Recent developments: Awards of non-material damages under the GDPR

28 February 2025

Darragh Killeen, Shannon Fahy, Ellen McKenna

Recent developments in case law have shed light on the potential non-material damages that can be obtained on foot of a data breach claim brought in Ireland.

The Irish Court Service recently published an enlightening judgment in respect of the M.H v Child and Family Agency (MH) case, which was before the Circuit Court in 2023. In that case, the plaintiff claimed that the defendant, the Child and Family Agency, Tusla, had processed or circulated highly sensitive and confidential personal data to third parties without her consent. It was asserted that this amounted to negligence and breach of statutory duty.

The plaintiff had given evidence to the court of damage to her familial relationships as a result of the breach. She further claimed to have experienced upset, distress, and long-term mental health difficulties as a result of the defendant’s actions. Notably, in assessing the damages, the court took into consideration the role and very high level of trust that is ordinarily placed on the defendant, particularly given its capacity, and the necessity on its part, to handle personal data concerning abuse with utmost care and propriety.

Furthermore, the court did not require medical evidence in this particular case, as it held the plaintiff was in a better position than any expert to give evidence about the impact of the breach on her familial relationships. It was also noted that no evidence was given by the defendant to suggest that it had taken steps to minimise the damage to the plaintiff.

Ultimately, the court found a link between the damages claimed and the data infringement. The court was satisfied that the damage proved was at the “serious end of the scale” and therefore, the award for compensation would reflect that. As a result, the court awarded the plaintiff damages in the sum of €7,500.

Factors to consider when assessing damages for non-material loss

In reaching its conclusion, the court had considered the guidelines provided by Justice O’Connor in Kaminski v Ballymaguire Foods Limited [2023] IECC 5. In that case, it was held that a mere breach of the General Data Protection Regulation (GDPR) does not automatically entitle an individual to compensation. In Kaminski, the plaintiff’s personal data, which was captured by CCTV, was used without his consent for workplace training. Kaminski was awarded €2,000 for non-material damages under Article 82 GDPR, which provides that any person who has suffered material or non-material damage as a result of an infringement, shall have the right to receive compensation.

The Kaminski case is a particularly helpful precedent as it identifies the factors to consider when assessing damages for non-material loss arising from a data breach. These factors are as follows:

A “mere breach” or mere violation of the GDPR is not sufficient to warrant an award of compensation;
There isn’t a minimum threshold of seriousness required for a claim for non-material damage to exist, but compensation for non-material damage does not cover “mere upset”;
There must be a link between the data infringement and the damages claimed;
Non-material damages must be genuine, not speculative;
Damages must be proved and independent evidence is desirable;
Data policies should be clear, transparent, and accessible to all parties;
Employers should ensure their employee privacy notices and CCTV policies are clear;
Consideration should be given to whether any steps were taken by the defendant to minimise the risk of harm;
An apology may mitigate damages; and
Delay on the part of either party should be taken into account.

The court acknowledged that the above factors may also impact a claim for legal costs. Separately, the court also noted that even where non-material damage can be proved and is not trivial, damages are likely to be modest. It was observed that in some cases, non-material damage could be valued below €500.

Conclusion

The judgment in MH is indicative of the court’s willingness to award damages for data breaches where they are ‘not trivial’ in nature; where the plaintiffs can show that inadequate care has been taken by those handling their sensitive personal data; and where plaintiffs can also exhibit evidence of the breach’s negative impact on them.

The plaintiff’s award of €7,500 in non-material damages in this case has been deemed to be at the ‘serious’ end of the scale for these types of claims. The practical effect of awards at this level is that claims for non-material damages under the GPDR are likely to come within the remit of the District Court in Ireland – which can hear cases where the claim for damages does not exceed €15,000. This is further supported by the fact that the Courts and Civil Law (Miscellaneous Provisions) Act 2023 specifically identifies the District Court’s power to hear data protection actions. Claimants should keep this case in mind when initiating proceedings, in order to ensure their claims are progressed in the most appropriate forum.

If you have any queries in relation to the above, please feel free to contact us.