At the Irish Centre for European Law’s Privacy and Data Protection Conference today (programme pdf) in the Royal Irish Academy, many interesting themes were explored. I want in this post to pick up on one of them, relating to damages for infringement of data protection rights.
At present, the matter is governed by Article 23 of the Data Protection Directive (Directive 95/46/EC) [DPD], which provides
Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
On the one hand, this has been implemented in Ireland by section 7 of the Data Protection Act, 1988 [DPA] (also here), which provides that
For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned …
In Collins v FBD Insurance plc  IEHC 137 (14 March 2013) (noted here) [3.6] Feeney J held that section 7 required that plaintiffs “prove that they have, in fact, suffered damage arising from a breach”.
On the other hand, Article 23 has been implemented in the UK by section 13 of the Data Protection Act, 1998. In Google Inc v Vidal-Hall  EWCA Civ 311 (27 March 2015) , the Court of Appeal held that, having regard to Article 23, “compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements” of the Data Protection Acts (emphasis in original; (update: the appeal in this case has been withdrawn following agreement between the parties).
Speaking at the ICEL conference today, Emily Gibson gave a wide-ranging paper on data protection litigation after the entry into force of the UE’s new General Data Protection Regulation [GDPR]; and Orla Lynskey complemented this with a discussion of data protection enforcement from the perspective of data protection authorities. In this context, Helen Dixon called for the EU’s data protection authorities to work together on such issues.
On the issue of damages, Gibson commented simply that Collins and Vidal-Hall are conflicting authorities, and swiftly pointed out that Article 82(1) GDPR provides that
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Dixon commented that this will provide very powerful new remedies. But this is for the future. What of data subjects who wish, right now, to seek compensation in Irish Courts for current infringement of their data protection rights? I have already argued on this blog both that Collins was wrong in its own terms, and that the reasoning in Vidal-Hall undercuts its analysis of EU law.
But there is a further argument in favour of data subjects’ claims for compensation as the law now stands. It was made by Gary Fitzgerald (Director of the ICEL, and organiser or this today’s conference) at another similar conference in May (programme pdf). His theme was the impact of the decision of the CJEU in Case C-362/14 Schrems (6 October 2015) on the enforcement of data protection rights. Schrems is a (perhaps the) leading CJEU case on the protection of privacy. Today, it was at the heart of of Thomas von Danwitz‘s consideration of the role of the CJEU in privacy law; and coping with the consequences of the decision (and especially the development of the [imminent] EU-US Privacy Shield) were the subject of Bruno Gencarelli’s contribution. At the earlier conference, Fitzgerald argued that one of the fundamental points made by the CJEU in that case is that there must be an adequate level of protection for data protection rights and an effective remedy for infringement of such rights, especially in the light of the Charter of Fundamental Rights [CFR] (see, eg, Schrems ). At today’s event, discussing the Privacy Shield, Anne-Marie Bohan made a similar observation. But Fitzgerald went further. In particular, he argued that an effective remedy for breach of CFR privacy and data protection rights, via Article 23 DPD, requires that section 7 DPA be interpreted as broadly as in Vidal-Hall to reach damages for distress, and not as narrowly as in Collins confining the claim to actual harm. In other words, he argued that Schrems reinforces the decision of the Court of Appeal in Vidal-Hall. I agree, and would add [updated] that Schrems would have made the withdrawn appeal against the decision of the Court of Appeal even less likely to have succeeded, had it gone ahead.
At today’s conference, Michael Lynn provided a thorough guide to the nature and scope of the right to privacy under a great many international and european instruments and the Irish Constitution; and TJ McIntyre argued that Irish surveillance law is incompatible with such standards. At the earlier conference, Fitzgerald also commented on the possible impact of the Constitution on claims for compensation for infringement of data protection rights. He pointed out that Hogan J in the High Court in Schrems v Data Protection Commissioner  IEHC 310 (18 June 2014), making the reference to the CJEU, considered that the constitutional right to privacy was also directly engaged (, , -, -). And he argued that an interpretation of section 7 compatible with the constitutional right to privacy requires a conclusion equivalent to Vidal-Hall rather than Collins. Hence, as a matter both of national law and of EU law, Schrems reinforces the argument that Collins was wrongly decided.
Moreover, Fitzgerald went further still, and argued simply that the Constitution could provide a right to general damages for infringement of privacy rights “because there is a long history of general damages for breach of constitutional rights”. Indeed, in Kennedy v Ireland  IR 587, the first and leading case on privacy of communications, Hamilton P awarded the plaintiffs a total of £50,000 damages for the significant distress that they suffered from the defendants’ infringement of their constitutional right to privacy ( 1 IR 587, 594-595). And in Sullivan v Boylan  IEHC 104 (12 March 2013) Hogan J awarded €15,000 in general damages, and €7,500 in exemplary damages, for infringement of the plaintiff’s constitutional right to privacy. During a Q&A session at today’s conference, Cliona Kimber posed a question about the levels of damages that may be available under the DPD or GDPR for infringement of data protection rights. Gibson replied that they are usually modest. I agree – if Kennedy and Sullivan are anything to go by, the levels are not very high (especially by comparison with damages for defamation; see Mosley v News Group Newspapers  EWHC 1777 (QB) (24 July 2008)  (Eady J); though note also Representative Claimants v MGN Ltd  2 WLR 1217,  EWCA Civ 1291 (17 December 2015)).
At today’s conference, Lynskey commented that lack of private enforcement is one of the reasons for widespread under-enforcement of data protection law. As actions for damages for infringement of data protection rights become increasingly recognised as a means of private enforcement, this reason will fall away, and the lot of data protection enforcement should improve. As Jyn Schultze-Melling commented today, our perspectives on privacy are changing, and we are developing a new paradigm for personal data. Nevertheless, there will continue to zones of privacy for which we will still need protection, and remedies for infringement. And it is now clear that such remedies include damages not just for pecuniary but also for non-pecuniary loss, that is to say, not just for actual harm but also for distress.