16/02/2023
Briefing

The claim for non-material damage

The plaintiff contended that the defendants, or one of them, had a data breach incident in which it was alleged the personal data of over 450,000 people was compromised due to the actions of a third party hacker. A number of individual claims were issued as a result. The plaintiff claimed that his rights pursuant to GDPR had been infringed and claimed a right to compensation. Of note is that the data of the plaintiff which was allegedly accessed by a third party was limited to his name, email address, residential address and mobile number. In addition, the plaintiff had effectively confirmed that he had not suffered any material damage nor any interference with his peace and privacy or concern.

The defendants sought a stay to the proceedings under the Circuit Court’s inherent jurisdiction pending the decision of the CJEU of a number of preliminary references made to it by various Member States.

Duty of Sincere Cooperation under Article 4(3) of the Treaty on European Union (“TEU”)

The Court found that there was a duty to stay the proceedings pending the determination by the CJEU of the matters referred to it by a number of European Courts (namely Germany, Austria and Bulgaria) in order to fulfil its duty of sincere cooperation, which is provided for under Article 4(3) of the TEU. As the queries raised pursuant to Article 267 of the Treaty on the Functioning of the European Union (“TFEU”) are highly relevant to the case, and are already before the CJEU, a determination by our domestic court on these matters in advance of such judgments being published would risk irreconcilable judgments in a Member State.

In summary, the relevant issues awaiting determination by the CJEU are:

  • Whether the defendants are liable for the unauthorised disclosure of personal data as a result of a hacking incident;
  • Whether the plaintiff is required to establish that his personal data was accessed and misused, or whether loss of control over the personal data in and of itself is sufficient to establish liability;
  • Whether the degree of fault of the defendants is relevant to the quantification of compensation;
  • What is the correct interpretation of non-material damage in Article 82(1) of the GDPR and, in particular, whether anxiety and apprehension alone are capable of constituting non-material damage?; and
  • What is the appropriate level of damages to be awarded where no material damage is suffered, and the non-material damage allegedly suffered is limited to interference with the plaintiff’s peace and privacy and apprehension about the use to which his data has been put?

In a recently published Opinion on foot of a reference form the Austrian Supreme court in case UI v Österreichische Post AG, the Advocate General has provided an insight in to the likely outcome of these references in respect of the interpretation of Article 82 GDPR.

Although this Opinion still leaves a lot to be desired in terms of the flexibility that might be provided to the Courts of each Member State, it introduces the long awaited concept of a de minimis requirement of damage to be met before a Court should entertain a claim for non-material damage arising from a data breach.  Our analysis of the Opinion can be found here.

Refusal to grant a stay prejudicial to defendants

The defendants in Cunniam argued, and the Court agreed, that refusing a stay would substantially prejudice them for a number of reasons, including:

  • The value of the plaintiff’s claim was so small that even if the plaintiff succeeds in establishing liability, if the CJEU decide to accept the recommendation of the Advocate General in Case C-300/21, discussed below, it is possible that the plaintiff will not be entitled to any damages;
  • If the proceedings are simply allowed to proceed until such time as they are ready for hearing, the costs that will have been incurred by then will by far be in excess of any award of damages the plaintiff might recover; and
  • Pending receipt of clarification in respect of the correct interpretation of Article 82 of the GDPR from the CJEU, it is impossible to sensibly seek to quantify the sum which might to be lodged with the Court (this was a particular request from the Plaintiffs in this case). This, it was argued, deprives the Defendant of an ability to provide themselves with any meaningful costs’ protection.

Unsuitableness of alternatives considered

The plaintiff had suggested alternatives to a stay, including case management or taking a lead case. In response the Court found that it was unrealistic for the Court to exercise a supervisory role over all the cases (across eight of the Court’s divisions).

Ultimately the Court found that, due to a number of highly relevant cases pending determination by the CJEU, refusal to grant a stay in this case risked an irreconcilable judgment being produced by the Court, as well as undue prejudice to the defendant.

The decisions from the CJEU are now even more eagerly awaited.  In the interim perhaps parties in with similar facts to the Cunniam case will simply agree to stay proceedings, albeit it is possible that potential claimants may seek to manoeuvre around this judgment by also pleading some form of material damage.

The authors would like to thank Molly Groome and Ellen Roynane for their contribution to this article.