We read with interest the decision of Judge John O’Connor in the Irish times on the 18th May 2023 concerning the application by the HSE for a stay against a plaintiff seeking to recover damages for the breach by the HSE of the GDPR. The claim stems from the 2021 cyber attack which we have commented on extensively and in respect of which we have a number of proceedings in being (although we have no involvement in the above case)
At first glance the position adopted by Judge O’Connor seems like an attractive “wait and see” position for an Irish Court to adopt. Irish Courts are, where Community law has competency, subject to that community law. The first application for such a stay in Irish Law was in the Fastway case, and this was driven in part by a preliminary decision before the Courts of Justice of the Euopean Union (CJEU) by an advocate general which had data protection defence lawyers salivating. In Österreichische Post AG the advocate general suggested that there might be a de minmis threshold by which individuals could not recover. Colloquially, the Court suggested that unless there was something substantial they might tell a plaintiff “go, home, you are grand”, despite the existence of a breach.
The CJEU however delivered their binding decision in Österreichische Post AG on the 4th May. The salivating stopped. The Court was clear, there was no de minimum rule and in particular the CJEU noted that compensation is required only when three conditions are met:
(1) personal data is processed in a manner that infringes the GDPR;
(2) the data subject suffered damage; and
(3) there is a causal link between the unlawful processing and the damage suffered.
The concept that the GDPR has a minimum threshold was rejected, but the Court concluded that full and effective compensation for the damage.
While we do not have a transcript of Judge O’Connor’s reasoning, it seems the Irish Courts are currently forging a lonesome path in their interpretation of European law. While there are other decisions awaiting determination before the CJEU, it is difficult to see why a national court must wait until all these run their course; particularly when the Europe as firmly put the ball back in the hands of the individual member states, and there the steps in 1-3 above are familiar to Irish Courts in may areas, and not just data protection.