Unlike the old “Data Protection Act”, Recital 146 of the GDPR encourages a broad interpretation of the concept of damage. That said, there is no clearly defined interpretation as to how someone is to be compensated for “non-material damage”.
As of now, it is unknown what attitude the Irish Court might take to the concept of awarding compensation for breach of data protection laws as it has not been tested as yet.
There are currently two schools of thought on how non-material damage should be compensated. On the one side, Courts generally only award compensation for non-material damage in exceptional circumstances where rights have been egregiously infringed. Courts have often concluded that a “mere inconvenience” is normally not an adequate basis for a claim. It is, however, questionable whether this rationale is in keeping with Recital 146, and certainly in the case of medical records falling into the hands of nefarious actors, it is possible that few would consider they suffered a “mere inconvenience”. This is more plausible given it will be difficult to assure anyone that the exfiltrated data can ever be considered confidential again; the milk cannot be unspilt!
The second school of thought would be that an expansive view of “non-material damage” would be adopted by the Courts. It is suggested the second approach is more in keeping with the intentions of the GDPR. Although the Irish Courts have not been asked to comment on the issue of Material Damage as yet, a number of European Courts have done so.
In Germany, the Courts have concluded that a breach of the GDPR itself can result in a pay-out. On the 5th March 2020 the Düsseldorf labour court ordered a company to pay an employee €5,000 in damages for their failure to comply with Article 15 GDPR. In May 2020, the regional court of Darmstadt awarded €1,000 in non-material damages against a company that mistakenly sent an email to an unconnected third party. Importantly, in that case the court did not require proof of concrete disadvantage suffered by the litigant. In another case, a data subject was awarded €4,000 after a psychotherapist forwarded on sensitive data without consent.
Turning to the Netherlands, the Dutch Courts have awarded damages ranging from €250 to €500. They have applied a strict test and require either a severe breach of the GDPR or something to substantiate the non-material damage.
The European Court of Justice (ECJ) has not yet had the opportunity to consider the matter of how compensation should be paid for “non-material” damage, but it will do so shortly. In the Goslar case a number of weeks ago, the German Constitutional Court (BVerfG) ruled that the ECJ would need to clarify the application of Recital 146 and the interpretation of non-material damage as it applies to compensation for GDPR breaches. The German Constitutional Court stated:
This claim for monetary compensation has not been exhaustively clarified in the case law of the Court of Justice of the European Union, nor can it be determined directly from the GDPR in its individual requirements necessary for the assessment of the facts presented in the main proceedings. Even in the literature available to date, which arguably favours a broad understanding of the concept of damage in view of Recital 146, the details and the exact scope of the claim are still unclear.
The facts in the Goslar case were notably less serious than those faced by the HSE. It simply concerned the sending of an unsolicited email. How the ECJ interprets the Goslar case may well have a bearing on the quantum of damages to which HSE data subjects who have only suffered a non-material loss may be entitled. The ECJ will need to balance two competing lines of jurisprudence in its decision. One line can be seen from the recent Schrems II, where the ECJ suggests that any compensation paid (in a similar situation) should be a deterrent. On the other hand, there is settled case-law of the Court that damage for which compensation is sought must be actual and certain. Irrespective of how the ECJ concludes, the outcome is highly unlikely to be that no compensation should be paid for non-material breaches.
Given the massive number of people likely to be affected by this data breach, even compensation at the level of €500 per person (and without consideration of costs) would run into the billions. It would also appear that the more widely circulated the exfiltrated data, the higher the awards to individuals might be.