Neutral Citation  IEHC 137
THE HIGH COURT
[2012 No. 52 CA]
Judgment of Mr. Justice Feeney delivered on 14th day of March, 2013.
1.1 This is an appeal from a Circuit Court order of the 9th March, 2012 where the Court determined that Michael Collins, the plaintiff in the Circuit Court, was entitled to the sum of €15,000 damages and that he should recover that sum together with costs from the defendant. The defendant has appealed that order by notice of appeal dated the 15th March, 2012.
1.2 In the Circuit Court proceedings Michael Collins claimed a number of reliefs including damages for discrimination and harassment in breach of the Equal Status Acts 2000/2008, damages for negligence and breach of duty including statutory duty and damages for breach of contract. He also claimed damages pursuant to s. 7 of the Data Protection Acts 1988 and 2003 (“the Data Protection Acts”). The order of the Circuit Court did not identify the claim in respect of which the damages were awarded. However, both parties to the appeal proceeded on the basis that the only issues to be considered by the High Court was whether or not the plaintiff was entitled to damages pursuant to s. 7 of the Data Protection Acts and if so, the quantum of such damages. Both parties proceeded on the basis that the Circuit Court had determined that the defendant had breached the provisions of the Data Protection Acts and that the plaintiff in the Circuit Court action had been held entitled to general damages in the sum of €15,000 pursuant to the provisions of s. 7 of the Data Protection Acts and that no special damages or loss had been proved.
1.3 The case initially commenced before the High Court on the basis that the sole issue to be determined was whether as a matter of law the plaintiff respondent is entitled to compensation pursuant to s. 7 of the Data Protection Acts in the absence of evidence of actual loss or damage. When the case commenced it was envisaged by both parties that oral evidence would not be required and that the parties would seek the Court to rule on the issues of the entitlement to general damages under s. 7 of the Data Protection Acts and, if the plaintiff was so entitled, then to determine the quantum of damages. Following further consideration of the matter, the parties agreed and proceeded on the basis that oral evidence should be heard by the Court.
2.1 The factual matters which give rise to this claim commenced with the plaintiff insuring his van bearing registration number 08D 1065 with the defendant insurance company. The van which the plaintiff insured was for use by him in his business of painting and decorating. The insurance cover obtained extended to the loss of the vehicle or damage to it but the policy did not cover any other financial loss due to matters such as the temporary loss of the vehicle. The period of insurance provided for in the policy was for the twelve month period beginning the 31st May, 2008.
2.2 On the 27th September, 2008 the plaintiff’s van was stolen from outside of his home in Finglas following a break-in to his house and the theft and break-in were investigated by An Garda Síochána. Following the theft of his van, the plaintiff made a claim under his policy of insurance on the 2nd October, 2008. The claim was investigated on behalf of the defendant by a claims management company who concluded in a report from its investigator that there was clear evidence that the insurer’s house had been broken into whilst it was unoccupied and that a number of items had been stolen along with the insured’s van and that the claims management company had no reason to suspect that there was anything untoward. The report expressed the view that it was a case for settlement. Following receipt of that report, the defendant insurance company determined to have the plaintiff investigated by a private investigator. The private investigator reported to the insurance company. In the report the investigator stated that his inquiries at the local Garda station had indicated that the Gardaí considered the claim to be a genuine incident but the report went on to state that from other inquiries and information, the private investigator had established that the plaintiff was involved in an incident in Blanchardstown Shopping Centre where a van had been broken into and a strongbox in the rear of the vehicle had been forced open and items stolen and that the investigator had established from court records that it appeared that at Swords District Court on the 26th June, 2004, the plaintiff had been convicted under the Theft Act and had been sentenced to two months in prison. It should be noted that the factually correct position is that the plaintiff pleaded guilty to receiving the stolen goods which were removed from the vehicle that was broken into and that on a plea of guilty, the plaintiff received a three month sentence.
