ARTICLE
25 July 2024

Circuit Court Awards Employee €5,500 GDPR Damages

M
Matheson

Contributor

Matheson logo
Established in 1825 in Dublin, Ireland and with offices in Cork, London, New York, Palo Alto and San Francisco, more than 700 people work across Matheson’s six offices, including 96 partners and tax principals and over 470 legal and tax professionals. Matheson services the legal needs of internationally focused companies and financial institutions doing business in and from Ireland. Our clients include over half of the world’s 50 largest banks, 6 of the world’s 10 largest asset managers, 7 of the top 10 global technology brands and we have advised the majority of the Fortune 100.
Explore
In a decision delivered on 5 July 2024, Judge O'Brien in the Dublin Circuit Court awarded a data subject €5,500 for damages, including non-material damages, following infringements of the GDPR and/or Data Protection Act 2018.
Ireland Privacy
Photo of Davinia Brennan
Photo of Connor Cassidy
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

In a decision delivered on 5 July 2024, Judge O'Brien in the Dublin Circuit Court awarded a data subject €5,500 for damages, including non-material damages, following infringements of the GDPR and/or Data Protection Act 2018.

In delivering his decision in McCabe v AA Ireland Ltd [2024] IECC 6, Judge O'Brien referred to the case of Kaminski v Ballymaguire Foods [2023] IECC 5 (previously discussed here), in which the Irish Circuit Court delivered its first written decision awarding compensation for non-material damage suffered following a GDPR infringement. In Kaminski, the court followed the decision of the European Court of Justice in UI v Österreichische Post AG, awarding damages of €2,000 for non-material loss suffered by the plaintiff following a GDPR infringement. In Kaminski, Judge John O'Connor did caution, however, that "even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest" and that in some cases, non-material damages could be valued below €500.

Facts

The McCabe case concerned a video recording of the plaintiff (an employee of the defendant) taken covertly whilst he was on sick leave. The video was taken on a mobile phone by a senior manager and operations manager of the defendant. The plaintiff was helping his mother-in-law cut an overhanging branch at the time at the time the video was recorded. Once the plaintiff realised he was being recorded, he approached the defendant's employees and remonstrated with them about being wrongfully recorded outside of the workplace, without his knowledge and consent. It was alleged that the plaintiff engaged in threatening and abusive behaviour, which factored into his subsequent his suspension, and ultimate dismissal.

While the defendant relied, in its defence, on the fact that the video was not used for the purpose of the subsequent disciplinary meetings or related decisions which resulted in the plaintiff's dismissal, the plaintiff argued that there was a causal link between the loss suffered by him, and the actions of the defendant. This was due to the fact that the plaintiff's reaction to being recorded was proffered by the defendant as part of the reason for his dismissal.

The plaintiff argued that the recording was in breach of his rights and the defendant's obligations under the GDPR and the Data Protection Act ("DPA") 2018, and further constituted a violation of his right to privacy under both the Irish Constitution and the European Convention of Human Rights ("ECHR"). He argued that the defendant, it's servants and/or agents were negligent, and in breach of duty, including breach of statutory duty, and/or in breach of confidence due to the manner in which it used his personal data.

As a result of these breaches, the plaintiff claimed that he suffered "significant distress, stress, and anxiety" arising from:

  • the loss of control of his personal data;
  • violation of his movements while not working and outside the workplace;
  • being wrongfully required to defend and explain his private movements to the defendant;
  • a complete loss of trust and confidence in the defendant, it's servants and/or agents to exercise their duty of care to defend and protect his privacy; and
  • the defendant's misuse and unlawful recording to his financial detriment by placing a blemish and reputational damage on his working career.

The plaintiff claimed for damages, including non-material damages, damages for wrongful invasion and breaches of his right of privacy pursuant to the provisions of the Constitution and the ECHR.

