The General Data Protection Regulation (“GDPR”) brought about significant changes to the ways in which individuals can pursue civil claims for breach of their data protection rights. Notably, it is now possible for individuals to claim compensation not only for financial damage they have suffered, but also for non-financial damage such as distress and emotional suffering. Individuals can also now authorise certain representative bodies to initiate data protection claims on their behalf.
This article examines the compensation mechanisms that are available to individuals and the current landscape in Ireland in this area.
The pre-GDPR position: Collins v FBD Insurance Plc
An individual’s entitlement to seek compensation for damage suffered as a result of breach of their data protection rights is a longstanding principle of data protection law. Under the pre-GDPR legislation, individuals were limited to pursuing compensation for “material damage”. This is actual damage that is quantifiable, such as financial loss suffered as a result of a GDPR breach of a person’s data protection rights.
This principle was endorsed by the High Court in its 2013 decision in Collins v FBD Insurance Plc. The Circuit Court had awarded general damages in the sum of €15,000 to the Plaintiff for various data protection breaches by the Defendant in the course of handling the Plaintiff’s insurance claim for the theft of his van. The High Court overturned the Circuit Court’s award, finding that an individual must prove that they have, in fact, suffered damage arising from a GDPR breach of their data protection rights before they can be entitled to compensation, and furthermore that non-financial loss is not recoverable.
Extension of rights under the GDPR: Compensation for both material and non-material GDPR Breach
In keeping with its objective of boosting the rights of individuals, the GDPR built upon the entitlement to claim compensation for GDPR breach of data protection rights and it is now possible for individuals to claim compensation both for material damage and non-material damage (such as distress and emotional suffering). Recital 75 of the GDPR lists such types of damage as also including reputational damage and situations where individuals might be prevented from exercising control over their personal data.
Several compensation claims have come before the Irish courts since the introduction of the GDPR on 25 May 2018 which related to breaches of the pre-GDPR legislation. One such claim earlier this year involved an allegation by a customer that his bank had erroneously sent his account statements to his ex-wife over a number of months, causing him emotional distress. The Circuit Court refused to award compensation to the customer in circumstances where an individual does not have an entitlement under the pre-GDPR regime to recover compensation for non-material damage.
There are no reported Irish court decisions involving compensation claims arising from data protection GDPR breaches that occurred after the introduction of the GDPR. As such, the approach that an Irish court would take to a case similar to the one outlined above, but involving a post-GDPR breach, remains to be seen. In the meantime, the UK Court of Appeal recently delivered a decision regarding the entitlement to recover compensation for non-material damage caused by breaches of data protection obligations, which may be of persuasive value to the Irish courts if faced with the issue.
Lloyd v Google LLC
The facts giving rise to the UK Court of Appeal’s decision in October 2019 in the Lloyd v Google LLC case related to what is known as the “Safari Workaround”. The “Safari Workaround” allegedly involved Google collecting information about internet usage via users’ Apple Safari browsers (called “Browser Generated Information”) without users’ knowledge or consent, which could subsequently be used to facilitate targeted advertising to those users.
The Plaintiff, Mr Lloyd, intended to pursue an action on behalf of a class of more than 4 million Apple iPhone users against Google LLC under the UK “representative action” procedure. A unique feature of the case was that Mr Lloyd intended to pursue a uniform amount of compensation on behalf of each individual regardless of whether or not they had authorised him to do so, or even were aware of the breaches of their data protection rights.
Before the action could get off the ground, Mr Lloyd needed permission from the domestic court to serve the proceedings on Google LLC in the United States. The High Court refused such permission, and Mr Lloyd appealed the High Court’s decision to the Court of Appeal.
One of the Court of Appeal’s key findings was that compensation is in principle capable of being awarded for loss of control of data, even if there is no financial loss and no distress. The Court ultimately granted permission to Mr Lloyd to serve the proceedings on Google LLC in the United States, with the consequence that the claim could progress to the next stages.
A key distinguishing feature between the facts in the Lloyd v Google LLC case and the Irish experience is the availability of the “representative action” procedure in the UK. While there is a type of representative action procedure in Ireland, it is very limited and infrequently used. However, a kind of hybrid procedure is now available under the GDPR which could be considered as paving the way to “class action” type claims for breach of data protection rights in this jurisdiction.
Representation of data subjects
Under Article 80 of the GDPR, an individual or group of individuals can authorise a not-for-profit body, organisation or association that is committed to the protection of personal data to bring an action on their behalf for breach of their data protection rights. Member States were given discretion regarding the implementation of some aspects of the representative procedure into national law. A key feature of the Irish legislation is that each individual must authorise the representative body to take a claim on their behalf. Therefore, it would not be possible for a representative body to take action on behalf of individuals who do not wish to take a claim, or who may not even be aware of the breach (in contrast to the position in Lloyd v Google LLC).
In November 2019, the civil liberties group Digital Rights Ireland submitted a complaint to the Data Protection Commission on behalf of a large number of individuals following the Data Protection Commission’s investigation into alleged widespread breaches of data protection rights by the Irish Government in the operation of the Public Services Card (“PSC”). Digital Rights Ireland has announced its plan to add further individuals to the complaint over the coming months.
At this stage, the PSC complaint is proceeding as a complaint to the Data Protection Commission. In light of the mechanism that is available under Article 80 of the GDPR, there is also scope for representative claims before the Irish courts arising from the PSC controversy and we expect to see considerable activity in this space over the coming year.
Conclusion on GDPR Breach
The entitlement to claim compensation for non-material damage and the availability of the representative action procedure mark significant developments under the GDPR. Given that data subjects are generally more aware of their rights now than they were in the past, it is likely that compensation claims before the Irish courts for breach of data protection rights will become more common in the years ahead. Organisations should keep these developments in mind when implementing their policies and procedures to manage data protection risks into the future.
If you have been affected by a breach of GDPR legislation contact us now for a free assessment of your claim.
