
Data Protection and Privacy

As we enter the final quarter of 2022, it is timely to consider the most significant developments in the data protection space and the compliance challenges companies are facing.

In this briefing, we set out some key legislative and case-law developments in relation to international transfers, compensation for non-material loss under the GDPR, and cyber security reporting requirements.

Key Themes in Data Protection and Technology

Legal Certainty ahead for EU-US Data Transfers?

On 7 October 2022, President Biden issued an Executive Order, which paves the way for the European Commission to draft a US Adequacy Decision, known as the "EU-US Data Privacy Framework".  This Framework will replace the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union ("CJEU") in July 2020 in the Schrems II case.

Since the Schrems II decision, there has been much legal uncertainty over how to legitimise EU-US data transfers, and EU Data Protection Authorities have been ramping up enforcement in this area. Once the US Adequacy Decision is formally adopted (likely to be in Spring 2023), US companies will be able to self-certify with the US Department of Commerce, and commit to complying with a detailed set of privacy obligations.

It will undoubtedly be a huge relief to companies transferring data from the EU to the US, to be able to rely on the new Framework, and avoid the burden and uncertainties associated with relying on Article 46 transfer tools (such as the SCCs), including transfer impact assessments and supplementary measures.

Whilst we await the adoption of the US Adequacy Decision (which is by no means guaranteed), the European Commission has confirmed that all the safeguards contained within the Executive Order will be available for all transfers to the US under the GDPR, regardless of the transfer tool used. Accordingly, companies should start taking account of the new safeguards when carrying out their Transfer Impact Assessments in respect of EU-US transfers, as the safeguards (including the redress mechanism once implemented) should serve to lower the data protection risks associated with EU-US transfers.

Non-material damages not available for "mere upset"

Since the GDPR and Data Protection Act 2018 came into force, it has been possible for individuals, or groups of individuals in Ireland to claim damages for "non-material loss" (i.e. non-economic loss) arising from breaches of their data protection rights.  However, there has been much debate about what claimants need to prove in order to seek compensation for non-material damage, in particular whether it requires proof of something greater than "mere upset" about their GDPR rights being violated.

Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the CJEU by Member State courts, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland.

On 6 October 2022, Advocate General Manuel Campos Sánchez-Bordona delivered his opinion in UI v Österreichische Post AG (Case C-300/21), a reference to the CJEU from the Austrian Supreme Court (Oberster Gerichtshof). The Opinion clarifies that mere infringement of the provisions of the GDPR, without accompanying damage (whether material or non-material), is not sufficient for the purposes of awarding compensation; and, in relation to non-material damage, that compensation for such damage as provided for in the GDPR does not cover "mere upset".

It can often take several months after the publication of an Advocate General Opinion for the CJEU to deliver its final judgment.  While the Opinion is not binding on the CJEU, it will be of strong persuasive value. 

Read more in Matheson's Cyber Bulletin here.

Operational Resilience and Cyber Security

In response to the growing threats of cyber-attacks and taking into account the significant growth of digitalisation, the European Commission is in the process of updating the NIS Directive through the introduction of a replacement directive ("NIS 2"). In parallel, the European Commission has published a draft regulation for a Digital Operational Resilience Act ("DORA") as part of its Digital Finance Strategy, which is specifically directed to financial services.

One of the key features of both initiatives is the extension of the regulatory cyber and operational resilience regime to a broader range of business sectors (NIS 2) and a much broader range of financial services (DORA).

The focus of reporting obligations will shift from the impact on total users to incidents causing (or having the potential to cause) severe operational disruption, financial losses for the entity, or considerable material or non-material losses for other natural or legal persons. The timeframe within which an initial report must be made will also be reduced, with the applicable deadline depending on whether the report is required under NIS 2 or DORA.

What organisations should do now:

  • Assess whether the organisation is within scope of NIS 2 or DORA
  • Refresh or undertake a risk assessment
  • Update or create incident response plans, and communicate them
  • Implement additional technical and organisational protections where gaps and vulnerabilities have been identified
  • Update all relevant and impacted policies and procedures
  • Train personnel on cyber risks and awareness, and on the incident response plan
  • Do a dry run / simulation

Read more in Matheson's Cyber Bulletin here.