2.3 On the 10th November, 2008 the defendant insurance company wrote to the plaintiff and stated:
That letter of the 10th November, 2008 was written at a time when the insurance company did not have available to it the plaintiff’s proposal form. On the 19th November, 2008 the plaintiff wrote to the defendant seeking the plaintiff’s proposal form. The proposal form was unavailable to the defendant insurance company as of that date. On the 27th November, 2008, solicitors acting for the plaintiff wrote to the defendant requesting the urgent attention of the insurance company and pointing out that the plaintiff was currently out of work due to the loss of his vehicle. No response was received to the plaintiff’s solicitors’ letter and further reminders were sent on the 11th December, 2008 and the 16th December, 2008.
“We understand that you may have been convicted of a criminal offence. Please let us have full details of same in writing, together with an explanation as to why this material fact was not disclosed to us. If we do not hear from you within ten days from the date of this letter, we will proceed to cancel the above policy and treat the same as null and void.”
2.4 In early January 2009, the plaintiff’s van was recovered and returned to him. As of the date that the van was returned, the defendant insurance company had neither paid out under the policy of insurance nor responded to the correspondence from the plaintiff’s solicitors nor had it provided the plaintiff with a copy of his proposal form. That form had been signed and completed at the inception of the policy. On the 12th January, 2008 the plaintiff’s solicitors wrote to the defendant pursuant to the Data Protection Acts formally calling upon the defendant pursuant to s. 4 to furnish a copy of the plaintiff’s file, including a copy of the original proposal form. The cheque enclosed with the request was for a sum greater than the required amount and correspondence was exchanged to achieve the payment of the actual required amount. A cheque for the correct sum was forwarded by the plaintiff’s solicitors to the defendant by letter dated the 19th February, 2009. On the 25th March, 2009, the defendant forwarded to the plaintiff’s solicitors a letter enclosing the documentation that the defendant held on its file in respect of Michael Collins. By that date, the plaintiff’s solicitors had already been in contact with the Data Protection Commissioner and had, by letter of the 9th March, 2009, requested the Commissioner to inquire into the insurance company’s delay in dealing with the request from the plaintiff. Following receipt of the insurance company’s letter of the 25th March, 2009, enclosing certain documentation, the solicitors for the plaintiff again wrote to the Data Protection Commissioner by letter of the 30th March, 2009 raising concerns as to how the insurance company had come upon certain information and whether or not, in obtaining such information, there had been a breach of the Data Protection Acts. Following further correspondence between the Data Protection Commissioner, the plaintiff’s solicitors and the defendant insurance company, the solicitors for the plaintiff, by letter of the 16th September, 2009 to the Data Protection Commissioner, formally requested a decision from the Commissioner under s. 10 of the Data Protection Acts in relation to the complaint brought on behalf of Michael Collins against FBD Insurance Company. That request was ultimately responded to by a decision of the Data Protection Commissioner dated the 1st August, 2010 concluding that the defendant insurance company had been in breach of s. 4(1)(a) of the Data Protection Acts “by not providing all the relevant personal data within the forty day time limit specified”, and, secondly, had been in breach of s. 4(7) “by not notifying Lawlor Partners Solicitors [the plaintiff’s solicitors] when it released certain personal data on the 25th March, 2010 of its reasons for refusal to supply other personal data in its possession and of the data’s subject right to complain to the Data Protection Commissioner about that refusal”.
2.5 As part of the correspondence which was exchanged prior to the first decision of the Data Protection Commissioner, the Data Protection Commissioner wrote to the plaintiff’s solicitors by letter of the 11th August, 2009 indicating that the Commissioner had been informed in a recent letter that the insurance company’s actions arose because “the reasons the claims handlers became suspicious on this case came down to the occupation of the insured. The claims handler in the case of Mr. Michael Collins asked the question on previous convictions because the client’s occupation is stated to be a painter and decorator”. During the hearing in this Court, it was accepted and acknowledged on behalf of the insurance company that that was a false explanation, based upon incorrect information and that by the date that the insurance company had written to the plaintiff on the 10th November, 2008 stating that they understood that Mr. Collins may have been convicted of a criminal offence, the insurance company were in fact of a possession of the claims management company’s report dated the 13th October, 2008 and the private investigator’s report which referred to a criminal conviction. The explanation provided by the defendant for raising the possibility of a criminal conviction was, on the face of it, concocted.