The plaintiff also issued a motion and sought an order under section 117 of the DPA 2018 directing the defendant to comply with his data subject access request, and furnish a copy of his personal data, including a copy of the video recording. If necessary, an order was further sought that the defendant account to the plaintiff for the loss, erasure or destruction of the video recording. Importantly, the video recording did not feature in the disciplinary process culminating in the plaintiff's dismissal, nor in the Workplace Relations Commission ("WRC") proceedings. The defendant submitted that the recording was not taken on its instruction, and that the video had since been deleted.

Decision

Findings

The court, referring to the decision and approach taken by Judge O'Connor in Kaminski made the following findings:

  • Whilst the video was not directly relied on for the purpose of dismissing the plaintiff, there was a clear causal link between the actions of the senior manager of the defendant and the ultimate dismissal of the plaintiff.
  • Given the seriousness of the steps taken by the defendant against the plaintiff following the video recording, and given the reasons cited for the plaintiff's dismissal (i.e. his angry reaction to being recorded), it was in the interests of fairness and transparency to provide a copy of the video to the plaintiff, or inform the plaintiff of the destruction of same.
  • The court did not consider that the defendant's defence of "legitimate interests" had a bearing on the matter as the defendant denied reliance on or use of the recording in reaching its determinations. Such a defence would only arise where use of the data was admitted or proved.
  • The plaintiff had a right of access to data collected by his employer or his employer's agent, including the video recording, where same was closely connected to his role as an employee.
  • The court made no finding with regard to privacy rights and the alleged infringement of same. However, it did not exclude the possibility that constitutional provisions and ECHR provisions may have application in a case such as this.
  • The court made no specific finding of negligence, breach of duty whether statutory or otherwise, and/or breach of confidence.

Orders

The court made the following orders:

  • A declaration that the defendant, its servants and/or agents breached the plaintiff's personal data rights.
  • An order directing the defendant to account to the plaintiff for the loss, erasure, or destruction of the video recording of the plaintiff taken by the defendant, its servants and/or agents.
  • Compensation for damage suffered by the plaintiff pursuant to section 117 (4)(b) of the DPA 2018 as a result of the infringement in the sum of €5,500.
  • The court made an order for costs in favour of the claimant, to include reserved and discovery costs, including the costs of the motion, to be taxed in default of agreement.

Commentary

Unfortunately, in many respects the decision is of limited guidance in circumstances where the court did not engage in any substantive analysis of the provisions of the GDPR and/or the DPA 2018 which were infringed, or in relation to the factors it considered in awarding compensation in the amount of €5,500 for damage suffered by the plaintiff.

Notably, the plaintiff claimed that he suffered significant distress, stress and anxiety as a result of the defendant's infringements of data protection law. In light of the recent decisions in Keane v Central Statistics Office [2024] IEHC 20 and Dillon v Irish Life [2024] IEHC 203, it seems clear, at least for now, that these damages amount to personal injuries requiring authorisation from the Injuries Resolution Board (formerly the Personal Injuries Assessment Board ("PIAB") prior to commencing proceedings. Where a plaintiff fails to obtain prior authorisation from PIAB, it is open to a defendant to raise this as a preliminary issue in its defence, which may result in that element of a claim being struck out. There is no indication from the judgment that the defendant sought to raise this as a preliminary issue in its defence in this case, but had it successfully done so, it is conceivable that the damages awarded could have been lower.

The decision does appear to reinforce the fact that many, if not most, non-material loss claims will fall squarely within the jurisdiction of the District Court (which has jurisdiction to hear claims up to €15,000 in value). Since the commencement of section 77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 on 11 January 2024, the District Court now has jurisdiction to determine non-material loss claims under section 117 of the Data Protection Act 2018, which will be welcomed by businesses faced with data breach claims, particularly from a costs perspective.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Davinia Brennan
Davinia Brennan
Photo of Connor Cassidy
Connor Cassidy
Person photo placeholder
Blaithin Sharpley
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More