
by Robert Adamson
Robert Adamson is a final-year Masters in Common Law student at UCD. In this article he remarks on constraints and tensions in the use of civil remedies for damages in Irish and EU data protection law.
1 Introduction
In addition to public regulatory enforcement measures, the EU data protection regime under the General Data Protection Regulation (‘GDPR’)[1] provides for civil remedies as a means of protecting and vindicating data subjects’ rights in at least some circumstances. The effectiveness of such remedies is limited, however, by a number of practical and procedural factors in both the GDPR itself and in domestic Irish law. In particular, a data subject faces distinct challenges in proving damage, which are examined in Section 2 below. Data subjects must also prove data controller or processor liability based on a data processing breach as well as causation between that breach and the damage suffered. Barriers to satisfying these burdens of proof are briefly touched on in Section 3. The availability and usefulness of collective redress mechanisms, which might to some extent help overcome these barriers, are discussed in Section 4. Section 5 then comments on matters pertaining to the purpose and legal basis of civil remedies in the EU data protection regime, and Section 6 concludes that the effectiveness of such remedies will be contingent, in part, on future developments and clarification as to their purpose by the Court of Justice of the European Union (‘CJEU’).
2 Proving damage
Article 79(1) GDPR provides that a data subject ‘shall have the right to an effective judicial remedy’ for any infringement of their rights under the GDPR, and Article 82(1) provides that ‘any person who has suffered material or non-material damage as a result of [such] an infringement […] shall have the right to receive compensation from the controller or processor for the damage suffered.’ While the GDPR is generally directly effective, these provisions are further elaborated and incorporated into Irish law by Section 117 of the Data Protection Act 2018 (‘DPA’), which provides, among other things, that data protection actions will be ‘founded on tort’[2] and that Irish courts may award relevant remedies in the form of injunctions, declarations, and/or compensation for damage suffered.[3]
While damage must clearly be either ‘material or non-material,’[4] there is otherwise a lack of clarity as to what constitutes ‘damage’ under this regime. This stems from ambiguity as to domestic and EU law’s respective roles in determining this matter. At least some role for EU law is suggested by:
- the drafting of Article 82, which unlike its predecessor in the Data Protection Directive (‘DPD’)[5] and similar provisions in other directives, does not imply clearly—or perhaps at all—that Member States need to implement provisions in order to achieve a certain legal effect;[6]
- the CJEU’s jurisprudence, which has historically provided broad interpretations of actions based on EU rights where necessary to make these rights effective,[7] as required in principle here under Article 79 GDPR and arguably generally under Article 47 of the EU Charter of Fundamental Rights (‘CFR’); and
- the line of thinking, as in the Vidal-Hall decision, that the subject matter of a right (in that case, ‘privacy’) may require an expanded definition of ‘damage’ where necessary to give effect to a statutory action to vindicate it.[8]
Against this, a number of provisions suggest a broad jurisdiction for Member States in this area:
- Article 82 GDPR provides a dearth of guidance on considerations relevant to compensatory remedies, including ‘damage,’ especially when compared with the GDPR’s detailed guidance on factors relevant to setting administrative fines under Article 83;
- the GDPR does not establish an equivalent regime for consistency and cooperation on compensatory remedies between Member States as it does with administrative fines;[9] and
- the GDPR’s apparent requirement that compensation be ‘full and effective’[10] is not as obviously prescriptive as the ‘effective, proportionate and dissuasive’ standard for fines.[11]
Accordingly, Member States seem to have considerable discretion to shape compensatory remedies in domestic law, but it is foreseeable that the CJEU will, if necessary, establish clearer constraints on this jurisdiction to make EU data protection rights more effective.[12]
This matters because it will determine whether individuals suffering many non-material harms from data protection breaches will have a cause of action for damages. Privacy and data protection breaches may, for example, cause a range of psychological harms to individuals.[13] However, Irish tort law, which applies in this area under s 117 DPA, currently only recognises purely psychological harm as ‘damage’ where it amounts to a recognisable—i.e. diagnosed—psychiatric illness.[14] Even with a more relaxed threshold—such as ‘serious and prolonged’ injury that ‘rises above […] ordinary annoyances, anxieties and fears’[15]—an individual would still need to substantiate any claim for a significant quantum of damages through a financially onerous adversarial litigation process. By contrast, the proposition in the Vidal-Hall judgment could be relied on that mere ‘distress’ should count as ‘damage’ in the context of privacy-related statutory and EU rights intended to protect individuals from, among other things, the distress of privacy breaches.[16] However, this potentially low burden of proof would inevitably be associated with far lower damages and might still require proof of an individual’s particular privacy interest in the relevant data.[17]
