Rachel Hayes, Adele Hall and Aoife Keenan

In M.H. v Child and Family Agency, a 2023 ex tempore judgment, the Circuit Court awarded the plaintiff €7,500 for non-material damages under the General Data Protection Regulation (GDPR). The case concerned a personal data breach claim against the government agency, Tusla.

The plaintiff instituted proceedings for damages arising from a personal data breach caused by the negligence and breach of duty on the defendant’s part. The personal data included the plaintiff’s highly sensitive and confidential data, which was processed and circulated by the defendant to a third party without the plaintiff’s consent. 

Unlawful disclosure to a third party 

The personal data which was the subject of the breach related to abuse suffered by the plaintiff during her childhood.

The defendant accepted that a personal data breach occurred and that sensitive information was released to the person, the subject of the abuse allegations, and other family members of the plaintiff.

The information disclosed included a detailed attendance note on the abuse.

The plaintiff alleged that the unlawful disclosure caused damage to her relationship with her family and that she suffered upset and distress as a result.

Following Kaminski v Ballymaguire Foods

Kaminski v Ballymaguire Foods guided the court regarding the law on data protection and damages for non-material loss. In that case, €2,000 was awarded for non-material damages under Article 82 of the GDPR. In Kaminski, the plaintiff’s personal data, captured via CCTV, was used without his consent for workplace training. 

Applying Kaminski, the court in MH held that given the private and sensitive nature of the childhood sexual abuse allegations, the data breach was sufficiently serious to justify awarding compensation. You can read more on the Kaminski v Ballymaguire Foods Limited [2023] IECC 5 judgment in our update here.

PIAB authorisation – not required?

The decision did not follow Keane v Central Statistics Office [2024] IEHC 20. In Keane, the High Court clarified the procedural steps in personal data breach cases where the applicant claimed to have suffered anxiety and distress (i.e. non-material damage). O’Donnell J held that the plaintiff was required by the Personal Injuries Assessment Board Act 2003 to apply to PIAB for an assessment of her claims before commencing proceedings.

Currently, the requirement for a PIAB authorisation for non-material damages claims under the GDPR is in a state of flux within the Irish courts. This issue is currently under review by the Supreme Court under the case Dillon v Irish Life.

Evidence provided by plaintiff and defendant

Given the subject matter and the highly sensitive nature of the personal data mishandled, the court classified the breach as serious.

The plaintiff testified that the breach caused substantial emotional distress. The Court accepted the plaintiff’s testimony as sufficient evidence of the damage suffered without requiring any further medical evidence. It found that the plaintiff was well-placed to give evidence of the unlawful disclosure’s impact (and causal link) on her emotional well-being and that no further medical evidence was required.

The court also noted that the defendant provided no evidence regarding the steps taken to mitigate the damage caused to the plaintiff by the personal data breach. Although the defendant apologised to the plaintiff, that was several months after the personal data breach occurred. 

Key takeaways for controllers/processors

1. The decision applies the Kaminski decision and the Austrian Post case, emphasising that only breaches of a serious nature warrant an award for non-material damages.

2. The fact that the defendant had not taken any steps to mitigate or rectify the damage caused by the personal data breach was considered by the court, indicating the importance of such measures.

3. Notably, the court did not require medical evidence to assess the plaintiff’s mental state. It accepted the plaintiff’s testimony, indicating that a first-hand account of stress or trauma can serve as compelling evidence in cases involving non-material damages for GDPR breaches. This suggests that courts may give considerable weight to the subjective experiences of data subjects, which could result in higher awards for non-material damages. However, every case will be determined on its own individual facts. 

Analysis: An evolving GDPR environment

This case marks the highest award of damages under the GDPR in the Irish courts to date.

The plaintiff successfully demonstrated that the personal data breach, which involved the unlawful disclosure of sensitive information to a family member, caused substantial damage to her familial relationships. The court concluded that the damage was genuine and not trivial, warranting an award of €7,500 for non-material damages.

The court’s decision demonstrates the serious nature of the breach and sets a precedent for future GDPR-related claims in the Irish courts.

As data protection claims become more common in the Irish courts, the compensation framework continues to evolve — particularly with regard to PIAB authorisations for non-material damage claims. It is expected that this issue will be determined by the Supreme Court in Dillon. 

The decision demonstrates the importance of businesses not disclosing personal data unlawfully and mitigating (where possible) any potential non-compliance (such as seeking a data subject’s consent before further processing or disclosing). It also solidifies the importance of complying with transparency, lawfulness and fairness principles.

• Rachel Hayes is a partner in William Fry’s technology department, Adele Hall is a senior associate in the firm’s litigation and investigations department and Aoife Keenan is an associate in the firm’s technology department.