HSE data breach fallout: a new era of collective lawsuits arising from GDPR breaches?

In figures released by RTE News this week it was revealed that the Health Service Executive (HSE) is facing 473 data-protection lawsuits, as a result of the 2021 cyber attack where HSE patients' personal data was illegally accessed (the HSE Proceedings).

RTE News also revealed that 140 pre-action letters have been issued in the HSE Proceedings. It is reported that the State Claims Agency is handling 12 personal injury claims taken against the HSE, linked to the cyberattack, with lawsuits in respect of 11 of these. The total number of people affected by the attack was 90,936, and 1,445 people requested follow up information under Data Subject Access Requests. The personal injury claims are reportedly for alleged psychological damage resulting from the data breach.

Involvement of the CJEU

A large number of cases relating to compensation for material and non-material damage suffered due to a breach of the General Data Protection Regulation (“GDPR”) are currently before the Courts of Justice of the European Union (CJEU), the outcome of which will impact the decisions to be taken by the Irish Courts, as reported by RTE. It is also reported that a stay has been sought and/or agreed in the HSE Proceedings pending the outcome of those CJEU decisions, however the likelihood of a stay being granted is unclear.  

Non-material loss under GDPR

The judgment of the Court of Justice of the European Union (CJEU), in UI v Österreichische Post AG – Case C – 300/21 provided some clarity in relation to awards for non-material losses resulting from breaches of GDPR.

In the Österreichische case, the AG Advocate General (the AG) delivered his opinion and found, in summary, that: (i) GDPR infringements do not in and of themselves warrant compensation and (ii) non-material damages should meet a minimum “threshold of seriousness”. This signalled initial good news that non-material would not be recoverable. However the CJEU's subsequent decision did not adopt the same position. It held that while a mere violation of GDPR does not confer a right to compensation, non-material damage is nonetheless recoverable, introducing considerable risk for organisations / Data Controllers.

The Irish courts subsequently delivered the first written judgment awarding damages for non-material loss in the judgment of O'Connor J. in Kaminski v Ballymaguire Foods [2023] IECC 5 in which the applicant was awarded €2,000 in compensation. The quantum of damages awarded in the Kaminski decision indicates that claims for non-material damage under the GDPR should proceed before the District Court.

Class action lawsuits – the position in Ireland

Currently, the only means by which it is possible to bring a class-action-type lawsuit in Ireland is via a representative action for the protection of the collective interests of consumers pursuant to the Representative Action Directive (EU Directive 2020/1828). This was given legislative footing in Ireland by the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (the Act) in July 2023.

The Act was recently commenced and came into force on 30 April 2024, introducing the powers for an organisation to make an application to the Minister for Enterprise, Trade and Employment to be  designated a "Qualified Entity"(QE). Designation as a QE will enable that organisation to take domestic representative actions or cross-border representative actions on behalf of consumer collectives. These actions can challenge infringements across a comprehensive range of EU consumer protection regulations, spanning areas from financial services to data protection and telecommunications.

A QE must meet certain criteria set out in s.8 the Act, including:

• it is a legal person and can demonstrate in the application 12 months of actual public activity in the protection of consumer interests prior to the application
• its main purpose is one that demonstrates that it has a legitimate interest in protecting consumer interests provided for in a relevant enactment
• it has a non-profit-making character
• it is not the subject of insolvency proceedings and has not been declared insolvent
• it is independent and is not influenced by persons other than consumers, in particular by traders, who have an economic interest in the bringing of any representative action, including in the event of funding by third parties, and, to that end, it has established procedures to prevent such influence as well as to prevent conflicts of interest between itself, its funding providers and the interests of consumers and
• it makes publicly available in plain and intelligible language by any appropriate means, in particular on its website, information that demonstrates that it complies with the matters referred to in paragraphs (a) to (e) of s.8 of the Act and information about the sources of its funding in general, its organisational, management and membership structure, its statutory purpose (if any) and its activities.

It remains to be seen whether the litigants in the HSE Proceedings may be represented by a QE. This will be governed by whether the multiple cases were brought pre or post the enactment of the Act. If proceedings are brought through a QE, this would be relatively unchartered waters for the Irish Courts.  Nonetheless, given the increased instances of cyber-attacks and the risk of resulting breaches of the GDPR, the spectre of class-action-type, data breach claims looms large going forward.

Whether it will be permissible for a QE to bring actions such as those brought in the HSE Proceedings, also remains to be seen and will be dependent on whether they fall within the scope of actions captured by the Act and EU Directive 2020/1828.

Conclusion

For present purposes, we await developments in the HSE Proceedings and we are closely monitoring whether any QE will represent any of the applicants, although this is unlikely given we anticipate most of the HSE Proceedings were issued prior to the commencement of the Act. Insurers and underwriters in particular, should monitor developments closely, in terms of the increased risk of class-action-type lawsuits and the impact on its reserving

If you have any queries concerning GDPR and Data Protection in Ireland, please contact any of our team via their contact details below. 

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice