Irish Commercial Court holds company director personally liable for GDPR breach

In a recent judgment of the Irish Commercial Court in Nolan & Ors v Dildar & Ors [2024] IEHC 4, Mr Justice McDonald held a director of a company personally liable for breaches of the Data Protection Acts 1998 and 2003 (the Acts). The judgment, which is summarised below, should act as a stark reminder to company directors and insurers of the court's willingness to lift the corporate veil to hold individuals personally liable. 

Background

The proceedings related to a dispute regarding the alleged misappropriation of a €6.9 million fund by a company based in the United Arab Emirates. The plaintiffs claimed that a pensions advisor, Mr Millet, misused the plaintiffs' personal data through the provision of their names, dates of birth, home addresses, PPS numbers and copies of their passports, to a company in the Isle of Man, without their consent. The information was furnished in a letter using the headed paper of a company for which Mr Millet was a director. Mr Millet admitted he had disclosed the personal information without the plaintiffs' consent.

Basis of the court's decision 

As the breaches took place in 2013, before the introduction of the General Data Protection Regulation (GDPR), the relevant legislation for the purpose of determining liability was the Acts. The court found that Mr Millet's disclosure fell within the statutory meaning of "unauthorised disclosure of personal data" under the Data Protection Acts. The paragraph of the judgment which best captures the findings of the court is as follows:-

"…although this was done under cover of a letter written on the headed paper of the eighth defendant, Mr Millet as the human author of the letter cannot escape liability for the unauthorised disclosure. It is well settled that, where a company director procures the commission of a tort, the director will incur personal liability."

Despite the court acknowledging that there was no evidence that the disclosure of data had any adverse consequences for the plaintiffs and therefore no evidence of actual damage suffered by any of the plaintiffs, the court awarded €500 to each of the six plaintiffs.

The decision

The significance of this decision is two-fold:

1.         Directors can be held personally liable for company infringements of data protection legislation.

Although the letter enclosing the plaintiffs' personal data was on the company's headed paper, Mr Millet was nonetheless found to be personally liable for breaches of the Data Protection Acts.

2.         The decision provides guidance on the level of damages that will be awarded to plaintiffs who have had their data protection rights infringed.

The court awarded nominal damages of €500 to each plaintiff to "…mark the fact that their rights had been infringed". This decision is in contrast to the decision in Collins v FBD Insurance PLC [2013] IEHC 137 where the Irish High Court found that in order for a reward to be given under the Acts the Plaintiff must prove that a duty of care was owed and that the breach resulted in actual damage to them.

The award in Nolan can be contrasted against the award of €2,000 granted to the plaintiff in the decision of Kaminski v Ballymaguire Foods Limited [2023]  IECC 5 in circumstances where CCTV footage of an employee was used to demonstrate poor work practices to other employees, which the court held ran contrary to the original intended purpose for the CCTV footage.

Conclusion

Directors, companies and their insurers should take note of the willingness of the courts to lift the corporate veil to find directors personally liable, in circumstances such as those presented in the above decision. The decision is particularly relevant in light of the introduction of the Central Bank (Individual Accountability Framework) Act 2023 (IAF) and Senior Executive Accountability Regime (SEAR), which we discussed in a recent article about the Central Bank (Individual Accountability Framework) Act 2023. 

For more information or advice regarding Data Protection and GDPR please contact a member of our Dispute Resolution team via their contact details below. 

About Ogier

Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.

Disclaimer

This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.

Regulatory information can be found under Legal Notice