Civil Measures
Data Protection Commission Case Studies
Dairygold – Failure to comply in full with an Access Request
In June 2006, I received a complaint from a firm of solicitors acting on behalf of a client regarding alleged non-compliance with a subject access request. The data subject had made an access request to her employer, Dairygold Co-Operative Society Limited/ REOX, in March 2006 but it had not been complied with within the statutory forty day period.
My Office wrote to the data controller and we subsequently received a reply to the effect that the material sought in the access request had now been supplied. However, following examination of the documents received, the solicitor for the data subject communicated further with my Office and identified certain documents omitted by the data controller. Particular reference was made to documents in relation to a workplace accident in which the data subject was involved in October 2004. My Office contacted Dairygold/Reox seeking an explanation for the missing documents. While it responded by providing observations on a number of the missing documents, it also stated that it was obtaining legal advice regarding the release of the documents relating to the workplace accident.
After the exchange of detailed correspondence between my Office, Dairygold/Reox and its legal representatives, an index of all of the personal information which had been released was provided to my Office. In relation to the documents concerning the workplace accident, the solicitors for the data controller confirmed that their client was in possession of both an Internal Accident Report and a Consulting Engineer’s Report. It stated that both documents were prepared in contemplation of a personal injury claim and were therefore privileged.
To satisfy ourselves that there was a sound basis for the legal privilege claim in relation to these documents, my Office sought information from the data controller regarding the dates on which the two reports were created. It was confirmed that the Internal Accident Report Form was created in the days immediately following the workplace accident and the Consulting Engineers Report was created some nineteen months later in May 2006. My Office pointed out to the data controller’s solicitor that the claim of legal privilege related only to communications between a client and his professional legal advisers or between those advisers and that this provision could not be applied to the internal accident report created shortly after the incident. In light of the information available to my Office, we accepted that the claim of legal privilege could be applied to the Consulting Engineer’s Report. The data controller continued, however, to claim legal privilege on both documents. In an attempt to bring closure to this matter, my Office requested a confidential sighting of the Internal Accident Report. Regrettably, the data controller refused to comply with this request and I had no option but to serve an Information Notice requiring that a copy of the Internal Accident Report be furnished to me. The Internal Accident Report was supplied to me in response to the Information Notice. On examining the Report I was satisfied that it contained personal data of the data subject and I was further satisfied that the limited exemptions to the right of access set down in the Acts did not apply to this document. The document also contained some limited personal data of third parties and non personal information which we advised the data controller to redact with the balance to be released voluntarily to the data subject. The Report was subsequently released in accordance with our advice.
There is a tendency for data controllers in some cases to claim non-relevant exemptions under Sections 4 or 5 of the Acts to restrict the right of access. With increased frequency, accident reports in relation to workplace incidents are being withheld with data controllers claiming legal privilege on such reports. I do not accept that legal privilege applies to such reports. It is standard procedure for an accident report to be compiled by an employer in the aftermath of a workplace accident and such reports clearly do not fall into the category of personal data in respect of which a claim of legal privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. Any data controller who is reported to me as having restricted a data subject’s right of access to reports of this nature will face an investigation by my Office involving a close scrutiny of the grounds for applying the restriction. I will have no hesitation in using my full enforcement powers to ensure the rights of the data subject are upheld in relation to such cases.
Opera Telecom: Forced to delete database
I received a complaint from an individual regarding the receipt of an unsolicited text message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service.
When my Office investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages.
In October 2005 Opera Telecom sent a direct marketing text message to the complainant. Regulation 13 of Statutory Instrument 535 of 2003 refers to unsolicited communications, making it an offence in certain circumstances to send direct marketing messages. The message the complainant received was contrary to this Regulation. It also contravened Section 2 of the Data Protection Acts as the personal data in question had not been obtained and processed fairly and was further processed in a manner which was incompatible with the purpose forwhich it was originally collected.
During our investigation, my Office discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. My Office recognised the potential risk of all of these people being subjected to direct marketing in the same way as the complainant had been. Conscious of this risk, I initially requested in a letter to Opera Telecom that they delete the related Database. When it did not comply with this request, I used my powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. An Enforcement Notice is a legal document and it is an offence not to comply with this. Opera Telecom complied with the Enforcement Notice and deleted the database.
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
By continuing to use this website, you consent to the use of cookies in accordance with our Cookie Policy.HIDE THIS NOTICE
Data Protection Commissioner Data Protection Commissioner
Ashbury Taverns: Failure to comply with an access request
My Office received a complaint regarding alleged non-compliance with an access request. This complaint was made by a legal representative on behalf of a data subject formerly employed by Ashbury Taverns of Wexford.
