The recent (11/04/24) case of Dillon v. Irish Life is further complicating the area of bringing Data Breach Actions. This case suggests that Injuries Resolution Board authorisation is now required for some GDPR claims. Essentially the High Court held that any loss for anxiety and distress arising from a data breach, short of a recognisable psychiatric disorder will require an Injuries Resolution Board (IRB) authorisation. Of course inconvenience and damage don’t require an IRB authorisation. Judge O’Donnell noted

 

the plaintiff stated that the current practices of PIAB generally require the submission of a form of medical report with any claim for authorisation, and argues that this reinforces their assertion that the type of claim envisaged in the Equity Civil Bill does not fall within the definition of “personal injuries ”. Again, I do not consider that this argument can have the effect of modifying the underlying meaning of the legislation. If the proper application of the Act of 2003 , in the sense of requiring an application to be made to PIAB even where an assessment is highly unlikely, is cumbersome for some cases this appears to be the inevitable consequence of the application of the legislation

At this point it would seem prudent to advise anyone who was affected by a data breach to firstly made an application to Injuries Resolution Board, although the recent requirement of that body to require a medical report will make some of these applications interesting, to say the least. This new development was not considered by Judge O’Donnell in Dillon. A doctor is not always the first place most people go after learning they have been the victim of cybercrime, even if they have been caused distress or anxiety. The 2022 Act further complicates the issue of stopping the statute of limitations. The limitation period for personal injury claims is 2 years, but is up to 6 for Data Protection actions in there most straightforward form.

We have many cases issued issued against the HSE, and many to follow against MTU for a breach in 2023 where data was uploaded to the darkweb and continue to follow (and lead) the developments in this rapidly developing area of law.