Is Mere Worry Enough? “Non-Material Loss” claims for breach of data rights under the GDPR

7 October 2022, 17:47
The GDPR brought with it the possibility of, for the first time in Ireland, individuals (or groups of individuals) being allowed by law to claim damages for “non-material loss” arising from breaches of their data rights. Two recent and much-publicised English decisions have already restricted the scope for claims of this kind in the UK to those where there is more than a de minimis level of pain and suffering. This week, an opinion of the Advocate General, delivered on 6 October 2022 in one of the cases awaiting judgment before the CJEU, suggests that the CJEU may follow suit.

The Data Protection Act 2018, which entered into force in May 2018 for the purposes of implementing the General Data Protection Regulation (“GDPR”), brought with it the possibility of a brave new world of damages claims for breaches of personal data rights.  For the first time in Ireland, individuals (or groups of individuals) would be allowed by law to claim damages for “non-material loss” arising from breaches of their data rights. The term “non-material loss” essentially means non-economic loss, i.e. pain and suffering, inconvenience and anxiety which might arise from a data rights breach, as opposed to any kind of financial damage.  

Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the Court of Justice of the European Union (“CJEU”) by Member State courts, including by courts in Germany and Austria, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland.  Two recent and much-publicised English decisions have already restricted the scope for claims of this kind in the UK to those where there is more than a de minimis level of pain and suffering. This week, an opinion of the Advocate General, delivered on 6 October 2022 in one of the cases awaiting judgment before the CJEU, suggests that the CJEU may follow suit. 

What is "non-material loss" under the GDPR?

Prior to 2018, the Irish courts had taken the position that a person was not entitled to damages for a breach of data rights without proof of some financial or economic loss caused by the breach[1].  That position seemed settled in Irish law until Article 82(1) of the GDPR introduced a broader basis for damages claims by providing that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

While “non-material damage” is not defined in the GDPR, the (non-binding) Recital 146 of the GDPR suggests that the “concept of damage should be broadly interpreted” and that data subjects should receive “full and effective compensation for the damage they have suffered”.  Recital 85 of the GDPR provides that where a personal data breach is not addressed in an appropriate or timely manner, it may result in “physical, material or non-material damage to natural persons” in circumstances where the natural person has “suffered a loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss…damage to reputation, loss of confidentiality of personal data or any other significant economic or social disadvantage”.

To date, the Irish courts have not been required to deliver any written judgment assessing a claim for damages for non-material loss. As such, it has not been possible to glean an understanding of the approximate value which the courts in this jurisdiction would place on claims of this kind. However, the question has been the subject of a number of reported cases in other EU Member States since the entry into force of the GDPR, particularly in Germany and Austria.  Now, questions have emerged from those countries, and others, as to whether technical breach of data rights is, in itself, sufficient to justify damages for non-material loss or, alternatively, whether some minimum level of “pain and suffering” will be required.

The position in the EU

In April 2021, in the case of UI v Österreichische Post AG, the Austrian Supreme Court (Oberster Gerichtshof)[2] referred some key questions to the CJEU on the appropriate method to award and quantify non-material damages for data protection infringements under the GDPR. In particular, the CJEU has been asked to determine:

  1. does a mere breach of provisions of the GDPR, in and of itself, allow a data subject to seek an award of damages?;
  2. in addition to the principles of effectiveness and equivalence, what, if any, additional considerations must a national court observe when assessing damages under Article 82 of the GDPR?; and
  3. to be eligible for non-material damages, is there a requirement that the legal infringement goes beyond the annoyance caused by the infringement?

The recent opinion of the Advocate General (published on 6 October 2022) on these issues proposes effectively that a de minimis approach should be adopted, concluding that:

  1. mere infringement of provisions of the GDPR, without accompanying damage (whether that be material or non-material), is not sufficient for the purposes of awarding compensation; and
  2. specifically in relation to non-material damage, compensation for such damage as provided for in the GDPR does not cover "mere upset".

Confirmation of whether the CJEU will adopt this position though will have to wait for its final judgment on the questions referred. It can often take several months after the publication of an Advocate General opinion for the CJEU to deliver its judgment.

