Data Protection and Privacy
Data Protection, privacy and technology developments continued to dominate the headlines last year. In this briefing, we consider some of the most noteworthy developments of which organisations should be aware, and look at what is coming down the tracks in 2023.
The importance of fair, transparent and lawful processing has been in the spotlight as the Irish Data Protection Commission ("DPC") recently imposed three significant fines on a leading technology company for unlawful reliance on contractual necessity as a lawful basis for certain processing activities. International transfers continue to be a hot topic, as the EU Parliament, EDPB and a Committee of EU Member States review the draft EU-US Data Privacy Framework ("DPF").
In addition, the extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny as a number of national court decisions concerning this matter are filtering up to the Court of Justice of the European Union ("CJEU"). All of these matters are considered in more detail in this commentary.
We also consider the CJEU decision in the case of X-Fab (Case C-453/21) which provides guidance on how to determine whether a conflict of interest could arise for an organisation's Data Protection Officer. In addition, the European Data Protection Board ("EDPB") has finalised a number of Guidelines to assist organisations to comply with their GDPR obligations including, amongst others, Guidelines on what constitutes an international transfer of data under Chapter V GDPR, and Guidelines on deceptive design patterns in social media platform interfaces.
Legislation surrounding data protection, privacy and technology continues to develop at a rapid pace. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 will undoubtedly be an exciting and busy year for all.
Is Mere Worry Enough? “Non-Material Loss” claims for breach of data rights under the GDPR
The Data Protection Act 2018, which entered into force in May 2018 for the purposes of implementing the General Data Protection Regulation (“GDPR”), brought with it the possibility of a brave new world of damages claims for breaches of personal data rights. For the first time in Ireland, individuals (or groups of individuals) would be allowed by law to claim damages for “non-material loss” arising from breaches of their data rights. The term “non-material loss” essentially means non-economic loss, i.e. pain and suffering, inconvenience and anxiety which might arise from a data rights breach, as opposed to any kind of financial damage.
Now, more than four years later, we are awaiting judgments in a number of cases which have been referred to the Court of Justice of the European Union (“CJEU”) by Member State courts, including by courts in Germany and Austria, which have the potential to significantly curtail the operation of the new regime for non-material loss claims before it has ever really taken off in Ireland. Two recent and much-publicised English decisions have already restricted the scope for claims of this kind in the UK to those where there is more than a de minimis level of pain and suffering. This week, an opinion of the Advocate General, delivered on 6 October 2022 in one of the cases awaiting judgment before the CJEU, suggests that the CJEU may follow suit.
What is "non-material loss" under the GDPR?
Prior to 2018, the Irish courts had taken the position that a person was not entitled to damages for a breach of data rights without proof of some financial or economic loss caused by the breach[1]. That position seemed settled in Irish law until Article 82(1) of the GDPR introduced a broader basis for damages claims by providing that:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
While “non-material damage” is not defined in the GDPR, the (non-binding) Recital 146 of the GDPR suggests that the “concept of damage should be broadly interpreted” and that data subjects should receive “full and effective compensation for the damage they have suffered”. Recital 85 of the GDPR provides that where a personal data breach is not addressed in an appropriate or timely manner, it may result in “physical, material or non-material damage to natural persons” in circumstances where the natural person has “suffered a loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss…damage to reputation, loss of confidentiality of personal data or any other significant economic or social disadvantage”.
To date, the Irish courts have not been required to deliver any written judgment assessing a claim for damages for non-material loss. As such, it has not been possible to glean an understanding of the approximate value which the courts in this jurisdiction would place on claims of this kind. However, the question has been the subject of a number of reported cases in other EU Member States since the entry into force of the GDPR, particularly in Germany and Austria. Now, questions have emerged from those countries, and others, as to whether a technical breach of data rights is, in itself, sufficient to justify damages for non-material loss or, alternatively, whether some minimum level of “pain and suffering” will be required.
The position in the EU
In April 2021, in the case of UI v Österreichische Post AG, the Austrian Supreme Court (Oberster Gerichtshof[2]) referred some key questions to the CJEU on the appropriate method to award and quantify non-material damages for data protection infringements under the GDPR. In particular, the CJEU has been asked to determine:
- does a mere breach of provisions of the GDPR, in and of itself, allow a data subject to seek an award of damages?;
- in addition to the principles of effectiveness and equivalence, what, if any, additional considerations must a national court observe when assessing damages under Article 82 of the GDPR?; and
- to be eligible for non-material damages, is there a requirement that the legal infringement goes beyond the annoyance caused by the infringement?
The recent opinion of the Advocate General (published on 6 October 2022) on these issues proposes effectively that a de minimis approach should be adopted, concluding that:
- mere infringement of provisions of the GDPR, without accompanying damage (whether that be material or non-material), is not sufficient for the purposes of awarding compensation; and
- specifically in relation to non-material damage, compensation for such damage as provided for in the GDPR does not cover "mere upset".
