CKT

2 George’s Quay, Cork T12 TR2A

Ormond Building, 31-36 Ormond Quay, Upper Dublin 7 D07 E303

Damages For Breaches of GDPR under S.117: Serious Breach Resulting in Retraumatisation

  • February 4, 2025
  • Posted by: Colm Hurley
  • Category: News
No Comments

Alison Kelleher, Partner and Sarah Biggin, Trainee Solicitor examine the complex law surrounding non-material damage in GDPR claims and a recent decision where damages were awarded for a serious breach resulting in “retraumatisation” in the Circuit Court. This decision is welcome edification on the more serious breaches whilst we await the Supreme Court Decision of Dillon v Irish Life which will provide clarity as to whether non-material damages for “distress, upset and anxiety” under the GDPR qualify as personal injury claims.

M.H. v The Child and Family Agency [2023] IECC 11

Background

The Plaintiff claimed she suffered upset and distress after the Defendant released her personal data, including sensitive details of childhood abuse suffered by the Plaintiff, to her now deceased brother. The information was subsequently shared with other family members, leading to significant emotional distress and damage to the Plaintiff’s familial relationships. The defendant acknowledged that a breach had occurred, and that the confidential information was inadvertently disclosed

Damages

The issue before the Court was the assessment of damages. The Court referenced the guidelines established in Kaminski v Ballymaguire Foods Limited [2023] IECC 5 concerning data protection and damages for non-material loss. The judgment reaffirmed that a mere breach of the General Data Protection Regulation (GDPR) does not automatically entitle a Plaintiff to compensation. However, on the facts of this case the Court determined that the breach was of a serious nature, given the highly sensitive nature of the information and “the unsatisfactory manner in which it had been handled by the Defendant”.

The Judge noted that the Plaintiff’s distress was not limited to mere upset but amounted to a ‘retraumatization’. The court emphasised the link between the data breach and the harm suffered, particularly the damage to the Plaintiff’s familial relationships. The Court noted that no medical evidence was required, as the Plaintiff had proved that she had suffered damage and upset “of a very distressing kind” as a result of the breach.

The court also noted that the Defendant had failed to take any steps taken to minimise the damage. Although an apology was issued, it came several months after the breach.

The Court ruled that whilst non-material damages in data protection cases are generally modest, this case warranted a higher award due to the significant harm caused. In awarding the Plaintiff €7,500 the Court recognised the very high level of trust a Plaintiff places in the Child and Family Agency and therefore the Agency had a duty to handle sensitive data with the highest level of care and propriety.

This ruling provides a helpful guide for parties as to the level of damages recoverable in cases where significant harm has been proved.  It is also helpful in guiding practitioners as to the appropriate jurisdiction for these S.117 claims which as of January 2024 can be issued in the District Court.

Dillon v Irish Life Assurance [2024] IESCDET 92

Practitioners in this area are eagerly awaiting the Supreme Court Decision in Dillon v Irish Life Assurance [2024] IESCDET 92 which raised significant questions regarding claims for non-material damage under the GDPR. That judgement is due shortly and will examine whether claims for distress, upset, and anxiety, constitute “personal injury” under Irish law, therefore requiring prior authorisation from the Personal Injuries Assessment Board (PIAB).

The Plaintiff alleged that Irish Life had wrongfully disclosed his personal data to an unauthorised third party over an extended period, causing him harm, distress, upset, anxiety and inconvenience. Irish Life argued that the Plaintiff’s claim constituted a “relevant claim” under Part 2 of the Personal Injuries Assessment Board Act 2003 therefore requiring prior authorisation from PIAB before legal proceedings could be initiated.

On appeal from the Circuit Court, the High Court decided the Plaintiff’s claim was a “civil action” within the meaning of the PIAB Act and as such required prior authorisation from PIAB. This decision was then appealed to the Supreme Court who granted leave to appeal the decision on the basis that the case raised issues of general public importance and recognised the significance of the issue for litigants.  A ruling is expected this term, and its outcome could have far-reaching consequences for non-material damage in data protection claims.

Conclusion

This clarification of the potential value of claims where the damage proved is at the more serious end of the scale is to be welcomed. The judgement also serves as a reminder to Data Controllers that the steps taken to minimise and remedy the breach such as an apology may be taken into account when measuring damages.

The upcoming Supreme Court decision in Dillon is eagerly awaited and will provide crucial clarification on whether claims for non-material damage under the GDPR should be classified as personal injuries under the PIAB Act.