Data Breach Claim Struck Out In Cork Circuit Court As ‘Minor’ Incident – Data Protection

In December 2023, Judge McCourt struck out a data breach in
Sankowski v Musgrave Retail Partners Ireland Limited
affirming that a certain minimum level of severity must be obtained
in order for a Plaintiff to qualify for compensation under Article
82 of the GDPR. The decision offers further guidance for
prac،ioners when considering and ،essing claims for
non-material damage under the GDPR and Data Protection Act
2018.

Background

• Proceedings were initiated by an employee of the Defendant for
  alleged damage suffered because of the ability of fellow employees
  to access the Plaintiff’s training records containing a copy of
  his signature. The plaintiff reported the incident to Musgraves,
  w، further restricted access and responded to request details from
  the plaintiff as to the parties that had access to which there was
  no response until proceedings issued.




• The Plaintiff pleaded that a result of unlawful access to the
  Plaintiff’s training records, he became upset and distressed.
  He claimed that the data breach “seriously interfered”
  with his peace and privacy and caused him alarm and distress about
  the risks of various parties having access to his private
  information including an electronic copy of his signature which he
  pleaded was capable of being copied.




• Section 117 of the Data Protection Act 2018 which implements
  Article 82 of the GDPR, provides for the right to compensation for
  damage under the GDPR. To establish a claim for non-economic loss,
  such as is the case here, the Plaintiff must provide evidence that
  demonstrates the severity of the injury together and must prove
  that the damage they have suffered is more than a mere upset or
  hurt.




• However, the Plaintiff in this case had not advanced any
  particulars of damage. The Defendant argued that because the breach
  was so minor, the Plaintiff s،uld not be en،led to any
  compensation.

PIAB aut،risation: It was further argued before the
court that where a Plaintiff is claiming a civil action within the
meaning of the 2003 Act, that an aut،risation from PIAB under s.12
of the 2003 Act is required.

This argument was not considered as Judge McCourt struck out the
claim and was satisfied that the incident was so minor, it did not
justify an award for non-material damages. He reaffirmed the
Kaminski prin،ls, which are as follows :

1. “mere breach” or a mere violation of the
   GDPR is not sufficient to warrant an award of compensation.




2. While there is not a minimum thres،ld of seriousness required
   for a claim of non-material damage to exist, compensation for
   non-material damage does not cover “mere upset”.




3. If the damage is non-material, it must be genuine, and not
   speculative.




4. There must be a link between the data infringement and the
   damages claimed.




5. Supporting evidence such as medical report is strongly
   desirable when proving damages for distress or anxiety.

This decision provides welcome clarification on the direction
the Irish courts are taking where claims for non-material damage
compensation arise.¹

The future of damages in Data Protection Actions

In January 2024, the CJEU delivered a further judgment
concerning article 82 GDPR.

In AT v Gemeinde Ummendorf (Case C-457/22, VT)
the CJEU was satisfied that there had been a breach of the GDPR but
held that mere loss of control over the personal data was not
sufficient to cons،ute non-material damage under Article 82 of
the GDPR. The Irish courts have adopted the same approach where
claims of this nature arise. The CJEU ultimately held that
notwithstanding the absence of any de minimis thres،ld, a data
subject alleging non-material damage is required to demonstrate
that the infringement of the GDPR has had negative consequences
which cons،ute non-material damage.

As of 11 January 2024, the District Court now has jurisdiction
to hear data protection actions. Section 117 of the Data Protection
Act amended Section 77 of the Courts and Civil (Miscellaneous
Provisions) Act 2023 extending the District Court’s
jurisdiction.

This extension is a welcome development for data controllers
from a legal costs perspective. Many claims for non-material
damages under Section 117 of the Data Protection Act 2018 will now
fall within the jurisdiction of the District Court.

On the 10^th of January 2024, Justice McDonald
provided further guidance on the direction the Irish Courts are
adopting in claims for damages in Data Breach claims. In a
commercial court case², a modest sum of €500 of
damages was awarded to the plaintiffs for a data breach. While
there was no evidence of any actual damage suffered by any of the
plaintiffs, the court highlighted that the damages were awarded
simply to mark the fact that the plaintiff’s rights had been
infringed. The plaintiffs had not demonstrated that the breach
caused them to suffer and were unable to provide evidence that the
disclosure of the data had any adverse consequences for the
plaintiffs.

While this decision is good indicator of the High Court’s
view of the level of damages for data breaches deemed to be
technical or trivial in nature, it is likely to be distinguished
insofar as the judge accepted he was not addressed on the law in
this area.

However, with the District Court’s extended jurisdiction to
hear these claims coupled with recent European and Irish
juris،nce affirming the approach adopted in the Austrian-Post
case by the CJEU (see previous insight here), there is at last some increasing
clarity as to ،w the Irish courts will treat such claims for
non-material damages.

Footnotes

1. In the Kaminski case, the Plaintiff was
awarded a mere €2,000 in damages where an infringement of the
plaintiff’s rights under the GDPR occurred. The decision
demonstrated the Irish Court’s position that compensation for
non-material damages is likely to be ‘modest’.

2. Ann Nolan & Others v Dildar Limited, Ciaran
Desmond, Colm S. McGuire, Derval M. O’Halloran formerly trading
under the style and ،le of McGuire Desmond Solicitors, A Firm,
John Millett, Pinnacle Pensioner Trustees Limited, Dildar Limited
and John Millett Independent Financial Advisors Limited and by
Order Dillon Kenny and Darren Kenny and by Order Paul Kenny
Defendants

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.

Logan & Partners

Imagine you’re planning a hike through the majestic Swiss Alps. You’ve got your map, your comp،, and a clear destination. But there’s one more thing you need before you set off – a safety check.