Analysis: Defending data breach claims in Ireland
Mason Hayes & Curran partner Colin Monaghan and associate Anthony Strogen look at recent case law developments concerning data breach claims and the threshold for awarding compensation.
Prior to the introduction of the General Data Protection Regulation (GDPR), an individual whose information was the subject of a data breach in this jurisdiction could only claim compensation for material damage, i.e. actual quantifiable damage.
What is a data breach?
A data breach is an incident where information is leaked or stolen and usually happens accidentally or as a result of a cyber-attack by a third party.
Right to compensation for data breaches
Article 82 of the GDPR, and section 117 of the Irish Data Protection Act 2018 (DPA), introduced a new right to compensation for individuals. This has opened the door for claimants to seek compensation for what is considered non-material damage, such as distress and upset.
As a result, corporate entities in Ireland are becoming increasingly involved in defending claims brought by individuals before the Irish courts seeking compensation arising from data breaches. A single data breach can result in multiple claims being brought by the individuals affected, which represents a considerable risk for entities that collect and store personal information.
Recent international case
A recent decision of the English High Court, Rolfe v Veale Wasbrough Vizards LLP, provides useful guidance on an individual’s right to compensation for distress and upset arising from breaches of their data protection rights. In particular, the court found that claimants must show damage or distress over a de minimis threshold to succeed in a claim for compensation.
In Rolfe, the claim concerned a data breach involving a limited amount of personal data. It was held that the claimants, Mr and Mrs Rolfe, failed to prove damage over the de minimis threshold and were not entitled to compensation. In granting the defendant’s application to dismiss Mr and Mrs Rolfe’s claim, the court also awarded costs against them in circumstances where the court found the claims were exaggerated and lacked credible evidence of distress.
Although not binding in this jurisdiction, the consideration of an individual’s right to compensation in Rolfe may be considered persuasive by the Irish Courts and will be welcomed by parties defending data breach claims in this jurisdiction.
Mr and Mrs Rolfe owed fees to a school represented by the defendant law firm, Veale Wasbrough Vizards LLP. The school had been instructed to write to the couple with a demand for payment. Due to a typographical error, the defendant accidentally sent an email intended for the Rolfes to a third party. The email attached a request for payment of outstanding school fees and contained a limited amount of Mr and Mrs Rolfe’s personal data, including their names and address. The misdirected email was promptly deleted by the recipient who was unknown to the couple.
Mr and Mrs Rolfe brought a claim seeking damages for distress under Article 82(1) GDPR and section 169(1) UK Data Protection Act 2018, which is similar to section 117 of the Irish DPA, together with common law actions in breach of confidence, misuse of confidential information, and negligence. In seeking to establish distress, they asserted they had “lost sleep worrying about the possible consequences”, that the disclosure “had made them feel ill”, and they were suffering “fear of the unknown” regarding the consequences.
The defendant law firm disputed that the incident caused Mr and Mrs Rolfe to suffer harm in excess of the de minimis threshold and applied to have the claim dismissed on the basis that the claim had no real prospect of success.
De minimis principle
The court confirmed that it is possible to recover damages for non-material damage flowing from a data breach. However, a claimant must be able to show that they have suffered loss or damage over a de minimis threshold, meaning it must not be trivial. The court quoted with approval the Court of Appeal’s recent judgment in Lloyd v Google, which endorsed a seriousness threshold that would exclude “for example a claim for damages for an accidental one-off data breach that was quickly remedied”.
The court concluded that the claimants in Rolfe could not prove damage over a de minimis threshold taking into consideration the “minimally significant” nature of the information and circumstances of the breach, including the prompt deletion of the email.
Ordinary fortitude test
In holding that the distress suffered fell below the de minimis threshold, the court observed that no person of “ordinary fortitude” would reasonably suffer the distress claimed in these circumstances. The court added that it was “inappropriate” in the modern world for a party to claim compensation for breaches of this sort.
Costs
The court not only granted the defendant’s application to dismiss Mr and Mrs Rolfe’s claim, but also ordered that they pay GBP£11,000 in costs to the defendant given the “strong observations of [the] court as to the nature of the claim in terms of exaggeration” and “lack of credible evidence of distress”.
Lloyd v Google LLC
Separately, in another welcome development for parties defending data breach claims, the UK Supreme Court recently delivered its decision in Lloyd v Google LLC. In that case, the UK Supreme Court found that damages were not awardable for a mere loss of control of personal data under the UK data protection regime. The court further held that the UK Data Protection Act 1998 (UK DPA) could not “reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress…”.
As with Rolfe, the decision in Lloyd is not binding in this jurisdiction and the decision itself concerns the UK Supreme Court’s interpretation of the UK DPA, which pre-dates the GDPR. However, as the UK DPA provides that individuals can seek compensation for distress arising from a data breach, it is certainly indicative of judicial thinking about an individual’s right to compensation for non-material damage and may be considered persuasive by the Irish Courts.
Compensation for data breach claims – where are we now?
In circumstances where there has been no Irish written judgment to date on what constitutes non-material damage and distress under the GDPR and the DPA, the decisions in Rolfe and Lloyd provide useful guidance and may be considered persuasive authority by the Irish courts.
Key takeaways include:
- Rolfe confirms the principle that where there is an infringement of data protection law, there must be damage above a “de minimis threshold of triviality” for a claim in damages to succeed.
- The decisions in Rolfe and Lloyd will be welcomed by parties defending data breach compensation claims in Ireland for distress under Article 82 GDPR and section 117 of the DPA.
- It is possible that the “ordinary fortitude test” employed by the court in Rolfe may form part of the test for distress in data breach cases going forward.
- Rolfe may be persuasive authority in this jurisdiction for data controllers to seek costs orders against claimants who do not provide compelling evidence of distress above a de minimis threshold or where such claims are exaggerated.
Where next?
Although a written decision from the Irish courts is still awaited on what constitutes non-material damage and how the courts will assess such damage, there has been some indication from recent Circuit Court decisions that a negative view of non-material damage claims is emerging. It was recently reported that in the Dublin Circuit Court, a group of workers brought data breach claims against their union after their personal details were inadvertently sent on a wide distribution email. After hearing the nature of the claims, the court threw the claims out for a lack of material loss, and awarded costs against the claimants. While this is not a reliable authority due to there being no written judgment, it is perhaps indicative of the direction of travel in Ireland.
At European level, judgment is eagerly awaited from the Court of Justice in the Post AG (Case C-300/21) decision, which will see the court rule on some key questions relating to non-material loss and the ability to recover damages for the mere fact of a data breach. While not binding, the Advocate General’s opinion in Court of Justice cases is usually persuasive to the final decision, and the opinion in Post AG concluded that mere infringement of GDPR, without accompanying damage (whether that be material or non-material), is not sufficient for the purposes of awarding compensation. The opinion further concluded that in relation to non-material damage, “mere upset” is not a category of damage provided for under GDPR. The Post AG judgment is eagerly awaited as the next major landmark in data breach claims in the GDPR era.
- Colin Monaghan is a partner and Anthony Strogen is an associate at Mason Hayes & Curran LLP. This article first appeared on the MHC website.