COMPENSATION FOR VICTIMS OF DATA BREACHES
Regulation (EU) 2016/679 the General Data Protection Regulation (‘GDPR’) and the new Data Protection Act 2018 (‘New Legislative Framework’) became law in Ireland on the 25th May, 2018. While many of the main concepts and principles of GDPR are the same as those under the Data Protection Acts 1988 and 2003 (‘Old Legislative Framework’), GDPR introduced new elements and significant enhancements to the Old Legislative Framework. One such enhancement is the ability of victims of data breaches to bring claims for compensation for ‘non-material’ damage that they have suffered. While this indeed is a positive development, it remains to be seen how the Irish courts will deal with such claims.
Data protection is a fundamental right of all Irish citizens; everyone has the right to the protection of their personal data. “Personal Data” is defined as any information relating to a living person (called a ‘Data Subject’) who is identified or identifiable. In other words, if the data can be used on its own or in combination with other information to identify you, then it counts as Personal Data.
Pursuant to legislation, Data Controllers and Data Processors are subject to stringent obligations to keep the Data Subject’s Personal Data safe and secure; to process data fairly; to retain data for one or more specified lawful purpose and to retain data for no longer than is necessary.
In order for an impacted Data Subject to initiate legal proceedings and bring a data protection claim, a Data Subject must claim that his or her data protection rights have been infringed and that the infringement is as a result of the processing of his or her Personal Data in a manner that is noncompliant with data protection laws. Notably, there is no obligation upon a Data Subject, before initiating legal proceedings, to prove fault or negligence on the part of the Data Controller or the Data Processor. A Data Controller or Data Processor will be at fault unless it can prove that it was not in any way responsible for the infringement which caused damage.
Prior to May 2018, victims of data breaches who initiated legal proceedings pursuant to the provisions of the Old Legislative Framework could only seek compensation for ‘material’ damage that they suffered as a result of an infringement of their data rights. ‘Material’ damage encompasses actual damage that is quantifiable (for example where one suffered financial loss as a result of the infringement). This limitation of compensation was recently affirmed by the Circuit Court in or around April, 2019 when a Plaintiff’s action against Ulster Bank, brought pursuant to the provisions of the Old Legislative Framework, was dismissed on the basis that they failed to establish any specified financial loss that they had suffered. No compensation for stress and upset could be awarded by the Court.
However, under the New Legislative Framework, in particular, Article 82 of the GDPR, Data Subjects have a right to compensation against Data Controllers or Data Processors if a breach of their rights has caused them to suffer material or ‘non-material’ damage (i.e. non-financial damage). Accordingly, ‘damage’, as and from May 2018, is now broadly defined to include stress and emotional suffering, financial loss, damage to reputation among other things.
While the above legislative enhancement is a positive development for impacted Data Subjects who have suffered non-material damage as a result of an infringement of their data rights (as and from May 2018) it remains to be determined how the Irish courts will deal with such claims and therefore, a reported judgment is to be welcomed in that regard.
* In contentious business, a solicitor may not calculate fees or other charges as a percentage of any award or settlement.