The first written judgment in Ireland addressing the question of non-material damage under Article 82 of the GDPR and Section 117 of the Data Protection Act 2018 (the 2018 Act) was recently delivered by the Dublin Circuit Court (see Arkadiusc Kaminski v Ballyguire Foods Limited [2023] IECC 5).
Facts
The plaintiff was a supervisor at the defendant’s factory. In March 2019, CCTV footage was shown to employees as part of a meeting between the Quality Control Manager and several managers and supervisors. The purpose of the meeting was to identify instances of poor food safety practice and to highlight food quality and safety issues that needed to be addressed for the purpose of identifying corrective actions. Several clips involving poor food quality and safety practices were shown to those present including one in which the plaintiff appeared. The plaintiff was not present at the meeting and only learnt of the footage from other colleagues. For two weeks after the incident, the CCTV was stored on a communal computer, without password protection but there was no evidence that authorised persons accessed the CCTV.
The plaintiff claimed the use of the CCTV footage was an unlawful processing of his data and alleged that he suffered damage and distress, namely anxiety and embarrassment, due to remarks made by work colleagues.
The plaintiff complained to the Data Protection Commissioner (DPC). As the complaint was not assigned a complaint handler due to backlogs at the DPC office, the plaintiff did not wish to delay his case by awaiting the DPC's outcome and so, he initiated legal proceedings before the Circuit Court.
Judgment
In assessing damages for non-material loss, the Court stated that the following factors will be considered:
-
A “mere breach” or a mere violation of the GDPR is not sufficient to warrant an award of compensation.
-
While there is not a minimum threshold of seriousness required for a claim for non-material damage to exist, compensation for non-material damage does not cover “mere upset”.
-
There must be a link between the data infringement and the damages claimed.
-
If the damage is non-material, it must be genuine, and not speculative.
-
Damages must be proved. Supporting evidence is strongly desirable.
-
Data policies should be clear and transparent and accessible by all parties affected.
-
Employers should ensure their employee privacy notices and CCTV policies are clear to employees.
-
Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the data breach.
-
An apology where appropriate may be considered in mitigation of damages.
-
Delay in dealing with a data breach by either party is a relevant factor in assessing damages.
-
A claim for legal costs may be affected by these factors.
-
Even where non-material damage can be proved and is also not trivial, damages in many cases will probably be modest. In the absence of other guidelines, from the Oireachtas or the Superior Courts and/or the Judicial Council, the Court stated that it had taken cognisance of the factors outlined in the Judicial Council Personal Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance, though noting in some cases non-material damage could be valued below €500.
The Court accepted that (i) the plaintiff's rights under the GDPR had been infringed, (ii) there was non-material damage and (iii) there was a causal link between the damage and the infringement. It stated that the damage suffered by the plaintiff consisted of “some slagging by [his fellow] employees, culminating in the Plaintiff’s own evidence in some serious embarrassment and sleep loss”. The Court accepted that the loss went beyond “mere upset” (particularly bearing in mind his supervisory position) and created "an emotional experience and negative emotions of insecurity which affected him for a short period of time". Accordingly, it awarded €2,000 compensation for non-material damages.
Takeaways
The judgment offers long-awaited guidance in relation to compensation for non-material damages and coincides with the recent signing into law of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 (the 2023 Act). The 2023 Act amends the 2018 Act by giving the District Court jurisdiction to hear and determine data protection actions. When commenced, it is likely that most claims of non-material damage will (given the low level of damages awarded in this case) fall within the remit of the District Court.
If you have any query arising from this article, please contact Maureen Daly or any member of the data protection team.
While all care has been taken in the preparation of this article, no responsibility is accepted for its content which is intended for general information purposes and does not constitute legal advice.