+353 (0) 404 37420

Data Protection Acts – High Court rules on limitation of damages under Section 7

The case of Collins v FBD Insurance 2012 52 CA delivered by Justice Feeney on 14th day of March 2013, concerned an appeal by the defendant from a Circuit Court order where the Court determined that the plaintiff was entitled to the sum of €15,000 damages together with costs.Background and Circuit Court ProceedingsIn the Circuit Court proceedings the plaintiff claimed a number of reliefs including damages for discrimination and harassment in breach of the Equal Status Acts 2000 (as amended), damages for negligence and breach of duty including statutory duty and damages for breach of contract. He also claimed damages pursuant to section 7 of the Data Protection Acts 1988 and 2003 (“the Data Protection Acts”). The appeal to the High Court proceeded on the basis that the only issues to be considered was whether or not the plaintiff was entitled to damages pursuant to section 7, and if so, the quantum of such damages. The plaintiff insured his van with the defendant insurance company which was used by him in his business of painting and decorating.On the 27th September, 2008 the plaintiff’s van was stolen from outside of his home in Finglas following a break-in to his house. The plaintiff subsequently made a claim under his policy of insurance on the 2nd October, 2008. The claim was investigated on behalf of the defendant by a claims management company who expressed the view that it was a case for settlement. Following receipt of the report from the claims management company, the defendant insurance company determined to have the plaintiff investigated by a private investigator who established from court records that it appeared that at Swords District Court in 2004, the plaintiff had been convicted of theft and sentenced to two months in prison. The court noted however that the factually correct position was that the plaintiff pleaded guilty to receiving stolen goods and received a three-month sentence. On the 10th November, 2008 the defendant insurance company wrote to the plaintiff and requested an explanation as to why the plaintiff’s conviction had not been disclosed to them.On the 19th November, 2008 the plaintiff wrote to the defendant seeking the plaintiff’s proposal form. In early January 2009, the plaintiff’s van was recovered and returned to him. On the 12th January, 2008 the plaintiff’s solicitors wrote to the defendant pursuant to the Data Protection Acts formally calling upon the defendant pursuant to section 4 to furnish a copy of the plaintiff’s file, including a copy of the original proposal form. On the 25th March, 2009, the defendant forwarded to the plaintiff’s solicitors a letter enclosing the documentation that the defendant held on its file in respect of the plaintiff however by that date, the plaintiff’s solicitors had already been in contact with the Data Protection Commissioner and requested them to inquire into the insurance company’s delay in dealing with the request from the plaintiff. Data Protection Commissioner DecisionsThe Data Protection Commissioner concluded by correspondence dated 1st August, 2010 that the defendant insurance company had been in breach of section 4(1)(a) of the Data Protection Acts “by not providing all the relevant personal data within the forty day time limit specified”, and, secondly, had been in breach of section 4(7) “by not notifying Lawlor Partners Solicitors [the plaintiff’s solicitors] when it released certain personal data on the 25th March, 2010 of its reasons for refusal to supply other personal data in its possession and of the data’s subject right to complain to the Data Protection Commissioner about that refusal”. In a second decision of the Data Protection Commissioner dated 14th April, 2011 (concerning use by FBD of a private investigator and the production by him of a report on the plaintiff) the Commissioner was of the opinion that FBD Insurance had contravened the Acts and, in particular, section 2(c)(3):“. . . by failing to ensure that all the processing of your client’s [Mr. Collins’] personal data was carried out in pursuance of a contract in writing or in another equivalent form between the data protection controller (FBD) and the data processor (private investigator), that the contract provide that the data processor carry out the processing only on and subject to the instructions of the data controller and that the data processor comply with obligations equivalent to those imposed on the data controller by s. 2(1)(d) of the Act”.The second decision of the Data Protection Commissioner of the 14th April, 2011 concluded by stating in relation to damages that data controllers are liable under section 7 of the Data Protection Acts to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession.High Court ProceedingsThe High Court noted that the issue before it was whether or not the plaintiff was entitled under section 7 of the Data Protection Acts to an award of general damages in the absence of any damage including special damage. It noted that in the two decisions of the Data Protection Commissioners, four breaches were identified, namely:(a) the failure by the insurance company to furnish data within forty days;(b) the failure by the insurance company to disclose that documentation; in its possession had been released;(c) the failure by the insurance company to have the necessary and required contract in place with a private investigator before using such investigator; and(d) the failure by the insurance company to access District Court conviction orders in the proper manner. Section 7 of the Data Protection ActsJustice Feeney observed that Section 7 of the Data Protection Acts deals with the duty of care owed by data controllers and data processors and provides:“For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned.”He noted:

  • Section 7 of the Data Protection Acts establishes a statutory duty of care and allows for a remedy for a breach under the law of torts;
  • Section 7 is a statutory provision which expressly provides that a civil action may be taken;
  • Section 7 imposes a statutory duty of care on data controllers and data processors to the extent that the law of torts does not already provide, as regards the collection of personal data and their dealing with the data; the duty is owed to the data subject concerned.

He noted that the key question comes down to whether or not the damages provided for by section 7 requires that there be proof of damage suffered by a plaintiff as a necessary pre-condition to an award of damages. The court further accepted that the drafting of section 7 is imperfect and, to some extent imprecise but “…….what is clear is that s. 7 does not provide, within its terms, for strict liability or for the automatic payment of compensation. It limits compensation by a provision providing for the existence of a duty of care within the law of torts”.Justice Feeney observed that “……for that duty of care, in circumstances where it is a breach of statutory duty to extend to the payment of damages without proof of damage or loss, it would mean that strict liability applied. For that to arise, the section itself would have to have so provided….” He noted that the section did not provide for automatic damages for a breach of the Act and there was no reference or identification of any strict liability. The High Court observed that where it is clear that there is no strict liability and that liability and the entitlement to compensation is predicated upon and dependent upon a claimant establishing a breach of a statutory duty of care, it necessarily follows that a claimant must establish that the breach has caused the claimant damage if that claimant is to be entitled to damages. In essence it provided that Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. ConclusionJustice Feeney concluded that the plaintiff failed to prove any damage resulting from the breach of the duty of care owed by the defendant.  In those circumstances, the plaintiff was not entitled to any damages as he has failed to establish that he had suffered any loss or damage within the scope of section 7 of the Data Protection Acts.However the High Court noted that it would have regard to both the manner in which the defendant company conducted itself in relation to the investigations carried out by the Data Protection Commissioner and the fact that the issue as to the limitation of the nature of damages under section 7, which resulted in the defendant succeeding in the appeal, was not argued in the Circuit Court when addressing the question of costs.

Scroll to Top