As the access request had not been complied with within the 40 day period, my Office wrote to the data controller. When no response was received, my Office also attempted to make contact on numerous occasions by telephone and by registered post.
As my Office had attempted to investigate this complaint and had been stymied by the failure of the data controller to respond, I decided to issue an Enforcement Notice to Ashbury Taverns. The Enforcement Notice required the data controller to comply with the access request within a period of twenty-one days. During that period, my Office received its first correspondence from Ashbury Taverns by way of a letter from its solicitors. My Office was informed that the access request had not been complied with by Ashbury Taverns because it had likely confused its obligations under the data protection legislation with claims made under employment legislation. The letter also stated that the access request had now been complied with. Upon follow-up communication with the legal representative of the data subject, it was confirmed to my Office that the personal data sought in the access request had been provided.
Political database and a charity request, “spamming” of constituents and non co-operation from a County Councillor
During the year, I received two complaints concerning matters relating to political activity which raised important Data Protection issues.
The first related to a political party. It was alleged by the complainant, a member of this party, that another local member of the party who was also a member of a charitable organisation had sent him a fund-raising letter on behalf of the charity which identified him as “an active member of our community within the party”. He maintained that his contact details were obtained from the party membership list held locally.
While the appeal for the charity was worthwhile nevertheless once a complaint was received I had to take the matter up with the party’s national headquarters. It responded promptly and acknowledged that the local member had used the local party database in sending out an appeal for funds for the charity. While the individual was well-intentioned, the headquarters accepted that the use of data in this way was a contravention of section 2 of the Data Protection Acts, 1988 and 2003 which provides that personal data
(i) ” shall have been obtained only for one or more specified , explicit and legitimate purposes”
and
(ii) “shall not be further processed in a manner incompatible with that purpose or those purposes.”
Data relating to membership of a political party is sensitive personal data within the meaning of the Acts and such data controllers are required to ensure that appropriate safeguards against disclosure are in place. This is especially important given the provision in section 2B(1)(ix) of the Acts which permits processing of sensitive data without individual consent “by political parties, or candidates for election to, or holders of, elective political office in the course of electoral activities for the purpose of compiling data on people’s political opinions?”. In the course of concluding this complaint, my Office advised the party on their obligations as a data controller, particularly in regard to informing members processing personal data of the requirements of Data Protection.
The second complaint which was received in late 2003 was about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had “harvested” email addresses from the address line of an email sent by a third party – who was also a County Councillor but of another party. (“Harvesting” refers to the addition to one’s own mailing list of any email address received on the “to” or “cc” line of the email). This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services (Data Protection) Regulations 2003) which provides for prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes.
I only name Mr. Rainey in my Report as he failed completely to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses “harvested” from another email had been deleted from his system and that no further details had been been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had “pestered” him.
It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law. In this case, I was concerned that a public representative failed to see the significance of a complaint that he was “spamming” his constituents and equally that a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially.
That said I am pleased to record that this was an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.
used the local political party database in sending out an appeal for funds for a charity. While the individual was well-intentioned it was accepted that the use of data in this way was a contravention of the Data Protection Acts.
a public representative failed to see the significance of a complaint that he was “spamming” his constituents and equally a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially – an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.
Legal firm – identification of source of personal data – lack of co-operation – issue of enforcement notice
This case study provides a useful example of a matter which could have been disposed of easily at the outset, but which was protracted due to lack of cooperation from a data controller – in this case a solicitor. The case also demonstrates that, where I consider that an important issue is at stake, I am prepared to have full recourse to my legal powers until I reach a satisfactory conclusion.
The complainant had been involved in a car collision. The complainant and the other party involved had exchanged phone numbers but not addresses. The complainant subsequently received a phone call from a solicitor, acting for the other party involved, seeking her car registration number and address. The complainant declined to provide these details, since she had understood the matter to have been informally resolved, and that no recourse to legal action had been contemplated. In any event, some weeks later the complainant received a letter at her home address from the solicitor. The complainant asked how the solicitor had obtained these details, but this information was not forthcoming. The complainant raised the matter with me, as she suspected that her personal details had not been ‘fairly obtained’ by the solicitor, as required under the Data Protection Act.
On raising the matter with the solicitor, she explained that her client had noted the registration number of the complainant’s car, and that the Motor Registration Bureau had used this information to supply the solicitor with the complainant’s address, in accordance with the provisions of the Road Traffic Acts. However, the complainant contested this assertion. , since the solicitor and the complainant had declined to supply this information. Why would the solicitor have requested the car registration number during their initial phone call, the complainant asked, if the solicitor’s client already had this information? The complainant argued forcefully that the solicitor must in fact have obtained the data from another source.
