Compensation for GDPR Breach - Non-Material Damage

Compensation in Cases of GDPR Breaches - Introduction 

This article will examine the issue of compensation in cases of data rights breaches, following the recent judgement of Circuit Court Judge John O’Connor ([2023] IECC 5). This case is of significance as it was the first to fully address the award of compensation, in Ireland, under national and European data protection and privacy laws.

The primary data protection law in Ireland is the Data Protection Act 2018 (the 2018 Act), which was enacted to align with the European Union's General Data Protection Regulation (GDPR). The GDPR is a comprehensive regulation that governs data protection and privacy across the European Union member states.

Section 177 of the 2018 Act and Article 82(1) of the GDPR stipulate that when an individual suffers material or non-material damages as a result of a violation of their data protection rights, they are permitted to seek compensation from the controller of the data for the injury that they have suffered. 

Background to the Case 

The plaintiff in this case was Arkadiusz Kaminski (the Plaintiff) and the defendant was Ballymaguire Foods Limited (the Defendant). 

Ballymaguire Foods Limited is a huge company. Just last month it entered into a new five-year deal worth €70 million with Musgraves. However, they are no stranger to the courts. In December 2020, the Workplace Relations Commission ordered that an employee of the company be paid €8000 in compensation after his line manager called him “a lazy, fat, blind, old, drunken communist”.

The Plaintiff in the present case had been employed by the Defendant since 2005. By 2019, the Plaintiff was an Acting Supervisor of 20 employees. 

In March 2019, a meeting was held between the Quality Control Manager and several other managers and supervisors. According to the Defendant, the purpose of this meeting was to address issues to do with poor food safety practices and to identify what actions could be taken to remedy these issues. 

During this meeting, CCTV footage, showing poor food quality and safety practices, was shown to employees. One of these clips showed the Plaintiff and was used by the Defendant to demonstrate the issues with persons moving directly from the low care area of the factory, where unprepared food is maintained, to the high care area where prepared food is dealt with. While the Plaintiff was not named during this demonstration, it was acknowledged by both parties, that the Plaintiff could be identified from this footage. 

It is worth noting that after the meeting, the CCTV footage was stored on a communal work computer, which was not password protected. 

At trial, the Plaintiff’s counsel stated, “I put it to you: this was a black mark against my client: This was a black mark showing him being held up as somebody engaged in a serious food safety issue”. 

The Plaintiff gave evidence noting the impact that this issue had had on him. He stated “In my opinion I was laughed at. I was more stressed because of it. I wasn’t so glad to go to work every morning. I felt humiliated and I felt I was being mocked. I had problems with my sleep”. 

The Complainant had lodged a complaint with the Data Protection Commissioner. However, due to a severe backlog of complaints, the complaint was not given to a complaint handler. Eventually, the Plaintiff decided that he could not wait any longer and brought the matter before the Circuit Court. 

What were the legal issues or questions to be addressed in this case? 

Helpfully, Judge John O’Connor set out the key questions which needed to be addressed by the court. These were as follows: 

1. Whether the Defendant’s use of the CCTV footage, in a demonstration of work practices, was a breach of the Plaintiff’s personal data such as to constitute unlawful processing under the Data Protection Act 2018 and the GDPR.
2. If the answer to question (1) was yes, then the question became whether or not the damage caused by the infringement on the Plaintiff’s personal data, was more than just a mere upset or displeasure.
3. Finally, if the answer to question (2) was yes, then the question to be considered was what (if any) compensation could be given for such damages and how it should be calculated. 

The Law on GDPR Compensation

One of the key issues that Judge John O’Connor highlighted was that it is a “core principal” of both GDPR and the 2018 Act that individuals have clarity in relation to data protection policies. 

In the present case, the policies were not in fact clear. The Plaintiff was Polish and yet the four policies on the matter were provided to him in English. Out of these four policies, only one mentioned the use of CCTV for training purposes. 

Judge John O’Connor also noted the cases of Cormac Doolin v The Data Protection Commissioner and Our Lady’s Hospice and Care Services [2020] IEHC 90; 2022 IECA 117 and McVann v Data Protection Commissioner [2023] IECC 3. Both of these cases make it very clear that employers have an obligation to ensure that their employee privacy notices, and CCTV policies are obvious to employees.

