Irish Life Assurance – Court Ruling (Ireland, 2025)

The data subject took out a life insurance policy with the controller, an insurance company. Between 2008 and 2020, a few letters containing the data subject’s personal and financial data were mistakenly sent to a third party. In June 2021, the data subject took proceedings to the court of first instance (Circuit Court) claiming that the controller acted negligently and in breach of duty, causing the data subject “distress, upset, anxiety, inconvenience, loss and damage”. The data subject sought a declaration that that the controller violated the GDPR, implemented by Data Protection Act 2018, and the Data Protection Acts of 1988 and 2003, and further sought damages for negligence and breach of duty. However, the court of first instance dismissed the case on the grounds that the data subject had not obtained authorisation from the Personal Injuries Assessment Board (PIAB), an independent body which was set up to make personal injuries claims faster and cheaper. (In most personal injury claims in Ireland, it is required to obtain an authorisation from the PIAB, before taking a claim to court.) The data subject appealed the decision before the court of appeal (High Court), limiting his claim to data breaches that allegedly occurred after the implementation of the GDPR in 2018. He also contended that his claim was not an action for personal injuries as that term is used in the [https://www.irishstatutebook.ie/eli/2003/act/46/section/12/enacted/en/html section 12 of the Personal Injury Assessment Board Act 2003] (the 2003 Act). Instead, it was a claim for non-material damages under the GDPR. The High Court upheld the Circuit court's decision that the PIAB authorisation should have been obtained first and ruled that the action should be dismissed. However, the data subject was granted leave to appeal to the Supreme Court regarding the question of whether a claim for damages for “distress, upset and anxiety” arising from an alleged data breach, falls within the statut