My Office put these points in writing to the solicitor, who declined to provide any further explanation, maintaining simply that the details had been obtained from the Motor Registration Bureau. I was not satisfied with the completeness or frankness of the solicitor’s response and so, after repeated refusals from the solicitor to furnish additional information, I decided to issue a formal Information Notice under section 12 of the Data Protection Act. An Information Notice obliges the recipient to “furnish such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions”. It is an offence not to comply fully with the information sought; and in general, I only resort to issuing such a Notice if I consider that necessary information will not be provided voluntarily.
In response to the Information Notice, the solicitor stated that the details were obtained from its client and the Motor Registration Bureau. My Office then wrote once more to the solicitor expressing dissatisfaction with her reply. My Office had established that the Motor Registration Bureau had not been contacted by the solicitor until five months after the incident, while the complainant’s home address was known to the solicitor within weeks of the incident. The solicitor was advised that, unless full particulars were forthcoming immediately, I would commence proceedings in accordance with section 30 of the Data Protection Act, 1988 for failure to comply with the Information Notice.
The solicitor responded with an explanation that the complainant’s address details had, in fact, been obtained from her client, and only subsequently confirmed by the Motor Registration Bureau. This belated explanation, had it been provided at the outset, would have obviated the need for the protracted and time-consuming investigation of this matter.
It concerns me that, in this case, a member of the legal profession was reluctant to provide the straightforward information which I considered necessary to bring the complaint to a conclusion. It took seventeen months and the full use of my statutory powers to get the information in question. I can ill afford the time my staff had to devote to ‘delaying tactics’ – but where I feel an important issue is at stake I am prepared to pursue matters fully to reach a satisfactory conclusion. From my general experiences with legal practitioners to date, I consider this to have been an isolated case and not representative of the legal profession in general. However, should a similar type case arise in future from any source, I will have no hesitation in publicly naming the party involved, and in vigorously pursuing proceedings for any offences under the Act.
Ex-directory phone number obtained by insurance broker – Information Notice used to establish circumstances
Two people complained to me, separately, that a particular firm of insurance brokers had obtained their ex-directory telephone numbers and used these to contact them to try to sell insurance products. They were surprised to be contacted at home, since they had taken the trouble to opt for ex-directory numbers, and they were indignant at what they saw as an aggressive invasion of their privacy. Both complainants speculated that the brokers had got their phone numbers in some illicit way, though neither offered any evidence for this.
I issued an Information Notice under section 12 of the Act to the brokers. In response to the Information Notice, the brokers stated that in the majority of cases they obtained the telephone numbers of prospective clients from the telephone directory, but in some cases they got them from referrals by existing clients (in other words, existing clients were encouraged to suggest other people who might be interested in the company’s products and services). However, the brokers indicated that they did not keep records as to who made such referrals and consequently they were unable to explain how they had come into possession of information relating to the complainants.
My decision was that in all the circumstances the investigation had not established that a contravention of the Act had taken place in these cases. In reaching this decision I took into account the fact that the data controller’s account of the events had been given to me by way of response to an Information Notice, and that section 12 provides that –
“A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice or who in purported compliance with such a requirement furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.”
However I told the brokers that they should in future retain a record of how details of prospective clients were obtained. They agreed to do so.
Cases
Collins -v- FBD Insurance Plc
[2013] IEHC 137 Judgment of Mr. Justice Feeney delivered on 14th day of March, 2013.
1.1 This is an appeal from a Circuit Court order of the 9th March, 2012 where the Court determined that Michael Collins, the plaintiff in the Circuit Court, was entitled to the sum of €15,000 damages and that he should recover that sum together with costs from the defendant. The defendant has appealed that order by notice of appeal dated the 15th March, 2012.
1.2 In the Circuit Court proceedings Michael Collins claimed a number of reliefs including damages for discrimination and harassment in breach of the Equal Status Acts 2000/2008, damages for negligence and breach of duty including statutory duty and damages for breach of contract. He also claimed damages pursuant to s. 7 of the Data Protection Acts 1988 and 2003 (“the Data Protection Acts”). The order of the Circuit Court did not identify the claim in respect of which the damages were awarded. However, both parties to the appeal proceeded on the basis that the only issues to be considered by the High Court was whether or not the plaintiff was entitled to damages pursuant to s. 7 of the Data Protection Acts and if so, the quantum of such damages. Both parties proceeded on the basis that the Circuit Court had determined that the defendant had breached the provisions of the Data Protection Acts and that the plaintiff in the Circuit Court action had been held entitled to general damages in the sum of €15,000 pursuant to the provisions of s. 7 of the Data Protection Acts and that no special damages or loss had been proved.