The judge also highlighted that the Plaintiff’s implied consent to the use of his data for training purposes was “at best unclear”. The judge went on to note that consent is not the only basis by which the collecting of data is lawful. Article 6 of the GDPR clearly sets out other legal basis upon which data can be collected. However, the Defendant in this case did not initially plead a legal basis for the processing of the data. Eventually, the Defendant tried to claim that they had been operating on foot of a legitimate interest. 

However, the Defendant failed in this argument. Judge John O’Connor placed significant emphasis on the fact that a legitimate interest assessment had not been carried out to identify what the legitimate interest was or to show if the processing was necessary to achieve it. Furthermore, even if a legitimate interest was present, it had not been “considered against the Plaintiff’s interests, rights and freedoms”. 

On this basis the judge was satisfied that the Plaintiff’s rights under the GDPR had been violated, that he had suffered nonmaterial damage as a result of that violation and there was a causal link between the damage and the infringement. 

Therefore, the matter turned to what damages should be awarded. 

Non-Material Damages and GDPR Compensation

Non-material loss basically means a non-economic loss. In the context of data protection, non-material loss would refer to the pain and suffering, or inconvenience and anxiety, which is caused by a breach of your data protection rights. 

At the time that it was enacted, one of the most controversial aspects of the GDPR was the fact that it contained the term ‘nonmaterial damage’ in Article 82(1). It has been said to be one of the most debated issues in the construction of EU data protection laws. 

In a recent decision from the CJEU, UI Österreichische Post Case C-300/21, the issue was examined in detail. 

In this case the CJEU ruled that the GDPR has to be construed as meaning that a mere violation of the provisions of the GDPR is not in and of itself enough to result in a right to compensation. Essentially, what this means, is that there is no automatic right to compensation once an infringement is proven.

The CJEU also concluded that the GDPR has to be interpreted as prohibiting a national rule which makes compensation for non-material damage subject to the condition that the damage suffered has reached a certain degree of seriousness. This is referred to in legal circles as being a ‘de minimis threshold’. 

Finally, the CJEU held that the amount of damages payable under the right to compensation is to be determined by the national court applying the domestic rules of each member state, provided that the principles of equivalence and effectiveness of EU law are complied with. 

Judge John O’Connor then went on to examine Irish case law on the matter. He referred to the decision of Collins v FBD Insurance plc [2013] IEHC 137 where it was held that there is no right to compensation for non-material damage. However, it is important to note that this case is of limited value in this context as it predates the enactment of the GDPR. 

Having examined the case law, Judge John O’Connor outlined some of the relevant factors which are important in determining damages for non-material loss. He was eager to note that he was suggesting these factors “with some caution in the absence of clarification from the Oireachtas, the Superior Courts and the outstanding preliminary references pending before the CJEU”. These factors were as follows: 

1. A “mere breach” or mere violation of the GDPR is not sufficient to warrant an award of compensation.
2. No minimum threshold of seriousness is required for a claim for non-material damage. However, compensation for non-material damage does not cover “mere upset”.
3. There must be a link between the infringement and the damages claimed.
4. If the damage is non-material, it must be genuine, not speculative.
5. Damages must be proved. Supporting evidence is strongly desirable.
6. Data protection policies should be clear and transparent, and accessible by all parties affected.
7. Employers should ensure privacy notices and CCTV policies are clear to employees. 
8. Where a personal data breach occurs, it may be necessary to ascertain what steps the relevant parties took to minimise the risk of harm from the breach.
9. An apology, where appropriate, may be considered in the mitigation of damages. Delay in dealing with a data breach by either party is a relevant factor in assessing damages. A claim for legal costs may be affected by these factors.
10. Even where non-material damage can be proved and is not trivial, damages will probably be modest.

In consideration of these factors, a total of €2000 was awarded to the Plaintiff in this case. 

Conclusion 

The key significance of this decision is that while compensation for non-material loss can be given, damages awarded in these types of cases will generally be quite low. This is consistent with the newly enacted Courts and Civil Law (Miscellaneous Provisions) Act 2023 which gives the District Court jurisdiction to hear data protection claims. The fact that these claims can now be heard in the District Court will make it much easier for ordinary individuals to bring cases when their rights have been violated as the costs involved will be much lower.