Privacy Daily is a service of Warren Communications News.
'Very Modest'

EU Generally Awards Little for Data Breach Damages, Privacy Lawyers Say

Europeans seeking compensation for non-material damages such as emotional stress arising from data breaches shouldn't generally expect large sums, according to attorneys from William Fry and Austrian lawyer and privacy advocate Max Schrems.

In a July 24 decision, the Irish Supreme Court clarified the issue of non-material damages under General Data Protection Regulation (GDPR) Article 82, the William Fry attorneys noted in an Aug. 5 blog. The issue was whether someone who claims non-material damages from a data breach needs authorization from Ireland's personal injuries resolution board, formerly called the personal injuries assessment board and still known as PIAB.

The plaintiff in the case, Dillon v. Irish Life Assurance ([2025] IESC 37), made a non-material damage claim under the GDPR, alleging that Irish Life had wrongfully disclosed his personal data by sending letters containing his personal and financial information to an unauthorized third party between 2008 and 2020, the William Fry lawyers said. He sought damages for distress, upset and inconvenience but didn't allege psychiatric injury or seek authorization from the PIAB.

The Circuit Court and High Court tossed the case for being frivolous, vexatious or bound to fail. Both courts said the claim was a personal injuries action requiring PIAB authorization.

The Supreme Court overturned the lower courts. It held that emotional distress without a diagnosed psychiatric injury isn't a personal injury under the PIAB Act, the attorneys wrote. They said that since the plaintiff's claim sought damages for distress, upset and anxiety, falling short of a recognized psychiatric disorder within the PIAB Act, authorization wasn't needed.

The Supreme Court also said non-material damage such as emotional distress can be compensated under the GDPR but doesn't automatically qualify as a personal injury under Irish law. In such cases, the court said, plaintiffs can't expect anything other than "very, very modest awards."

The judgment "provides much-needed clarity" for data subjects, insurers and organizations as personal data controllers, the lawyers wrote. Among other things, they said the ruling "assures data controllers that minor mental distress claims will not attract significant compensation."

The lead EU case on non-material damages from data breaches was a December 2023 European Court of Justice (ECJ) case from Bulgaria, Natsionalna agentsia za prihodite (Case C-340/21), Schrems emailed us.

There, the EU high court ruled that Article 82 of the GDPR must be interpreted as meaning that fear experienced by a data subject with regard to a possible misuse of their personal data by third parties as a result of an infringement can, in itself, constitute non-material damage.

Claims like these under the GDPR tend to result in payments of about 100-1,000 euros ($116-$1,161) per person, Schrems noted. He stressed that his organization, Noyb, doesn't handle data breach litigation but focuses on willful data violations by companies.

Since tort law is national law, exact amounts may differ among EU countries, Schrems said. Common-law jurisdictions traditionally have very high tort payments, "continental jurisdictions not so much."

There has been only one case so far in which the exact amount of compensation was disputed at the EU level, Schrems said. In January, the ECJ's General Court ordered the European Commission to pay 400 euros to a German visitor to one of its websites because the site unlawfully transferred his personal data to the U.S. (Case T-354/22/Bindl v. Commission) (see 2501080001).

In the EU, mere "loss of control" of one's data is enough to form the basis for a monetary claim, Schrems said. There's no need to prove secondary harm such as spam or phishing. Secondary harm is also recoverable but would be an additional claim for material damages, he added.