1.3 The case initially commenced before the High Court on the basis that the sole issue to be determined was whether as a matter of law the plaintiff respondent is entitled to compensation pursuant to s. 7 of the Data Protection Acts in the absence of evidence of actual loss or damage. When the case commenced it was envisaged by both parties that oral evidence would not be required and that the parties would seek the Court to rule on the issues of the entitlement to general damages under s. 7 of the Data Protection Actsand, if the plaintiff was so entitled, then to determine the quantum of damages. Following further consideration of the matter, the parties agreed and proceeded on the basis that oral evidence should be heard by the Court.
2.1 The factual matters which give rise to this claim commenced with the plaintiff insuring his van bearing registration number 08D 1065 with the defendant insurance company. The van which the plaintiff insured was for use by him in his business of painting and decorating. The insurance cover obtained extended to the loss of the vehicle or damage to it but the policy did not cover any other financial loss due to matters such as the temporary loss of the vehicle. The period of insurance provided for in the policy was for the twelve month period beginning the 31st May, 2008.
2.2 On the 27th September, 2008 the plaintiff’s van was stolen from outside of his home in Finglas following a break-in to his house and the theft and break-in were investigated by An Garda Síochána. Following the theft of his van, the plaintiff made a claim under his policy of insurance on the 2nd October, 2008. The claim was investigated on behalf of the defendant by a claims management company who concluded in a report from its investigator that there was clear evidence that the insurer’s house had been broken into whilst it was unoccupied and that a number of items had been stolen along with the insured’s van and that the claims management company had no reason to suspect that there was anything untoward. The report expressed the view that it was a case for settlement. Following receipt of that report, the defendant insurance company determined to have the plaintiff investigated by a private investigator. The private investigator reported to the insurance company. In the report the investigator stated that his inquiries at the local Garda station had indicated that the Gardaí considered the claim to be a genuine incident but the report went on to state that from other inquiries and information, the private investigator had established that the plaintiff was involved in an incident in Blanchardstown Shopping Centre where a van had been broken into and a strongbox in the rear of the vehicle had been forced open and items stolen and that the investigator had established from court records that it appeared that at Swords District Court on the 26th June, 2004, the plaintiff had been convicted under the Theft Act and had been sentenced to two months in prison. It should be noted that the factually correct position is that the plaintiff pleaded guilty to receiving the stolen goods which were removed from the vehicle that was broken into and that on a plea of guilty, the plaintiff received a three month sentence.
2.3 On the 10th November, 2008 the defendant insurance company wrote to the plaintiff and stated:
“We understand that you may have been convicted of a criminal offence. Please let us have full details of same in writing, together with an explanation as to why this material fact was not disclosed to us. If we do not hear from you within ten days from the date of this letter, we will proceed to cancel the above policy and treat the same as null and void.”
That letter of the 10th November, 2008 was written at a time when the insurance company did not have available to it the plaintiff’s proposal form. On the 19th November, 2008 the plaintiff wrote to the defendant seeking the plaintiff’s proposal form. The proposal form was unavailable to the defendant insurance company as of that date. On the 27th November, 2008, solicitors acting for the plaintiff wrote to the defendant requesting the urgent attention of the insurance company and pointing out that the plaintiff was currently out of work due to the loss of his vehicle. No response was received to the plaintiff’s solicitors’ letter and further reminders were sent on the 11th December, 2008 and the 16th December, 2008.
