Damages for Data Protection Breaches – II – Why Murphy v Callinan is wrong

Auto insurance, via FlickrIn my previous post in this series, I argued (yet again) that Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) was wrongly decided. It precludes a claim for damages for distress for breach of data protection rights, pursuant to section 7 of the Data Protection Act, 1988 (also here) [hereafter: section 7 DPA88]. Building on a case in which the Workplace Relations Commission ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages, I argued that, if the surreptitious download had occurred outside an employment relationship, the complainant should be able to recover damages for distress for breach of her data protection rights, pursuant to section 7 DPA88. However, when the Supreme Court was presented with an opportunity to depart from Collins, it did not take it. Instead, in Murphy v Callinan [2018] IESC 59 (30 November 2018) Baker J (Clarke CJ and Dunne J concurring) approved and applied Collins. In my previous post, I argued that Collins was wrong as a matter of domestic law, and of European law, and that Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015) and Case C–362/14 Schrems v Data Protection Commissioner (ECLI:EU:C:2015:650; CJEU, 6 October 2015) illustrated the EU law points and undercut the reasoning in Collins. Unfortunately, they were not discussed in Murphy, which simply referred to Collins with approval. However, Murphy in turn has been undermined by later cases in the UK and CJUE. In this post, I will discuss Murphy and the cases that undermine it, and explain why it continues to be imperative that Collins and Murphy are departed from at the first opportunity.

Murphy v Callinan, like Collins before it, concerned an insurance policy. The defendant insurance company cancelled a motor insurance policy on the plaintiff’s motor trading business. It did so on foot of information about the plaintiff’s convictions, including for road traffic offences and fraud, which it had received from a member of An Garda Síochána acting in his professional capacity. The plaintiff asserted that the insurance company was in breach of DPA88 by failing to rectify identified errors in its data concerning him, and he sought damages pursuant to section 7 DPA88. His claims failed before MacMenamin J in the High Court and Baker J (Clarke CJ and Dunne J concurring) in the Supreme Court. Baker J agreed with Feeney J in Collins that neither Article 23 of the Data Protection Directive (Directive 95/46/EC) [hereafter: Article 23 DPD] nor section 7 DPA88 provided for compensation for strict liability or for the automatic payment of compensation but limits compensation to the existence of a duty of care within the law of torts. And she held that, since the plaintiff had not adduced any evidence of loss, his claim must fail.

On this issue, Murphy is wrong for all the reasons that Collins is wrong. Of course, it is entirely unobjectionable to hold, as both Feeney and Baker JJ did that the plaintiff must prove damage or loss to succeed in a claim pursuant to section 7 DPA88. The real problem is just how narrowly, even inaccurately, Feeney J interpreted proof of damage or loss in Collins. His specific exclusion of damages for non-pecuniary loss such as distress from the ambit of section 7 DPA88 is quite simply wrong as a matter of the basic principles of the Irish law of torts: damage or loss at common law includes non-pecuniary loss such as distress. Moreover, it is just as wrong to equate recovery for non-pecuniary loss with strict liability: strict liability goes to the cause of action, damages for non-pecuniary loss go to the remedy. Worse, there was no discussion of Vidal-Hall or Schrems, of the CJEU’s broad approach to the interpretation of the Directive, and Articles 7 and 8 CFR, or to any other EU law consideration.

In the same way that Collins is undermined by the subequent decisions in Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015) and Case C–362/14 Schrems v Data Protection Commissioner (ECLI:EU:C:2015:650; CJEU, 6 October 2015), so Murphy is undermined by the subsequent decisions in Lloyd v Google LLC [2019] EWCA Civ 1599 (02 October 2019) and Case C-40/17 Fashion ID GmbH v Verbraucherzentrale NRW eV (ECLI:EU:C:2019:629; CJEU, 29 July 2019).

The claimant in Lloyd v Google sought damages on behalf of a class of more than 4 million iPhone users affected by Google’s acquisition and use of information generated by their Safari browsers. This was the same data breach that had also been at issue in Vidal-Hall. The Court of Appeal held that a claimant could recover damages under section 13 of the UK’s Data Protection Act 1998 for loss of control of personal data without proving pecuniary loss or distress, and that the representative action could proceed. Vos C (Sharp P and Davis LJ concurring) said that the Court had been right in Vidal-Hall to give an autonomous meaning to Article 23 DPD and section 13 of the 1998 Act, and to construe both on the basis that they were giving effect to Article 8 CFR and Article 47 CFR (he might, with profit, have referred to Article 7 CFR as well). Indeed, in his view, it was only by construing Article 23 DPD and section 13 of the 1998 Act that broadly that data subjects could be provided with an effective remedy for the infringement of their privacy and data protection rights.

Vidal-Hall held that damages for distress were available pursuant to Article 23 DPD and section 13 of the 1998 Act, and such damages are now unexceptional as a matter of UK law. If the damages sought in Collins and Murphy were for distress, then, by parity of reasoning with Vidal-Hall, they ought to have been available pursuant to Article 23 DPD and section 7 DPA88. However, Lloyd went further than Vidal-Hall, and held that damages for loss of control of data should also be available pursuant to Article 23 DPD and section 13 of the 1998 Act. Hence, even if loss of control of personal data (rather than distress) is the gravamen of the plaintiffs’ complaints in Collins and Murphy, then the analogy with Lloyd demonstrates that damages should have been available for such loss pursuant to section 7 DPA88.

