The decision follows the recent Court of Justice of the European Union (“CJEU”) judgment of Case C-300/21 UI v Osterreichische Post AG (the “Post AG” case), delivered on 4 May 2023.  This judgment was eagerly anticipated by Member States and data controllers generally in the hope that it would provide greater clarity on the assessment of claims for non-material damage.  On this aspect, the CJEU held that it is for each Member State to determine the assessment of non-material damages in line with domestic practice once the EU principles of equivalence and effectiveness are complied with. This heightens the significance of the Kaminski decision given the role the Irish courts will continue play in assessing these claims at domestic level.

In addition, there are several decisions awaited in this area from the CJEU and it remains to be seen whether a consistent approach at EU level in awarding compensation for this category of data infringement will emerge. In the meantime (and unless the decision is appealed), given the volume and increasing number of these types of claims that data controllers are faced with, the Kaminski decision gives an indication of the attitude of the domestic courts to these types of claims.

Facts in the Kaminski Case

The plaintiff was an employee of the defendant in a supervisory role.  The defendant employer delivered workplace training on food safety practice which included use of CCTV footage in which the plaintiff’s image appeared.  The plaintiff was not aware that his image was used in the training video until after the training occurred and was not present at the training session.  He claimed that he was clearly identifiable in the video.  The defendant initially denied that the plaintiff was identifiable but later admitted this at trial.  The training video was stored on a computer at the workplace, which was not password protected, however no unauthorised person accessed the video.  The plaintiff claimed that the events had negatively impacted him as he believed he was mocked by colleagues, he was severely embarrassed, struggled with sleep loss and was stressed at work.

The court awarded the plaintiff €2,000 in damages, along with his legal costs, and held that there was an infringement of the plaintiff’s rights under GDPR as there was no legal basis for the processing of this data and that the defendant had not established a legitimate interest for using it.  

Key takeaways from the decision in Kaminski

  1. Compensation for non-material damage is likely to be ‘modest’.
  2. The Court suggested that alternative dispute resolution in the format of an independent adjunctive or conciliatory process may be an appropriate way to resolve data-breach disputes in the future.
  3. While the plaintiff in Kaminski did not undergo medical assessment, the court referred to the Personal Injuries Guidelines 2021 and measured the damage sustained by the plaintiff as “minor psychiatric damages” (which can be valued at less than €500). This is in circumstances where the plaintiff did not establish that he suffered psychiatric damage in the absence of a medical report. 
  4. The court also noted that the above factors will likely impact a claim for legal costs in data-breach cases for non-material damage.

Where do we go from here?

The level of damages squarely places the Kaminski case within the monetary jurisdiction of the District Court, which has an upper threshold of €15,000. Claims for data-breaches cannot currently be brought in the District Court but this is due to change via a recently enacted amendment to the Data Protection Act 2018, which added the District Court as an appropriate court to hear and determine data protection actions.[1]

This amendment has not yet been commenced but the trend in awards indicates that the District Court may well be the appropriate court for these types of cases. Importantly, from a costs perspective, the level of costs awarded to successful claimants in the District Court will be considerably lower than in the Circuit Court. It is not clear that a consistent approach will emerge in the assessment of data-breach claims in future cases decided by the District Court, as the costs may militate against the obtaining of psychologist or medical reports and the District Court does not deliver written decisions. As such, in the absence of judicial guidelines or the establishment of an alternative dispute resolution process to deal with these cases, the precise value trajectory of future claims for non-material damage is difficult to predict but the Kaminski case is helpful nonetheless. 

[1] Part of the 12 Courts and Civil Law (Miscellaneous Provisions) Act 2023 which amended section 117 of the Data Protection Act 2018.