2.4 In early January 2009, the plaintiff’s van was recovered and returned to him. As of the date that the van was returned, the defendant insurance company had neither paid out under the policy of insurance nor responded to the correspondence from the plaintiff’s solicitors nor had it provided the plaintiff with a copy of his proposal form. That form had been signed and completed at the inception of the policy. On the 12th January, 2008 the plaintiff’s solicitors wrote to the defendant pursuant to the Data Protection Acts formally calling upon the defendant pursuant to s. 4 to furnish a copy of the plaintiff’s file, including a copy of the original proposal form. The cheque enclosed with the request was for a sum greater than the required amount and correspondence was exchanged to achieve the payment of the actual required amount. A cheque for the correct sum was forwarded by the plaintiff’s solicitors to the defendant by letter dated the 19th February, 2009. On the 25th March, 2009, the defendant forwarded to the plaintiff’s solicitors a letter enclosing the documentation that the defendant held on its file in respect of Michael Collins. By that date, the plaintiff’s solicitors had already been in contact with the Data Protection Commissioner and had, by letter of the 9th March, 2009, requested the Commissioner to inquire into the insurance company’s delay in dealing with the request from the plaintiff. Following receipt of the insurance company’s letter of the 25th March, 2009, enclosing certain documentation, the solicitors for the plaintiff again wrote to the Data Protection Commissioner by letter of the 30th March, 2009 raising concerns as to how the insurance company had come upon certain information and whether or not, in obtaining such information, there had been a breach of the Data Protection Acts. Following further correspondence between the Data Protection Commissioner, the plaintiff’s solicitors and the defendant insurance company, the solicitors for the plaintiff, by letter of the 16th September, 2009 to the Data Protection Commissioner, formally requested a decision from the Commissioner under s. 10 of the Data Protection Acts in relation to the complaint brought on behalf of Michael Collins against FBD Insurance Company. That request was ultimately responded to by a decision of the Data Protection Commissioner dated the 1st August, 2010 concluding that the defendant insurance company had been in breach of s. 4(1)(a) of the Data Protection Acts “by not providing all the relevant personal data within the forty day time limit specified”, and, secondly, had been in breach of s. 4(7) “by not notifying Lawlor Partners Solicitors [the plaintiff’s solicitors] when it released certain personal data on the 25th March, 2010 of its reasons for refusal to supply other personal data in its possession and of the data’s subject right to complain to the Data Protection Commissioner about that refusal”.
2.5 As part of the correspondence which was exchanged prior to the first decision of the Data Protection Commissioner, the Data Protection Commissioner wrote to the plaintiff’s solicitors by letter of the 11th August, 2009 indicating that the Commissioner had been informed in a recent letter that the insurance company’s actions arose because “the reasons the claims handlers became suspicious on this case came down to the occupation of the insured. The claims handler in the case of Mr. Michael Collins asked the question on previous convictions because the client’s occupation is stated to be a painter and decorator”. During the hearing in this Court, it was accepted and acknowledged on behalf of the insurance company that that was a false explanation, based upon incorrect information and that by the date that the insurance company had written to the plaintiff on the 10th November, 2008 stating that they understood that Mr. Collins may have been convicted of a criminal offence, the insurance company were in fact of a possession of the claims management company’s report dated the 13th October, 2008 and the private investigator’s report which referred to a criminal conviction. The explanation provided by the defendant for raising the possibility of a criminal conviction was, on the face of it, concocted.
2.6 Following receipt of the first decision of the Data Protection Commissioner dated the 1st August, 2010, further correspondence was exchanged between the plaintiff’s solicitor and the office of the Data Protection Commissioner. On the 9th September, 2010 the plaintiff’s solicitors made a complaint against FBD Insurance Company on behalf of the plaintiff. Eventually, that complaint resulted in the second decision of the Data Protection Commissioner which was dated the 14th April, 2011 wherein it was identified that on the 9th September, 2010 a request had been made to investigate alleged breaches of the Data Protection Acts relating to the use by FBD of a private investigator and the production by him of a report on Mr. Collins which included information on an unrelated incident involving Mr. Collins which had resulted in a criminal conviction. The decision of the Data Protection Commissioner set out details of the investigation and an analysis of the data protection issues and concluded on the final page with the decision. The Commissioner was of the opinion that FBD Insurance had contravened the Acts and, in particular, s. 2(c)(3):
“. . . by failing to ensure that all the processing of your client’s [Mr. Collins’] personal data was carried out in pursuance of a contract in writing or in another equivalent form between the data protection controller (FBD) and the data processor (private investigator), that the contract provide that the data processor carry out the processing only on and subject to the instructions of the data controller and that the data processor comply with obligations equivalent to those imposed on the data controller by s. 2(1)(d) of the Act”.
The Commissioner also gave the opinion that the insurance company failed “to ensure that the data processor provide sufficient guarantees in respect of the technical security measures, and organisational measures governing the processing” and also failed to “take reasonable steps to ensure compliance with those measures”. The decision also found that FBD Insurance failed to comply with 2(c)(3) and s. 2(1):
“by (i) securing access to court records through the agency of the private investigator which recorded sensitive data – a criminal conviction – related to your client [Mr. Collins], other than in a manner prescribed by the District Court rules and (ii) in failing to take reasonable steps to ensure that the private investigator did not thus unfairly obtain personal data related to your client [Mr. Collins]”.
2.7 The second decision of the Data Protection Commissioner of the 14th April, 2011 concluded by stating in relation to damages that data controllers are liable under s. 7 of the Data Protection Acts to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession and that it was a matter for any individual who feels that he might have suffered damage from a contravention by a data controller of its data protection responsibilities to take legal advices appropriate but that the office of the Data Protection Commissioner has no function in relation to the taking of proceedings under s. 7 or in giving any such legal advice.
