Legal Actions for Data Breaches & Misuse of Personal Data

The ransomware attack on the HSE in May 2021 has raised questions re potential legal actions from those whose sensitive personal data may have been compromised and/or published online. In this article, Dermot Sheehan BL takes a deep dive into personal data restrictions and remedies under Irish Law.

Remedies in Irish Law for Data Breaches and misuse of personal data

There have been legal restrictions and remedies in Irish law in terms of the wrongful processing personal data since the enactment of the Data Protection Act 1988 which implemented the 1981 Strasbourg Convention on the Automatic Processing of Personal Data.

Data Protection became a European Union competency which enacted the Data Protection Directive on the 24^th of October 2005 which was subsequently implemented in Irish Law.

It was decided at a European level to unify Data Protection laws across the European Union by the enactment of a regulation. European Union Regulations automatically take effect in each member state, while a Directive requires a Member State to enact laws to give effect to the objects of the Directive, but leave it to the Member States much of how that object is to be achieved.

The General Data Protection Regulation (“GDPR”) (EU Regulation 2016/679) was adopted by the European Union on the 27^th of April 2016 and it gave a two year lead in until the 25^th of May 2018.

As a European Union Regulation it takes direct effect in Irish Law and can be relied on in the same manner as an Act of the Oireachtas. The Data Protection Act 2018 was enacted to ensure Irish law was in compliance with its provisions (specifying who the national data supervisor is and specifying how an entitlement to a judicial remedy under the regulation is given effect).

Restrictions on data processing

The GDPR imposes legal restrictions on the processing of “personal data” which is defined as:

personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Article 2(1) of the GDPR means the legal requirements of the GDPR applies to data processing by automatic means, partly by automatic means  or processing otherwise than by automatic means when the data forms part of a filing system or is intended to firm part of a filing system.

Article 2(2) of the GDPR provides that there is an exemption in terms of processing by natural persons in the course of purely personal or household activities, or for national authorities for the purposes of criminal investigations and prosecutions or national security.

Article 5 of the GDPR requires that the information be obtained fairly, for a legitimate purpose, be accurate and relevant in the context of data breaches that personal identifying data be kept no longer than strictly differently and that appropriate security measures be taken providing in Article 5(e) and 5(f):

1. Personal data shall be:

(e)

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f)

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1

Article 6(1) of the GDPR lists that processing must be authorised by one of the paragraphs of that article namely;

1. consent given by the data subject,
2. processing is required for the performance of a contract that the data subject is a party to,
3. is necessary with compliance to a legal obligation to which the data controller is subject,
4. is necessary for the vital interests of the data subject or some other natural person,
5. for the performance of a task carried out in the public interest or in the exercise of public authority vested in the data controller,
6. for the legitimate interests of the data controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

For paragraphs (c) and (e) Irish Law or EU law must specify the circumstances that give rise to the application of those paragraphs.

Articles 7 and 8 of the GDPR give the conditions for giving consent providing that it must be freely given, if in writing given separately, that such consent can be withdrawn at any time and whether consent was freely given regard shall be had to whether the performance of a contract was conditional on such consent. Article 8 is in respect of consent by children providing that for a child below the age of 16 consent shall be by a parent or guardian although member states can specify a lower age of consent but not lower than 13 years of age.

Article 9 of the GDPR puts in place heightened restrictions and obligations for “special categories of personal data” that is:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

An entitlement to process this data can only take place on the basis of:

• explicit consent, although national law can remove consent as a basis for certain situations,
• if it is necessary for the purpose of employment or social security law, insofar as it is authorised by national law,
• for the vital interests of the data subject or another natural person where the data subject is incapable of giving consent,
• for the legitimate purposes with appropriate safeguards of a non profit foundation or society with a political, philosophical, religious or trade union aim in relation to members or former members who are in regular contact with it and the data is not disclosed outside the body without consent
• processing of personal data that the data subject has manifestly made public
• necessary for litigation or by the courts acting in their judicial capacity,
• necessary for reasons of substantial public interest as authorised by law, such a law must be “proportionate”
• processing necessary for occupational health
• processing necessary for public health measures
• for archiving for research purpose

Sections 39-55 of the Data Protection Act 2018 implements these provisions in Irish law authorising lawful data processing for such diverse activities as for electoral purposes by political parties, crime and national security reasons, social welfare, for the purposes of obtaining legal advice or for legal proceedings and for insurance/pension purposes.

