Analysis: A stay — a novel defence tactic in data protection claims?
Mark D Finan BL and Rose Caroline McGrath BL explore a new development in litigation seeking damages arising from data breaches in Ireland.
Data Protection Day 2023 brought a new development in litigation seeking damages arising from data breaches in Ireland pursuant to Article 82 GDPR and s.117 Data Protection Act 2018.
On 27 January 2023, the judgment of Judge John O’Connor in the Dublin Circuit Court delivered days earlier on 23 January 2023 was published by the Court services in the case Cunniam v Parcel Connect Limited trading as Fastway Couriers Ireland and Others  IECC 1.
The case is one of several cases arising from an alleged data breach by one of the defendants in which the plaintiff’s personal data (his name, email address, residential address and mobile telephone number) were allegedly accessed by a third party as a result of a hacking incident. The plaintiff has claimed that he has suffered interference with his peace and privacy, apprehension about the use to which his data has been put and loss of his control of his personal data. The plaintiff has asserted that he has been contacted by unknown third parties, and that he is unable to exercise any rights to erasure, rectification or restriction of processing of his personal data by these unknown third parties. In replies to particulars, the plaintiff has confined his claim to one for non-material damages and has confirmed that the interference with his peace and privacy has not caused him to suffer any personal injury. The defendants’ characterisation of the claim as one concerning ‘mere upset’ or subjective feelings of displeasure thus seems apt.
At this time, it remains the case that Article 82 or s.117 of the 2018 Act have yet to be the subject of a written decision from the Irish Superior Courts, save the obiter remarks by Whelan J in Shawl Property Investments Ltd v A. & B.  IECA 53 that nothing stated in the 2018 Act (which gives further effect to the GDPR in Irish law) “suggests that a data protection action is a tort of strict liability” and that regard should be had to “the principle of proportionality in evaluating claims for breaches of [the GDPR]”.
While no written decision from the Circuit Court relating to Article 82 or s.117, it is apparent that a number of cases seeking damages under these provisions have progressed to conclusion in the Circuit Court. Media reporting indicates that Judge James O’Donoghue dismissed a number of claims arising from a data breach in May 2020 by the union SIPTU. It is reported that O’Donoghue J. held that decisions in this and other jurisdictions confirm that proof of more than minimal loss is required in order to succeed in a claim for damages arising from such breach.
The approach by the defendants in Cunniam diverges from previous cases. Here, instead of progressing the case to conclusion, the defendants sought a stay on the progression of the case pending the outcome of a number of referrals to the CJEU concerning the operation of Article 82. The referrals concerned are Case C-300/21 – UI v Österreichische Post AG, Case-340/21 – VB v Natsionalna agentsia za prihodite (Bulgaria), Case-667/21 – ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Case-687/21 – BL v Saturn Electro-Handelsgesellscahft mbH Hagen, Case-741/21 – GP v juris GmbH and Case-182/22 – JU v Scalable Capital GmbH.
As noted by O’Connor J., clarification on a number of issues relating to the award of damages for breaches of the GDPR has been sought, including the meaning of material and non-material damage, the conditions for the imposition of liability pursuant to Article 82 and in particular, whether any degree of fault is necessary, particularly in the context of a hacking incident. Similar questions arise in further referrals to the CJEU not referred to by O’Connor J (Case 189/22 – SO v Scalable Capital GmbH, Case 456/22 – VX and AT v Gemeinde Ummendorf and Case 590/22 – AT and BT v PS GbR and Others).
On 6 October 2022, the first Advocate General opinion was handed down by Advocate General Campos Sánchez-Bordona in Case-300/21. The Advocate General reached the following conclusions regarding Article 82:
“Article 82…is to be interpreted as meaning that for the purposes of the award of compensation for damage suffered by a person as a result of an infringement of that regulation, a mere infringement of the provision is not in itself sufficient if that infringement is not accompanied by the relevant material or non-material damage.
“The compensation for non-material damage provided for in the regulation does not cover mere upset which the person concerned may feel as a result of the infringement of provisions of [the GDPR]. It is for the national courts to determine when, owing to its characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage.”
This opinion is consistent with the views of Whelan J. in Shawl that data protection claims are not a tort of strict liability. It also suggests that the approach adopted by the UK court in Rolfe v Veale Wasbrough Vizards LLP  EWHC 2809 (QB) requiring a de minimis threshold of damage to ground a successful claim for non-material damage in data protection claims is correct.
While this opinion will undoubtedly be welcomed by defendants facing data breach claims, it remains to be seen whether the CJEU will concur with the views of the Advocate General. Additionally, the questions posed in Case C-300/21 do not address issues such as liability of data controllers for hacking incidents, and the wait thus continues until the release of opinions and judgments in the other cases referred for clarification of these issues.
The defendants in Cunniam convinced O’Connor J. to stay the proceedings pending the conclusion of the CJEU cases cited in the judgment in accordance with the principle of sincere cooperation required by Article 4 TEU. In reaching this conclusion, O’Connor J. was influenced by the external circumstances, fairness and due process to the parties and procedural efficiencies.
In referring to the issue of prejudice to the parties, O’Connor J. made obiter remarks about quantum of damages stating that “assessing the plaintiff’s claim at its highest level, damages are likely to be small”. These remarks are consistent with the awards of compensation for non-material which have been reported in German courts (ranging €100 – €5,000). The UK Courts have also pointed towards low level damages in Johnson v Eastlight Community Homes Ltd  EWHC 3069 (QB) where the High Court expressed the view that the plaintiff in that case would be entitled only to “purely nominal or instead extremely low damages” where his personal data was inadvertently sent by the defendant to a third party, and in Stadler v Currys Group Ltd  EWHC 160 (QB) where the claim arising from the disposal of the claimant’s smart TV by the defendant without deletion of his personal data was held to be “unquestionably of low value.” Indeed, it appears that the Irish Circuit Court was also prepared to give its approval to nominal damages of €500 in ruling an infant claim against Fingal County Council.
In contrast to the plaintiff’s situation, O’Connor J. was satisfied that the continuation of the proceedings in Cunniam prior to the conclusion of the CJEU cases would cause prejudice to the defendants in this case. In the absence of clarification from the CJEU on the meaning of non-material damage, the defendants pointed towards their inability to make a lodgement to minimise their costs exposure.
The ongoing uncertainty concerning the interpretation of the material and non-material damage in data protection claims and whether the data protection claims are strict liability tort claims creates difficulties for litigants, legal representatives and the judiciary alike. The case law to date across the EU suggests that data protection claims pursuant to the GDPR will rarely give rise to damages within the jurisdiction of the High Court. Given the rarity of published written decisions from the Circuit Court, this gives rise to difficulty in achieving consistent and predictable outcomes.
The remarks by O’Connor J. that “it is unrealistic to expect [the Circuit Court] to exercise a supervisory role” over the various cases through a case management process or nomination of a lead case are apt. The approach taken by O’Connor J. is to be welcomed in that it affords a mechanism for the courts to take a consistent approach to data breach claims based on the findings of the CJEU. It is to be hoped that a decision from the CJEU will be forthcoming without further delay.
- Mark D Finan BL and Rose Caroline McGrath BL are practising barristers. This article first appeared on the Law Library website.