2.8 The decisions of the Data Protection Commissioner were not appealed.
2.9 By civil bill dated the 12th May, 2011, Michael Collins commenced Circuit Court proceedings against FBD Insurance Company Plc including claims for a number of reliefs including a claim for damages under s. 7 of the Data Protection Acts arising from the contraventions by FBD of its data protection responsibilities as detailed in the two decisions of the Data Protection Commissioner. The claim pursuant to s. 7 was the only clam proceeded with in the Circuit Court and it was in respect of that claim under s. 7 of the Data Protection Acts that damages were awarded to the plaintiff by the Circuit Court.
2.10 The second decision of the Data Protection Commissioner identified that the defendant insurance company in its disclosure of documents made on the 25th March, 2009 to the plaintiff’s solicitors had omitted therein to identify or reveal the existence of a report from the private investigator and the decision of the Data Protection Commissioner had identified that there was no written contract in place between the insurance company and the investigator as required by the Acts.
2.11 The proceedings before the High Court were a re-hearing of the case considered by the Circuit Court and during the course of the hearing counsel for the defendant acknowledged that the FBD Insurance Company had breached the Data Protection Acts and accepted the findings of the Commissioner in relation to such breaches and confirmed that no appeal had been taken against the findings made by the Commissioner. Whilst the civil bill had identified particulars of special damage in the form of loss of earnings and alternative transport, no figure was identified in respect of such special damage nor was any loss proved in Court. At the commencement of the hearing before the High Court, it was acknowledged on behalf of the plaintiff that there had been no out of pocket expenses or special damages incurred by the plaintiff arising from the breaches of the Acts. It was on that basis that the issue which was before the Court was whether or not the plaintiff was entitled under s. 7 of the Act to an award of general damages in the absence of any damage including special damage. During the course of the evidence certain limited evidence was led in relation to loss of earnings arising from the plaintiff being without his van for a number of months. That evidence was so imprecise and indefinite that I was unable to conclude that the plaintiff suffered any provable damage or to relate any claimed damage to the breaches of the Data Protection Acts committed by the defendant.
3.1 The plaintiff claims that he is entitled to damages pursuant to s. 7 of the Data Protection Acts for the breaches of the Acts committed by the defendant. In the two decisions of the Data Protection Commissioner, four breaches were identified. Those breaches were:
(a) the failure by the insurance company to furnish data within forty days;
(b) the failure by the insurance company to disclose that documentation; in its possession had been released;
(c) the failure by the insurance company to have the necessary and required contract in place with a private investigator before using such investigator; and
(d) the failure by the insurance company to access District Court conviction orders in the proper manner.
3.2 Section 7 of the Data Protection Act deals with the duty of care owed by data controllers and data processors. Section 7 provides:
“For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned.”
It is the extent of the civil liability for breach of statutory duty as identified in s. 7 which is central to the matters which I must consider. The plaintiff contends that he is entitled to damages pursuant to s. 7 of the Act as there has been a breach of the Act by the defendant. The plaintiff contends that s. 7 establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. The plaintiff also contends that to recover damages under s. 7 of the Act, a data subject does not have to show a loss and damages may be awarded by a Circuit Court Judge, or on appeal by a High Court Judge, so as to allow the data subject enforce his data protection rights. The defendant contends that a plaintiff is not entitled to any award of damages pursuant to s. 7 unless the plaintiff proves actual loss or damage. I must therefore determine what is the extent of damage recoverable under s. 7 of the Data Protection Acts. Section 7 of the Data Protection Acts establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. Section 7 is a statutory provision which expressly provides that a civil action may be taken. Section 7 imposes a statutory duty of care on data controllers and data processors to the extent that the law of torts does not already provide, as regards the collection of personal data and their dealing with the data; the duty is owed to the data subject concerned. The question comes down to whether or not the damages provided for by s. 7 requires that there be proof of damage suffered by a plaintiff as a necessary pre-condition to an award of damages.
3.3 The long title to the Data Protection Act 1988 reads in part as follows:
“An Act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically.”
The convention referred to is the Strasbourg Convention. Section 7 of the Data Protection Acts seeks to provide for remedies as envisaged under Directive 95/46/EC of the 24th October, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 23 of the Directive reads under the heading “Liability”;
“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”
What is envisaged by Article 23 is that a person who has suffered damage is entitled to be compensated. Paragraph (55) of the preamble to the same Directive reads:
“Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive.”
The Directive mandates that in the event of a breach that sanction shall apply and Article 24 of the Directive states in relation to sanctions:
“The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.”