2.6 Following receipt of the first decision of the Data Protection Commissioner dated the 1st August, 2010, further correspondence was exchanged between the plaintiff’s solicitor and the office of the Data Protection Commissioner. On the 9th September, 2010 the plaintiff’s solicitors made a complaint against FBD Insurance Company on behalf of the plaintiff. Eventually, that complaint resulted in the second decision of the Data Protection Commissioner which was dated the 14th April, 2011 wherein it was identified that on the 9th September, 2010 a request had been made to investigate alleged breaches of the Data Protection Acts relating to the use by FBD of a private investigator and the production by him of a report on Mr. Collins which included information on an unrelated incident involving Mr. Collins which had resulted in a criminal conviction. The decision of the Data Protection Commissioner set out details of the investigation and an analysis of the data protection issues and concluded on the final page with the decision. The Commissioner was of the opinion that FBD Insurance had contravened the Acts and, in particular, s. 2(c)(3):
The Commissioner also gave the opinion that the insurance company failed “to ensure that the data processor provide sufficient guarantees in respect of the technical security measures, and organisational measures governing the processing” and also failed to “take reasonable steps to ensure compliance with those measures”. The decision also found that FBD Insurance failed to comply with 2(c)(3) and s. 2(1):
“. . . by failing to ensure that all the processing of your client’s [Mr. Collins’] personal data was carried out in pursuance of a contract in writing or in another equivalent form between the data protection controller (FBD) and the data processor (private investigator), that the contract provide that the data processor carry out the processing only on and subject to the instructions of the data controller and that the data processor comply with obligations equivalent to those imposed on the data controller by s. 2(1)(d) of the Act”.
2.7 The second decision of the Data Protection Commissioner of the 14th April, 2011 concluded by stating in relation to damages that data controllers are liable under s. 7 of the Data Protection Acts to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession and that it was a matter for any individual who feels that he might have suffered damage from a contravention by a data controller of its data protection responsibilities to take legal advices appropriate but that the office of the Data Protection Commissioner has no function in relation to the taking of proceedings under s. 7 or in giving any such legal advice.
“by (i) securing access to court records through the agency of the private investigator which recorded sensitive data – a criminal conviction – related to your client [Mr. Collins], other than in a manner prescribed by the District Court rules and (ii) in failing to take reasonable steps to ensure that the private investigator did not thus unfairly obtain personal data related to your client [Mr. Collins]”.
2.8 The decisions of the Data Protection Commissioner were not appealed.
2.9 By civil bill dated the 12th May, 2011, Michael Collins commenced Circuit Court proceedings against FBD Insurance Company Plc including claims for a number of reliefs including a claim for damages under s. 7 of the Data Protection Acts arising from the contraventions by FBD of its data protection responsibilities as detailed in the two decisions of the Data Protection Commissioner. The claim pursuant to s. 7 was the only clam proceeded with in the Circuit Court and it was in respect of that claim under s. 7 of the Data Protection Acts that damages were awarded to the plaintiff by the Circuit Court.
2.10 The second decision of the Data Protection Commissioner identified that the defendant insurance company in its disclosure of documents made on the 25th March, 2009 to the plaintiff’s solicitors had omitted therein to identify or reveal the existence of a report from the private investigator and the decision of the Data Protection Commissioner had identified that there was no written contract in place between the insurance company and the investigator as required by the Acts.
