Damages for Data Protection Breaches – I – Why Collins v FBD Insurance is wrong (again)

Phone cable laptop; via FlickrA story in the newspapers this morning has made me think once again about some of the weaknesses in Irish law relating to damages for data protection infringements. The Workplace Relations Commission [WRC] has ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages (see, eg, Breaking News | Irish Independent | Irish Sun | Irish Times | TheJournal.ie). She had plugged her phone into his laptop to charge it, and he downloaded the images while she was in the bathroom. The award of €94,708 includes €65,000 for persistent sexual harassment, and €25,000 for unfair dismissal. The case is WRC Adjudication ADJ-00020222 An International Sales and Marketing Executive v A Fashion Company (25 November 2019); the report explains that the download occurred in October 2017, and that the complainant became aware of this in March 2018. She found herself in a terrible situation, but at least she was able to get some compensation for breaches of various pieces of workplace legislation. And the WRC Adjudication Officer ordered the respondent “to immediately destroy all photographs or images that depict the complainant or belong to her”.

However, let us assume that the download of the intimate images occurred outside an employment relationship, so that the workplace legislation would not apply. Say a supposed friend had offered his laptop to charge her phone, and he downloaded the images while she was in the bathroom. Would she have a claim for damages against the supposed friend? The most obvious claim would be for damages for distress for infringing her data protection rights. However, on our altered facts, if the download had still occurred in October 2017, and if the complainant had still become aware of this in March 2018, then she probably would not be able to make such a claim. Article 23 of the Data Protection Directive (Directive 95/46/EC) [hereafter: Article 23 DPD] provided that “any person who has suffered damage as a result of … unlawful processing … is entitled to receive compensation … for the damage suffered”. Implementing this, section 7 of the Data Protection Act, 1988 (also here) [hereafter: section 7 DPA88] provides that

a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned.

In Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013), Feeney J held that this did not permit a claim for general damages for distress. If this is right, then, in our hypothetical, the woman whose intimate photographs had been surreptitiously downloaded by her supposed friend would not have a claim against him for damages for distress for infringement of her data protection rights pursuant to section 7 DPA88. This cannot be correct as a matter of principle, and that raises very serious doubts about to the correctness of Collins. In this post, I’ll discuss Collins and how it was undermined by later cases in the UK and CJUE. In a future post [update: here], I’ll discuss how subsequent Irish cases approving Collins have in their turn also been undermined by later cases in the UK and CJUE. And, in a further post, I’ll add an analysis of Article 82 of the General Data Protection Regulation (Regulation (EU) 2016/679) and section 117 of the Data Protection Act 2018 (also here) [DPA18].

In Collins, the plaintiff’s van was stolen, and he made a claim to the defendant insurance company. It had the claim investigated by a private investigator; and it failed to respond to his correspondence, or to pay out on his claim, before his van was recovered. The Data Protection Commissioner determined that the insurance company’s response to a subject access request made by him was late and incomplete; that the company had failed to ensure that the processing of the plaintiff’s data by the private investigator was carried out pursuant to a written contract; and that it had gained access to court records concerning the plaintiff by the private investigator’s improper means. The plaintiff sought general damages pursuant to section 7 DPA88 for these four breaches, and he was awarded €15,000 in the Circuit Court. The insurance company appealed. Feeney J allowed the appeal, and dismissed the plaintiff’s claim, on the grounds that neither section 7 DPA88 nor Article 23 DPD provides for strict liability or the automatic payment of compensation. Instead, section 7 simply provides for the existence of a duty of care within the law of torts, and that requires proof of damage. As Noonan J in the High Court succinctly summarized Collins in Duggan v Commissioner of an Garda Síochána [2017] IEHC 565 (06 October 2017) [8], a breach of section 7 DPA88 “is not actionable per se but only on proof of actual damage”. In McCann v JM [2015] IECA 281 (8 December 2015) [38], Hogan J (Ryan P and Finlay Geoghegan J concurring) in the Court of Appeal referred uncritically to Collins. And, in Murphy v Callinan [2018] IESC 59 (30 November 2018) [36]-[44], Baker J (Clarke CJ and Dunne J concurring) in the Supreme Court approved Feeney J’s analysis in Collins (I will return to this case in a future post).

The Collins approach makes it very difficult to recover general damages for distress pursuant to section 7 DPA88. For example, a plaintiff whose bank statements were sent in error to his ex-wife failed in an action against his bank, as he did not establish any actual damage (Beauchamps blogpost). Of course, where such actual damage could be established, damages are available, and some actions have settled in the plaintiffs’ favour as a result. For example, a woman claimed a pharmacy allowed her husband to watch CCTV footage of her buying a pregnancy test kit. She complained to the Data Protection Commissioner, who had found there had been a breach of the data protection legislation, and she subsequently settled a Circuit Court damages claim against the pharmacy for €10,000 (see, eg, A&L Goodbody Ireland IP and Technology Law Blog | Irish Examiner | Irish Independent | Irish Times | Sunday Times). Where an infant was captured on video when his mother was the subject of the surveillance, a psychiatric injury was alleged, and a settlement of €50,000 was approved by O’Sullivan J in the Circuit Court (O’Brien Lynam blogpost). And various actions for damages against the Department of Social Protection have settled in the plaintiffs’ favour (Irish Times: here and here; the reports suggest that the cases were settled in the plaintiffs’ favour, and this in turn suggests that they recovered damages as part of the settlements, but this was not revealed in open court in either case). Be that as it may, the pharmacy, infant and DSP cases are all settlements; and, in the light of Collins, they seem generous. Apart from Murphy, the misdirected-bank-statements-case is the only other post-Collins case that seems to have gone to trial, and, in it, Collins precluded damages for distress.