In Fashion ID, the CJEU expressly affirmed an expansive interpretation of Chapter III DPD. Article 22 required Member States to provide a judicial remedy for breach of implementing legislation; Article 23 required that a person who had suffered damage from such a breach be entitled to receive compensation. And Article 24 required Member States for provide for sanctions for breach of implementing legislation. In Fashion ID, the CJEU held these “must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data”. To ensure effective and complete protection of the right to privacy and of the right to the protection personal data, national laws implementing the Directive had to ensure a high level of protection for those rights. The fact that a Member State provides for a representative action by consumer associations “in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives”. Articles 22 to 24 are worded in general terms, and are not to be read as limiting the judicial remedies provided by national law. All of this supports the broader view of Article 23 DPD taken in Vidal-Hall and Lloyd; it undermines the narrower approach taken in Collins; and it calls into question, once again, the approval of Collins in Murphy.

Not long after Murphy was decided, Rob Corbett argued that it should be seen “as more of a ‘last’ than a ‘first’, as it was decided under the old legislation, and the Supreme Court was at pains to point out that the GDPR and Data Protection Act 2018 had no application. Similar cases in future are likely be decided differently, as Article 82(1)
GDPR provides a new right to receive compensation for material or nonmaterial damage resulting from a GDPR infringement arising after 25 May 2018. This right is now also enshrined in section 117(4) of the Data Protection Act 2018″ (see Rob Corbett “Expert Comment” (2018) 11(6) Data Protection Ireland Journal 2, 3 (pdf) (with added links)). I agree that things will be better under the new regime, and I will discuss it in a future blogpost. But I don’t think we’ve seen the last of Collins or Murphy. For example, an afterlife for those cases, seeking to dilute the impact of section 117 DPA18, cannot be ruled out. Moreover, whilst I agree with Rob that the 1988 Act, as amended in 2003, has been largely superseded by the Data Protection Act 2018 (also here) [hereafter: DPA18], it has not actually been repealed, and will continue to apply in some significant respects. Section 8 DPA18 provides

(1) Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—

(a) the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or
(b) the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.

(2) The Act of 1988 shall apply to—

(a) a complaint by an individual under section 10 of that Act made before the commencement of this section, and
(b) a contravention of that Act that occurred before such commencement.

(3) An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.

Subsection 1(a) reflects the ambit of the GDPR as applied in DPA18; security, defence and international relations are outside the material scope of the GDPR as defined in Article 2. The 2018 Act could have been applied mutatis mutandis to such matters, but the Oireachtas decided instead to retain the 1988 Act for them, and so section 7 will continue to apply in any damages claims for unlawful processing of personal data in the context of security, defence and international relations. There may not be many cases in such contexts; but those that do arise are, by the very nature of such contexts, likely to be very serious.

Section 1(b) refers to important legislation in which the 1988 Act continues to apply. The DNA Database Act 2014 is particularly important. In Director of Public Prosecutions v Wilson [2017] IESC 54 (19 July 2017) [4.22] the Supreme Court noted that the “constitutional right to privacy is well-established and it is not controversial to hold that it encompasses the intimate information about an individual contained in DNA”. Similarly, the ECHR has held that the determination and retention of DNA profiles constitute an interference with the right to respect for private life protected by Article 8 ECHR (S and Marper v UK 30562/04 (2009) 48 EHRR 50, [2008] ECHR 1581 (4 December 2008) [71]-[77]; Aycaguer v France 8806/12 [2017] ECHR 587 (22 June 2017)). Section 7 will continue to apply in any damages claims for unlawful processing of DNA. Again, there may not be many cases in this context; but those that do arise are, by the very nature of that context, likely to be very serious.

Section 2 refers to legacy cases. Regulation 3 of the Data Protection Act 2018 (Commencement) Order 2018 (SI No 174 of 2018) appoints 25 May 2018 as the day on which the 2018 Act came into operation. Section 8(2)(b) DPA18 covers legacy claims such as the hypothetical in my previous blogpost. These legacy claims make Collins and Murphy important, insofar as these cases preclude damages for distress in such cases. But they will eventually come to an end. Section 7 DPA88 provides that the claim is to be regarded as one “for the purposes of the law of torts”, where a data controller or processor “owe[s] a duty of care to the data subject”. And section 11(2)(a) of the Statute of Limitations, 1957 (also here) as amended by section 3(1) of the Statute of Limitations (Amendment) Act, 1991 (also here) provides that “an action founded on tort shall not be brought after the expiration of six years from the date on which the cause of action accrued”. This means that the latest that proceedings can be issued pursuant to section 8(2)(b) DPA18 is 25 May 2024. But, even though legacy cases will eventually peter out thereafter, cases pursuant to subsection (1) will continue to be possible; and this possibility continues to make Collins and Murphy important, insofar as these cases preclude damages for distress in such cases. The correctness of these cases is not academic; it is very real for cases within section 8 DPA18; and, at the next opportunity, the courts should depart from them by whatever legal means necessary.