On 11 July 2023, the Circuit Court of Ireland awarded 2,000 euros in compensation to a plaintiff seeking ‘non-material damage’ under Article 82 of the General Data Protection Regulation, in what is believed to be the first case in the European Union to follow the recent Court of Justice of the European Union decision in the Österreichische Post case (Case C-300/21).

We have written previously about the Österreichische Post case, in the blog post titled ‘European Court of Justice Clarifies Rules on Damages Compensation for GDPR Breaches’.

In the Irish case of Arkadiusz Kaminski v Ballymaguire Foods Limited [2023] IECC 5, the court held that the plaintiff suffered non-material harm when the defendant, his employer, used CCTV footage of him, in which he was clearly identifiable, in a training session delivered to other employees.

Background

The plaintiff, Arkadiusz  Kaminski, was a supervisor at Ballymaguire Foods. In March 2019, at a meeting between various supervisors, managers and quality control, the defendant played various clips of CCTV footage taken on-site for the purpose of training its employees. One of the clips in question clearly showed the plaintiff making a mistake, with the clip being used to demonstrate how food could be contaminated in the workplace.

The plaintiff was capable of being identified from the CCTV footage, despite him not being named in the meeting. He later was informed by his colleagues who had attended the meeting that the footage had been shown and, as a result, the plaintiff alleged that he was mocked by his colleagues for his mistake. The plaintiff claimed that he suffered damage and distress as a result, as the incident caused him anxiety and humiliation.

The plaintiff initially complained to the regulator, the Irish Data Protection Commission, about the incident, but the complaint was not assigned to a handler due to a backlog of complaints. As a result, the plaintiff opted to issue court proceedings.

Submissions on identifiability

The defendant’s original defence denied that the plaintiff was identifiable in the CCTV footage, as he had ‘protective wear’ on his face. As a result, the defendant denied that the CCTV footage constituted personal data.

The plaintiff submitted that he was identifiable from the CCTV footage for the following reasons:

  • His entire face was not obscured.
  • He has a distinctive physical presence and movements.
  • He was one of a limited pool of people working in the area concerned.
  • There was an associated audio recording identifying him by his first name.

During the hearing, it was conceded by the defendant that the plaintiff was in fact identifiable, and that the CCTV footage was therefore subject to the GDPR.

Submissions on non-material damage

The plaintiff alleged that he suffered non-material damage and distress in the form of anxiety and embarrassment due the remarks made by work colleagues as a result of the alleged data breach.

In response, the defendant submitted that the incident caused mere ‘upset, anxiety and embarrassment’ and that compensation was not recoverable for such damage.

Submissions on data protection policies

The plaintiff submitted that the defendant’s privacy policies lacked clear information about the intention to use CCTV footage in employee training sessions. The defendant had four separate policies, dated 2011, 2014, 2016 and 2018, respectively, but only the 2018 policy dealt with the use of CCTV footage. Further, the employee in charge of devising the training in question confirmed that she relied on the 2016 and 2011 policies only.

Questions considered by the court

The key questions for the court in deciding whether non-material damages should be awarded were as follows:

  • Did the use of the CCTV footage by the defendant constitute a breach of the GDPR?
  • If yes, did the damage go beyond mere upset or displeasure as a result of the infringement?
  • If yes, what (if any) compensation should be awarded, and how should it be calculated?

Relevant factors in deciding damages for non-material loss

The court (following the Österreichische Post case) stated that the following factors should be considered in a claim for non-material damage under the GDPR:

  • A ‘mere breach’ or a mere violation of the GDPR is not sufficient to justify an award of compensation for non-material harm, but damages should nonetheless be interpreted broadly (as per Recital 146 of the GDPR).
  • A claim does not have to meet any threshold of seriousness, but compensation should not cover ‘mere upset’ – and the non-material damage must be genuine, not speculative.
  • There must be a link between the infringement and the damages claimed and this must be proven; for example, in a claim for distress and anxiety, independent evidence such as a psychologist report or medical evidence is desirable.
  • Data policies, employee privacy notices, and CCTV policies must be clear, transparent and accessible by all parties affected.

The court also noted that steps taken to mitigate the harm and, by contrast, failures which aggravate the harm, should be taken into consideration in an assessment of damages for non-material harm. For example:

  • An apology may be considered in mitigation of damages (e.g., it may reassure an affected employee that their employment is safe and not at risk).
  • A delay in dealing with an incident may aggravate the damage, leading to a higher compensation award.

The court also noted that, in many cases, even where non-material damage can be proved and is not trivial, damages will often ‘probably be modest’. (In making this assessment, the court took into consideration some Irish judicial guidelines on minor psychiatric damages.)

Decision

In summary, the court held in its judgment that:

  • The plaintiff was identifiable from the CCTV clips shown during the training session, so the footage did constitute personal data that was subject to the GDPR.
  • The defendant’s data protection policies were not sufficiently clear and transparent due to there being four separate policies covering overlapping material, and that they were not provided in Polish, the plaintiff’s first language.
  • The plaintiff’s consent to the processing was ‘at best unclear’ and this should be construed against the employer.
    • While the defendant later submitted that it was relying on the legal basis of legitimate interests, it did not conduct a legitimate interests assessment to show that the processing was necessary for the purposes for which it was used.
  • Bearing in mind the plaintiff’s role as a supervisor, his loss went beyond mere upset and created ‘an emotional experience and negative emotions of insecurity which did affect him for a short period of time’.
    • Although this was not supported by a medical report, the plaintiff was subject to examination and cross-examination at trial, and he was viewed by the court as being a reliable witness.
  • In respect of mitigation, the court noted that the defendant had subsequently translated its policies into the various first languages of its employees and addressed the use of CCTV footage in training sessions, which was ‘commendable’, while also noting that the breach did not have any long-term effect on the plaintiff or his employment.
  • The court therefore awarded the sum of 2,000 euros to the plaintiff.

Conclusion

Companies should take note of the Irish court’s judgment here, as it may very well lead to employees and other data subjects following in the plaintiff’s footsteps by seeking to enforce their GDPR rights through the courts, rather than via the relevant regulator, particularly in circumstances where the courts are perceived to offer a timelier resolution.

The judgment is helpful in setting out the various factors which the courts of the EU member states are likely to consider when assessing damages for non-material harm under Article 82 of the GDPR. Companies ought to take these factors into consideration when reviewing their GDPR compliance, particularly in respect of the transparency of their data protection policies (including ensuring that any policies are made available in the first language of the company’s employees) and the usage of CCTV footage.

In the event of a breach, companies also should seek to ease any distress caused to the affected data subject(s), whether through an apology or other appropriate reassurances. Given the judge’s comments about dispute resolution and the ‘modest’ level of damages which are likely to be awarded for non-material damage, it also would be wise for companies to consider implementing an independent conciliation scheme or other alternative dispute resolution methods with a view towards resolving any employee issues without the need to involve the courts.

Authors

Joanne Elieli

Morgan McCormack

Posted by Cooley