Rights of Data Subject under GDPR

A data subject under the GDPR has a right of access to the personal data under Article 15 of the GDPR, under Article 16 the right to rectification of inaccurate data and under Article 17 the right to erasure of data of data for which consent for processing was withdrawn and/or for which there is no longer a lawful purpose for processing. Under Article 20 a data subject has the right to receive data in a common machine readable format if it is stored in that format (“data portability”) and under Article 21 and 22 a data subject as the right to object to automated decision making and being profiled by such automated decision making.

Article 23 of the GDPR authorises restrictions on these rights imposed by national law, for national security reasons, investigating/prosecuting crime, for judicial proceedings and the bringing of civil claims and other important objects of a general public interest.

Sections 56-60 of the Data Protection Act 2018 give effect to these restrictions in Irish Law by providing for example for restrictions for the rights of data subjects in respect of amongst other things cabinet confidentiality, court proceedings, the immigration system, criminal asset forfeiture, the independence of the Central Bank, the financial interests of the State or European Union and under section 56 restricting access to an examination script until the exam results are announced.

Requirements of a Data Controller and Data Processor

The persons subject to the requirements under the GDPR are the “data controller” and “data processor” which is defined as

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Articles 24(1) and (2) of the GDPR provide that a controller must take measures to ensure that processing is carried out in accordance with the GDPR:

1. 1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
   2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

Article 25 fleshes out this obligation by requiring specifically that technical measures be taken to safeguard personal data:

1. 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
   2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

A data controller may outsource processing to a data processor. Article 28 of the GDPR requires that there be a written contract between the controller and processor and Article 28(1) provides:

 Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Article 32(1) and (2) of the GDPR imposes an obligation on both controllers and processors in terms of the security of the data providing:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.   In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Articles 33 and 34 imposes a requirement on the data controller to notify the national supervisory authority (which in Ireland is the Data Protection Commission) and the data subject in a as soon as possible  of a “personal data breach” which is:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The requirement to notify the Data Protection Commission arises if there is a risk to the rights and freedoms of natural persons resulting from the personal data breach, the requirement to notify the data subjects concerned only occurs if there is a “high risk” of that occurring.

Legal Remedies

Article 77 of the GDPR gives a data subject the entitlement to lodge a complaint with a national supervisory authority (which in Ireland is the Data Protection Commission) in respect of an infringement of the regulation. The Data Protection Commission can administratively assess a fine against the controller or processor.

If the data subject or controller/processor is unhappy with how the Data Protection Commission has dealt with their cases Article 78 of the GDPR gives them an entitlement to an effective judicial remedy to appeal the decision and it is given effect in Ireland by section 150 of the Data Protection Act which allows an appeal to be brought to the Circuit Court or High Court by either the data controller/processor or data subject.

Article 79 of the GDPR imposes a requirement for an effective judicial remedy directly against a data controller or processor. This is implemented in Ireland by section 117 of the Data Protection Act 2018 which creates a “data protection action” which shall be considered an action founded on tort, and for which the High Court has jurisdiction as well as the Circuit Court (for claims up to €75,000).

As an action founded on tort the limitation period would appear to be 6 years under s. 11(2) of the Statute of Limitations, although it is possible that the shorter limitation of two years would apply under the Statute of Limitations (Amendment) Act 1991 in respect of any data protection claims that cause personal injuries.

Section 117(4) of the Data Protection Act 2018 provides that the court can grant an injunction, declaration and/or damages which are defined to include “material or non material damages”.

Article 82 of the GDPR specifies that an individual has an entitlement to damages against the data processor or controller concerned:

1. 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
   2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
   3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
   4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
   5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
   6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2)

As can be seen from this provision there is a reference to “material and non material damages”. The previous position in Irish Law was that under s. 7 of the Data Protection Act 1988 a data controller and subject owed the data subject a duty of care.

