Circuit Court Considers GDPR Non-Material Damages at the ‘Serious End of the Scale’
The case of M.H. -v- Child and Family Agency concerns a claim for damages by a plaintiff arising out of a data breach caused by negligence and breach of statutory duty by the defendant. The plaintiff was ultimately successful in her claim for distress arising from a breach of her personal data related to childhood abuse. This infringement was found to be at the serious end of the scale and resulted in an award of €7,500.
Background
The plaintiff claimed for damages arising out of the circulation of personal data including sensitive and confidential data relating to abuse suffered by the plaintiff during her childhood. The defendant accepted that a breach occurred, specifically that information relating to childhood abuse suffered by the plaintiff was released to the plaintiff’s deceased brother. The detailed attendance note containing the plaintiff’s details was further shared with the plaintiff’s remaining siblings and the wife of the deceased brother, causing significant distress and damage to the plaintiff’s familial relationships.
Impact on the Plaintiff
The plaintiff experienced severe upset and distress, leading to a loss of trust in the defendant. The plaintiff also provided evidence of long-term treatment for mental health difficulties which had been exacerbated by the breach. The court found that medical evidence was not required as it determined that the plaintiff was “in a better position than any such expert” when giving evidence about the impact on her family relationships.
Court’s Decision
Judge O’Brien referred to the guidelines provided by Judge O’Connor in the Kaminski case, acknowledging that a mere breach of GDPR is not sufficient to merit an award of compensation. Judge O’Brien found that the plaintiff proved genuine distress and damage to familial relationships, and a link between the damages claimed and the nature of the infringement, warranting compensation. Judge O’Brien further acknowledged that even where non-material damage has been proven, as in the plaintiff’s case, the Kaminski guidelines indicate damages should be modest. In the plaintiff’s case, it was determined that the damage was at the serious end of the scale due to the sensitive nature of the data and the lack of care in handling it. It was noted that an apology was issued several months after the incident, but no other evidence was provided with regard to the defendant’s efforts to minimise the damage. The plaintiff was therefore awarded €7,500 in damages. The court also made an order for costs in favour of the plaintiff.
Implications for Data Controllers
This judgment demonstrates the willingness of the Irish courts to award damages where a data breach is deemed to be “not trivial” and where defendants have not shown that adequate care has been taken in handling sensitive personal data.
Please see our recent briefings on this topic:
All the small things: EU – US transfers and non-material damages
‘Modest’ Compensation for GDPR Non-Material Damage Claim: New Guidance from the Irish Courts