A vital precedent has been set in Irish GDPR history. The Circuit Court’s recent award of €7,500 in MH v Child and Family Agency, the highest compensation under the GDPR in Ireland to date, demonstrates an evolving recognition of the emotional and relational impact of personal data breaches—in this case, non-material damages.
If you’re a victim of a GDPR breach, understanding this landmark case can empower you to take action and secure justice.
What Happened in the MH Case?
This ground-breaking case involved the unlawful disclosure of highly sensitive personal data by Tusla (the Child and Family Agency). The data revealed confidential details of abuse allegations made by the plaintiff as a child. The disclosure breached GDPR principles of fairness, lawfulness, and confidentiality by sharing the information with family members without proper consent.
The fallout was devastating:
- The plaintiff testified that the breach caused serious emotional distress, eroding trust not only in Tusla but also in their closest family relationships.
- The Circuit Court, guided by its precedent in Kaminski v Ballymaguire Foods Limited, recognised the uniqueness and gravity of this breach, awarding €7,500 for emotional harm inflicted.
This decision signifies the importance of holding data controllers accountable, irrespective of whether the victim presents medical evidence, as the plaintiff’s own testimony in this case proved to be sufficient evidence of harm.
Why This Case is Important
This ruling sets an important precedent for victims of GDPR breaches, with key takeaways, including:
1. Genuine Emotional Harm Matters
The court accepted non-material harm as a valid basis for damages, interpreting emotional distress (beyond mere upset) as “genuine and not trivial”. This represents a shift in favour of recognising individual experiences of injustice caused by breaches.
2. No Mandatory Medical Evidence
The Circuit Court reinforced a victim-friendly stance by accepting the plaintiff’s testimony without requiring medical records to validate emotional harm. This simplifies access to justice for victims suffering non-material damages.
3. The Responsibility to Mitigate
The ruling highlighted the defendant’s lack of timely mitigation, such as failure to immediately apologise or take satisfactory remedying actions, as a contributing factor to the final award. Defendants in future cases may face stricter scrutiny if adequate steps are not taken to address a breach once discovered.
4. GDPR Breaches Are Often Serious
GDPR breaches, especially those surrounding sensitive personal data, transcend legal obligations and highlight ethical responsibilities. This judgement encapsulates how data breaches intertwine with deeper issues like loss of privacy and dignity.
What Does This Mean for GDPR Breach Victims?
If you’ve been impacted by a data breach, you have rights to compensation under Article 82 of the GDPR, which allows claims for non-material damages such as emotional distress and anxiety. The MH decision underscores several actionable lessons for breach victims:
Understand Your Rights
GDPR enforces organisations to act responsibly with personal data. A breach is not just an IT issue but also a breach of trust and security. If your personal data has been disclosed or processed unlawfully, you’re entitled to take action.
Gather Evidence of Impact
While this case shows medical evidence is not a requirement, keeping a diary of events or changes to your mental well-being and relationships post-breach can substantiate your claim.
Legal Matters Can be Complex (But You Don’t Need to Navigate Them Alone)
Cases like MH are precedent-setters in a complex and evolving system of privacy law. Seeking guidance from GDPR experts or solicitors experienced in breach-related claims is critical. They can guide you on key matters like:
- Filing compensation claims.
- Submitting complaints with the Data Protection Commissioner (DPC).
Evaluate the Breach Context
Did the organisation involved notify legal authorities? Did their corrective actions feel insufficient? These elements strengthen your case.
Takeaway for Businesses on GDPR
For organisations, the decision in MH serves as a critical reminder of their obligation to protect personal data under GDPR principles. Organisations must adopt proactive measures to avoid breaches, including:
- Enhancing transparency in their data practices.
- Implementing robust safeguards for managing sensitive information.
- Training staff consistently on GDPR compliance, especially regarding confidentiality.
- Acting swiftly to mitigate harm if breaches occur.
Non-compliance doesn’t just risk fines or lawsuits; it risks the reputation and trust that businesses rely on for long-term success.
Legal Awareness Can Make a Difference
The importance of accountability and compensation under the GDPR is growing. Whether you are a victim or part of a data-involved organisation, awareness of cases such as MH and evolving Irish legal verdicts surrounding GDPR breaches is invaluable.
If you’ve been affected by a GDPR breach and want to understand your rights or start a claim, take the first step today. Visit HOMS Assist for the guidance you can trust.