2.11 The proceedings before the High Court were a re-hearing of the case considered by the Circuit Court and during the course of the hearing counsel for the defendant acknowledged that the FBD Insurance Company had breached the Data Protection Acts and accepted the findings of the Commissioner in relation to such breaches and confirmed that no appeal had been taken against the findings made by the Commissioner. Whilst the civil bill had identified particulars of special damage in the form of loss of earnings and alternative transport, no figure was identified in respect of such special damage nor was any loss proved in Court. At the commencement of the hearing before the High Court, it was acknowledged on behalf of the plaintiff that there had been no out of pocket expenses or special damages incurred by the plaintiff arising from the breaches of the Acts. It was on that basis that the issue which was before the Court was whether or not the plaintiff was entitled under s. 7 of the Act to an award of general damages in the absence of any damage including special damage. During the course of the evidence certain limited evidence was led in relation to loss of earnings arising from the plaintiff being without his van for a number of months. That evidence was so imprecise and indefinite that I was unable to conclude that the plaintiff suffered any provable damage or to relate any claimed damage to the breaches of the Data Protection Acts committed by the defendant.
3.1 The plaintiff claims that he is entitled to damages pursuant to s. 7 of the Data Protection Acts for the breaches of the Acts committed by the defendant. In the two decisions of the Data Protection Commissioner, four breaches were identified. Those breaches were:
3.2 Section 7 of the Data Protection Act deals with the duty of care owed by data controllers and data processors. Section 7 provides:
(a) the failure by the insurance company to furnish data within forty days;
(b) the failure by the insurance company to disclose that documentation; in its possession had been released;
(c) the failure by the insurance company to have the necessary and required contract in place with a private investigator before using such investigator; and
(d) the failure by the insurance company to access District Court conviction orders in the proper manner.
It is the extent of the civil liability for breach of statutory duty as identified in s. 7 which is central to the matters which I must consider. The plaintiff contends that he is entitled to damages pursuant to s. 7 of the Act as there has been a breach of the Act by the defendant. The plaintiff contends that s. 7 establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. The plaintiff also contends that to recover damages under s. 7 of the Act, a data subject does not have to show a loss and damages may be awarded by a Circuit Court Judge, or on appeal by a High Court Judge, so as to allow the data subject enforce his data protection rights. The defendant contends that a plaintiff is not entitled to any award of damages pursuant to s. 7 unless the plaintiff proves actual loss or damage. I must therefore determine what is the extent of damage recoverable under s. 7 of the Data Protection Acts. Section 7 of the Data Protection Acts establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. Section 7 is a statutory provision which expressly provides that a civil action may be taken. Section 7 imposes a statutory duty of care on data controllers and data processors to the extent that the law of torts does not already provide, as regards the collection of personal data and their dealing with the data; the duty is owed to the data subject concerned. The question comes down to whether or not the damages provided for by s. 7 requires that there be proof of damage suffered by a plaintiff as a necessary pre-condition to an award of damages.
“For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned.”
3.3 The long title to the Data Protection Act 1988 reads in part as follows:
The convention referred to is the Strasbourg Convention. Section 7 of the Data Protection Acts seeks to provide for remedies as envisaged under Directive 95/46/EC of the 24th October, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 23 of the Directive reads under the heading “Liability”;
“An Act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically.”
What is envisaged by Article 23 is that a person who has suffered damage is entitled to be compensated. Paragraph (55) of the preamble to the same Directive reads:
“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”
The Directive mandates that in the event of a breach that sanction shall apply and Article 24 of the Directive states in relation to sanctions:
“Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive.”
3.4 What is obligated under the Directive is that a Member State is obliged to have in place a provision which provides that a person who has suffered damage as a result of an unlawful processing operation or an act incompatible with national provisions is entitled to receive compensation from the controller for the damage suffered. The obligation does not extend to an automatic payment of compensation. It is open to the Member State to provide that the compensation permissible in a Member country’s legislation extends beyond the Directive. That is a matter for each individual Member State. Article 23 provides that a wronged individual may be entitled to payment of compensation but subject to proof of the damage that they have suffered.
“The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.”
3.5 Section 7 of the Data Protection Acts transposes the Directive into Irish law. Section 7 imposes a statutory duty of care on data controllers to the data subject. It is stated in the legal submissions on behalf of the plaintiff that:
I accept that the drafting of s. 7 is imperfect and, to some extent imprecise. However, what is clear is that s. 7 does not provide, within its terms, for strict liability or for the automatic payment of compensation. It limits compensation by a provision providing for the existence of a duty of care within the law of torts. The section does not in its express terms seek to go beyond the obligation for compensation contained in the Directive.