3.4 What is obligated under the Directive is that a Member State is obliged to have in place a provision which provides that a person who has suffered damage as a result of an unlawful processing operation or an act incompatible with national provisions is entitled to receive compensation from the controller for the damage suffered. The obligation does not extend to an automatic payment of compensation. It is open to the Member State to provide that the compensation permissible in a Member country’s legislation extends beyond the Directive. That is a matter for each individual Member State. Article 23 provides that a wronged individual may be entitled to payment of compensation but subject to proof of the damage that they have suffered.
3.5 Section 7 of the Data Protection Acts transposes the Directive into Irish law. Section 7 imposes a statutory duty of care on data controllers to the data subject. It is stated in the legal submissions on behalf of the plaintiff that:
“The drafting of the section (s. 7) is perhaps not inspired and academic commentary is sparse. Almost all Irish authority on statutory duty relate to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury”.
I accept that the drafting of s. 7 is imperfect and, to some extent imprecise. However, what is clear is that s. 7 does not provide, within its terms, for strict liability or for the automatic payment of compensation. It limits compensation by a provision providing for the existence of a duty of care within the law of torts. The section does not in its express terms seek to go beyond the obligation for compensation contained in the Directive.
3.6 Insofar as it may be said that the terms of s. 7 are ambiguous or unclear, s. 7 must be interpreted in the light of Article 23 of the Directive. The interpretation of Directives requires not only the construction of the Community Directive or text but also of the national implementing legislation. It is accepted that national legislation ought to be interpreted so as to give effect to the intention identifiable from the text of the Directive itself. Directives are commands addressed to each Member State and each State has a duty to give effect to its obligations under the Directive. That duty does not extend to going beyond the obligation required in the Directive even though the possibility of doing so is permitted, provided the Member State does so clearly within the legislation implementing the Directive. It is submitted by the defendant that the Directive limits the obligation to provide for an entitlement to compensation for the data controller to damage suffered by a person who can prove that they have, in fact, suffered damage arising from a breach of their rights pursuant to the legislation. I accept that submission. It is also the case that s. 7 in the Irish legislation does not, on the face of it, provide for compensation for strict liability or for the automatic payment of compensation but limits compensation to the existence of a duty of care within the law of torts. It is consistent with the general principles of the Irish law of torts that a person seeking compensation arising from a breach of statutory duty must establish that the loss or damage which they have sustained flowed from that breach unless the statutory duty involved is one of strict liability. The Directive does not provide for strict liability or the automatic payment of compensation nor does s. 7 of the Irish legislation so provide, either by its express terms or by reference to a duty of care within the law of torts.
3.7 Consideration of the legislation by which a number of Member States have incorporated the Directive into their national law demonstrates that those countries have proceeded on the basis that there is no need or requirement to go beyond providing for compensation on proof of damage (see the provisions of s. 69 of the Danish legislation on processing of personal data of 2000 and s.8 of the Federal Data Protection Act 2001 of Germany dealing with compensation by a private body which is limited to the harm caused and also s. 15 of the Italian Personal Data Protection Code of 2003 which deals with compensation for damage to another).
3.8 Insofar as it can be claimed that there is an ambiguity within the words of s. 7, that section is required to be interpreted in the light of Article 23 of the Directive and on that basis, and by reference to the terms of s. 7 itself, I am satisfied that s. 7 does not provide for either strict liability or the automatic payment of compensation but limits itself to providing for the existence of a duty of care within the law of torts. For that duty of care, in circumstances where it is a breach of statutory duty to extend to the payment of damages without proof of damage or loss, it would mean that strict liability applied. For that to arise, the section itself would have to have so provided.
4.1 As recognised by the plaintiff in the legal submissions submitted on his behalf, almost all Irish authority on statutory duty relates to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury. Occupational injury claims are often brought on the basis that there has been a breach of the Safety, Health and Welfare at Work Act of 2005 and the regulations made thereunder. That Act, like the Data Protection Acts, has its origin in obligations placed upon Ireland pursuant to a European Directive which provided for significant rights and protections to individual citizens. An individual claimant seeking to rely on a breach of the extensive statutory obligations pursuant to the Safety, Health and Welfare at Work Act 2005 and seeking compensation must establish that he or she has suffered damage flowing from the particular breach in respect of which complaint is made. In other words, the person seeking compensation arising from a breach of statutory duty under the Safety, Health and Welfare at Work Act 2005 must prove damage flowing from a breach and unless that is established, there is no entitlement to damages as the Act does not provide for a strict liability.
