GDPR Non-Material Damages Claims in Ireland: Procedure Clarified, Expectations Lowered

What You Need to Know

The Irish Supreme Court¹ has clarified that data breach claims for damages consisting solely of “distress, upset, and anxiety”, but short of a medically recognised psychiatric injury (“distress-only GDPR claims”), are not personal injuries and so fall outside the statutory personal injury assessment scheme. Instead, claimants seeking damages for such injuries may pursue their claims directly through the courts system.

However, the court observed that such claimants cannot expect anything other than “very, very modest awards”.

The decision provides welcome clarity for organisations and individuals on the appropriate procedural route for such data breach compensation claims and the modest quantum of damages likely to be recoverable.

Legal Background

The General Data Protection Regulation (the “GDPR”)², and Irish legislation implementing it³, provides for a right to compensation for “material or non-material” damage in the event of an infringement of the regulation. What constituted ‘non-material damage’ was the subject of considerable debate and concerns of unmeritorious compensation claims for technical infringements of GDPR rights.

The Court of Justice of the European Union recently clarified⁴ that, in respect of “non-material” damage: (1) a claimant must show actual harm caused by the infringement to be entitled to compensation, which may include temporary adverse emotional effects, such as fear of possible misuse of personal data by a third party; (2) a national rule requiring damage of a certain degree of seriousness to qualify for compensation was precluded; and (3) as to quantum, the domestic rules of each Member State applied subject to the principles of equivalence and effectiveness.

Separately, in 2003, the Irish legislature introduced a mandatory scheme for the assessment of personal injury claims. Claimants must submit their claim to an assessment board and, if the process does not resolve the claim, they then must obtain an authorising certificate from that board before proceeding to litigate in the courts, and use a particular form of initiating court document, or risk their claim being barred. For this scheme, a relevant claim was one based on “tort, breach of contract or breach of trust”, and ‘personal injury’ was defined as “including any disease and any impairment of a person’s physical or mental condition.”

In this case, the interpretation issue to be decided was whether distress-only GDPR claims constituted a personal injury action for the purposes of the relevant Irish legislation, and so should proceed through the statutory personal injuries assessment scheme before they could be litigated.

Factual Background

Mr Dillon held a life insurance policy with Irish Life Assurance plc (“Irish Life”). At various points between May 2008 and May 2020 Irish Life issued six letters in relation to the policy to a third party in error, that contained Mr Dillon’s personal and financial data. In 2021, Mr Dillon issued proceedings in an Irish Circuit Court seeking a declaration that his GDPR rights had been infringed; and (2) damages for “distress, upset and anxiety”.

At a pre-trial hearing, Irish Life successfully requested that the court dismiss the claim on the grounds that it was vexatious, frivolous and bound to fail: it argued, and the court agreed, that Mr Dillon’s claim constituted a personal injury action, he had not obtained an authorising certificate from the personal injuries assessment board and he had used the incorrect initiating court document. On appeal, the High Court agreed that Mr Dillon’s GDPR infringement claim and his alleged injuries constituted a personal injury action, and so was bound to fail. An additional argument, that to require authorisation from the assessment board before initiating proceedings excessively limited the GDPR right to compensation, was rejected. Mr Dillon was then granted leave to appeal to the Irish Supreme Court.

Decision

Mr Justice Murray gave the unanimous judgment of the court. Overturning the High Court, and so disagreeing with the Circuit Court, the Supreme Court held that distress-only GDPR claims did not constitute a personal injury action for the purposes of the personal injury assessment scheme.

• The court considered the statutory and common law definitions of ‘personal injury’, and appeal court decisions on claims for psychological injury, mental distress and anxiety. It considered the principles on recovery in negligence for
  cases involving solely psychological injury, in particular the distinction between recognised psychiatric injuries (recoverable) and distress, anguish, upset, fear, anxiety etc. (irrecoverable). It also considered that distress etc. was recoverable where it was consequent on other damage to persons or property, and whether based in tort or contract. In contract, damages for distress are available only where their recovery is envisaged by the contract.
• It considered that the personal injury assessment scheme did not intend to expand on the common law understanding of ‘personal injury’. Adopting a contextual and purposive interpretative approach, the court recorded the consequences and inconsistencies if distress-only GDPR claims constituted a personal injury action, including that the personal injuries assessment board’s function would extend to claims that were not legally valid or that did not neatly fit within the commonly understood concept of a personal injury claim (e.g. defamation, professional negligence, package holiday claims).

As the court had decided that Mr Dillon’s claim was not a personal injury action, the question of whether the personal injury assessment scheme excessively limited his GDPR right to compensation was moot.

Take Aways

Where a claimant seeks damages for a medically recognised psychiatric injury allegedly caused by a GDPR infringement, the claim is a personal injuries action and should proceed through the personal injuries assessment scheme.

The personal injuries assessment scheme does not apply to distress-only GDPR claims. Such claimants should not use personal injury initiating documents. And they should clearly base their claim on section 117 of the Data Protection Act 2018 rather than negligence or generic breach of duty.

But such section 117 distress only GDPR claimants should expect no more than “very, very modest” awards from the Irish courts.

Further Information

For further information, please liaise with your usual Maples Group contact or any of the persons listed on this page.