Legal Updates

The Commercial Court has found a company director to be personally liable for the unauthorised disclosure of personal data in breach of data protection legislation. However, the court awarded only nominal damages after considering the issue of ‘actual damage’ suffered by the plaintiffs.

Background

In Nolan & ors v Dildar & Ors [2024] IEHC 4, the Commercial Court considered a number of claims by the plaintiffs, as trustees of a family pension fund, in respect of the alleged misappropriation of €6.96 million.

One aspect of the case related to a claim by the plaintiffs that the fifth defendant, Mr Millet, a pensions advisor, supplied personal data of the plaintiffs to an Isle of Man based fund, without their knowledge or consent.

The personal data included the names, dates of birth, home addresses and PPS numbers of each of the members of the family, which was provided in a letter on the headed paper of the eighth defendant, a limited company of which Mr Millet was a director. The letter was signed by Mr Millett personally. Copies of the plaintiffs passports were also provided.

In interrogatories exchanged in the course of the proceedings, Mr Millett accepted that the material had been disclosed without the plaintiffs’ permission.

Data Protection Legislation

The disclosure took place in 2013 and as such, the relevant legislation at the time was the Data Protection Acts 1988 to 2003 (this being at a time before the introduction of the General Data Protection Regulation (‘GDPR’)).The court held that there was an unauthorised disclosure of personal data under the relevant statutory provisions, which constituted a tort remediable by an award of damages.

Liability of the Fifth Defendant

While the disclosure was made under cover of a letter of the limited company, it was signed by Mr Millet. The court held that as the ‘human author’, he could not escape liability for the disclosure, noting that it is a well settled principle that where a company director procures the commission of a tort, the director will incur personal liability.

In terms of the quantum of damages, the court considered that there was no evidence that the disclosure of data had any adverse consequences for the plaintiffs nor had they suffered any actual damage. The data had not been disseminated more widely by the recipient and there was no evidence that Mr Millet had personally benefited from the disclosure.

The Commercial Court made an award of nominal damages of to each of the personal plaintiffs, a total of €3,000, to mark the fact that their rights had been infringed.

Comment

The judgement is notable in that it held Mr Millett liable in his personal capacity, despite the fact the data was sent under cover of a letter on the headed paper of another corporate defendant to the proceedings.

On the issue of quantum, the right to compensation for data breaches has been the subject of judgments from the Court of Justice of the European Union (‘CJEU’), including Case C – 300/21 UI v Osterreichishe and Case C-340/21 VB v. Natsionalna agentsia za prihodite, where it was held that in order to recover compensation, the data subject must have suffered material or non-material damage, with a causal link between that damage and a GDPR infringement. While a mere infringement of the GDPR, of itself, will not give rise to compensation, non-material damage arising from a breach of GDPR does not need to reach a certain level of seriousness to attract compensation. It is a matter for national courts to determine damages based on the level of harm caused by the breach. This approach has been reiterated in the April 2024 judgment in Case C‑741/21 GP v Juris GmbH, which held that a person seeking compensation for non-material damage is required to establish not only the infringement of GDPR, but also that the infringement caused him or her such damage.

This approach has been adopted in Ireland. The Circuit Court, ,in Kaminski V Ballymaguire Foods [2023] IECC5, held that a mere breach of GDPR is not sufficient to warrant compensation and damage must be proved. In Kaminski, the court held non-material damage had been suffered by the plaintiff but awarded a relatively low sum of €2,000 as compensation.

In the Nolan case, the Commercial Court held that there was no evidence that the plaintiffs had suffered any ‘actual damage’. However, the data breach was not determined pursuant to the GDPR and formed a minor part of the overall claim before the court.

The nominal level of the award directed by the Commercial Court is noteworthy in terms of data breach compensation, particularly in light of other modest awards for non-material damage following the Osterreichishe case and also, the recent statutory change, pursuant to s77 Courts and Civil (Miscellaneous Provisions) Act 2023, which allows data protection claims to be brought in the District Court, which has monetary jurisdiction to hear claims up to €15,000.