Introduction

With less than a year to the introduction of the General Data Protection Regulation (EU) 2016/679 (the "GDPR"), it is important to consider the potential consequences for data controllers and data processors in the event of a breach. The GDPR envisages both administrative sanctions and judicial remedies, which can be brought side by side. Where a data subject alleges that there has been a breach of the GDPR which has caused the data subject damage, either material or non-material, he or she can lodge a complaint with the relevant supervisory authority within a member state. There is also a right to seek compensation from the data controller or data processor for the damage suffered. For a fuller discussion on administrative sanctions see our linked article.

Ireland's Data Protection Bill

The General Scheme of Data Protection Bill (the "Bill") proposed by the Irish Government provides for a specific cause of action known as a 'data protection action' to be brought by way of court proceedings.

Liability

The GDPR provides that a data controller shall be liable for both material and non-material damage caused to a data subject as a result of data processing which infringes the GDPR. Data processors will be liable where the damage is caused by a breach of a specific obligation imposed on data processors under the GDPR or where the data processor has acted contrary to instructions received from a data controller.

In terms of avoiding liability, the GDPR provides that a data controller or data processor will need to prove that it is not responsible for the event giving rise to the damage. Where multiple data controllers / data processors have a liability, the principle of joint and several liability will apply. This means that the claimant can recover the entire compensation awarded from any one of the liable parties regardless of the parties' individual share of the liability. The party who pays the entire compensation can separately seek to recover from the other parties who are liable.

Types of Damage

Material damage is generally straightforward and quantifiable. However, of more concern is the right under the GDPR of a data subject to be compensated for non-material damage suffered as a result of an infringement of the GDPR. No definition has been provided for what amounts to non-material damage and it remains to be seen whether any guidance will be given by the European Data Protection Board. At present, it would appear to equate to what are known in Ireland as general damages in personal injuries actions, being damages which are for pain and suffering and are not readily quantifiable. This is a significant exposure for a defendant in a judicial action and will likely involve an increase in the costs of such actions due to the need to engage experts to provide guidance where non-material damage is claimed.

Under current Irish law, in order for a claimant to be compensated for a breach of his or her data protection rights, the claimant must establish that a data controller / data processor owes him or her a duty of care and has breached that duty, which has resulted in damage to the claimant. The Irish courts have found that a claimant is not entitled to compensation for non-pecuniary loss [1], being a loss which is not readily quantified, such as damages for pain and suffering, which appears to equate to non-material damage.

Jurisdiction

The Bill has proposed that only the Circuit Court and High Court will have jurisdiction to hear a data protection action in the first instance. The District Court hears actions where the quantum of damages claimed is up to €15,000 for personal injuries actions, with the Circuit Court hearing actions ranging from €15,000 to €60,000 and the High Court hearing claims above €60,000.

It is concerning that the District Court does not have jurisdiction to hear proposed data protection actions under the Bill and it poses a further exposure given the increase in the costs of an action in the Circuit Court in comparison to the District Court.

Representative Actions

A final point of note is that the GDPR provides for a not-for-profit body, organisation or association bringing an action on behalf of a data subject. Current Irish law does not provide for class actions and prohibits litigation funding [2]. Therefore, it will remain to be seen whether enacted Irish legislation will allow a not-for-profit body, organisation or association to bring a multi-party action whereby the claims of a number of claimants are brought within the same set of proceedings. In any event, the right of a data subject to engage a not-for-profit body, organisation or association to bring an action on his or her behalf will allow those who may be otherwise deterred from bringing an action (due to the potential cost implications of a finding against them) to bring a claim. Although the entity that brings the action on behalf of a data subject is to be a not-for-profit body, organisation or association, this right may amount to a derogation from the law of maintenance and champerty depending on how such an entity is funded in bringing the action.

Conclusion

It is too early at this stage to predict how exactly the provisions in the GDPR relating to data protection actions will play out. Data controllers and data processors can, however, anticipate that their exposure in the event of a breach will increase, not only as a result of the fines which can be imposed on them, but also because of the scope for an award in respect of non-material damage.

Footnotes

1 See Collins v FBD Insurance Plc [2013] IEHC 137
2 See "The Regulation of Crowdfunding in Ireland" and "Supreme Court Rules against Litigation Funding in Ireland in Persona Judgment"
