Share

15 May 2023

Data Breach Compensation Claims: Non-Material Damage

briefing

Litigation and Dispute Resolution

Download PDF here

For further information on any of the issues discussed in this publication please contact the related contact(s) on this page.

The General Data Protection Regulation 2016/697 (“the GDPR”) and the Irish Data Protection Act 2018 (“the DPA”) expressly provide that an individual (“the data subject”) has the right to compensation in respect of material and non-material damage suffered because of a personal data breach. To date, the Irish Courts have not published a written judgment on what constitutes “non-material” damage pursuant to the GDPR. However, a recent judgment delivered by the Court of Justice of the European Union (“the **CJEU ) on 4 May 2023 now provides some clarity for practitioners and data controllers when dealing with such claims.

In this article, we will consider the recent judgment delivered by the CJEU that will have direct effect on all claims that are currently pending and/or stayed before the Irish Courts.

Right to compensation

A ‘personal data breach’ is defined by the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. A data breach can happen in a number of ways, including inadvertently or due to a cyber-attack by a third party. Article 82 of the GDPR provides for a right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the GDPR.

Data Protection Actions in Ireland

Section 117 of the DPA incorporates Article 82 of the GPDR into Irish law, which provides for an individual to seek compensation for damage arising out of a data breach. Under section 117, if an individual believes his or her rights under the GDPR have been infringed as a result of an organisation’s failure to comply with its obligations under the GDPR, he/she may bring an action against the organisation, known as a ‘data protection action’.

The Circuit Court and High Court have jurisdiction in Ireland to hear and determine data protection actions and can grant reliefs by way of injunction, declaration or “compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment”. Damage includes “material” damage and “non-material” damage. A party bringing a claim pursuant to the DPA should be aware that the statute of limitations period of 6 years applies to a claim being made pursuant to section 117 of the DPA.

UI v Österreichische Post AG – Case C – 300/21

The claimant in this case sought compensation of €1,000 from Österreichische Post AG for alleged “non-material” damage arising from the actions by Österreichische Post AG in processing his personal data for political advertising purposes.

The claim was dismissed by the Austrian lower courts and on appeal, the Austrian Supreme Court referred a series of questions to the CJEU seeking clarification on the scope of compensation for “non-material” damage. The questions included, inter alia, whether a data subject is entitled to damages for the mere infringement of the provisions of the GDPR and whether a data subject must have suffered harm. The Austrian Supreme Court sought clarification on whether a data subject must have suffered more than “mere upset” to be entitled to compensation for “non-material” damage caused by the infringement.

Advocate General Opinion

On 6 October 2022 the CJEU published an opinion of the Advocate General Sanchez-Bordona (“the Advocate General”), stating that a de minimis approach should be followed. In his opinion, the Advocate General concluded that mere infringement of GDPR, without accompanying damage, is not sufficient for the purposes of awarding compensation. The Advocate General further concluded that compensation for “non-material” damage does not cover ‘mere upset’.

The opinion of the Advocate General was aligned with a number of decisions in the English courts which confirmed that the de minimis threshold must be exceeded for a claim of damages in data breach cases (see Lloyd v Google LLC [2021] UKSC 50).

While the CJEU judgment (discussed below) followed the opinion of the Advocate General in some respects, in contrast to the opinion, the CJEU did not explicitly state that “non-material” damage in the form of “mere upset” or an “unpleasant feeling” would be incapable of constituting a breach for which a right to compensation under Article 82 of the GDPR could arise. The CJEU did clarify, however, that the right to compensation is conditional on damage being suffered, the existence of an infringement of the GDPR and a causal link between that damage and that infringement.

The CJEU Judgment

The CJEU confirmed that:

  • A mere infringement of the provisions of the GDPR is not a sufficient threshold to confer a right to compensation for material or non-material damage;

  • There is no de-minimis threshold for an individual to have suffered in order to be awarded compensation under the GDPR but there must be a causal link between the damage suffered and the data breach in question;

  • For the purposes of determining the amount of damages, national courts must apply the internal rules of each Member State relating to the extent of pecuniary compensation, provided that the principles of equivalence and effectiveness of EU law are respected (i.e. there is no guidance in the judgment for the assessment of damages with the exception of the aforementioned principles); and

  • Article 82(1) of the GDPR precludes a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the person concerned has reached a certain degree of gravity.

Conclusion

While the judgment provides clarity on the entitlement of a data subject to seek compensation for “non-material” damage for a data breach pursuant to Article 82 of the GDPR, we must now await a judgment of the Irish Superior Courts to see how this decision will be interpreted in Ireland.

If you require advice in relation to the matters covered in this briefing, please contact a member of our Commercial Litigation Team.

The authors would like to thank Jack Doyle and Andrew Finlay for their contribution to this article.

DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.


Copyright Notice: © 2024 Dillon Eustace LLP. All rights reserved.