Lacey Solicitors, are known and respected as Insurance Defence litigators and represent a number of insurers across the entire island of Ireland. Our office is at front of one of the fastest-growing areas of litigation namely Data Breach Claims in Ireland. Particularly, those involving non-material damages—claims for emotional harm like distress or anxiety, rather than specific financial loss.
What Are Non-Material Damages?
Under Article 82 of the GDPR, individuals can claim compensation for:
- Material damage (e.g. financial loss)
- Non-material damage (e.g. distress, anxiety, embarrassment, or loss of control over personal data)
These claims are supported by the Data Protection Act 2018 in Ireland.
Where Are These Claims Heard?
As of January 2024, the District Court can hear data protection claims up to €15,000. This makes it the default forum for most non-material damages claims. If a claim is filed in the Circuit Court but is worth less than €15,000, insurers should seek to remit it to the District Court to reduce costs.
Do Claimants Need PIAB/IRB Authorisation?
Yes—if the claim involves distress, anxiety, or upset, it may be considered a personal injury. In that case, the claimant must get authorisation from the Injuries Resolution Board (IRB) before issuing proceedings. If they don’t, the case could be dismissed.
Key Irish and EU Cases
Here are the most important cases shaping how non-material damages are assessed:
Irish Cases
- Kaminski v Ballymaguire Foods Ltd [2023] IECC 5
- Facts: Employee’s photo used in a training session without consent.
- Award: €2,000 for distress and embarrassment.
- Key Point: No medical evidence needed; plaintiff’s testimony was enough.
- MH v Child and Family Agency (Tusla) [2023]
- Facts: Sensitive childhood abuse data disclosed to third parties.
- Award: €7,500 for emotional harm.
- Key Point: Seriousness of breach and lack of mitigation increased the award.
- McCabe v AA Ireland Ltd [2024] IECC 6
- Facts: Employee was secretly recorded by a manager while on sick leave.
- Award: €5,500 for distress and embarrassment.
- Dillon v Irish Life Assurance PLC [2024] IEHC 203
- Issue: Whether PIAB authorisation is needed for distress claims.
- Decision: Yes—distress and anxiety fall under personal injury.
EU Cases (CJEU)
- Österreichische Post (C-300/21)
- Key Point: A GDPR breach alone is not enough—actual damage and a causal link are required.
- VB v Natsionalna agentsia za prihodite (C-340/21)
- Key Point: Data controllers must prove they had strong security in place. Strict liability doesn’t apply automatically, but the burden is high.
- AT, BT v PS GbR (C-667/21)
- Key Point: Fear of future misuse of data can be compensable—but only if it’s real and proven, not hypothetical.
What’s Compensable?
Under the GDPR, individuals can claim compensation for certain types of emotional harm caused by data breaches. Compensable non-material damages include distress, anxiety, embarrassment, and loss of control over personal data—these are recognised by courts as legitimate impacts of a breach.
However, not all emotional responses qualify. Mere upset or annoyance, as well as hypothetical fears that are not supported by evidence, are generally not compensable. Courts require a clear and demonstrable link between the breach and the emotional harm suffered.
How Much Are Courts Awarding for Data Breach Claims in Ireland?
| Type of Breach | Typical Award (€) |
|---|---|
| Minor (e.g. Kaminski) | €500 – €2,500 |
| Moderate (e.g. McCabe) | €2,500 – €5,500 |
| Serious (e.g. MH) | Up to €7,500 |
Awards over €10,000 are rare and would require exceptional circumstances.
Strategies for Insurers dealing with Data Breach Claims in Ireland
When defending GDPR-related claims, insurers should take a practical and proactive approach. One of the first steps is to assess whether the case belongs in the District Court, especially if the claim is under €15,000—this can help manage legal costs more effectively. If the claim involves emotional harm like distress or anxiety, it’s important to check whether the claimant has obtained the necessary PIAB or IRB authorisation. Without it, the case may not be allowed to proceed. Insurers should also look closely at the evidence—is there clear proof of actual harm and a direct link to the alleged breach? If not, that’s a strong basis for challenge.
Taking early steps to apologise and correct the issue can also go a long way in reducing potential damages. In some cases, if the data in question is already accessible through a secure online portal, that may be enough to satisfy the claimant’s request. Finally, it’s worth considering mediation or other forms of alternative dispute resolution to settle matters quickly and avoid drawn-out litigation.
What About Cyberattacks?
Insurers should note:
- Controllers are not automatically liable for every breach.
- They must show they had strong security measures in place.
- In complex cases, expert evidence may be needed to prove the breach was unforeseeable.
Need help defending a Data Breach Claim in Ireland?
At Lacey Solicitors, we offer expert legal advice and proven defence strategies tailored to the needs of insurers, businesses, and data controllers across Ireland. Ruaidhri Austin, Partner deals with data protection claims, as well as broader issues involving privacy law and cyber security. Whether you’re facing a data breach allegation, a non-material damages claim, or need guidance on compliance, Ruaidhri and our dedicated team are here to help.
Click through to our online portal to arrange a confidential discussion and see how we can support you:
