A recent decision of the Commercial Court, in Nolan & Ors v Dildar & Ors [2024] IEHC 4, addresses the scope of data controllers' liability to data subjects for infringement of their rights under the Data Protection Acts 1988 and 2003. Whilst the breach occurred in 2013, and is therefore outside of the scope of the GDPR and Data Protection Act 2018, the judgment is noteworthy to the extent that it indicates the potential quantum of damages that may be awarded to data subjects bringing compensation claims for damage suffered due to data protection violations under the new regime.
Background
The decision of the Court of Justice of the European Union ("CJEU") in Oesterreichische Post (previously discussed here), held that in order to recover compensation for non-material damages under the GDPR, three cumulative conditions must be satisfied, including: (1) there has been a GDPR infringement; (2) the data subject has suffered material or non-material damage; and (3) there was a causal link between the infringement and the damage. The CJEU further found that there is no requirement for any non-material damage suffered to reach a minimum threshold of seriousness in order to confer a right to compensation. A number of compensation claims taken by data subjects for damage suffered following GDPR infringements by companies, which had been stayed before the Irish courts, proceeded following the CJEU's decision. However, it remained to be seen what quantum, if any, would be fixed by the Court for damages in these cases.
The first such decision came in the Circuit Court in Kaminski v Ballymaguire Foods Limited [2023] IECC 5 (previously discussed here), in which the plaintiff was awarded €2,000 in damages following the unlawful processing of his personal data, namely CCTV footage containing his image, for workplace training purposes. The Circuit Court assessed that the plaintiff's damages constituted minor psychiatric damages, and awarded a nominal sum in line with the Personal Injuries Guidelines.
Facts
The Commercial Court proceedings in Nolan arose when the plaintiffs, who were related trustees of a familial pension fund, alleged that approximately €7 million of fund property was misappropriated by a company based in the UAE. In the course of proceedings, a large number of defendants were joined, and the Court addressed a number of issues relating to the alleged fraudulent scheme carried out against the defendants.
The fifth named defendant – Mr Millett, a specialist pensions provider – was alleged to have misused the plaintiffs' personal data by way of providing it to a fund service provider in the Isle of Man. The plaintiffs alleged that Mr Millet had provided their personal data (comprisingtheir names, dates of birth, home addresses, PPS numbers, and copies of their passports) to the fund without their consent. They claimed that Mr Millett misused their personal data with the intention of making it appear to the fund that the plaintiffs beneficially owned a SPV, with a view to obscuring the involvement of another named party to the proceedings.
Mr Millett admitted in interrogatories that he had disclosed the personal data to the fund without the plaintiffs' permission, and as such, the Court was tasked with determining Mr Millett's liability for this unauthorized disclosure.
Decision
Considering the de minimis nature of the data protection infringement by Mr Millett, the Court awarded €500 to each of the six plaintiffs whose personal data were impacted by the unauthorized disclosure, leading to a total award of €3,000 to the plaintiffs.
The Court noted that Mr Millett was individually liable for the unauthorized disclosure, notwithstanding the fact he had drafted the letter (which disclosed the personal data) on headed paper of another defendant joined to the proceedings, to which he was a director. The Court held that 'it is well settled that, where a company director procures the commission of a tort, the director will incur personal liability'.
In so far as measurement of damages was concerned, the Court noted that there was no suggestion that the unauthorized disclosure of the personal data had any adverse consequences for the plaintiffs. The data had not been disseminated more widely than to the fund, and there was no evidence of any actual damage suffered by any of the plaintiffs. Accordingly, the Court determined that the plaintiffs were only entitled to nominal damages to reflect the fact that their data protection rights were infringed. The Court contrasted this infringement to those in which data subjects' personal data are exfiltrated and posted on the dark web, where the data are exploited by criminals, or where the infringement results in the data subjects' identities being stolen. The Court commented that aggravating circumstances like these may give rise to an award of more substantial damages in favour of the data subjects impacted by the breach.
Comment
The decision in Nolan is surprising, to the extent that the High Court awarded damages in circumstances where the Judge did not find any actual damage (either material or non-material) was suffered by the plaintiffs. Rather he awarded damages "to mark the fact that their rights had been infringed". This is contrary to the decision in the leading case of Collins v FBD Insurance PLC [2013] IEHC 137, under which the High Court considered that in order for compensation to be awarded under the Data Protection Acts 1988 and 2003, a claimant must prove that a duty of care was owed to them, there was a breach of that duty of care, and that the breach resulted in actual damage to them. Nor is the decision in line with the Austrian Post case that an infringement of data protection law of itself does not confer a right to recover compensation.
The decision does, however,appear to follow the approach taken by the Irish Circuit Court in Kaminski, namely that de minimis breaches of data protection rights that do not result in any widespread harm or further dissemination of data do not give rise to a right to substantial damages on the part of the data subjects.
Given the modest awards made in Nolan and Kaminski, it seems likely that a significant proportion of future data protection claims made in Ireland will proceed before the District Court (rather than Circuit or High Courts). Section 77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 was commenced in January 2024, allowing the District Court to hear data protection actions which fall within its monetary jurisdiction of up to €15,000. Costs in District Court proceedings are typically substantially lower than those before the Circuit and High Courts, and it is open to defendants to seek costs differential orders where the plaintiff ultimately recovers less than €15,000 in proceedings before the higher courts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
