Analysis: Compensation for data breach claims – where are we now?
Uncertainty remains as to the correct interpretation of Article 82 of GDPR for the right of data subjects to obtain compensation for breaches of data. Rose Caroline McGrath BL and Mark Finan BL consider some of the approaches which are emerging from the references to the CJEU and the UK case law together with the continuing relevance of case law under the previous regime.
In the four years since the introduction of the GDPR, apart from obiter remarks by Whelan J in Shawl Property Investments Ltd v A. & B. [2021] IECA 53 that nothing stated in the Data Protection Act 2018 (which gives further effect to the GDPR in Irish law) “suggests that a data protection action is a tort of strict liability” and that regard should be had to “the principle of proportionality in evaluating claims for breaches of [the GDPR]”, there has been no consideration of Article 82 GDPR in any written decision of the Irish Superior Courts. Damages, consequential loss, inconvenience and expense cannot therefore be presumed from the mere fact that there has been a breach of the Data Protection Act 2018.
Uncertainty remains as to the correct interpretation of Article 82 and the law in this area remains unsettled. At the time of writing, there are seven references from Member States to the Court of Justice of the European Union requesting preliminary rulings regarding the interpretation of Article 82. The Courts of the United Kingdom have also had reason to consider the award of damages for data breach claims pursuant to the GDPR notwithstanding the occurrence of Brexit.
This article considers some of the approaches which are emerging from the references to the CJEU and the UK case law together with the continuing relevance of case law under the previous regime (Directive 95/46/EC and the Data Protection Acts 1988 – 2003).
The CJEU References: Six to consider
The first reference to the CJEU was made by the Oberster Gerichtshof (Austria) in May 2021 in Case C-300/21 – UI v Österreichische Post AG and poses the general question whether the award of compensation under Article 82 requires, in addition to an infringement of the GDPR, that an applicant has suffered harm. This reference also requests clarification on whether compensation for non-material damage requires the existence of a consequence more than upset caused by an infringement.
The Bulgarian reference in Case C-340/21 – VB v Natsionalna agentsia za prihodite seeks to establish whether worries, fears and anxieties suffered by a data subject whose data is breached in a hacking attack amount to non-material damage with an entitlement to compensation where no further harm has been caused to the data subject. The referring court requests guidance on whether Article 82(3) allows a data controller to escape liability for an unauthorised disclosure by way of a hacking attack by persons who are not employees of the controller or otherwise subject to its control.
In Case C-667/21 – ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, the referring German Court adopts the position that “infringement of the GDPR in itself already leads to non-material damage for which compensation can be sought” but questions whether the assessment of non-material damage pursuant to Article 82(1) requires a court to consider the preventative function of GDPR in addition to its compensatory function.
The question of non-material damage recurs in Case C-687/21 – BL v Saturn Electro-Handelsgesellschaft mbH Hagen. In this case, the underlying facts relate to the accidental disclosure of personal data when a sales contract for a household appliance was mistakenly given to an incorrect customer. The data was retrieved by the data controller within half an hour, and an offer of free delivery of the appliance as compensation to the data subject was made and rejected.
The questions referred by the German court include whether the compensation rule in Article 82 is invalid in the case of non-material damage due to the absence of any automatic legal effects specified; whether the occurrence of non-material damage must be demonstrated by an applicant, in addition to an unauthorised disclosure, to give rise to an entitlement to compensation; whether discomfort of a data subject whose data was unlawfully disclosed but retrieved without any third party reading the data is sufficient to establish non-material damage; and whether accidental disclosure of personal data in a printed document is sufficient to amount to an infringement of the GDPR.
The Landgericht Saarbrücken in Case C-741/21 – GP v juris GmbH asks whether non-material damage includes any impairment of a data subject’s legal position irrespective of the other effects and materiality of the impairment in light of recital 85 and recital 146 of the GDPR. The case giving rise to this referral involved several data breaches relating to the same data subject which were attributed to human error.
The referring court seeks confirmation of whether liability for a data breach is excluded where the breach occurs due to human error and whether compensation must be determined for each breach separately or on the basis of an overall assessment. Clarification is also sought on whether it is appropriate to assess compensation for non-material damage by having regard to the criteria for the determination of fines as set out in Article 83 GDPR.
Case C-182/22 – JU v Scalable Capital GmbH and Case C-189/22 – SO v Scalable Capital GmbH are both references from the Amtsgericht München in Germany and relate to claims for compensation arising from the hacking of personal data, including name, date of birth, address, e-mail address and a copy of an identity card, from a trading app. The referring court asks if damages under Article 82 are of a compensatory nature only or if they also have a punitive function. In respect of non-material damages, the referring court questions whether impairment arising from a data breach should be given less weight than impairment and pain associated with a bodily injury, and whether, if a national court is to assume damage arising from a data breach, it is open to that court to award damages which are only symbolic in view of the lack of gravity. Finally, the referring court seeks specific guidance on whether identity theft as set out in recital 75 of the GDPR requires that a data subject’s personal data has actually been used by a third party.
