Director held personally liable for data breach

2 April 2024

In Nolan & Ors v Dildar & Ors [2024] IEHC 4, the High Court held a director personally liable for breaches of the Data Protection Acts 1988 and 2003.

The judgment is part of the long-running litigation involving Nolan Transport, the transport and logistics company. This article is concerned with a very small aspect of McDonald J’s 317-page judgment, in which he found the director of a company personally liable for data breaches.

Facts

The proceedings arose when the plaintiffs, who were trustees of a family pension fund, alleged that approximately €6.9m of fund property was misappropriated by a company based in the United Arab Emirates. The Court dismissed all but one of the plaintiffs’ claims: the unauthorised disclosure of the plaintiffs’ personal data.

The plaintiffs claimed that Mr Millett, a specialist pensions provider operating through the limited liability company of which he was a director and the sole shareholder, had provided their personal data (comprising names, home addresses, dates of birth, PPS numbers and copies of passports) to an Isle of Man fund without their consent. Mr Millett admitted in interrogatories that he had disclosed the personal data to the fund without the plaintiffs’ permission. He also admitted that he did so in order to obscure the involvement of other persons in the fund, but there is no evidence that he benefitted personally from this.

Decision

The data breaches took place in 2013, before the introduction of the General Data Protection Regulation (GDPR) and Data Protection Act 2018, so the Court had to rely on the Data Protection Acts 1988 and 2003 (the Acts). The Court was satisfied that the disclosure by Mr Millett fell within the statutory meaning of “unauthorised disclosure of personal data” under the Acts.

The letter to the Isle of Man fund was written on the headed paper of Mr Millett’s company, but, because it was signed by Mr Millett, the Court held that he was personally liable as the “human author”. The personal information was not disclosed beyond the Isle of Man fund and there was no evidence of actual damage. McDonald J determined that it was appropriate to make an award of nominal damages to each of the plaintiffs “to mark the fact that their rights have been infringed”. He ordered Mr Millett to pay €500 to each of the six plaintiffs, making him personally liable for a total of €3,000.

Comment

Personal liability for tort

McDonald J mentioned that it’s “well settled” that a director will incur personal liability where they “procure the commission of a tort”, but he does not cite any cases in support of this. There is some limited English case law to support the contention, as well as a decision of the Irish Supreme Court in Shinkwin v Quin-Con Ltd and Quinlan [2001] 1 IR 514. In Shinkwin, the manager of a factory was held personally liable in negligence, because he was in “undisputed control” of the factory and “had placed himself by his own actions in such a relationship to the plaintiff as to call upon himself the obligation to exercise care”. Without more information in the judgment, it is difficult to determine the factors which led McDonald J to make the finding of personal liability in this case.

Damages for non-material breaches

In terms of awarding damages for non-material breaches of data protection laws, the decision appears to be an amalgamation of old and new positions, although none of the leading cases are cited in the judgment. Pre-GDPR, the leading case in Ireland was Collins v FBD Insurance PLC [2013] IEHC 137, where the High Court held that, in order for compensation to be awarded under the Data Protection Acts 1988 and 2003, a data subject had to prove that the data breach resulted in actual damage.

In Österreichische Post (Case C-300/21), in 2023, the Court of Justice of the European Union (CJEU) ruled that a data breach by itself is not sufficient to ground a claim for compensation and set out the three conditions which must be satisfied in order to recover compensation under GDPR:

  1. There has been a breach of GDPR.
  2. Either material or non-material damage has been suffered by the data subject.
  3. There was a causal link between the infringement and the damage suffered.

The CJEU further held that non-material damage arising from a breach of GDPR does not need to reach a certain level of seriousness for the affected party to acquire the right to compensation and it is up to national courts to determine damages based on the seriousness of the harm.

In Kaminski v Ballymaguire Foods [2023] IECC 5, the Irish Circuit Court followed Österreichische Post, awarding “modest” damages of €2,000 for a breach that did not result in any widespread harm or further dissemination of data, but which went beyond causing “mere upset” to the claimant. However, most Irish cases are following the approach taken in Cunniam v Parcel Connect Limited & Ors [2023] IECC 1 and placing a stay on proceedings until the CJEU rules on a number of similar cases. Since Cunniam, the CJEU has broadly reinforced its approach in Österreichische Post.

To cast some further doubt on the treatment of non-material damages for data breaches in Ireland, the High Court in Keane v Central Statistics Office [2024] IEHC 20 upheld a Circuit Court ruling that the plaintiff’s claim for non-material damages was principally a personal injury claim and, therefore, failed because she did not obtain prior authorisation under the Personal Injuries Assessment Board Act 2003.

While McDonald J’s decision in this case appears to align most closely with the approach taken in Kaminski, this area of the law is still in flux, and it remains to be seen what approach to non-material damages claims will prevail.
