Dillon v Irish Life: Irish Supreme Court Clarifies Procedure for GDPR Distress Claims
August 2025On 24 June 2025, the Irish Supreme Court delivered its judgment in Dillon v Irish Life Assurance plc[1]. The appeal was taken directly from the High Court under the “leapfrog” procedure after the High Court upheld a decision of Dublin Circuit Court that a claim under Article 82 of the GDPR and Section 117 of the Data Protection Act 2018 (“the 2018 Act”) for distress, upset, and anxiety resulting from a personal data breach, when no psychiatric injury was alleged, was a “personal injury” claim within the meaning of the Civil Liability Act 1961 (“the 1961 Act”). On that basis, the High Court held that the claim required prior authorisation from the Personal Injuries Resolution Board under the Personal Injuries Assessment Board Act 2003 (“the 2003 Act”).
The Supreme Court disagreed with both lower courts, holding that where a claimant seeks damages for distress, upset and anxiety caused by a personal data breach but does not allege psychiatric injury, the claim is not one of personal injury within the meaning of the 1961 Act. Accordingly, claims for non-material damage under Art. 82 of the GDPR do not require Injuries Board authorisation, except where a psychiatric injury is alleged.
Background
Art. 82 of the GDPR creates a right to compensation for both material and non-material damage caused by a breach of a data subject’s GDPR rights. This provision was implemented in Ireland by s. 117 of the 2018 Act, which provides that a “data protection action” is an action in tort which could originally only be brought in the Circuit Court or High Court (but can now also be brought in the District Court).
From the outset, courts differed on whether distress without psychiatric injury would constitute a personal injury under the meaning of the 1961 Act. This was an important question. Under the 2003 Act, the Injuries Board’s remit extends to any claims for psychiatric injury within the meaning of the 1961 Act, namely “any impairment of a person’s…mental condition”. S. 11 of the 2003 Act also required that a valid application to the Injuries Board be accompanied by a medical report. Absent any Injuries Board authorisation before issuing court proceedings, claims for distress or anxiety following a GDPR breach would potentially be invalid.
The position was complicated by the fact that prior to the commencement of the Personal Injuries Resolution Board Act 2022 (“the 2022 Act”), PIAB, the predecessor to the Injuries Board, was obliged to accept applications for purely psychological injury claims but had no statutory power to assess them. PIAB therefore simply issued an authorisation for the claimant to go to court. The 2022 Act removed this anomaly, requiring the Injuries Board to attempt to assess psychological injury claims in the same way as other personal injury claims.
As neither the 2018 Act nor the 2022 Act clarified whether distress-only GDPR claims required Injuries Board authorisation, there was a significant gap. This uncertainty was compounded by the fact that Irish courts have traditionally been very cautious around awarding damages for non-material damage claims.
The concept of non-material damage is nebulous, covering emotional harm such as distress, anxiety, reputational harm or loss of control over personal data, and is as such distinguishable from material damage such as quantifiable economic loss. In Murray v Budds[2], a professional negligence action, the Supreme Court upheld a decision of the Court of Appeal that (i) “worry and stress” without psychiatric illness does not give rise to recoverable damages in tort, and (ii) claims for “worry and stress” were personal injury claims and such damages were not recoverable in negligence without a pleaded recognisable psychiatric injury.
In 2023, the Court of Justice of the European Union (CJEU) delivered an important decision regarding non-material damage claims under the GDPR in UI v Österreichische Post AG[3] (“the Austrian Post decision”). The CJEU held that whilst proof of damage was required (i.e., a GDPR breach alone was not sufficient and actual damage must be shown), there was no seriousness threshold, and even short-lived or minor emotional harm could be compensable under Art. 82 GDPR.
Facts in Dillon and High Court Decision
It was against this backdrop that Dillon v Irish Life Assurance plc arose. Mr Dillon initially issued proceedings in Dublin Circuit Court after Irish Life mistakenly sent six letters containing his personal and financial data to a third party between 2008 and 2020. Mr Dillon claimed damages for distress, upset, anxiety, inconvenience, loss and damage, without alleging psychiatric injury and without obtaining Injuries Board authorisation or a medical report. Irish Life argued that the effects complained of by Mr Dillon amounted to an “impairment of mental condition” under the 1961 Act, requiring Injuries Board authorisation. The Circuit Court agreed and struck out his claim.