Confirmation of whether the CJEU will adopt this position will, however, have to wait for its final judgment on the questions referred. It can often take several months after the publication of an Advocate General opinion for the CJEU to deliver its judgment.
In Germany (as well as some other countries), it would appear that a general rule has emerged from domestic case law to the effect that there must be more than minimal damage to ground a claim and that compensation should only be paid where there is “perceptible harm”. Separately, the German Federal Labour Court[3] has asked the CJEU for a preliminary ruling on the following questions relating to non-material damages under the GDPR:
- does Article 82 (1) GDPR have a special or general preventive character and does this have to be taken into account when assessing the amount of non-material damage to be compensated on the basis of Article 82 (1) GDPR at the expense of the controller or the processor?; and
- when assessing the amount of non-material damage to be compensated on the basis of Article 82 (1) GDPR, is the degree of fault of the controller or processor decisive? In particular, may a non-existent or minor fault on the part of the controller or processor be taken into account in its favour?
The decisions of the CJEU on the above questions will be of great significance to the development of future case law on this subject and will be of particular interest to organisations and data controllers which process a large amount of data and which, as such, can expect to find themselves as the targets of claims for non-material loss.
The UK position and the de minimis threshold
The CJEU’s awaited decision in UI v Österreichische Post AG is particularly relevant given the recent judgment of the English High Court in Rolfe v Veale [4], in which the Court held that there is a de minimis threshold implicit in English case law which claimants have to show has been exceeded before they can seek damages for actual loss or distress. In a separate case, Johnson v Eastlight Community Homes Ltd [5], the English High Court has ruled that the de minimis concept applies to claims taken under the GDPR and the UK Data Protection Act 2018.
It is difficult to know how much persuasive authority these UK judgments will have in the post-Brexit age, particularly at EU level. However, even post-Brexit, it is likely that the CJEU and other European courts will pay attention to the decisions of the UK higher courts in the sphere of data protection, especially given the general dearth of case law in this arena. Indeed, it seems likely that the CJEU will follow a de minimis approach given the recent opinion of the Advocate General in UI v Österreichische Post AG, although, as noted above, the final decision of the CJEU on the matter is still awaited. In an Irish context, while the Irish judiciary is not bound by these UK decisions, they are nevertheless likely to have some persuasive effect in this jurisdiction also.
Can we expect class action data breach cases in Ireland?
There is currently no provision in Irish court rules for class actions. Rather, there is a range of procedural options which allow claims involving multiple parties to be litigated as private actions. These include: (i) joining additional parties to an individual claim; (ii) representative actions; (iii) consolidation and co-ordinated hearings of separate actions; and (iv) test cases.
One potential additional avenue for class actions in Ireland will be the EU Directive 2020/1828 on representative actions for the protection of the collective interests of consumers (Directive on representative actions) (the “Directive”), which is due to enter into effect in June 2023. This Directive will harmonise the regime for collective actions to be brought on behalf of EU consumers and will require each Member State to designate at least one “qualified entity” to bring actions on behalf of consumers for breaches of a wide range of EU directives and regulations. It remains to be seen what, if any, impact this will have on data breach cases in Ireland. Article 80 of the GDPR already makes provision for collective actions to be brought in respect of certain provisions of the GDPR, including the right to compensation under Article 82. However, the take-up on actions of this kind has been slow to date, possibly as a result of a lack of clarity as to whether a de minimis level of harm is required. Where the requirement of a de minimis level of harm is confirmed by the CJEU, this is likely to decrease the chances of class actions for breach of data rights.
Conclusion
CJEU decisions are difficult to predict and while most decisions follow the opinion of the Advocate General (such as that delivered this week in the Österreichische Post case), this is never completely certain. We eagerly await and look forward to receiving clarity from the CJEU when it delivers its rulings in the Österreichische Post and other references currently before it, in particular, as to whether there is a de minimis threshold which must be met in order to be eligible for an award of damages under the GDPR. The future of non-material loss claims depends on them.
If you would like to find out more, please contact Michael Byrne, Partner, Commercial and Dispute Resolution, any member of the Data Protection, Technology and Cyber Security Expert Team, or your usual Matheson contact.
The author would like to credit Roisin Collins, trainee solicitor, and Dylan Gannon for their support and assistance in researching and producing this article.
[1] Collins v FBD Insurance plc [2013] IEHC 137
[2] Case C-300/21 – UI v Österreichische Post AG
[3] Case C-667/21 – ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein
[4] Rolfe & Others v Veale Wasbrough Vizards LLP [2021] EWHC (QB)
[5] [2021] EWHC 3069 (QB)