As I have had occasion to observe more than once on this blog (eg, here and here), Collins is fatally flawed. As a matter of national law, Feeney J’c conclusion that neither section 7 DPA88 nor Article 23 DPD provides for strict liability or the automatic payment of compensation mistakenly conflates general damages for distress with strict liability. They are different legal issues that arise at different stages in the legal analysis of a claim. The question of strict liability goes to the cause of action, whereas the question of general damages for distress goes to the remedy if a cause of action has been made out. To conflate them is to commit an indefensible category error. Moreover, general damages for distress are part of the ordinary compensatory damages payable for breach of a duty of care. Feeney J effectively held that the plaintiff was entitled to ordinary compensatory damages, but he failed to appreciate that such damages include damages for distress (Conway v Ireland [1991] 2 IR 305, 317, [1991] ILRM 497, 503 (Finlay CJ; Griffin J and McCarthy JJ concurring); Shortt v Commissioner of an Garda Síochána [2007] 4 IR 587, 612, [2007] IESC 9 (21 March 2007) [82] (Murray CJ), [2007] 4 IR 587, 648, [2007] IESC 9 [223] (Hardiman J)). As Noonan J put it in Duggan, a breach of section 7 DPA88 is actionable “only on proof of actual damage”, but Feeney J in Collins missed that the distress is actual damage.

Feeney J’s conclusions are also mistaken as a matter of EU law. He gave Article 23 DPD a very narrow reading, contrary to CJEU decisions such as Case C–168/00 Leitner v TUI Deutschland GmbH [2002] ECR I–1631 (ECLI:EU:C:2002:163; ECJ, 12 March 2002), which held that compensation for “damage” must include both material and non-material damage, that is, both actual damage and distress (see also Case C-63/09 Walz v Clickair SA [2010] ECR I 4239 (ECLI:EU:C:2010:251; CJEU, 6 May 2010); Case C-22/12 Haasová v Petrík (ECLI:EU:C:2013:692; CJEU, 24 October 2013); Case C-277/12 Drozdovs v Baltikums AAS (ECLI:EU:C:2013:685; CJEU, 24 October 2013)). Not only do CJEU cases take an expansive approach to the issue of non-material damage in particular, they also take a similarly expansive approach to the interpretation of compensation provisions in general. For example, in Joined Cases C–402/07 and C–432/07 Sturgeon v Condor Flugdienst GmbH & Böck v Air France SA [2009] ECR-I 10932 (ECLI:EU:C:2009:716; CJEU, 9 November 2009), the Court held the compensation provisions of the Flight Compensation Regulation must be interpreted broadly to provide a high level of protection for stranded or delayed air passengers. And in Case C-83/10 Rodríguez v Air France SA [2011] ECR I-9469 (ECLI:EU:C:2011:652; CJEU, 13 October 2012), the Court held that awards of compensation in that Regulation must include non-material damage.

In Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015), the Court of Appeal of England and Wales followed Leitner and declined to follow Collins. Article 23 DPD was implemented in UK law by section 13 of the UK’s Data Protection Act 1998. Section 13(1) provided a claim for “compensation” for actual “damage” for contravention of the Act, and section 13(2) provided more limited claims for “compensation” for “distress” where the claimant “also suffers [actual] damage” (emphasis added). In Vidal-Hall, the claimants alleged that the defendant had tracked and collated private information about the their internet usage through their Apple Safari browser without their knowledge and consent, contrary to the defendant’s publicly stated position that such activity could not be conducted for Safari users unless they had expressly allowed it to happen. They sought damages for distress pursuant to section 13, but they could not show that they had also suffered actual damage, so they argued that the limitations in section 13(2) were inconsistent with Article 23 DPD. The Court of Appeal agreed, holding that the word “damage” in that Article had to be given “its natural and wide meaning” so as to include both pecuniary or material damage, on the one hand, and non-pecuniary or non-material damage, on the other. Article 23 DPD does not make a distinction between those types of damage, and there “is no linguistic reason” to interpret the word “damage” in that Article as being restricted to material damage and to exclude non-material damage from its ambit. The analogy with Leitner was compelling, and was one of the many reasons why the Court declined to follow Collins. They accepted that it was authority for an interpretation of Article 23 DPD that would exclude compensation for distress. But they were unable to place much weight on it, since it did not address any of the reasoning which lead them to conclude that “damage” in Article 23 includes non-pecuniary loss including distress.