In Germany (as well as some other countries), it would appear that a general rule has emerged from domestic case law to the effect that there must be more than minimal damage to ground a claim and that compensation should only be paid where there is “perceptible harm”.  Separately, the German Federal Labour Court[3] has asked the CJEU for a preliminary ruling on the following questions relating to non-material damages under the GDPR:

  1. does Article 82 (1) GDPR have a special or general preventive character and does this have to be taken into account when assessing the amount of non-material damage to be compensated on the basis of Article 82 (1) GDPR at the expense of the controller or the processor?; and
  2. when assessing the amount of non-material damage to be compensated on the basis of Article 82 (1) GDPR, is the degree of fault of the controller or processor decisive? In particular, may a non-existent or minor fault on the part of the controller or processor be taken into account in its favour?

The decisions of the CJEU on the above questions will be of great significance to the development of future case law on this subject and will be of particular interest to organisations and data controllers which process a large amount of data and which, as such, can expect to find themselves as the targets of claims for non-material loss.  

The UK position and the de minimis threshold

The CJEU’s awaited decision in UI v Österreichische Post AG is particularly relevant given the recent judgment of the English High Court in Rolfe v Veale [4], in which the Court held that there is a de minimis threshold implicit in English case law which claimants have to show has been exceeded before they can seek damages for actual loss or distress. In a separate case, Johnson v Eastlight Community Homes Ltd [5], the English High Court has ruled that the de minimis concept applies to claims taken under the GDPR and the UK Data Protection Act 2018.  

It is difficult to know how much persuasive authority these UK judgments will have in the post-Brexit age, particularly at EU level.  However, even post-Brexit, it is likely that the CJEU and other European courts will pay attention to the decisions of the UK higher courts in the sphere of data protection, especially given the general dearth of case law in this arena. Indeed, it seems likely that the CJEU will follow a de minimis approach given the recent opinion of the Advocate General in UI v Österreichische Post AG, although, as noted above, the final decision of the CJEU on the matter is still awaited. In an Irish context, while the Irish judiciary is not bound by these UK decisions, they are nevertheless likely to have some persuasive effect in this jurisdiction also.

Can we expect class actions in data breach cases in Ireland?

There is currently no provision in Irish court rules for class actions. Rather, there is a range of procedural options which allow claims involving multiple parties to be litigated as private actions. These include: (i) joining additional parties to an individual claim; (ii) representative actions; (iii) consolidation and co-ordinated hearings of separate actions; and (iv) test cases.

One potential additional avenue for class actions in Ireland will be the EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers (Directive on representative actions) (the “Directive”), which is due to enter into effect in June 2023. This Directive will harmonise the regime for collective actions to be brought on behalf of EU Consumers and will require each Member State to designate at least one “qualified entity” to bring actions on behalf of consumers for breaches of a wide range of EU directives and regulations.  It remains to be seen what, if any, impact this will have on data breach cases in Ireland. Article 80 of the GDPR already makes provision for collective actions to be brought in respect of certain provisions of the GDPR, including the right to compensation under Article 82. However, the take-up on actions of this kind has been slow to date, possibly as a result of a lack of clarity as to whether a de minimis level of harm is required. Where the requirement of a de minimis level of harm is confirmed by the CJEU, this is likely to decrease the chances of class actions for breach of data rights.

Conclusion

CJEU decisions are difficult to predict and while most decisions follow the opinion of the Advocate General (such as that delivered this week in the Österreichische Post case), this is never completely certain. We eagerly await and look forward to receiving clarity from the CJEU when it delivers its rulings in the Österreichische Post and other references currently before it, in particular, as to whether there is a de minimis threshold which must be met in order to be eligible for an award of damages under the GDPR. The future of non-material loss claims depends on them.

If you would like to find out more, please contact Michael Byrne, Partner, Commercial and Dispute Resolution, any member of the Data Protection, Technology and Cyber Security Expert Team, or your usual Matheson contact. 

The author would like to credit Roisin Collins, trainee solicitor; and Dylan Gannon for their support and assistance in researching and producing this article. 


[1] Collins v FBD Insurance plc [2013] IEHC 137

[2] Case C-300/21, UI v Österreichische Post AG

[3] Case C-667/21, ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein

[4] Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC (QB)

[5] Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB)
