Do claims for distress and anxiety resulting from a data breach require authorisation from the Injuries Resolution Board?

This article was co-authored by Wayne Miley, trainee solicitor.

Ireland’s highest court, the Supreme Court, has said ‘no’ – in its recent judgment in Dillon v Irish Life Assurance. 

In doing so, the Court overturned a High Court decision that had dismissed a claim for non-material damage under section 117 of the Data Protection Act 2018, on the basis that the plaintiff did not have an authorisation from the Injuries Resolution Board. The plaintiff was seeking damages for distress, upset, anxiety and inconvenience after letters containing his personal and financial data were mistakenly sent by the defendant, with whom he held a life assurance policy, to a third party.

Importantly, the Supreme Court confirmed that where a plaintiff claims solely for mental distress, upset and anxiety under section 117 of the 2018 Act, they “cannot expect anything other than very, very modest awards.”

Emotional disturbances vs recognised psychiatric disorder

The Supreme Court clarified that a standalone claim in tort or contract for emotional disturbances (such as anxiety, distress, worry, fear, inconvenience and upset), where there is no recognised psychiatric disorder, is not a personal injury claim within the meaning of the Personal Injuries Assessment Board Act 2003. Therefore, such claims do not require Injuries Resolution Board authorisation.

However, claims involving a medically recognised psychiatric injury are personal injury claims under the 2003 Act and must go through the Injuries Resolution Board process before proceedings can be issued.

The claim in Dillon

The plaintiff advanced claims in negligence and breach of duty, including breach of statutory duty.

The Supreme Court found that the claim in negligence was “misconceived”: there could never have been a liability in negligence because a plaintiff cannot obtain damages in negligence for mental distress that falls short of a psychiatric injury. 

The claim for breach of duty was superfluous.

In reality, the claim was for non-material damage under a distinct statutory cause of action provided by section 117 of the Data Protection Act 2018, which allows for compensation arising from a breach of data protection law. As such, the claim fell outside the personal injuries regime.

Responsibility of plaintiffs and their legal advisers

The Court emphasised that it is the responsibility of plaintiffs and their legal advisers to clearly plead the type of loss for which they seek compensation and the precise legal basis on which they do so. Where a claim is brought solely under section 117 of the 2018 Act, it should be pleaded as such, rather than framed as a negligence or breach of duty action.

Key insights

  • Section 117-only claims for distress, anxiety, or upset caused by a data breach do not require Injuries Resolution Board authorisation.
  • Awards for these claims will be very modest.
  • Claims involving recognised psychiatric injuries do require Injuries Resolution Board authorisation.
  • Plaintiffs must clearly identify the basis of the claim in the pleadings.

Since January 2024, the District Court, with its fixed scale of legal costs, has had jurisdiction to hear data protection claims. The vast majority, if not all, of these non-material damage (or mere distress) claims should now be brought in the District Court. The combined effect of very modest damages and limited legal fees significantly reduces the attractiveness of these actions for both claimants and their legal advisers. This, in turn - and contrary to earlier fears - should limit the exposure for data controllers, processors and their insurers.

Locations