The Irish Circuit Court, in the case of Cunniam v Parcel Connect Limited & Ors [2023] IECC 1, recently granted a stay on proceedings brought by a data subject where non-material damages were alleged, pending six decisions awaited from the Court of Justice of the European Union ('CJEU') relating to non-material damage claims. The Court held that not granting the stay would substantially prejudice the defendants’ case, and would lead to the risk of an irreconcilable judgment being produced by the Court.
Background
Article 82 GDPR, and section 117 of the Irish Data Protection Act 2018 (the 'DPA') allows data subjects or non-profit organisations mandated to act on their behalf, to seek compensation for material or non-material damage suffered as a result of a breach of the GDPR. However, uncertainty prevails over the scope of the right to compensation for non-material damage.
Whilst obiter comments by Whelan J., in Shawl Property Investments Ltd v A. & B [2021] IECA 53 state that nothing in the DPA “suggests that a data protection action is a tort of strict liability” and regard should be had to “the principle of proportionality in evaluating claims for breaches of [the GDPR]", there has been no consideration of Article 82 GDPR in any written decision of the Irish Superior Court to date.
The extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny recently as a number of national court decisions concerning same are filtering up to the CJEU. In particular, the Advocate General has delivered an Opinion in the UI v Österreichische Post AG case (Case C-300/21) which will be welcomed by parties facing data breach claims, as it requires a de minimus threshold of damage to be met in a claim for non-material damages arising from a breach of the GDPR (previously discussed here). However, it remains to be seen whether the CJEU will follow the Advocate General's Opinion.
The Cunniam Case
Facts
In the Irish Circuit Court case of Cunniam v Parcel Connect Limited & Ors, the plaintiff alleged that the defendants, or one of them, had a data breach incident in which the personal data of over 450,000 people was compromised by a third party hacker. The plaintiff's solicitor acts for 22 clients, including the plaintiff, in proceedings against one of the defendants, arising out of the data breach incident. The personal data of the plaintiff that was allegedly accessed by the third party hacker included the plaintiff's name, email address, residential address and mobile number.
The damage alleged to have been suffered by the Plaintiff included interference with his peace and privacy, and apprehension about the use to which his data has been put. It was further alleged that he had been contacted by unknown third parties, and that he had lost control over his personal data, with the result that he is unable to exercise any rights of erasure, rectification or restriction of processing against the unknown third parties in possession of his personal data. The plaintiff claimed non-material damages pursuant to Articles 79 and 82 GDPR and/or section 117(4) of the DPA.
The defendants sought to stay the proceedings under the Circuit Court's inherent jurisdiction pending the determination of six preliminary references made by various Member States to the CJEU.
Ruling
The Court, in accordance with its duty of sincere cooperation, and the need to avoid the risk of irreconcilable judgments, granted an Order staying the proceedings pending a determination by the CJEU of the preliminary references referred to it by a number of Member State courts including Austria, Germany and Bulgaria, in the following cases:
(a) UI v Österreichische Post AG (Case C-300/21)
(b) VB v Natsionalna agentsia za prihodite (Case C-340/21)
(c) ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein (Case C-667/21)
(d) BL v Saturn Electro-Handelsgesellschaft mbH Hagen (Case C-687/21)
(e) GP v Juris GmbH (Case C-741/21)
(f) JU v Scalable Capital GmbH (Case C-182/22)
The Court noted that the above cases concern the correct interpretation of Article 82 GDPR, in particular: (i) the meaning of "material or non-material damage"; and (ii) the conditions for the imposition of liability under Article 82, and whether some degree of "fault" is required in order to impose liability, particularly in the context of a hacking incident perpetrated by a third party.
Comment
In the recent Opinion of the Advocate General in UI v Österreichische Post AG (6 October 2022), the Advocate General provided some insight into the potential outcome of these references, and the correct interpretation of Article 82.
The Advocate General opined that, firstly, a mere violation of the GDPR is not sufficient for an award of compensation, rather the infringement must be accompanied by some material or non-material damage. Secondly, compensation for non-material damage does not cover mere upset which the person concerned may feel as a result of a violation of the GDPR. Thirdly, it is for the national courts to determine when a subjective feeling of displeasure may be deemed, in each case, to constitute non-material damage.
In the event that the CJEU follows this opinion, it would be welcome news for companies, as it would raise the bar for successful damages claims for non-material loss. However, the Irish courts would still be left to decide what constitutes non-material damage over a de minimus threshold. Accordingly, even after the CJEU has ruled on these preliminary references, some legal uncertainty will remain over exactly what types of non-material damage may be eligible for compensation under the GDPR. It also remains to be seen what level of compensation will be awarded for such claims.