For other non-material harms, similar considerations apply. Those with low burdens of proof are generally either not recognised as ‘damage’ or are recognised as very minimal forms of damage. Both Irish and UK courts have held, for example, that a breach of data protection rights does not itself constitute damage—or entitle an individual to compensation without the need to prove damage—under the EU data protection regime.[18] The purported harm of ‘loss of control’ of personal data was held by the UK Supreme Court to be relevant only to privacy claims, particularly because data protection law, strictly speaking, does not require or even presuppose that a data subject has control of their own data.[19] ‘User damages’ based on the economic value of—or cost evaded by—the wrongful misuse of property were similarly held to be presumptively inapplicable in relation to data that are not necessarily private and to which an individual might well attach no particular exchange value.[20] Relatedly, while EU Member State courts have dealt with the issue of non-material damage differently, the trend, even where a broad interpretation of damage is given, is often for very minimal damages to be awarded.[21]
Lastly, the harm of some data protection breaches is arguably a potential harm or a risk of a future harm. Potential harms are, of course, not amenable to compensation in common law tort. There is sound principle in this, but it is especially onerous on would-be plaintiffs where actual ‘damage’ from a data protection breach occurs only after a limitations period has expired.[22]
3 Proving liability and causation of damage
The GDPR sets out bases for liability for data controllers and processors that are ‘strict’ in principle. However, many of these are dependent on potentially nuanced assessments that would attract technical argument in litigation. These include, for instance, what constitute ‘reasonable steps’[23] to request joint data controllers to erase data, or what ‘appropriate technical and organisational measures’[24] are proportionate to particular risks and to the state of development and cost of relevant technologies.[25] The burden of proving an infringement on these points falls on the plaintiff; the reversal of the burden in Article 82(3) GDPR concerns only the controller’s or processor’s proof that it is not in any way responsible for the event giving rise to the damage, not the existence of the infringement itself. So too does the burden of proving the causal link between a breach and the damage suffered as per Article 82(1) GDPR fall on the plaintiff. The latter is potentially a technical legal question depending on considerations like the above and/or a technical factual question, often pertaining to information technology. The GDPR alleviates this burden somewhat by requiring data controllers not only to comply with, but also to be able to demonstrate compliance with, its obligations under the principle of ‘accountability.’[26] This is valuable to plaintiffs as it gives them a body of documented facts with which to make a case. However, it does not eliminate the need for technical litigation, which can be a barrier to redress for individual plaintiffs, particularly where the potential damages are limited by the factors outlined in the previous section.
4 Collective redress
In principle, then, collective redress mechanisms have the promise of helping plaintiffs overcome legal and financial barriers to successful litigation. However, particularly in Ireland, such mechanisms have limited scope and, in some instances, are of limited usefulness for data protection claims.
The closest procedural mechanism to a ‘class action’ with relatively general application in Irish law is a representative action.[27] A decision on a representative action is binding on unnamed but ‘represented’ plaintiffs on the condition that these plaintiffs have ‘authorised’ the named plaintiff and have the same interest in the case as that plaintiff.[28] However, all actions for damages are excluded from this procedure in Irish law on the basis that plaintiffs do not share the ‘same’ interest in the award of damages, as opposed to—where relevant—their interest in an injunction or declaration.[29] Additionally, civil legal aid is not available for such actions,[30] and third-party funding is generally prohibited in Ireland,[31] meaning that even if damages were available, a significant upfront financial burden would normally fall on the plaintiff.
