Current position re data protection claims
Article 82 of the GDPR, and Section 117 of the Irish Data Protection Act 2018 is the relevant legislation which gives rise to the possibility of individuals whose data rights have been breached, to claim compensation.
It is important however to understand that this is not quire the bonanza that people whose data might be breached may have thought.
As of yet there are no Irish decisions issued by our Superior Courts although there do appear to have been some Circuit Court decisions which appear to have been unsympathetic to claimants and in one particular case against a trade union for distributing personal details of union members, the court rejected the claims on the basis that the claimant could not prove material loss. The court went further by awarding costs against the claimants.
This decision follows a number of recent decisions in the UK. In a case of Rolfe v Veale Wasbrough Vizards LLP, the claimants brought a claim against a firm of solicitors who, acting on behalf of a school, wrote to the claimants seeking payment of the school fees. In error, the letter in fact went to a third party. The offending email was immediately deleted by the recipient who was unknown to the claimants. The claimants brought a claim for damages and claimed damages on the basis of lost sleep and a fear that this might happen again or there may be consequences in the future.
The court decided that in order for claimants to be able to justify a claim for damages they must suffer harm which is over and above the de minimis threshold. They did not say what this de minimis threshold was but clearly a breach which involves an email being sent which is immediately deleted will not satisfy this test.
The court followed a previous decision of the court of appeal in England of Lloyd v Google which had stated that a claim for damages for an accidental one off data breach that was quickly remedied was not sustainable.
In the Rolfe case the Court awarded costs in favour of the defendants.
Accordingly, claimants who bring a claim for breach of data protection must be able to show real loss arising from the said loss and certainly an accidental one off breach is unlikely to satisfy the de minimis test referred to in the Rolfe case.
For further advice in relation to data protection matters please do not hesitate to contact Conor Cleary or Brendan Dillon on 01 296 0666.