Authors: Eilis McDonald; Marcus Walsh; John Magee; Gavin Woods; David Cook; Andreas Rüdiger

The Irish Circuit Court has recently delivered an important judgment on non-material damages for infringement of the GDPR.  The judgment also establishes a list of factors for the courts to consider when assessing non-material damages.

This judgment comes in the context of other recent decisions on this topic in the UK and EU, which continue to shape the data protection environment in which multinational organisations operate. The scrutiny by national courts over the lawfulness of certain processing, and commentary on the factors that will aggravate or mitigate an infringement, should be considered by these organisations and inform their approach to data protection compliance.

In Kaminski v Ballymaguire Foods [2023] IECC 5, the Irish Circuit Court awarded a claimant the sum of €2,000 for non-material damages for infringement of the GDPR by his employer. The approach of the Irish courts is broadly consistent with the approach in Germany and the UK as referred to below.

Facts in Kaminski

Mr Kaminski held a supervisory position within Ballymaguire Foods. In the course of a meeting about poor food safety practices, CCTV footage of Mr Kaminski was shown to other supervisors. Following the meeting, Mr Kaminski’s colleagues began to “slag” him for his conduct, causing him to feel humiliated and mocked. Mr Kaminski claimed that he suffered issues with his sleep following the incident, as well as heightened stress about going to work each day.

Mr Kaminski sought to claim damages on the basis that Ballymaguire Foods had infringed the Irish Data Protection Act 2018 and the GDPR by unlawfully processing his personal data. Ballymaguire Foods denied the infringement and also argued that Mr Kaminski was not entitled to recover damages as the non-material damage claimed amounted to no more than mere “upset, anxiety and embarrassment”, for which compensation was not recoverable.

The Court disagreed with Ballymaguire Foods and held that there was an infringement of the GDPR, that non-material damage resulted from that infringement and that a financial sum in compensation was due. Mr Kaminski was awarded €2,000 for non-material loss, on the basis that the loss went beyond mere upset and resulted in insecurity lasting a short period of time.

Factors to consider in assessing non-material damages

In his judgment, Judge O’Connor referred to the CJEU ruling[1] in the Österreichische Post[2] case and set out a list of factors to consider in assessing non-material damages. Interestingly, the Judge caveated his own judgment, stating that he was formulating the list “with some caution in the absence of clarification from the Oireachtas [the Irish Parliament], the Superior Courts and the outstanding preliminary reference before the CJEU”. The factors that he set out are:

  • “Mere breach” of the GDPR is not sufficient to warrant an award of compensation.
  • There is no minimum threshold of seriousness for a claim to exist (however compensation for non-material damage does not cover “mere upset”).
  • There must be a link between the data infringement and the damages claimed.
  • If the damage is non-material, it must be genuine and not speculative.
  • Damages must be proved. Supporting evidence is strongly desirable (e.g. in a claim for distress and anxiety, independent evidence is desirable such as a psychologist report or medical evidence). Interestingly the Court did not require medical proof of Mr Kaminski’s purported anxiety in this case, commenting that Mr Kaminski was “viewed as a truthful and conscientious witness”.
  • Data policies, such as employee privacy notices and CCTV policies, should be clear and transparent and accessible by all parties affected[3].
  • Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the breach.
  • An apology where appropriate may be considered in mitigation of damages (e.g. reassuring the individual that their employment is safe and not at risk).
  • Delay in dealing with a breach by either party is a relevant factor in assessing damages.
  • A claim for legal costs may be affected by these factors.
  • Even where non-material damage can be proved and is not trivial, damages in many cases will probably be modest (and the Court referred to the Irish Judicial Council Personal Injuries Guidelines regarding minor psychiatric damages, noting that in some cases non-material damage could be valued below €500).

The Comparative View – damages

Until now, there has been some uncertainty as to how compensation for non-material loss would be calculated in Ireland. The Irish court’s ruling, following the Österreichische Post case, indicates some consistency in approach across Europe. The award of €2,000 for the claimant’s distress is comparatively consistent with the approach in the UK and Germany.

There are now several judgments in which the German courts awarded compensation for non-material damages.[4] The highest compensation we are aware of is €10,000 for non-material damages for the loss of control of a data subject due to a delay in complying with the right of access.[5] However, the average award for non-material damages by the German courts appears to be in the region of approximately €2,000.[6]

The position in the UK broadly aligns with this. In Driver v CPS[7], heard in 2022, the UK High Court made an award “at the lowest end of the spectrum” of £250. More recently, in Ali v Chief Constable of Bedfordshire Police[8], the High Court awarded £3,000 for non-material damage on the basis that it was “in the bottom half of the range of awards for ‘less severe psychiatric harm’” in the Judicial College Guidelines for the Assessment of General Damages in Personal Injury cases. However, the position in the UK Courts certainly remains somewhat unsettled.