The UK Supreme Court’s approach to representative actions in Lloyd v Google also suggests further limits to representative actions’ effectiveness in Irish law, even if their use were permitted in claims for damages. Lord Leggatt remarked obiter that the court could in principle make a binding decision on damages for unnamed represented plaintiffs on the condition that the damages were uniform for all plaintiffs (and so did not require further litigation) and were not prejudicial to a separate claim another individual might make.[32] This, however, limits the representative plaintiff to reliance on facts common to every plaintiff’s case as regards the alleged breach and resulting harm. On the facts in Lloyd, a cookie was wrongfully operated in each plaintiff’s browser, but some plaintiffs may not have even had a browsing history, meaning the claimed ‘user damages’ would be of no value at all.[33]
This highlights a difficulty with collective redress as a strategy generally, particularly where it is constrained by common law principles on rights of action and compensation, which generally—and rightly—tend to impose higher burdens of proof on more extensive claims of alleged damage. This difficulty is addressed, in part, by Article 80 GDPR as incorporated and transposed into Irish law by s 117(7)-(9) DPA. These provisions entitle data subjects to mandate a non-profit organisation with certain credentials to take an action on their behalf. Within the discretion afforded by Article 80, Ireland has elected to allow such organisations to take actions for damages[34] but has declined to allow this on anything other than an ‘opt-in’ basis.[35] This ensures that plaintiffs are content to be bound by the finality of a decision on damages while also giving litigators more flexibility of argument than in Lloyd. However, the requirement of collecting mandates can be an onerous logistical undertaking, and the low-burden-of-proof arguments that would enable large numbers of participants to join are often associated with such modest damages that potential plaintiffs are unlikely to bother out of ‘inertia.’[36] Additionally, it is not entirely clear how the non-profit requirement will restrict representative organisations,[37] but presumably they will have fewer resources and less bandwidth than if they were able to attract straightforwardly commercial litigation funding. The bandwidth of such organisations as gatekeepers is, accordingly, a general limit to collective redress. That said, their requisite credentials are such that, in principle, they should be expected to prioritise cases with public interest value.[38]
5 Purpose of civil remedies
The requirement of ‘public interest’ credentials of representative organisations indicates a legislative consciousness of the public value of civil litigation in this context. This is important, because whereas tort law is generally concerned with compensating individuals, privacy and data protection harms may sometimes be best described as harms done to society at large, such as when they undermine democratic processes and values.[39] Another significant public interest concern in this area is simply the diffuse nature of small individual data protection harms which collectively amount to large aggregate harms.[40] The question of how best to assess damage and determine damages is greatly affected by this, as damages risk being too small to matter to individuals and—potentially even at the same time—too large to be borne in a sustainable and orderly manner by data controlling organisations. In stark contrast to the individualised common law approach to compensation, some commentators have accordingly advocated for setting damages by statute, calibrating them to balance public interest considerations—such as deterrence, compensation, and predictable and sustainable risk allocation—and deliberately incentivising civil society to avail of them as ‘private attorneys general’, whether as activists or opportunists.[41] This approach would potentially favour greater opportunities for commercial litigation funding and might insist on the availability of representative actions—for certain types of small claims—on an opt-out basis.
The EU data protection regime, as implemented in Ireland, clearly falls somewhere between this approach and the common law approach to compensation. While Article 82 GDPR gives little guidance on what constitutes compensable damage, Article 79 requires that data subjects have an ‘effective judicial remedy.’ Recital 146 sets out, moreover, that damage should be ‘broadly interpreted in light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.’ Such case-law is forthcoming,[42] and Member States clearly have some flexibility, but it would appear that however they define ‘damage’ domestically, what will likely matter under EU law is whether the burden of proving damage is consistent with the provision of an effective remedy. Under the GDPR, this is to some extent a purposive public-interest question and not just a question of domestic legal principles. Lowering a burden of proof, if necessary, may require domestic recognition of new forms of non-material damage. In Ireland’s case, that might mean broader forms of psychological injury or something else entirely. This may also depend on other evidentiary rules and devices, such as judicial presumptions,[43] which reduce evidentiary burdens and potentially make collective redress more effective by putting the onus on defendants, where appropriate, to exclude individuals from a claim, rather than on plaintiffs to include them.
6 Conclusion
In conclusion, civil remedies for damages in EU data protection law, as implemented in Ireland, are limited in several respects. There is often a discrepancy between the damages available and the financial and logistical burden of taking an action. This can be particularly acute for individual plaintiffs, given the technical burdens of proof they need to discharge. Collective redress mechanisms help overcome these difficulties in part, and they are in any event more appropriate for addressing the often diffuse and public nature of the harms of data protection breaches. However, they are limited insofar as they require non-profit funding and mandates from represented individuals. The CJEU itself will also foreseeably address some of the shortcomings of data protection actions. Going forward, it is likely that EU law will have a greater role in purposively determining interpretations of ‘damage’ and burdens of proof in data protection actions.
[1] Regulation 2016/679/EU (‘General Data Protection Regulation’).
[2] Data Protection Act 2018, Section 117(2).
[3] ibid, Section 117(4) and 117(8).
[4] See also ibid, Section 117(10).
[5] Directive 95/46/EC (‘Data Protection Directive’), Article 23.
[6] Eoin O’Dell, ‘Compensation for Breach of the General Data Protection Regulation’ (2017) 40 Dublin U LJ 97, 106-115.
[7] ibid, 115–121.
[8] Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311 [77]-[78].
[9] Johanna Chamberlain & Jane Reichel, ‘The Relationship between Damages and Administrative Fines in the EU General Data Protection Regulation’ (2020) 89 Miss LJ 667, 688-689, 691.
[10] Regulation 2016/679/EU, Recital 146.
[11] Regulation 2016/679/EU, Article 83(1) and 83(9).
[12] For discussion of an Austrian preliminary reference which could allow the CJEU to impose such constraints (or give guidance in any event), see Tim Wybitul, Christoph Baus, Stefan Patzer and Isabelle Brams, ‘Austrian Court Submits Questions on GDPR Civil Damages Claims to CJEU’ (Global Privacy Blog, 15 June 2021) <https://www.globalprivacyblog.com/gdpr/austrian-court-submits-questions-on-gdpr-civil-damages-claims-to-cjeu/> accessed 20 December 2021.