Moreover, there is a long line of CJEU authority holding that the Data Protection Directive was intended to ensure effective and complete protection of data subjects’ right to privacy in Article 7 of the Charter of Fundamental Rights of the EU, and of their right to the protection of personal data in Article 8 CFR. The Directive had to be interpreted in the light of those Article 7 and 8 rights; its protections had to be interpreted broadly and not restrictively; exceptions deviating from those protections had to be interpreted strictly; and national laws implementing the Directive had to ensure a high level of protection those rights. A leading case on this point is Case C–362/14 Schrems v Data Protection Commissioner (ECLI:EU:C:2015:650; CJEU, 6 October 2015). In 2000, the Commission adopted Commission Decision 2000/520/EC (the Safe Harbour adequacy decision) that the US provided an adequate level of protection for personal data such that personal data could be transferred from the EU to the US pursuant to Article 25 DPD. However, in 2013, after the Snowden revelations about secret surveillance programs in the US and elsewhere, the applicant contended that the US did not ensure an adequate level of protection, and complained to the Data Protection Commissioner in Ireland that Facebook’s transfers of personal data from the EU to the US were invalid. However, because of the Commission’s Safe Harbour adequacy decision, the Commissioner refused to consider the complaint. The applicant therefore sought judicial review in the High Court of the Commissioner’s refusal, and Hogan J referred the matter to the CJEU ([2014] IEHC 310 (18 June 2014)). The CJEU reiterated its basic principles about the Charter and the Directive; it held that the Commission’s Safe Harbour adequacy decision did not prevent the Data Protection Commissioner from examining the applicant’s complaint that the US did not ensure an adequate level of protection; and it held that the Commission’s Safe Harbour adequacy decision was invalid. In particular, it held that US legislation did not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data; and this compromised the essence of the fundamental right to an effective judicial remedy enshrined in Article 47 CFR.

Two elements of Schrems illustrate the infirmity of the reasoning in Collins. First, it illustrates and reinforces the importance of Articles 7 and 8 CFR in the data protection context. Where Collins failed to consider Articles 7 and 8 CFR, Schrems reaffirmed in particular that the Data Protection Directive had to be interpreted in the light of those Articles, and that, as a consequence, national laws implementing the Directive had to ensure a high level of protection the rights in those Articles. Vidal-Hall demonstrates how Article 23 DPD must be interpreted more broadly in the light of Articles 7 and 8 CFR than Feeney J had done in Collins; and it follows that section 7 DPA88 must also be interpreted more broadly than Feeney J had done in Collins to ensure a high level of protection the rights in Articles 7 and 8 CFR. The second element of Schrems that illustrates the infirmity of the reasoning in Collins is its reliance upon the right to an effective judicial remedy in Article 47 CFR, which requires robust interpretations of the remedial provisions of the Data Protection Directive. Consequently, the provisions of Article 23 DPD, providing for compensation for damage, must likewise be given robust interpretations to ensure that the Article embodies an effective remedy. The denial of damages in Collins is the very opposite of an effective remedy.

Similarly, in Case C-73/16 Puškár v Financné riaditelstvo Slovenskej republiky (ECLI:EU:C:2017:725; CJEU, 27 September 2017), the Court held that arrangements for the exercise of data protection remedies must not disproportionately affect the right to an effective remedy pursuant to Article 4 CFR. Moreover, in Case C-199/11 Europese Gemeenschap v Otis NV (6 November 2012) [42] the CJEU emphasised that actions for damages before national courts can make a significant contribution to the effectiveness of EU law.

Hence, both Vidal-Hall and Schrems illustrate the infirmities in the reasoning in Collins. However, for so long as that case stands, the woman in our hypothetical, whose supposed friend had surreptitiously downloaded intimate images of her from her phone, would not have a claim for damages for distress pursuant to section 7 DPA88. That Act, as amended in 2003, has been largely superseded by the Data Protection Act 2018. However, section 8 DPA18 provides that the 1988 Act continues to apply, inter alia, to contraventions of the 1988 Act that occurred before the commencement of the 2018 Act (see s8(2)(b)DPA18). Our hypothetical falls within this legacy provision: the download occurred in October 2017, and the complainant became aware of this in March 2018, but the 2018 Act did not come into force until 25 May 2018, so any data protection claims arising out of the surreptitious downloads are governed by the 1988 Act and not the 2018 Act. And since Feeney J’s interpretation of section 7 DPA88 in Collins precludes damages for distress, the complainant in our hypothetical would not be able to recover damages for distress for the surreptitious downloading of her intimate photographs. For the reasons set out above, Collins should have been departed from at the first opportunity so that those with legacy claims should be able to recover damages for distress pursuant to section 7 DPA88 in appropriate cases. Unfortunately, Murphy v Callinan was the opportunity, but it was not taken, so that case will be the focus of my next blogpost on the issue [update: here].