Page Contents
Key Contacts
Related areas
Key takeaways
Background
The case concerned a claim that the plaintiff’s personal data had been breached due to the defendant mistakenly sending the plaintiff's personal and financial data to third parties on a number of occasions.
The plaintiff contended that those events gave rise to data breaches, which constituted:
The plaintiff alleged that these breaches resulted in him suffering distress, upset anxiety, inconvenience, loss and damage.
The plaintiff did not obtain authorisation from the Personal Injuries Assessment Board (PIAB) (now, the PIRB) prior to issuing proceedings.
Circuit Court and High Court decisions
In both the original Circuit Court case, and the High Court appeal, the defendant had argued that the plaintiff’s claim was for a ‘personal injury’ as defined in section 2(1) of the Civil Liability Act 1961 (which includes “any disease and any impairment of a person’s physical or mental condition”) and therefore required PIAB authorisation under section 12 of the 2003 Act.
Both the Circuit Court and the High Court agreed with the defendant and dismissed the proceedings as being bound to fail for want of PIAB authorisation. The plaintiff appealed to the Supreme Court, contending that his claim for distress and anxiety did not amount to a personal injury within the meaning of the 2003 Act and that the requirement for PIAB authorisation was incompatible with the right to compensation for non-material damage under Article 82 of the GDPR.
The Supreme Court’s ruling
The Supreme Court (judgment delivered by Murray J.) overturned the High Court decision, finding that emotional disturbances such as distress, anxiety, worry, fear, inconvenience, and upset do not constitute a ‘personal injury’ within the meaning of the 2003 Act, unless they were to rise to the level a recognised psychiatric disorder. Consequently, prior authorisation from PIAB is not required as a precondition to instituting proceedings for such claims.
Personal injuries analysis
The Court undertook a detailed analysis of the statutory definition of ‘personal injury’ (section 2(1) of the Civil Liability Act 1961), how that phrase is used within existing legislation and its historical relationship with the common law. Ultimately the Court found that the construction of ‘personal injury’ proposed by the defendants did not reflect the common usage of the phrase by the legal profession or the courts.
The judgment highlighted a number of instances where legislation which impacts on claims involving personal injuries separately references ‘personal injuries’ and other harms like ‘pain and suffering’ or ‘mental distress’, suggesting that the former category does not encompass the latter.
In addition, the Court found that the defendant’s proposed interpretation was flawed as it would mean that any civil claim, (e.g. a claim in negligence against a solicitor, or for the disappointed expectations of a ruined holiday) which included a claim for distress or anxiety, must proceed through PIAB, which could not have been the intention and which would not make sense within the contemplation of the PIAB legislation.
Damages for distress at common law
The Court also noted that, at common law, it is well established that damages are not recoverable for distress or anxiety alone (unless they reach the level of a medically recognised psychiatric illness). Damages for distress/anxiety are only recoverable when a legally recognised injury is established, and such distress/anxiety is a consequence of that legally recognised injury.
As such, the Court noted that those parts of the plaintiff’s claim seeking damages for distress/anxiety due to the defendant’s negligence were misconceived.
Damages for non-material damages under the GDPR
Notwithstanding the position at common law, the Court noted that the right to compensation for non-material damages under Article 82 of the GDPR and Section 117 of the Data Protection Act 2018 did permit a claim for solely mental emotional distress, upset, and anxiety.
Where such claims are being brought, the Court noted that it would be preferable for plaintiffs to make that clear. More generally, then Court emphasised the need for plaintiffs to properly identify:
Where damages are sought for distress/anxiety which reached the level of a recognised psychiatric disorder, PIRB authorisation would be required.
Where damages are sought pursuant to Article 82 of the GDPR and Section 117 of the Data Protection Act 2018 for distress/anxiety that does not reach the level of a recognised psychiatric disorder, the Court noted that the plaintiff could expect only “very, very modest awards”.
Commentary
The Supreme Court’s judgment provides an important clarification as to when PIRB authorisation is required in GDPR non-material damages claims. A number of such claims were stalled pending the Supreme Court’s ruling and are now likely to start progressing again.
However, given the Court’s comments as to how non-material GDPR damages claims should be pleaded, it remains to be seen what impact the judgment will have on how such cases are progressed. For instance, it may be the case that plaintiffs now consider amending their pleadings to accurately describe the case they are bringing, in line with the Supreme Court’s guidance.
The Supreme Court’s commentary around the ‘very, very modest’ level of awards that might be expected in GDPR non-material damages claims for distress/anxiety is also welcome. Such commentary aligns with recent EU court decisions, such as Bindl v European EU Commission (Case T-354/22), where the EU General Court awarded €400 in respect of an unlawful data transfer. The Supreme Court’s commentary also echoes previous guidance from the Irish Circuit Court, which suggested that non-material damages could be valued below €500 (Kaminski v Ballymaguire Foods Limited IECC 5). A similar approach was taken to nominal damages for a data breach in Nolan & Ors v Dildar [2024] IEHC 4, where €500 was awarded to each plaintiff.
That said, for defendants who suffer large scale data breaches (including as a result of criminal cyber attacks), €400 per impacted data subject could nevertheless constitute an enormous cumulative figure. In circumstances in which the EU courts have accepted that an apology could constitute sufficient compensation (A v Patērētāju tiesību aizsardzības centrs (Case C‑507/23 )), it remains to be seen exactly how modest Irish court awards will be in these types of cases. The landscape in this respect could become clearer in the near future as the Irish courts will likely be dealing with an ever increasing number of such claims.
If you would like any further information on the above, please contact Dr Stephen King, Partner, Chris Bollard, Partner, Sean Dwyer, Solicitor, Eoghan O’Keeffe, Knowledge Consultant, or your usual contact on ALG's Technology team.
Date published: 1 August 2025
