“Justice Best Served” – Data Subject Claims Stayed
In a recent significant judgment1 from the Irish Circuit Court, the judge concluded that “justice is best served” by granting a stay of a data subject’s damages claim pending determination of certain preliminary references currently before the CJEU. The court expressed a view that damages in the case, if awarded, were likely to be small and a stay would not impact the procedural efficiency of the proceedings, but a delay in granting a stay could substantially and unnecessarily increase legal costs for the defendant.
According to the plaintiff, there was a third party hacking incident at the defendant company, Fastway Couriers, in February 2021, in which the personal data of over 450,000 individuals’ data was allegedly compromised. As one of the data subjects affected, the plaintiff is seeking damages arising from the incident, with the proceedings being brought pursuant to Articles 79 and 82 of GDPR and section 117 of the Data Protection Act 2018. The plaintiff’s solicitor acts for a number of affected data subjects and there are apparently other solicitors waiting in the wings who also have clients who intend issuing similar proceedings in relation to the incident.
Fastway Couriers applied for a stay of the proceedings pending determination of six preliminary references currently before the CJEU. The court acknowledged the duty of sincere cooperation provided for in Article 4(3) of the Treaty on European Union. According to that duty, the court is obliged to stay proceedings in any case where there is a risk that its decision could conflict with an existing or future CJEU decision.
In that context the court referenced, in particular, the Advocate General’s opinion in the Österreichische Post case2, and noted that if the CJEU follows that opinion the plaintiff in the present proceedings may not be entitled to damages at all. With fundamental issues of interpretation remaining pending before the CJEU – such as the meaning of “material” and “non-material” damage; and the imposition or otherwise of liability under Article 82 in the context of a hacking incident – the court used its inherent discretionary jurisdiction, to grant a stay. If the proceedings were allowed to progress to hearing, the judge commented that the costs incurred by the defendant would likely be far in excess of any damages awarded in favour of the plaintiff – assuming the plaintiff succeeds in its claim, which is by no means certain.
The judgment is significant because it not only has an impact on existing or potential plaintiffs in relation to this particular incident, but also is clearly relevant to other data subject damages claims generally in the pipeline where the claim is for non-material loss. Based on the reasoning in this judgment, it seems that until key GDPR interpretation issues before the CJEU are clarified, most other similar claims in the Irish courts are likely to suffer the same fate and not get off the ground for some time yet, if at all.
- Cunniam v Fastway Couriers Dublin Circuit Court Record No. 2021/03424; Judgment of O’Connor J on 23rd January 2023
- Case C-300/21
For more information on this topic, please contact John Whelan, Partner, or any member of A&L Goodbody’s Commercial & Technology team.
Date published: 8 February 2023