Irish Circuit Court Stays Compensation Claim For Non-Material Damages

• Published date: 13 March 2023
• Subject Matter: Privacy, Data Protection, Privacy Protection
• Law Firm: Matheson
• Author: Ms Davinia Brennan and Thomas Condon

The Irish Circuit Court, in the case of Cunniam v Parcel Connect Limited & Ors [2023] IECC 1, recently granted a stay on proceedings brought by a data subject where non-material damages were alleged, pending six decisions awaited from the Court of Justice of the European Union ('CJEU') relating to non-material damage claims. The Court held that not granting the stay would substantially prejudice the defendants' case, and would lead to the risk of an irreconcilable judgment being produced by the Court.

Background

Article 82 GDPR, and section 117 of the Irish Data Protection Act 2018 (the 'DPA') allows data subjects or non-profit organisations mandated to act on their behalf, to seek compensation for material or non-material damage suffered as a result of a breach of the GDPR. However, uncertainty prevails over the scope of the right to compensation for non-material damage.

Whilst obiter comments by Whelan J., in Shawl Property Investments Ltd v A. & B [2021] IECA 53 state that nothing in the DPA 'suggests that a data protection action is a tort of strict liability' and regard should be had to 'the principle of proportionality in evaluating claims for breaches of [the GDPR]", there has been no consideration of Article 82 GDPR in any written decision of the Irish Superior Court to date.

The extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny recently as a number of national court decisions concerning same are filtering up to the CJEU. In particular, the Advocate General has delivered an Opinion in the UI v 'sterreichische Post AG case (Case C-300/21) which will be welcomed by parties facing data breach claims, as it requires a de minimus threshold of damage to be met in a claim for non-material damages arising from a breach of the GDPR (previously discussed here). However, it remains to be seen whether the CJEU will follow the Advocate General's Opinion.

The Cunniam Case

Facts

In the Irish Circuit Court case of Cunniam v Parcel Connect Limited & Ors, the plaintiff alleged that the defendants, or one of them, had a data breach incident in which the personal data of over 450,000 people was compromised by a third party hacker. The plaintiff's solicitor acts for 22 clients, including the plaintiff, in proceedings against one of the defendants, arising out of the data breach incident. The personal data of the plaintiff that was allegedly accessed by the third party hacker included the...