A data privacy violation occurs when an individual or entity responsible for safeguarding your personal information carelessly or purposefully mishandles your personal data without your consent. This could manifest as something as straightforward as erroneously sending an email or letter to the wrong recipient or revealing your private details. It can also encompass more sinister events like a data breach or cyber-attack targeting an organization’s computer systems to compromise your personal data.
Any individual who considers or is known to have been a victim of a personal data breach may make a claim. This claim may arise in two different ways;
- A complaint to the Data Protection Commissioner (hereinafter called the DPC); and
- By taking a damage claim in the Court under Section 117 of the Data Protection Act 2018.
Data Protection Commission
You are entitled to raise concern with the DPC in relation to a manner in which an organisation has handled your personal data. Generally, it would be typical to raise the issue directly with the organisation before contacting the DPC , though if this is not possible, or if the response is not satisfactory then the DPC is available for consultation. The DPC will work towards an amicable resolution between the parties involved. Thereafter a formal complaint handling procedure will begin wherein the DPC will make further decisions on the matter. Though the most noteworthy point to mention is that the DPC do not have the power to offer compensation.
While complaints issued directly to the DPC are useful for both sides, it must be noted that it is not a pre-requisite to going to Court. It does not “stop the clock” regarding statue of limitations. Under Section 117(2) of the Data Protection Act, data breach claims are an “action founded on tort” and therefore the statute of limitation period of six years applies to a claim being made pursuant to Section 117 of the Data Protection Act.
Damages Claims under the Data Protection Act 2018
All claims as of now shall be heard under the remit of the Circuit Court and High Court as per Section 117(3) of the Data Protection Act 2018. This is due to be changed in the future as per the Courts and Civil Law (Miscellaneous Provisions) Act 2023 though this provision has yet to commence. Differentiating from the DPC avenue, once a damage claim has been lodged with the Court by way of Civil Bill, the burden of proof reverses from the Plaintiff to the Defendant. Evidence of this can be seen in the CJEU case of (VB v Natsionalna Agentsia za Prihodite C-340/21) where the Advocate General was of the opinion that it is the controller who has to bear such a burden.
The recent Circuit Court decision of Kaminsi v Ballymaguire Foods [2023] IECC 5 has shown that the extent of damage need not be as apparent as one may predict. Kaminski, an employee of Ballymaguire Foods, claimed unlawful processing of his data due to a training exercise involving CCTV footage that caused him anxiety, embarrassment, and sleep disturbances as a result of him being clearly identificable from the footage shown. The court recognized that his emotional distress was more than mere upset, even though not supported by a medical report, and was awarded the sum of €2,000 for the infrigement of his rights.
The Court considered that, in numerous instances, damages for non-material harm would likely be “modest.” Without further guidance, the Court regarded the factors delineated in the Judicial Council Personal Injuries Guidelines 2021 concerning minor psychiatric damages as informative reference points.
The fact that the damages awarded in this case were relatively low suggests that the majority of non-material damage claims under Section 117 of the Data Protection Act will now be handled by the District Court upon commencement of the necessary provision.
If you have been affected by a personal data breach, do not hesitate to contact us on 021 239 0620 or email jack.byrne@mdmsolicitors.ie and a member of our team will be able to advise you.