FOIL Ireland: Claim for stress caused by data breach not properly constituted

This article is also reproduced in the February 2024 edition of the Voice (Publisher: Forum of Insurance Lawyers).

This article was co-authored by Sinéad Reilly, Knowledge Lawyer. 

The Irish High Court has found that a claim seeking damages for stress and anxiety caused by an accidental data breach was not properly constituted because the plaintiff had not sought authorisation from the Irish Personal Injuries Assessment Board (PIAB) before issuing proceedings.

Keane v Central Statistics Office: what happened?


The plaintiff, a census enumerator employed by the Irish Central Statistics Office (CSO), was one of 3,000 people whose salary details were mistakenly disclosed by the CSO to third parties.

She issued proceedings in the Circuit Court, claiming that this had caused her stress and anxiety. She said she had suffered a loss of appetite, difficulty sleeping and a flare up of her psoriatic arthritis. The plaintiff did not claim any other specific loss or damage.

In its defence, the CSO submitted that as the plaintiff was seeking damages for personal injuries (i.e. stress and anxiety), she should have applied to PIAB for an assessment of her claim before issuing court proceedings.

Requirement to seek authorisation from PIAB

The Irish Circuit Court and the High Court, on appeal, found that the plaintiff should have sought authorisation from PIAB.

Broadly speaking and subject to certain exceptions, the Personal Injuries Assessment Board Act 2003 applies to actions intended to be pursued for the purpose of recovering damages, in respect of a wrong, for personal injuries.

A “wrong” is “…a tort, breach of contract or breach of trust…”.

“Personal injuries” include “any disease and any impairment of a person’s physical or mental conditions.”

Where the 2003 Act applies, a claimant must apply to PIAB for an assessment of the claim before issuing court proceedings.

Here, the plaintiff’s action against the CSO was for breach of contract, negligence and breach of the duty of care it owed to her. These causes of action were clearly “wrongs” within the meaning of the 2003 Act.

The plaintiff was seeking damages for the stress and anxiety she suffered and the impact this had on her appetite, sleep and psoriatic arthritis. These were impairments of the plaintiff’s physical or mental condition and came within the definition of “personal injuries”.

The High Court found that:

“a claim that arising from a tort or breach of contract, a person has suffered stress or anxiety… is a claim that constitutes a civil action that requires authorisation from PIAB under the terms of the Act of 2003.”

A significant factor in the Court’s decision was that the plaintiff did not claim any other specific loss or damage. The Court did not consider whether a PIAB authorisation is required where a claim for stress is ancillary to a claim for other damages said to arise from a tort or breach of contract.


Data protection actions under the Irish Data Protection Act 2018

Persons affected by a data breach can bring a claim under the Data Protection Act 2018 (the breach in the Keane case pre-dated this Act).

The court can award compensation for any damage caused by the data breach, including non-material damage. In 2023, the Circuit Court indicated that claims for non-material damage would likely attract “modest” compensation, awarding €2,000 in the particular case for damage that it said went “beyond mere upset”.

As of 11 January, this year, the District Court can, in addition to the Circuit Court, hear data protection actions under the 2018 Act. This is a welcome development as the value of these claims typically comes within the District Court’s monetary jurisdiction (up to €15,000) and it should reduce the costs of defending these claims.

 

Related content

Locations