“The drafting of the section (s. 7) is perhaps not inspired and academic commentary is sparse. Almost all Irish authority on statutory duty relate to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury”.
3.6 Insofar as it may be said that the terms of s. 7 are ambiguous or unclear, s. 7 must be interpreted in the light of Article 23 of the Directive. The interpretation of Directives requires not only the construction of the Community Directive or text but also of the national implementing legislation. It is accepted that national legislation ought to be interpreted so as to give effect to the intention identifiable from the text of the Directive itself. Directives are commands addressed to each Member State and each State has a duty to give effect to its obligations under the Directive. That duty does not extend to going beyond the obligation required in the Directive even though the possibility of doing so is permitted, provided the Member State does so clearly within the legislation implementing the Directive. It is submitted by the defendant that the Directive limits the obligation to provide for an entitlement to compensation for the data controller to damage suffered by a person who can prove that they have, in fact, suffered damage arising from a breach of their rights pursuant to the legislation. I accept that submission. It is also the case that s. 7 in the Irish legislation does not, on the face of it, provide for compensation for strict liability or for the automatic payment of compensation but limits compensation to the existence of a duty of care within the law of torts. It is consistent with the general principles of the Irish law of torts that a person seeking compensation arising from a breach of statutory duty must establish that the loss or damage which they have sustained flowed from that breach unless the statutory duty involved is one of strict liability. The Directive does not provide for strict liability or the automatic payment of compensation nor does s. 7 of the Irish legislation so provide, either by its express terms or by reference to a duty of care within the law of torts.
3.7 Consideration of the legislation by which a number of Member States have incorporated the Directive into their national law demonstrates that those countries have proceeded on the basis that there is no need or requirement to go beyond providing for compensation on proof of damage (see the provisions of s. 69 of the Danish legislation on processing of personal data of 2000 and s.8 of the Federal Data Protection Act 2001 of Germany dealing with compensation by a private body which is limited to the harm caused and also s. 15 of the Italian Personal Data Protection Code of 2003 which deals with compensation for damage to another).
3.8 Insofar as it can be claimed that there is an ambiguity within the words of s. 7, that section is required to be interpreted in the light of Article 23 of the Directive and on that basis, and by reference to the terms of s. 7 itself, I am satisfied that s. 7 does not provide for either strict liability or the automatic payment of compensation but limits itself to providing for the existence of a duty of care within the law of torts. For that duty of care, in circumstances where it is a breach of statutory duty to extend to the payment of damages without proof of damage or loss, it would mean that strict liability applied. For that to arise, the section itself would have to have so provided.
4.1 As recognised by the plaintiff in the legal submissions submitted on his behalf, almost all Irish authority on statutory duty relates to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury. Occupational injury claims are often brought on the basis that there has been a breach of the Safety, Health and Welfare at Work Act of 2005 and the regulations made thereunder. That Act, like the Data Protection Acts, has its origin in obligations placed upon Ireland pursuant to a European Directive which provided for significant rights and protections to individual citizens. An individual claimant seeking to rely on a breach of the extensive statutory obligations pursuant to the Safety, Health and Welfare at Work Act 2005 and seeking compensation must establish that he or she has suffered damage flowing from the particular breach in respect of which complaint is made. In other words, the person seeking compensation arising from a breach of statutory duty under the Safety, Health and Welfare at Work Act 2005 must prove damage flowing from a breach and unless that is established, there is no entitlement to damages as the Act does not provide for a strict liability.
4.2 The provisions of s. 7 of the Data Protection Acts provides for an obligation on a data controller or a data processor to exercise a duty of care. A breach of that duty of care can result in the award of damages. However, the section does not provide for automatic damages for a breach of the Act and there is no reference or identification of any strict liability. The Act does deal with and expressly provides for sanctions or penalties for criminal liability (see s. 31). In addressing the requirement to implement the Directive and a need for liability under the Act, the legislature was addressing the requirement to provide for “any person who has suffered damage” and to provide for compensation “for the damage suffered”. The implementation by Ireland, in its legislation, could have gone further and Ireland as a Member State could have provided for greater protection than required under Directive 95/46 (see the case of Re Criminal Proceedings against Lindqvist  QB at para. 49, which identifies that nothing prevents a Member State from extending the scope of the national legislation implementing Directives). In Ireland the legislature determined to implement the Directive into Irish law by reference to a statutory duty of care obligation and not by reference to strict liability.