While there is ostensibly some comfort found in the decision in Lloyd v Google[9], in which the UK Supreme Court rejected a US-style opt-out class action against Google, the Court certainly left the door ajar for future mass claims for data protection infringement. Indeed, if the lowest end of the scale is even just £200[10], then a group claim, or multi-party case, could quickly see the figures escalate dramatically, particularly when claimants’ costs are also factored in.

The Comparative View – how are non-material damages assessed elsewhere?

It is interesting to compare the approach of Judge O’Connor with how this issue is dealt with across the EU (in light of the Österreichische Post judgment[11]) and the UK (and Lloyd v Google[12]), where it has been established:

  • Loss of control of data or a simple infringement without consequence would not itself sound in compensation.
  • Damage would need to be caused, which can be material damage (such as financial loss) or non-material damage (such as distress).
  • That damage must be evidenced and proven.
  • There is a de minimis threshold for distress claims and there will be some claims for which the issue is too trivial to lead to compensation.

Following the CJEU ruling in the Österreichische Post case, we saw German courts making their decisions on the basis of the above criteria, and we assume that this will be the case for future decisions. Among the decisive factors here is that a mere breach of the GDPR does not give rise to an automatic claim for damages and that the plaintiff needs to prove both non-material damage and a causal link between the breach and the damage.

This is certainly the case in the UK, and the Österreichische Post AG decision effectively mirrors the reasoning of the UK court in Lloyd v Google, which, in turn, the Irish Circuit Court has followed in Kaminski. There is consistency in those first principles. Where this goes next is unclear. The CJEU decision in Österreichische Post necessarily gives a great deal of discretion to Member State courts and the post-Brexit interpretation of the GDPR requirements in the UK may see further divergence.

Conclusion

We are finally beginning to see the development of broadly consistent principles being applied by national courts to the awarding of non-material damages under GDPR and national data protection legislation. Further, the level of damages appears to be relatively modest. However, that may be cold comfort to any organisation where a significant data breach occurs, opening it up to the possibility of a class action or claims by a large group of claimants resulting in large-scale multiples of those “modest” damages. At DLA Piper, we continue to monitor these decisions to provide our clients with a broader view of the risks involved across multiple jurisdictions.

[1] Case C-300/21, UI v Österreichische Post AG

[2] https://blogs.dlapiper.com/privacymatters/europe-cjeu-holds-that-mere-infringement-of-the-gdpr-does-not-give-rise-to-a-right-to-compensation/

[3] As previously established in the cases of Cormac Doolin v The Data Protection Commissioner and Our Lady’s Hospice and Care Services [2020] IEHC 90 and McVann v Data Protection Commissioner [2023] IECC 3

[4] Some recent court decisions in this regard include: Higher Regional Court of Naumburg, judgment of March 2, 2023 – 4 U 81/22; Administrative Court Cologne, judgment of February 23, 2023 – 13 K 278/21; Higher Regional Court of Hamm, judgment of January 20, 2023 – 11 U 88/22; Cologne Regional Court, judgment of September 28, 2022 – 28 O 21/22; Koblenz Higher Regional Court, judgment of May 18, 2022 – 5 U 2141/21.

[5] Labour Court Duisburg, judgment of March 23, 2023 – 3 Ca 44/23.

[6] This was the result of an evaluation of 21 German court decisions from the years 2020-2023 with regard to the amount of damages awarded.

[7] https://www.dlapiper.com/en-am/insights/publications/2022/11/the-high-court-has-confirmed-its-position-as-to-the-award-of-damages

[8] Ali v Chief Constable of Bedfordshire Police [2023] EWHC 938 (KB)

[9] https://www.dlapiper.com/en-gb/insights/publications/2021/11/lloyd-v-google-supreme-court-judgment-report-and-impacts-on-data-protection

[10] So the lowest end, as per Driver v CPS

[11] https://blogs.dlapiper.com/privacymatters/europe-cjeu-holds-that-mere-infringement-of-the-gdpr-does-not-give-rise-to-a-right-to-compensation/

[12] https://www.dlapiper.com/en-gb/insights/publications/2021/11/lloyd-v-google-supreme-court-judgment-report-and-impacts-on-data-protection