In Collins v. FBD Insurance [2013] IEHC 137 the High Court (Feeney J.) held that under the 1988 Act a Plaintiff had to show actual out of pocket loss, and non pecuniary loss such as upset and/or distress at the breach could not ground a claim for damages.

The GDPR however expressly provides for claims for material and non material damages. It does not define non material damages, and does not expressly provide that damages can be awarded per se as is the case for claims for assault, battery or trespass.

Recital 85 of the GDPR however gives some indication what the European Parliament and Council meant when they referred to such damages providing in respect of damages from a personal data breach:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned”

 

It appears that loss of control over the personal data is enough to ground a claim for damages, which would in effect make a data protection claim actionable per se in the case of a personal data breach since this would happen in every such breach.

Issues of Liability for Data Breaches

It is important to note that the GDPR does not impose strict liability on a data controller/processor and there needs to be some degree of fault on the controller or processor (Article 82(3)) insofar as a claim for damages is concerned.

A controller would likely be at fault if a data subject’s data was collected and/or processed not in accordance with the requirements of Articles 6 or 9, it is hard to see how a breach could occur unintentionally. Similarly it is difficult to see how failing to give affect to a data subject’s access, rectification and/or erasure rights under Articles 15-22 could occur without intent.

In terms of a personal data breach resulting in the unlawful access and dissemination by a third party, the data controller is under a duty to notify the data subject if there is a “high risk” to the rights and freedoms of the data subject. This is a separate free standing obligation that can give rise to a claim regardless of whether there was fault with regard to the substantive data breach.

In terms of the data breach, the issue would be whether there was a breach of Articles 24, 25 or 32 by the controller and/or processor. Articles 24 and 25 as noted above requires that appropriate technical and organisation measures be taken such as pseudonymisation, limiting the number of persons with access to the data, and data minimisation. These measures are to minimise the amount of personal data at risk and the people who have access to it.

Article 32 refers to technological measures

“…Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.

It is not prescriptive nor defines what measures shall be taken, simply requires “appropriate measures” such as encryption and pseudonymisation and other appropriate measures having regard to the state of the art, the cost and risk of a data breach. It also requires regular testing and assessing of the technical measures.

Systems which involve quite large amounts of very confidential personal data would therefore be expected to have very significant measures taken with regular testing, and organisational or technological measures to stop one user on the system accessing everyone’s personal data. Systems with lesser amounts of personal data, which if subject to a breach would not be significant, have a lesser obligation in terms of the technology employed.

Unlike for example equality law, there is no reverse burden of proof, the Plaintiff would have the burden of proof to show that the measures taken were inadequate. Given however if the Plaintiff proves that there was a data breach, this arguably is adequate to show that prima facie there is something wrong with the data controllers systems/procedures and/or technology so as for the Defendant to have to prove that they employed appropriate systems, procedures and equipment and there was no culpable fault at their end in terms of how they stored and processed the personal data.

If a data protection action was to be taken and liability is in issue, the matter for the court to determine would be whether the measures taken by the data controller were adequate. The data controller is not strictly liable, but they are expected to take steps in terms of organisational control to minimise the amount of personal data and persons with access to it and in terms of technological measures, to employ systems and testing commiserate with the amount and sensitivity of the data they process.

A data subject who is the victim of either unlawful processing of personal data or failure to comply with GDPR rights for access/rectification or erasure can complain to the Data Protection Commission and/or issue proceedings in the Circuit Court or High Court for a declaration, injunction or damages.

A data subject who is the victim of an unlawful data breach has an entitlement to be notified of the data breach if there is a high risk to them from the data breach. The Data Protection Commission should also be notified if there is a risk from the data breach. A complaint can be made by the data subject to the Data Protection Commission.

The data subject can bring proceedings for damages for the data breach in the Circuit Court or High Court if they can show that appropriate organisational and/or technical measures were not taken by the data controller having regard to the personal data processed.

Damages can be awarded for non material damages, such as loss of control of the personal data, it is not clear what quantum would expect to be awarded however given the absence of precedent in this area.

GETTING LEGAL ADVICE

Contact us below if you wish to obtain a legal consultation with regard to personal data and related GDPR issues.