[13] Daniel J. Solove and Danielle Keats Citron, ‘Privacy Harms’ (forthcoming, 2022) 102 BUL Rev, 42-45.
[14] Kelly v Hennessy [1995] IESC 8, [1995] 3 IR 253; Larkin v Dublin City Council [2007] IEHC 416 [20]-[21]; it is questionable what relevance diagnostic criteria developed for clinical applications should have to assessing damage, as certain rational fears or anxieties relating to a privacy or data protection breach may be serious but medically non-pathological. For a critical discussion of this standard in English law, see Rachel Mulheron, “Rewriting the Requirement for a ‘Recognized Psychiatric Injury’ in Negligence Claims” (2012) 32(1) Legal Studies 77, 84-91.
[15] Mustapha v Culligan of Canada Ltd, 2008 SCC 27, para 9 (McLachlin CJ, obiter); approved in Canada in Saadati v Moorhead, 2017 SCC 28, para 37.
[16] Google Inc v Vidal-Hall and ors [2015] EWCA Civ 311 [77]-[78].
[17] Lloyd v Google (n 18) [130]-[131]; A privacy interest might be e.g. a ‘reasonable expectation of privacy.’
[18] Collins v FBD Insurance [2013] IEHC 137 [3.6]-[3.8]; Lloyd v Google [2021] UKSC 50 [119]-[123].
[19] Lloyd v Google (n 18) [109]-[138].
[20] ibid [139]-[143].
[21] Eoin O’Dell, ‘Compensation for non-material damage pursuant to Article 82 GDPR’ (Cearta.ie, 6 March 2020) <http://www.cearta.ie/2020/03/compensation-for-non-material-damage-pursuant-to-article-82-gdpr/> accessed 20 December 2021.
[22] Solove and Citron (n 13) 20-21; Note that in the area of product liability, the CJEU has held damage to consist of the cost of remedying an unacceptable risk to medical patients with merely potentially defective pacemakers: Cases C-503/13 and C-504/13, Boston Scientific Medizintechnik [2015] 3 CMLR 6, para 49. This broad interpretation has not given rise to a significant case law, however, and it is not clear that it could be applied to data protection. For one thing, the risks generated by data breaches may be practically irremediable. Alternatively, the cost of compensating these risks for high volumes of individuals might be so excessive as to be beyond judicial contemplation: Solove and Citron (n 13) 20.
[23] Regulation 2016/679/EU, Article 17(2).
[24] Regulation 2016/679/EU, Article 25(1).
[25] Brendan Van Alsenoy, ‘Liability under EU Data Protection Law’ (2016) 7 JIPITEC 271, 282.
[26] Regulation 2016/679/EU, Article 5(2); ibid.
[27] Rules of the Superior Courts 1986, Order 15, rule 9.
[28] Law Reform Commission, Consultation Paper on Multi-Party Litigation (LRC CP 25-2003), para 1.1.1-1.1.8.
[29] ibid, para 1.1.9-1.1.10; Law Reform Commission, Multi-Party Litigation (LRC 76-2005), 1.19.
[30] Civil Legal Aid Act 1995, Section 28(9)(a)(ix).
[31] Persona Digital Telephone Ltd v Minister for Public Enterprise [2017] IESC 27.
[32] Lloyd v Google (n 18) [144]-[148].
[33] ibid, [154]-[157].
[34] Data Protection Act 2018, Section 117(8)(b).
[35] The enabling provision of Regulation 2016/679/EU, Article 80(2) is not availed of in the Data Protection Act 2018.
[36] Bryony Hurst, ‘The Tidal wave of data protection-related class actions: Why we’re not drowning just yet’ (Bird & Bird, November 2018) <https://www.twobirds.com/en/news/articles/2018/global/tidal-wave-of-data-protection-related-cases> accessed 20 December 2021.
[37] ibid.
[38] See also Directive 2020/1828/EU (‘Collective Redress Directive’), which would make such organisations the gatekeepers for collective actions in broader areas of EU law, particularly those relating to consumer protection.
[39] Solove and Citron (n 13) 21-22.
[40] ibid 19-20.
[41] ibid 17-19.
[42] Case C-340/21, VB v Natsionalna agentsia za prihodite (CJEU, 2 June 2021) [request for preliminary ruling lodged by the Varhoven administrativen sad (Bulgaria)]; Case C-300/21, UI v Österreichische Post AG (CJEU, 12 May 2021) [request for preliminary ruling lodged by the Oberster Gerichtshof (Austria)].
[43] Van Alsenoy (n 25) 275, 283, 288.