Key questions from CJEU references
A number of distinct themes emerge from these references. First, is it necessary for specific damage to be identified arising from a data breach for an entitlement to compensation to arise? In the context of non-material damage, does mere upset and distress (of a trivial nature) caused by a data breach without more constitute non-material damage within Article 82? What factors should be taken into account in the assessment of damages? Is the function of damages limited to compensation or do they also have a punitive or deterrent effect? In what circumstances is a data controller or data processor exempt from liability for a data breach pursuant to Article 82(3)?
Recent UK case law: Three to consider
As the GDPR came into force prior to Brexit, the English High Court has delivered written decisions in a number of cases in which damages pursuant to Article 82 GDPR and the UK Data Protection Act 2018 were sought.
In Rolfe v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB), the claimants sought damages arising from the sending of a single e-mail by the defendants containing the claimants’ names, address and details of a sum due in respect of school fees to a client of the defendants. The e-mail was erroneously sent to a third party who notified the defendants immediately of its receipt and confirmed its deletion at the request of the defendants. The claimants sought damages for the worry caused to them by the possible consequences of the breach.
Master McCloud dismissed the claim stating “[t]here is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is inappropriate for a party to claim, (especially in the High Court) for breaches of this sort which are, frankly, trivial.”
A similar claim was advanced by the claimant in Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB). In that case, the defendant sent an e-mail to a third party which inadvertently contained personal data of the claimant (her name, address, postcode, account reference number and details of recent rent transactions) amongst personal data of several other parties. The recipient of the e-mail immediately notified the defendant of the error and confirmed its deletion at the request of the defendant the same day. The claimant acknowledged no unauthorised activity had occurred on her bank account but alleged she suffered stress, worry and anxiety.
Master Thornett confirmed that a de minimis standard of damage is required for a claim under Article 82 GDPR. On the facts of the case, he was satisfied that this threshold was exceeded but stated that this was a case where the claimant would only be entitled to “purely nominal or instead extremely low damages” and indicated the claim should have been issued in the County Court rather than the High Court.
The same outcome was reached in Stadler v Currys Group Ltd [2022] EWHC 160 (QB). There, Lewis J held that a claim for damages pursuant to Article 82 arising from the disposal of the claimant’s smart TV by the defendant without deletion of his personal data could not be characterised as a trivial breach in circumstances where at least one of the apps on the TV was used by a third party, but the claim was “unquestionably of low value.”
It is apparent from these decisions that the UK courts require a de minimis threshold of damage before compensation will be awarded for damage pursuant to Article 82 GDPR.
Ongoing relevance of case law pertaining to Directive 95/46/EC
The recent Court of Appeal decision in The Data Protection Commissioner v Doolin [2022] IECA 117 concerned a statutory appeal of a decision made by the appellant under the Data Protection Acts 1988 – 2003. While the decision does not concern the award of damages, it is of note that Noonan J recognised that the Data Protection Act 2018 giving effect to the GDPR contains similar provisions relating to processing to those which were at issue in that appeal, and he acknowledged that “the issue arising here continues to have relevance”.
While there are some differences between the compensation regimes provided in Directive 95/46/EC and the GDPR, the case law under the previous regime remains relevant. The decision in Collins v FBD Insurance PLC [2013] IEHC 137, endorsed by the Supreme Court in Murphy v Callinan [2018] IESC 59, requires a claimant to demonstrate damage to ground a claim for compensation and is especially pertinent. With that in mind, there is a good basis to believe that the dicta of Master McCloud in Rolfe would be of persuasive authority here, as they align with Collins and Murphy.
In the UK Supreme Court decision in Lloyd v Google LLC [2021] UKSC 50, Leggatt LJ confirmed that the UK Data Protection Act 1998 which implemented Directive 95/46/EC “cannot reasonably be interpreted as conferring on a data subject a right to compensation for any (non-trivial) contravention by a data controller of any of the requirements of the Act without the need to prove that the contravention has caused material damage or distress to the individual concerned.” The recent UK case law discussed earlier demonstrates that the UK courts continue to require a de minimis or non-trivial threshold of damage before compensation will be considered under Article 82 GDPR.
Conclusion
The advent of multiple references to the CJEU concerning the interpretation of Article 82 GDPR demonstrates ongoing uncertainty as to its effect across multiple EU Member States. The UK jurisprudence suggests that the UK Courts are adopting a proportionate response to the measurement of compensation for data breaches through the implementation of a de minimis requirement.
While these judgments may be persuasive to an Irish Court considering the question of compensation pursuant to Article 82, it remains to be seen whether the CJEU will adopt a similar approach in balancing the rights of data subjects with the obligations on data controllers and data processors.
- Rose Caroline McGrath BL and Mark Finan BL are barristers. This article first appeared on the Law Library website.