Director held personally liable for data breach
In Nolan & Ors v Dildar & Ors [2024] IEHC 4, the High Court held a director personally liable for breaches of the Data Protection Acts 1988 and 2003.
The judgment is part of the long-running litigation involving Nolan Transport, the transport and logistics company. This article is concerned with a very small aspect of McDonald J’s 317-page judgment, in which he found the director of a company personally liable for data breaches.
Facts
The proceedings arose when the plaintiffs, who were trustees of a family pension fund, alleged that approximately €6.9m of fund property was misappropriated by a company based in the United Arab Emirates. The Court dismissed all but one of the plaintiffs’ claims: the unauthorised disclosure of the plaintiffs’ personal data.
The plaintiffs claimed that Mr Millett, a specialist pensions provider operating through the limited liability company of which he was a director and the sole shareholder, had provided their personal data (comprising names, home addresses, dates of birth, PPS numbers and copies of passports) to an Isle of Man fund without their consent. Mr Millett admitted in interrogatories that he had disclosed the personal data to the fund without the plaintiffs' permission. He also admitted that he did so in order to obscure the involvement of other persons in the fund, but there is no evidence that he benefitted personally from this.
Decision
The data breaches took place in 2013, before the introduction of the General Data Protection Regulation (GDPR) and Data Protection Act 2018, so the Court had to rely on the Data Protection Acts 1988 and 2003 (the Acts). The Court was satisfied that the disclosure by Mr Millett fell within the statutory meaning of “unauthorised disclosure of personal data” under the Acts.
The letter to the Isle of Man fund was written on the headed paper of Mr Millett’s company, but, because it was signed by Mr Millett, the Court held that he was personally liable as the “human author”. The personal information was not disclosed beyond the Isle of Man fund and there was no evidence of actual damage. McDonald J determined that it was appropriate to make an award of nominal damages to each of the plaintiffs “to mark the fact that their rights have been infringed”. He ordered Mr Millett to pay €500 to each of the six plaintiffs, making him personally liable for a total of €3,000.
Comment
Personal liability for tort
McDonald J mentioned that it’s “well settled” that a director will incur personal liability where they “procure the commission of a tort”, but he did not cite any cases in support of this. There is some limited English case law to support the contention, as well as a decision of the Irish Supreme Court in Shinkwin v Quin-Con Ltd and Quinlan [2001] 1 IR 514. In Shinkwin, the manager of a factory was held personally liable in negligence, because he was in “undisputed control” of the factory and “had placed himself by his own actions in such a relationship to the plaintiff as to call upon himself the obligation to exercise care”. Without more information in the judgment, it is difficult to determine the factors which led McDonald J to make the finding of personal liability in this case.
Damages for non-material breaches
In terms of awarding damages for non-material breaches of data protection laws, the decision appears to be an amalgamation of old and new positions, although none of the leading cases are cited in the judgment. Pre-GDPR, the leading case in Ireland was Collins v FBD Insurance PLC [2013] IEHC 137, where the High Court held that, in order for compensation to be awarded under the Data Protection Acts 1988 and 2003, a data subject had to prove that the data breach resulted in actual damage.
In Österreichische Post (Case C-300/21), in 2023, the Court of Justice of the European Union (CJEU) ruled that a data breach by itself is not sufficient to ground a claim for compensation and set out the three conditions which must be satisfied in order to recover compensation under GDPR:
- There has been a breach of GDPR.
- Either material or non-material damage has been suffered by the data subject.
- There was a causal link between the infringement and the damage suffered.
The CJEU further held that non-material damage arising from a breach of GDPR does not need to reach a certain level of seriousness for the affected party to acquire the right to compensation and it is up to national courts to determine damages based on the seriousness of the harm.
In Kaminski v Ballymaguire Foods [2023] IECC 5, the Irish Circuit Court followed Österreichische Post, awarding “modest” damages of €2,000 for a breach that did not result in any widespread harm or further dissemination of data, but which went beyond causing “mere upset” to the claimant. However, most Irish cases are following the approach taken in Cunniam v Parcel Connect Limited & Ors [2023] IECC 1 and placing a stay on proceedings until the CJEU rules on a number of similar cases. Since Cunniam, the CJEU has broadly reinforced its approach in Österreichische Post.
To cast some further doubt on the treatment of non-material damages for data breaches in Ireland, the High Court in Keane v Central Statistics Office [2024] IEHC 20 upheld a Circuit Court ruling that the plaintiff’s claim for non-material damages was principally a personal injury claim and, therefore, failed because she did not obtain prior authorisation under the Personal Injuries Assessment Board Act 2003.
While McDonald J’s decision in this case appears to align most closely with the approach taken in Kaminski, this area of the law is still in flux, and it remains to be seen what approach to non-material damages claims will prevail. To discuss the data protection aspects of this decision, please reach out to Eoghan O'Keeffe, Knowledge Consultant.
If you have any questions, please contact Anne O’Neill, Senior Knowledge Executive or any other member of ALG’s Corporate and M&A team.
Date published: 26 March 2024