The recent significant Circuit Court decision in the case of Gary Cunniam v Parcel Connect Ltd t/a Fastway Couriers Ireland & Others now provides useful guidance on the view of the Irish Courts in matters related to data breach claims. Importantly, the judgment will have a tangible impact on data breach claims which are pending or contemplated. We examine the key points of the judgment and what it means for the defence of data breach claims in Ireland.
Background of the claim
The plaintiff’s claim in Cunniam relates to a cyber-attack on the operations of Fastway Couriers in February 2021, in which delivery information relating to approximately 450,000 people was hacked, and was one of a number of claims brought against Fastway Couriers. The claims brought by the plaintiff were for non-material damage only and no defence had been delivered by the three defendant entities, together trading as Fastway Couriers.
The defendants sought a stay of the plaintiff’s proceedings pending the outcome of six preliminary references made to the Court of Justice of the European Union (CJEU). The references cited relate to questions from national courts concerning the application of liability in cases involving a hacking incident or cyber-attack, and the appropriate test for non-material damage. The first of these preliminary references which is likely to be determined is Case C-300/21 – UI v Österreichische Post AG. This is expected to give clarity to the issue of non-material damages in data breach claims under the GDPR.
Argument for staying the proceedings
The defendants argued that if the proceedings were not stayed, the prejudice that they would suffer would outweigh any prejudice that would be suffered by the plaintiff. Accordingly, Fastway advanced the following arguments:
- If the CJEU adopts the AG’s opinion in UI v Österreichische Post AG, the plaintiff will, potentially, not be entitled to any damages at all
- Even if the plaintiff was successful in his claim, the damages awarded are likely to be low relative to the jurisdiction of the Circuit Court
- If the proceedings continue until they are ready to go for trial, the costs incurred will be far in excess of any award of damages
- From a practical point of view, in the absence of clarity from the CJEU it is not possible for a defendant to make any proper assessment of the value of a claim and, therefore, they cannot avail of the costs protection of a lodgement
The plaintiff contested the application to stay the proceedings. He contended that if a stay was to be granted, it should only be done at notice of trial stage, if the CJEU decisions had not been delivered at that time. It was also argued that the cases could be progressed by way of case management or by the identification of one “pathfinder case”.
Judge O’Connor appeared to accept the defendants’ arguments on prejudice. He noted that if a stay was granted at replies to particulars stage, there would be very little prejudice to the plaintiff. However, if it was not granted until notice of trial stage, there would be significant costs implications for Fastway.
Also of significance is the fact that the judgment notes that even taking the plaintiff’s claim at its highest level, that damages are likely to be small. In the absence of other judicial guidance in Ireland on the treatment of non-material damage claims, that this is stated in a written judgment is notable. In addition, the judgment suggests that the Irish courts agree with the UK approach, as outlined in Rolfe and discussed in our prior article on this topic, that for a non-material damage claim to succeed, there ought to be a de miminis threshold of damage.
On foot of the analysis of the plaintiff’s claim, the arguments made in favour of the stay, and the EU law principles concerning the duty of sincere co-operation placed on national courts, Judge O’Connor granted the stay of the proceedings. In ordering the stay, Judge O’Connor referenced the need to prevent multiple conflicting judgments on the interpretation of the GDPR in the absence of any level of clarity from the CJEU. A stay was applied to the proceedings until all of the six preliminary references were determined by the CJEU.
The judgment in Cunniam is a significant one for data breach claims under the GDPR. Although stays will have to be sought on an individual case-by-case basis and the judgment does not operate as an automatic stay on other similar cases, the judgment is a significant authority which defendants will be able to leverage when seeking a stay in their proceedings. The judgment will also give prospective plaintiffs serious food for thought before commencing claims, in circumstances where a defendant will have strong grounds to halt the proceedings as soon as they are commenced.
It may be that the decision will be subject of an appeal to the High Court. The possibility of an appeal is increased in light of the far-reaching implications for plaintiff data breach claims. However, until any appeal is determined, or the CJEU determinations are delivered, the judgment will serve as an important insight into how these claims are viewed by the Irish courts and a useful tool in defending data breach claims under GDPR.
For more information on successfully defending similar claims, contact a member of our Dispute Resolution or Privacy & Data Security teams.
Rolfe v Veale Wasbrough Vizards LLP  EWHC 2809 (QB)
  IECC 1