GDPR – Welcome clarity for actions concerning non-material damage

Article 82 of the General Data Protection Regulation (“GDPR”), contains the right to compensation for damages under GDPR and was implemented into Irish law by Section 117 of the Data Protection Act 2018. It provides that data protection actions are to be founded in Tort.

For some time there has been uncertainty surrounding the concept of “non-material damage” arising from an infringement of GDPR. On 4 May 2023,  the case of [i]C-300/21- Ul v Osterreichische Post AG the Court of Justice of the European Union (“CJEU”) delivered its decision on this concept and set out the requirements to be applied by Member States when determining the amount of compensation payable.

• A mere infringement of GDPR is not sufficient to establish a right to compensation.
• In order to obtain compensation there must have been the processing of personal data that infringes the provisions of GDPR, damage suffered by the data subject, and a casual link between that unlawful processing and that damage.
• Each Member State can prescribe the criteria for determining the extent of compensation payable, provided that the principles of equivalence and effectiveness of EU law are complied with.

Irish case law

The issue of “non-material damage” has recently been addressed by the Dublin Circuit Court in the case of [ii]Arkadiusc Kaminski v Ballyguire Foods Limited [2023] IECC 5.

The proceedings in this case were initiated by a claim by the Plaintiff that there had been an unlawful processing of his data by the Defendant in the use of CCTV footage which identified the Plaintiff, and that as a consequence, he had suffered damage and distress, namely anxiety and embarrassment, due to remarks made by work colleagues.

The Plaintiff initially complained to the Data Protection Commission (“the DPC”) about the incident. However, as the complaint was not assigned to a complaint handler, the Plaintiff did not wish to delay his case by awaiting the DPC’s decision, so the matter went before the Circuit Court pursuant to Section 117 of the 2018 Act.

Judgment

In assessing damages for non-material loss, the Court stated that the following factors will be considered[iii]:

• Under GDPR, once rights have been infringed there is a right to an effective remedy pursuant to Article 47 of the Charter of Fundamental Rights.
• “Non-material damage” is not defined in the GDPR, however, Recital 146 of the GDPR provides that the “concept of damage should be broadly interpreted” and that data subjects should receive “full and effective compensation for the damage they have suffered”.
• A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
• While there is no minimum threshold of seriousness required for a claim for non-material damage to be successful, compensation for non-material damage does not cover “mere upset.”
• There must be a link between the data infringement and the damages claimed.
• If the damage is non-material, it must be genuine, and not speculative.
• Damages must be proved. Supporting evidence is strongly desirable.
• Data policies should be clear and transparent and accessible by all parties affected.
• Employers should ensure their employee privacy notices and CCTV policies are clear to employees.
• Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach.
• An apology where appropriate may be considered in mitigation of damages.
• Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
• A claim for legal costs may be affected by these factors.
• Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, from the Oireachtas or the Superior Courts and/or the Judicial Council, the Court stated that it had taken cognisance of the factors outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500

The Court in this case concluded that the Defendant had failed to plead a legal basis for the processing of the Plaintiff’s data, nor did it carry out a legitimate interest assessment to show if the processing was necessary to achieve it. Ultimately, the Court decided that there was an infringement of the Plaintiff’s rights under the GDPR and made an award to the Plaintiff of €2,000 for non-material damages.

Conclusion

With the judgment of the CJEU and the first written judgment in Ireland in this area, there is welcome clarification on the meaning of non-material damage. National courts now have confidence and a clear understanding of the factors needed to consider such an action for compensation.
In light of the award in the Arkadiusc Kaminski v Ballyguire Foods Limited [2023] IECC 5, it is likely that most claims of non-material damage will fall within the remit of the District Court. Interestingly, the judgment provided in the case mentioned above suggested that matters of this nature should consider seeking an alternative dispute resolution process such as an independent adjudicative process or conciliation as a means to resolve data breach assessments. In some cases where damages are likely to be low a prospective Plaintiff might be better off adopting this suggestion which, arguably, should be considerably less expensive than formal litigation.

[i] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0300
[ii] https://www.courts.ie/view/Judgments/b29c0f8b-f732-47cf-85ef-37566b36f88c/60c1e7c8-a82b-4447-a919-111d788d2d12/2023_IECC_5.pdf/pdf
[iii] See Paragraph 11.6 of the judgment here