In a recent judgment of the Commercial Court, the Court held that a director of a company which was responsible for breaches of the Data Protection Acts was personally liable for those breaches.
Although the judgment in Nolan & Ors v Dildar & Ors [2024] IEHC 4 primarily addresses the scope of data controllers' liability to data subjects for infringement of their rights (previously discussed here), it also highlights the personal responsibility company directors have in respect of data breaches.
Background
The matter relates to proceedings brought by the trustees of a family pension fund in relation to allegations that approximately €7m of fund property had been misappropriated by a company in the UAE. In the course of the proceedings, the plaintiffs claimed that one of the defendants, John Millett, a specialist pensions provider operating through a limited liability company, John Millett Independent Financial Advisors Limited (of which he was a director and shareholder) had provided the plaintiffs' personal data to a fund service provider in the Isle of Man. The plaintiffs alleged that Mr Millet had provided their personal data (their names, dates of birth, home addresses, PPS numbers, and copies of passports) without their consent and in order to obscure the involvement of other people in the fund.
In circumstances where the data breaches took place in 2013 (prior to the enactment of the GDPR and the Data Protection Act 2018) the Court was satisfied that the disclosure fell within the statutory meaning of “unauthorised disclosure of personal data” under the Data Protection Acts 1988 and 2003.
Although the letter to the Isle of Man fund had been signed by Mr Millett on the headed paper of his company, the Court concluded that "as the human author of the letter", Mr Millett could not escape liability for the unauthorised disclosure. The Court further noted that it is "well settled that, where a company director procures the commission of a tort, the director will incur personal liability".
Conclusion
Although the total award of damages in respect of the data breach in this case was relatively minor (€3,000) in light of the de minimis nature of the data protection infringements, it serves as a welcome reminder to company directors that they may be held personally liable for data breaches that take place in the course of carrying out the company's business.
