Skip to main content

Non-material Damage for Data Protection Breaches before the Irish and EU Courts – Clarity Ahead?

|

Data protection claims are in the dock. The Irish Circuit Court has temporarily halted proceedings for non-material damage claims pending clarity from decisions by the Court of Justice of the European Union on compensation for non-material damage in relation to 'mere upset' as a result of data privacy infringement.

On 27 January 2023, Judge O’Connor's judgment in the case of Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others [2023] IECC 1 was published. The case is one of several cases arising from a cyber-attack on Fastway Couriers' systems in 2021, in which thousands of customers' data became compromised. Mr. Cunniam's personal data, including his name, address, email address and mobile number, were allegedly accessed by a third party as a result of this incident.

The claim

The plaintiff brought a claim for non-material damage, claiming he has suffered interference with his peace and privacy. He also states that he is apprehensive about how his personal data may have been used following the cyber-attack. The plaintiff asserts that he has been contacted by unknown third parties and has lost control over his data as he was unable to exercise any rights to erasure, rectification or restriction of processing of his personal data by these unknown third parties.


The plaintiff, Mr Cunniam, sought damages pursuant to Article 82 of the General Data Protection (GDPR) and Section 117 of the Data Protection Act 2018 (DPA 2018) which states that:


"a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action… against the controller or processor concerned."

 

Stay on proceedings

The Irish superior courts have not yet dealt with Article 82 of the GDPR and Section 117 of the DPA 2018 in a written decision, apart from some obiter remarks by Judge Whelan in Shawl Property Investments Ltd v A & B [2021]. In this case, Judge Whelan stated that the DPA 2018 does not suggest "that a data protection action is a tort of strict liability” and that the principle of proportionality should be applied when evaluating claims for breaches of the GDPR.


The defendants, Fastway Couriers, did not deliver a defence and instead sought a stay of the plaintiff’s proceedings, pending the outcome of a number of preliminary references made to the Court of Justice of the European Union (CJEU) concerning the application of Article 82 of the GDPR. Of the awaited CJEU preliminary reference decisions, all eyes are on the outcome of Case-300/21 UI v Österreichische Post (the Österreichische Post Case).

 

The Österreichische Post Case

On 6 October 2022, Advocate General Campos Sánchez-Bordona handed down an opinion in the Österreichische Post Case. The Advocate General opined that Article 82 of the GDPR is to be interpreted as meaning a mere infringement of a provision of the GDPR is not in itself sufficient to merit the award of compensation for damages if the infringement is not accompanied by the relevant material or non-material damage. He went on to state that compensation for non-material damage "does not cover mere upset" but that it was for the national courts to determine, in light of the facts, whether a subjective feeling of displeasure may be deemed to be non-material damage.

 

Potential impact of the decision in the Österreichische Post case

The decision of the CJEU in the Österreichische Post case will provide clarity on this important element of the law on non-material loss and damages for data protection claims.  If the CJEU follows the opinion of the Attorney General, it will mean that claimants for non-material loss and damage will not automatically be entitled to compensation in every case. Such is the importance in the decision of the CJEU that Judge O’Connor was satisfied that the proper course of action was to stay the proceedings pending the conclusion of the CJEU cases.  

 

What does this mean for businesses?

Of note for businesses currently facing claims in Ireland, Judge O’Connor did mention that in the circumstances of the case before him, should it be deemed that the plaintiff is entitled to compensation, the damages are likely to be small.

 

Article provided by INPLP member: Leo Moore (William Fry, Ireland)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}