NEWS

Recent Developments in the Area of Data Protection Claims in Ireland

Written By Deirdre Miller B.L.

On 11 July 2023 at the Dublin Circuit Court, the plaintiff in Kaminski v Ballymaguire Foods Limited [2023] IECC 5 was awarded €2,000 compensation for non-material damage arising from the further processing of his personal data collected via CCTV contrary to the GDPR, which was held to be a breach of his data protection rights. The plaintiff brought the claim against his employer, after CCTV footage in which the plaintiff was identifiable was used in a meeting of managers and supervisors to demonstrate instances of poor food safety practices in the organisation. As a result, the plaintiff, who was employed as a supervisor, suffered damage and distress (anxiety and embarrassment) due to the comments of colleagues, that the Court found went beyond mere upset.

A person who has suffered material or non-material damage because of an infringement of their data protection rights, can seek compensation from the controller or processor of the data for the damage suffered.

This decision is significant as it is the first written judgment in Ireland addressing the question of non-material damage under Article 82 of the GDPR and the statutory claim mechanism established by section 117 of the Data Protection Act 2018. The decision was given in a legal context where there are preliminary references, from courts across the European Union, before the Court of Justice of the European Union (CJEU) concerning questions on the application of Article 82 of the GDPR and the determination of non-material damage. In a number of cases before the Irish Courts, stays have been granted pending the CJEU’s decisions on the preliminary references.

However, in Kaminski v Ballymaguire Foods Limited, the parties had not sought to stay proceedings pending the outcomes of the preliminary references, and instead, as Judge O’Connor observed, sought to have the case dealt with “as quickly and efficiently as possible”. The plaintiff had not waited for the outcome of his complaint to the Data Protection Commission (DPC) before taking court proceedings.

Judge O’Connor applied the recent decision of the CJEU in UI v Osterreichische Post C-300/21, (Osterreichische Post), which set the test for non-material damages under the GDPR, as follows:

• mere infringement of the GDPR will not give rise to a right to compensation for material or non-material damage;
• there is no de-minimis standard of loss to be suffered for an individual to recover compensation under the GDPR;
• there must be a causal link between an infringement of data protection law and damage suffered to recover compensation under the GDPR.

The decision in Kaminski v Ballymaguire Foods Limited provides helpful guidance on what damage will be eligible for compensation under the GDPR in Ireland and the level of compensation that is likely to be awarded where claims are successful. Judge O’Connor provided a list of factors relevant to an assessment of non-material damage under Article 82 of the GDPR and section 117 of the Data Protection Act 2018, as follows:

1. A “mere breach” or mere violation of the GDPR is not sufficient to warrant an award of compensation.
2. No minimum threshold of seriousness is required for a claim for non-material damage to exist. However, compensation for non-material damage does not cover “mere upset”.
3. There must be a link between the infringement and the damages claimed.
4. If the damage is non-material, it must be genuine, not speculative.
5. Damages must be proved. Supporting evidence is strongly desirable.
6. Data protection policies should be clear and transparent, and accessible by all parties affected.
7. Employers should ensure privacy notices and CCTV policies are clear to employees.
8. Where a personal data breach occurs, it may be necessary to ascertain what steps the relevant parties took to minimise the risk of harm from the breach.
9. An apology, where appropriate, may be considered in the mitigation of damages.
10. Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
11. A claim for legal costs may be affected by these factors.
12. Even where non-material damage can be proved and is not trivial, damages in many cases will probably be modest.

Key Takeaways for DPOs from the Judgment in Kaminski v. Ballymaguire Foods Limited

• Assessment of Damages: We now have Irish guidance from the courts on the assessment of claims for non-material damage. However, further developments in this area are expected with each decision of the CJEU on the preliminary references currently before it.
• Legitimate Interest Assessments: This judgment highlights the importance of completing and documenting a legitimate interest assessment (LIA) where the controller or processor seeks to rely on legitimate interests as a lawful basis for processing data. In this case, the employer had sought to rely on legitimate interests as a lawful basis for processing its employee’s data. However, the Court was critical of the lack of a LIA and the failure to consider the interests, rights, and freedom of the employee against a clear legitimate interest of the employer.
• Data Protection Policies: This judgment serves as a reminder to controllers to ensure that it is clear to data subjects what data protection policy applies to their data. In this case four conflicting policies on use of CCTV applied, which created confusion and it was not clear to the employee what policy applied or on what lawful basis the employer was processing his data. The Court commended the employer for updating its policies and making them available in the various first languages of its employees.
• Potential for claims to be taken in the District Court: This claim was taken under the statutory claim mechanism established by section 117 of the Data Protection Act 2018, which provided for data protection claims to be taken in the Circuit Court. It should be noted that the Courts and Civil Law (Miscellaneous Provisions) Act 2023, which was signed into law on 5 July, has amended section 117 of the Data Protection Act 2018 to allow for data protection claims to be taken in the District Court (which has a monetary jurisdiction of up to €15,000). The relevant section has not yet commenced, which means for now, data protection claims will continue to be taken in the Circuit Court. An award of €2,000 compensation for non-material damage (such as in this case) would fall within the jurisdiction of the District Court, which would also mean lower legal costs for the parties in future cases once this provision is commenced.
• DPC Complaints Mechanism: This case is a reminder that a data subject does not have to wait for the outcome of their complaint to the DPC before bringing a claim against a controller or processor in the Circuit Court.
• Security of Personal Data: The Court commented on the significant risk created by the storing of the CCTV footage on a communal work computer without password protection for two weeks after the incident. Although the CCTV did not appear to be accessed by any unauthorised persons during this time and there were no allegations of unlawful processing, it nonetheless highlights the importance of implementing appropriate technical and organisational measures to ensure all personal data are held securely. It also highlights the significant risk created by a delay in dealing with the data breach incident. Controllers have an obligation to respond promptly to data breach incidents and report a personal data breach within 72 hours to the DPC. This judgment makes it clear that any delay in responding to a data breach incident will be relevant to the assessment of non-material damages. (Note, this is separate to any administrative fine which may be imposed by the DPC.)