed the decision to the High Court. The High Court upheld the Circuit Court’s decision, finding that damages for distress, upset and anxiety arising from alleged GDPR infringement were indeed in the nature of personal injuries, referencing the Civil Liability Act 1961, the PIAB Act, and the Supreme Court’s 2017 decision in Murray v Budd, concluding that such impairments, even if non-material, fell within the scope of personal injuries requiring PIAB authorisation.

The ‘leapfrog’ appeal to the Supreme Court, bypassing the Court of Appeal, was justified by the applicant based on the exceptional circumstances of the case, in that there was no other appeal route open to him and only the Supreme Court could revisit the Murray v Budd decision. It indicated a potential reference to the Court of Justice of the European Union (CJEU) on the issue of whether a “requirement to obtain PIAB authorisation where damages were sought by distress, upset and anxiety failed to give full force and effect to the GDPR”.

Irish Life opposed the application contending that, amongst other arguments, a novel issue was not raised regarding the meaning of ‘personal injuries’ as that issue had been determined in previous case law. It argued that Dillon could have sought a reference to the CJEU during the appeal to the High Court. It maintained that any reference in relation to PIAB authorisation process was unnecessary as it did not contravene EU law. However, in making its initial decision to grant Dillon leave to appeal the High Court decision, the Supreme Court said it “has never had to consider the concept of ‘non-material damages’ and the interaction of that concept with the domestic procedural rules governing claims in tort” – including the provisions of the PIAB Act.

The Supreme Court also noted that the judgment of the High Court gives rise to an issue as to whether a requirement for PIAB authorisation is compatible with Article 82 of the GDPR. The court may also have to revisit its decision in Murray v Budd, although it noted that the circumstances of that case did not involve GDPR issues and the context was very different to the context in Dillon’s case.

The court added: “As well as raising important questions of principle, these issues are of significant practical importance for litigants and for the courts dealing with data protection claims.”

West said: “Regardless of the outcome, this case underscores the importance of robust data protection measures and the need for clear legal frameworks to address the complexities of modern data privacy issues.”