Pro-data subject
“Since the General Data Protection Regulation [GDPR] was introduced in 2018, data-breach litigation in Ireland became much more pro-plaintiff or pro-data subject than it was under the Data Protection Act 1988,” said Kneale.
“The judgments in these cases represent a step in the other direction as they were more pro-defendant or pro-data controller. They are important for practitioners to be aware of as they will change the way we all build our defences in such cases involving non-material damage.”
'Severe stress and anxiety'
Keane v Central Statistics Office was a claim for damages initially brought to the Circuit Court under the Data Protection Act 1988. The plaintiff claimed she had suffered severe stress and anxiety, which had exacerbated her psoriatic arthritis symptoms, as a result of her employer disclosing her P45 to a third party.
Justice O’Donnell delivered his decision on the case in January, with straightforward conclusions, noted Kneale: “He said the causes of action brought by the plaintiff – breach of contract, negligence and breach of duty – were clearly wrongs under the Civil Liability Act 1961 and within the meaning of the Personal Injuries Assessment Board Act 2003.
“Notwithstanding that the claim wasn’t explicitly brought as a personal-injuries claim, he found that in substance it was a claim seeking damages for personal injuries, which required pre-authorisation under the 2003 act. And as the plaintiff hadn’t obtained this the claim couldn’t proceed.”
Differences under GDPR
After the Keane case, two questions remained open, said Kneale: ‘What about similar claims brought under the GDPR?’ and ‘What about claims for distress and anxiety without exacerbation of a pre-existing condition?’
These questions were answered about three months later with Justice O’Donnell’s judgment in Dillon v Irish Life Assurance plc where the defendant had sent six insurance policies relating to the plaintiff to the incorrect address.
“Like in Keane, there had been no prior authorisation from PIAB. But there were two key differences. The first was the claim for compensation was brought under article 82 of the GDPR and section 117 of the Data Protection Act 1988 – which significantly altered the nature of liability and compensation,” said Kneale.
“Second, unlike in Keane, the only damage that was being pleaded in Dillon was ‘distress, upset, anxiety, inconvenience, loss and damage’. Notwithstanding those differences, the judge came to the same conclusion that he had done in Keane.”
In the Dillon decision, Justice O’Donnell relied on a 2017 judgment in Murray v Budds, which was an application to amend a professional negligence claim for worry and stress. Here, both the Court of Appeal and the Supreme Court found that a claim for worry and stress amounted to a personal-injuries claim.
Consequences for practitioners
When considering Justice O’Donnell’s reasoning, Kneale said that it would be a mistake to draw the conclusion that IRB-authorisation is required in all cases where the plaintiff claims to have suffered distress and upset arising from a data breach. Equally, defendants will not always succeed in having data-breach claims for stress and anxiety struck out in the absence of IRB-authorisation.
“I think the position is more nuanced in the data-protection context given the nature of damages which are recoverable under the GDPR,” said Kneale.
“It is clear from recent European Court of Justice [ECJ] judgments that the interpretation of the word ‘damage’ under the GDPR is extremely broad and even very minimal impacts on data subjects can attract an award of compensation.”
An Irish example of this highlighted at the public-law conference is the 2023 Circuit Court case of Kaminski v Ballymaguire Foods, where the plaintiff was identifiable in CCTV footage used in a training session on food safety. Judge John O’Connor awarded the claimant €2,000 for non-material damages suffered following this infringement of the GDPR.
“In any event, the judgments in Keane and Dillon show that practitioners need to be very careful in the way they see claims and are advised to seek prior authorisation from the IRB when they relate to stress and anxiety,” said Kneale.
AIE regulations case
In her presentation at the public-law conference, Aoiffe Moran, partner at Mason, Hayes & Curran, drew attendees’ attention to a High Court case which Justice Richard Humphreys has referred to the ECJ on questions of law.
Coillte v OCEI and others (2023) concerns Coillte receiving over 100 requests for information under the Access to Information on the Environment (AIE) regulations, where requesters hadn’t provided any physical addresses.
“An astute employee noticed a general theme of 1980s American films and TV shows running through the requesters’ names. This was around the same time as the Department of Agriculture was getting around 32,000 AIE requests from the likes of Gene Hackman and Neil Diamond,” Moran explained.
“Coillte got no response when it requested that the applicants confirm their actual name and current address to verify their identity and thus deemed the requests invalid. Ultimately the requester went to the Commissioner for Environmental Information, who decided Coillte wasn’t justified in refusing to deal with the requests and there was no onus on the applicant to identify themselves. And so Coillte took an appeal to the High Court.”
In his decision, Justice Humphreys determined that in the absence of ECJ clarification, ‘Name’ under article 6(1)(c) meant actual name and not a pseudonym; ‘Address’ meant a current physical address at which the requester might be contacted; and ‘Email details’ would only arise under ‘any other relevant contact details’ in article 6(1)(c).
Grounds for refusal
“As we await the ECJ’s decision on this case, it’s worth asking where it leaves us in relation to the new draft AIE Regulations 2023 currently under consultation. There may be an outlet in the proposed amendments in relation to grounds for refusal. Currently, a request for information can only be refused where it is ‘manifestly unreasonable’ having regard to the volume and range of information sought,” said Moran.
“Arguably, under the new regulations, it might be possible to refuse the ‘Willy Wonka’ type of requests if it can be established that they are coming from a serial requester who is clogging up the system. But proving such requests are all coming from one person is difficult to do.”