4.3 As a matter of construction, the statutory obligation which provides for a private remedy for breach of statutory duty under the Data Protection Acts was imposed, not as a strict liability, but as a duty of care obligation. If the statute provides a express means of enforcing a duty, that normally indicates that the statutory right was intended to be enforceable by that means. The entitlement to damages and the scope of such damages is dependent upon a true interpretation of the relevant statutory provision. In this case, where it is clear that there is no strict liability and that liability and the entitlement to compensation is predicated upon and dependent upon a claimant establishing a breach of a statutory duty of care, it necessarily follows that a claimant must establish that the breach has caused the claimant damage if that claimant is to be entitled to damages. In this instance, the entitlement is not to damages for breach of duty, but compensation for breach of duty. Compensation is intended to place an individual in the position which that individual would have been apart from the wrong done. In general, an entitlement to damages for distress, damage to reputation or upset, are not recoverable save where extreme distress results in actual damage, such as a recognisable psychiatric injury.
4.4 Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage. Such requirement is demonstrated in the judgment of Clark J. in Larkin v. Dublin City Council  1 I.R. 391 where Clark J. held, in dismissing the plaintiff’s claim, that the defendant had breached its duty to ensure that the results of assessments for appointment to a post were not presented to the candidates until their accuracy had been checked, but that despite that breach by the defendant, the plaintiff had not established that he had suffered from any recognisable psychiatric illness and was therefore excluded from the recovery of damages for public policy reasons. A person seeking compensation arising from a breach of statutory duty under an Act must establish that the loss or damage that such person has suffered flowed from the breach, unless the statutory duty involved is one of strict liability. Here, the statute does not provide for strict liability and for me to interpret s. 7 of the Data Protection Acts as enabling a claimant to benefit from an award of damages for non-pecuniary loss, would be for me to expand the scope of s. 7 beyond that provided for in the Act or required by the Directive. The Directive in issue in this case requires for there to be compensation for damage suffered and s. 7 does not extend beyond that obligation. Section 7 provides an obligation of duty of care and allows for a remedy under the law of torts and the law of torts generally provides for compensation to be based upon certain criteria which includes the proof of damage.
5.1 The defendant sought to rely on various English decisions concerning the U.K.’s legislation implementing the Directive, namely, the Data Protection Act 1998. However, consideration of the provisions of that Act and, in particular, s. 13(2) dealing with compensation which allows for compensation to an individual “. . . who suffers distress by reason of any contravention”. The U.K. Act goes beyond the requirements in the Directive and expressly provides for compensation for distress. The Irish legislation does not. In those circumstances, I have decided this case without regard to the English authorities as the statutory approach to damages is different.
6.1 In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant. While certain limited evidence was led by the plaintiff in relation to the consequences of delay, no evidence was led to prove such damage or to establish that any damage flowed from the admitted breach of statutory duty on the part of the defendant. In those circumstances, the plaintiff in this case is not entitled to any damages as he has failed to establish that he has suffered any loss or damage within the scope of s. 7 of the Data Protection Acts. The statutory position in Ireland is that no matter how blatant the breach that the person the subject of the breach can only receive damages on proof of loss or damage caused by the breach.
7.1 Whilst I am satisfied that the plaintiff is not entitled to an award of damages, and that therefore the Circuit Court order should be vacated, the Court will have regard to both the manner in which the defendant company conducted itself in relation to the investigations carried out by the Data Protection Commissioner, and also to the fact that the issue as to the limitation of the nature of damages under s. 7, which has resulted in the defendant succeeding in this appeal, was not argued in the Circuit Court when addressing the question of costs.