Prior to the introduction of the General Data Protection Regulation (GDPR), an individual whose information was the subject of a data breach in this jurisdiction could only claim compensation for material damage i.e., actual quantifiable damage. A data breach is an incident where information is leaked or stolen and usually happens accidentally or as a result of a cyber-attack by a third party. Article 82 of the GDPR, and section 117 of the Irish Data Protection Act 2018 (DPA), introduced a new right to compensation for individuals, which has opened the door for claimants to seek compensation for what is considered non-material damage, such as minor distress and upset. As a result, corporate entities in Ireland are becoming increasingly involved in defending claims brought by individuals before the Irish courts seeking compensation arising from data breaches. A single data breach can result in multiple claims being brought by the individuals affected, which represents a considerable risk for entities that collect and store personal information.
A recent decision of the English High Court, Rolfe v Veale Wasbrough Vizards LLP, provides useful guidance on an individual’s right to compensation for distress and upset arising from breaches of their data protection rights. In particular, the court found that claimants must show damage or distress over a de minimis threshold to succeed in a claim for compensation. In Rolfe, the claim concerned a data breach involving a limited amount of personal data. It was held that the claimants, Mr and Mrs Rolfe, failed to prove damage over the de minimis threshold and were not entitled to compensation. In granting summary judgment against Mr and Mrs Rolfe, the court also awarded costs against them in circumstances where the court found the claims were exaggerated and lacked credible evidence of distress.
Although not binding in this jurisdiction, the consideration of an individual’s right to compensation in Rolfe may be considered persuasive by the Irish Courts and will be welcomed by parties defending data breach claims in this jurisdiction.
Rolfe v Veale Wasbrough Vizards LLP
Mr and Mrs Rolfe owed fees to a school represented by the defendant law firm, Veale Wasbrough Vizards LLP. The school had been instructed to write to the couple with a demand for payment. Due to a typographical error, the defendant accidentally sent an email intended for the Rolfes to a third party. The email attached a request for payment of outstanding school fees and contained a limited amount of Mr and Mrs Rolfe’s personal data, including their names and address. The misdirected email was promptly deleted by the recipient who was unknown to the couple.
Mr and Mrs Rolfe brought a claim seeking damages for distress under Article 82(1) GDPR and section 169(1) UK Data Protection Act 2018, which is similar to section 117 of the Irish DPA, together with common law actions in breach of confidence, misuse of confidential information, and negligence. In seeking to establish distress, they asserted they had “lost sleep worrying about the possible consequences”, that the disclosure “had made them feel ill”, and they were suffering “fear of the unknown” regarding the consequences.
The defendant law firm disputed that the incident caused Mr and Mrs Rolfe to suffer harm in excess of the de minimis threshold and applied for summary judgment on the basis that the claim had no real prospect of success.
De minimis principle
The court confirmed that it is possible to recover damages for non-material damage flowing from a data breach. However, a claimant must be able to show that they have suffered loss or damage over a de minimis threshold, meaning it must not be trivial. The court quoted with approval the court of Appeal’s recent judgment in Lloyd v Google, which endorsed a seriousness threshold that would exclude "for example a claim for damages for an accidental one-off data breach that was quickly remedied".
The court concluded that the claimants in Rolfe could not prove damage over a di minimis threshold taking into consideration the “minimally significant” nature of the information and circumstances of the breach, including the prompt deletion of the email.
Ordinary fortitude test
In holding that the distress suffered fell below the de minimis threshold, the court observed that no person of “ordinary fortitude” would reasonably suffer the distress claimed in these circumstances. The court added that it was “inappropriate” in the modern world for a party to claim compensation for breaches of this sort.
The court not only awarded summary judgment against Mr and Mrs Rolfe, but also ordered that they pay GBP£11,000 in costs to the defendant given the “strong observations of [the] court as to the nature of the claim in terms of exaggeration” and “lack of credible evidence of distress”.
Lloyd v Google LLC
Separately, in another welcome development for parties defending data breach claims, the UK Supreme Court recently delivered its decision in Lloyds v Google LLC. In that case, the UK Supreme Court found that damages were not awardable for a mere loss of control of personal data under the UK data protection regime. The court further held that UK Data Protection Act 1998 (UK DPA) could not “reasonably be interpreted as giving an individual a right to compensation without proof of material damage or distress…”.
As with Rolfe, the decision in Lloyds is not binding in this jurisdiction and the decision itself concerns the UK Supreme Court’s interpretation of the UK DPA, which pre-dates the GDPR. However, as the UK DPA provides that individuals can seek compensation for distress arising from a data breach, it is certainly indicative of judicial thinking about an individual’s right to compensation for non-material damage and may be considered persuasive by the Irish Courts.
Conclusion and key takeaways
In circumstances where the Irish courts have not yet considered damages for non-material damage and distress under the GDPR and the DPA, the decisions in Rolfe and Lloyds provide useful guidance and may be considered persuasive authority by the Irish courts.
Key takeaways include:
Rolfe confirms the principle that where there is an infringement of data protection law, there must be damage above a "de minimis threshold of triviality" for a claim in damages to succeed.
The decisions in Rolfe and Lloyds will be welcomed by parties defending data breach compensation claims in Ireland for distress under Article 82 GDPR and section 117 of the DPA.
It is possible that the “ordinary fortitude test” employed by the court in Rolfe may form part of the test for distress in data breach cases going forward.
Rolfe may be persuasive authority in this judication for data controllers to seek costs orders against claimants that do not provide compelling evidence of distress above a de minimis threshold or where such claims are exaggerated.