Data Breach as Personal Injury?

white caution cone on keyboard

29 November 2023

According to the GDPR, claims for material or non-material damage may be brought for infringement of personal data rights. The level of compensation for non-material damage claims has been given greater clarity following the decision earlier this year in Kaminski v Ballymaguire Foods Limited.

In that decision, the case which is the subject of this article was specifically referenced and acknowledged to be “important for potential future actions concerning data breaches and claims for damages.” However, it was alleged the data breach caused severe stress and anxiety with physical manifestations, so it was not merely a non-material damages claim. The court therefore had to consider:

  1. Whether the claim in this respect, at least, was properly a personal injury claim and, if so,
  2. Should the claim have been brought by way of a personal injuries summons following application to the Personal Injuries Assessment Board (PIAB).

Background

The case involved proceedings brought by a census enumerator, Ms Keane, by way of ordinary civil bill. This is the originating document for conventional tort and contract claims in the Circuit Court. As an enumerator for Census 2016, she provided personal data for salary and tax purposes. At the end of her employment, she received her P45. In 2017, some 3,000 enumerators’ P45s, including Ms Keane’s, were allegedly unlawfully disclosed by the Central Statistics Office (CSO). This was claimed to be a complete breach of Ms Keane’s privacy rights, which caused her to suffer anxiety and distress. This affected her in her daily life, in that it impacted her sleep and appetite, and exacerbated symptoms of psoriatic arthritis. Ms Keane sought “damages for the stress and anxiety caused as a result of this data breach”. Ultimately damages were sought for:

  • Breach of confidence
  • Breach of privacy rights, and
  • Breach of data protection rights

Following discovery of Ms Keane’s medical records, the CSO successfully applied to amend its defence. Until then, it had broadly denied liability. Instead, a preliminary issue was raised regarding whether, insofar as the proceedings involved a personal injuries claim, they had been authorised by PIAB. The decision here involved the determination of that preliminary issue.

The decision

The CSO argued that the legal action aimed to seek compensation for personal injuries and it was consequently a ‘civil action’ under the Personal Injuries Board Act 2003. The court accepted that proposition. It held that a wrongdoing could be considered a civil action for personal injury if the remedy sought is damages for personal injuries.

The court differentiated between causes of action (e.g., breach of confidence) and the cause for the action, noting that the data breach was the basis for the case here. The court emphasised that personal injuries are not a cause of action but the injuries suffered that may lead to a remedy. Although it acknowledged that this case didn’t have the typical characteristics of a personal injuries action, it recognised that legal descriptions may not always align with legal reality. In such cases, the court considers the overall context “in the round”, using both common sense and applicable law.

In this case, after scrutinising the pleadings, the court determined that the primary remedy sought was damages for personal injuries. It concluded that none of the causes of action escaped the obligation to apply to PIAB as required by the 2003 Act. The judge concluded that the claim fell within the definition of a ‘civil action’ under the 2003 Act and that PIAB authorisation should have been obtained. Therefore, the main remedy seeking damages for personal injury was “doomed to failure” due to non-compliance with the 2003 Act. This meant that what was left of Ms. Keane’s claim would be limited to other damages, if any, that might be awarded for the unintentional data breach. Effectively, this meant that non-material damages under Article 82 GDPR and Section 117 of the Data Protection Act 2018, as relied on in Kaminski’s case, could still be available.

Conclusion

Based on this decision, claims for stress, anxiety and consequential physical conditions arising from data right infringements, and not just non-material damage claims for upset or embarrassment like in Kaminski, ought to be brought as formal personal injury proceedings. For such claims, the originating document should be a personal injury summons and PIAB approval should be obtained prior to issue. Failure to pursue that route could be fatal to the claim if a limitation defence were available to any fresh summons issued under the proper mechanism. Conversely, for defendants to actions seeking such recoveries, beyond non-material damages, consideration should be given to raising a similar objection could be used. If successful, this could effectively preclude the claim entirely or at least restrict it to a non-material damage claim.

Follow us for the latest updates & news

Recent News

Autistic cinema manager wins €12k over discrimination in roster row

An autistic cinema manager who quit when his employer was unable to guarantee him two days off in a row following a months-long dispute over rostering arrangements has secured €12,000 in compensation for disability discrimination. The complainant's wife gave evidence...

Northern Ireland exam board boss wins £100,000 settlement

Northern Ireland’s Council for the Curriculum, Examinations and Assessment (CCEA) has paid a substantial settlement to its former interim chief executive who complained of sex, race and age discrimination and constructive dismissal. The sum paid to Margaret Farragher,...

Recent Articles

Psychological Injury

Nervous Shock I The law allows recovery of damages for so called nervous shock, within certain parameters and subject to limitations.  Nervous shock is the most commonly used legal label for psychiatric or psychological injury. Psychiatric injuries include...

Public Authorities and Negligence

Powers and Duties In broad terms, public authorities are subject to civil liability for negligence and other civil wrongs, in the same way as private individuals and companies.  The State and other public bodies are responsible for the actions and omissions of...

Duty of Care (Part 2)

Limits to Neighbour Principle The famous neighbour principle re-stated the general basis of liability in negligence. It stated, that “you must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your...

Duty of Care (Part 1)

Meaning of Negligence I Negligence is used in a number of senses.  In one sense, it refers to a person’s state of mind.  An act is negligent, where it is done without giving due weight to the risks involved.  A person  (and his state of mind) may...

Join our Panel

You May Also Like...