Mr Dillon appealed the Circuit Court’s decision to the High Court. The appeal was heard by Mr Justice O’Donnell. In a judgment[4], which was delivered following the Austrian Post decision, Mr Justice O’Donnell upheld the decision of the Circuit Court, finding that the Supreme Court had no apparent difficulty in Murray v Budds in treating claims for worry and stress as amounting to a form of claim for personal injuries. Accordingly, Mr Dillon’s claim for distress, upset, anxiety and inconvenience arising from the data breaches required an authorisation from Injuries Board, particularly given that the Act of 1961 was explicit as it plainly said “any impairment [of] mental condition” would constitute an action in personal injuries.
Mr Justice O’Donnell noted that whilst it may be cumbersome to require a claimant to make an application to the Injuries Board, particularly where it is likely that the board would grant an authorisation for such actions anyway, the requirement simply operated as what he termed a “procedural filter” for certain categories of cases and it did not prevent a party bringing a claim for non-material damage, and as such aligned with the Austrian Post decision.
The Supreme Court Decision
The Supreme Court disagreed with the High Court and Circuit Court. In a judgment[5] drafted by Mr Justice Murray, it was held that an “impairment of mind” in the 1961 Act referred to a diagnosable condition more than fleeting in nature, affecting functional capacity and normally requiring medical or psychological treatment or diagnosis. The Supreme Court held that extending the definition to mere distress or upset would blur doctrinal boundaries.
The Supreme Court distinguished its ruling in Dillon from its previous decision Murray v Budds, noting it did not decide whether “worry and stress” met the statutory definition but rather dealt with how such claims were pleaded and recoverability in negligence. The Court also disagreed with the procedural filter argument of Mr Justice O’Donnell, holding that a requirement to obtain Injuries Board authorisation for distress-only GDPR claims would make exercising such rights excessively difficult and breach the principles of the Austrian Post decision.
This conclusion meant that Mr Dillon’s claim, being solely for distress, upset, anxiety and inconvenience and lacking any pleaded psychiatric injury, was not a personal injury action within the meaning of the 1961 Act. The Supreme Court therefore allowed the appeal and held that no Injuries Board authorisation was required. However, the judgment emphasised that claims of distress or upset will generally attract only “very, very modest awards”.
Analysis and Implications for Insurers
The Supreme Court’s decision in Dillon removes a major procedural hurdle for distress-only GDPR claims by confirming they are not personal injury actions, and that claimants do not require Injuries Board authorisation to bring such claims.
Had the Supreme Court upheld the High Court’s decision, every non-material damage claim for upset or anxiety for a GDPR breach would have required an application to the Injuries Board supported by a medical report. Were the Injuries Board then minded to assess those claims, an independent medical report would invariably follow. Such reports are evidence where they go before a court. If a claimant’s doctor records a diagnosis such as “anxiety” and the independent doctor appointed by the Injuries Board concurred, a court would be bound to treat that as an established fact, increasing the potential award. This fact, combined with rising medicolegal report costs in recent years in personal injury litigation – costs that would ultimately have fallen on insurers –could have potentially created both higher claim values and higher procedural costs.
By removing the Injuries Board from the process, Dillon should make GDPR actions faster and cheaper to resolve. This effect is reinforced by the impact s. 77 of the Courts and Civil (Miscellaneous Provisions) Act 2023, which extended the District Court’s jurisdiction to hear data protection actions since January 2024. This shift means lower awards and litigation costs than when such claims were required to be brought in either the Circuit Court or High Court only.
The main downside for insurers will be volume. The lower procedural and evidential threshold will increase the likelihood of a higher number of claims, especially following significant data breaches. While individual awards will be modest, the aggregate exposure could be significant in large data breach scenarios. A further area of potential exposure in this regard is the impact of the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023, which allows qualified entities to bring representative actions (i.e., class actions) for the first time in Irish law, including for GDPR breaches. If large groups of consumers can prove distress or upset, even with small per-claim awards, total liability could be significant.
Summary:
- The Irish Supreme Court has ruled that distress-only GDPR claims (no psychiatric injury) are not “personal injury” actions under the Civil Liability Act 1961.
- No Injuries Board authorisation is required for such claims; only claims alleging psychiatric injury must go through that process.
- The decision removes a procedural barrier, making GDPR distress claims quicker and cheaper to bring to court.
- In line with CJEU decision in UI v Österreichische Post AG, even short-lived or minor distress can be compensable, increasing potential exposure in representative or mass-claim actions.
- The Supreme Court notes that awards for pure distress are likely to be very, very modest, but lower thresholds may drive higher claim volumes, especially after large data breaches.
[2] [2017] 2 IR 178
[3] Case C-300/21 (ECLI:EU:C:2023:370)
[4] [2024] IEHC 203
[5] [2025] IESC 37
Download PDF
