Circuit Court: Employee awarded €2,000 for non-material damage arising from data breach by employer in training video
The Circuit Court has awarded €2,000 to an employee for non-material damage arising from a data breach by his employer. The plaintiff was identifiable in a training video relating to unacceptable work standards which was seen by management.
About this case:
- Citation: IECC 5
- Court:Circuit Court
- Judge:Judge John O'Connor
Delivering judgment in the case, His Honour Judge John O’Connor applied the principles from case law (such as UI v Österreichische Post Case C-300/21) and outlined a several factors which were important to assessing non-material damage claims. These factors included that the non-material damage must be genuine, the data policies must be clear and that damages awards were likely to be modest.
The plaintiff was employed by Ballymaguire Foods Limited as a goods inwards line lead. The plaintiff was the supervisor of around 20 employees. In March 2019, CCTV footage was shown to employees at a meeting between the quality control manager and several other managers and supervisors. The purpose of the meeting was to address instances of poor food safety practice and highlight issues that needed to be addressed.
Several clips of CCTV footage from the defendant’s premises were shown, with the plaintiff appearing in one of the clips as an example of food contamination. No individual was named in the meeting but the plaintiff was identifiable in the footage.
While he was not at the meeting, the plaintiff learned about the CCTV clip from other employees. He was teased for this. The clip was also stored for two weeks on a communal work computer which was not password-protected. The plaintiff claimed to have been stressed at work once he found out about the clip, as well as feeling humiliated and mocked.
The plaintiff complained to the Data Protection Commission but eventually chose to pursue proceedings against the defendant for non-material damages pursuant to section 117 of the Data Protection Act 2018. Article 82 of the General Data Protection Regulation (GDPR) provided that a data subject had a right to compensation if a data controller infringed the Regulation.
The core claim was that the employer did not have a legal basis to use the CCTV footage containing the plaintiff’s personal data for training purposes. As such, it was said that the GDPR had been breached and the plaintiff was entitled to damages.
The defendant had data protection policies/memos dating from 2011, 2014, 2016 and 2018. However, only the 2018 policy dealt with the use of CCTV footage for training. Further, the employee in charge of devising the training outlined that she only relied on the 2016 memo and the 2011 policy.
The employer denied any breach of the GDPR, relying on the 2018 policy. Further, it was said that the plaintiff had not suffered any damage. It was alleged that the height of the plaintiff’s claim was that he experienced upset, anxiety and embarrassment.
Judge O’Connor began his assessment by reciting the relevant articles of the GDPR to non-material damage claims. The court also noted the recent decision in UI v Österreichische Post where the ECJ determined that there was no de minimis threshold for non-material damages to be awarded in the case of data breaches. However, there was no automatic right to compensation.
Further, it was outlined in UI v Österreichische Post that it was for a domestic court to determine the appropriate amount payable as compensation for non-material damages.
The court went on to consider the English decision of Lloyd v. Google LLC  UKSC 50, where the UK Supreme Court determined that there was a de minimis threshold for damages to be awarded. The case considered the meaning of damage in a context of data breaches.
In applying the case law to the facts, the court outlined the factors which were relevant to assessing damages for non-material loss. It was noted that “damages” was to be interpreted broadly but had to involve a certain degree of seriousness (see UI v Österreichische Post).
The court offered certain factors to be considered in data breach claims. These factors included that there must be a link between the infringement and damages claimed, that non-material damage must be genuine rather than speculative, that it was desirable for damage to be proved by independent evidence and that data policies should be clear and accessible for all parties.
Further, the court stated that employers should ensure that CCTV and privacy policies were clear to their employees. A court may consider whether parties took relevant steps to minimise any harm arising from a data breach and an apology may mitigate a party’s entitlement to damages.
Judge O’Connor stated that a claim for legal costs could be affected by these factors. Finally, it was stated that even where a legitimate case for non-material damages could be proven, an award would “probably be modest”. The court noted that it did not have any guidelines on awards from the Oireachtas but had regard to the factors contained in the Personal Injuries Guidelines relating to minor psychiatric damage.
The court opined that an independent adjudicative or conciliation process would be a suitable alternative to resolve data breach assessments.
In determining the present case, the court held that the plaintiff was identifiable and that there was a lack of clarity regarding the defendant’s data protection policies. The court disregarded the 2018 policy as the training manager had not used it when devising the training meeting.
At the time, the plaintiff was only provided with the policy in English despite being a Polish national. Since the incident, the policy is available in four languages, which was approved by the court.
Further, the court held that the plaintiff’s implied consent to process the data for training was “at best unclear”. While consent was not the only basis for lawful data collection, there was no other legal basis for the processing that was pleaded by the defendant. In legal submissions, it was said that the employer was operating on foot of a legitimate interest, but no legitimate interest assessment had been carried out by the employer.
The court accepted that the plaintiff suffered damage arising from the incident which went beyond mere upset. He was affected for a short period of time. Although no medical evidence was proffered in the case, the court held that the plaintiff was a truthful and conscientious witness who did not exaggerate the claim.
The court awarded €2,000 to the plaintiff for non-material damages arising from the data breach.
Kaminski v. Ballymaguire Foods Limited  IECC 5