4.2 The provisions of s. 7 of the Data Protection Acts provides for an obligation on a data controller or a data processor to exercise a duty of care. A breach of that duty of care can result in the award of damages. However, the section does not provide for automatic damages for a breach of the Act and there is no reference or identification of any strict liability. The Act does deal with and expressly provides for sanctions or penalties for criminal liability (see s. 31). In addressing the requirement to implement the Directive and a need for liability under the Act, the legislature was addressing the requirement to provide for “any person who has suffered damage” and to provide for compensation “for the damage suffered”. The implementation by Ireland, in its legislation, could have gone further and Ireland as a Member State could have provided for greater protection than required under Directive 95/46 (see the case of Re Criminal Proceedings against Lindqvist [2004] QB at para. 49, which identifies that nothing prevents a Member State from extending the scope of the national legislation implementing Directives). In Ireland the legislature determined to implement the Directive into Irish law by reference to a statutory duty of care obligation and not by reference to strict liability.
4.3 As a matter of construction, the statutory obligation which provides for a private remedy for breach of statutory duty under the Data Protection Acts was imposed, not as a strict liability, but as a duty of care obligation. If the statute provides a express means of enforcing a duty, that normally indicates that the statutory right was intended to be enforceable by that means. The entitlement to damages and the scope of such damages is dependent upon a true interpretation of the relevant statutory provision. In this case, where it is clear that there is no strict liability and that liability and the entitlement to compensation is predicated upon and dependent upon a claimant establishing a breach of a statutory duty of care, it necessarily follows that a claimant must establish that the breach has caused the claimant damage if that claimant is to be entitled to damages. In this instance, the entitlement is not to damages for breach of duty, but compensation for breach of duty. Compensation is intended to place an individual in the position which that individual would have been apart from the wrong done. In general, an entitlement to damages for distress, damage to reputation or upset, are not recoverable save where extreme distress results in actual damage, such as a recognisable psychiatric injury.
4.4 Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage. Such requirement is demonstrated in the judgment of Clark J. in Larkin v. Dublin City Council [2008] 1 IR 391 where Clark J. held, in dismissing the plaintiff’s claim, that the defendant had breached its duty to ensure that the results of assessments for appointment to a post were not presented to the candidates until their accuracy had been checked, but that despite that breach by the defendant, the plaintiff had not established that he had suffered from any recognisable psychiatric illness and was therefore excluded from the recovery of damages for public policy reasons. A person seeking compensation arising from a breach of statutory duty under an Act must establish that the loss or damage that such person has suffered flowed from the breach, unless the statutory duty involved is one of strict liability. Here, the statute does not provide for strict liability and for me to interpret s. 7 of the Data Protection Acts as enabling a claimant to benefit from an award of damages for non-pecuniary loss, would be for me to expand the scope of s. 7 beyond that provided for in the Act or required by the Directive. The Directive in issue in this case requires for there to be compensation for damage suffered and s. 7 does not extend beyond that obligation. Section 7 provides an obligation of duty of care and allows for a remedy under the law of torts and the law of torts generally provides for compensation to be based upon certain criteria which includes the proof of damage.
5.1 The defendant sought to rely on various English decisions concerning the U.K.’s legislation implementing the Directive, namely, the Data Protection Act 1998. However, consideration of the provisions of that Act and, in particular, s. 13(2) dealing with compensation which allows for compensation to an individual “. . . who suffers distress by reason of any contravention”. The U.K. Act goes beyond the requirements in the Directive and expressly provides for compensation for distress. The Irish legislation does not. In those circumstances, I have decided this case without regard to the English authorities as the statutory approach to damages is different.
6.1 In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant. While certain limited evidence was led by the plaintiff in relation to the consequences of delay, no evidence was led to prove such damage or to establish that any damage flowed from the admitted breach of statutory duty on the part of the defendant. In those circumstances, the plaintiff in this case is not entitled to any damages as he has failed to establish that he has suffered any loss or damage within the scope of s. 7 of the Data Protection Acts. The statutory position in Ireland is that no matter how blatant the breach that the person the subject of the breach can only receive damages on proof of loss or damage caused by the breach.
7.1 Whilst I am satisfied that the plaintiff is not entitled to an award of damages, and that therefore the Circuit Court order should be vacated, the Court will have regard to both the manner in which the defendant company conducted itself in relation to the investigations carried out by the Data Protection Commissioner, and also to the fact that the issue as to the limitation of the nature of damages under s. 7, which has resulted in the defendant succeeding in this appeal, was not argued in the Circuit Court when addressing the question of costs.
Realm Communications Ltd -v- Data Protection Commissioner
[2009] IEHC 1
JUDGMENT delivered by Mr. Justice McCarthy on the 9th day of January 2009
1. Pursuant to the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003, made, pursuant to s. 3 of the European Communities Act 1972, by Statutory Instrument No. 535 of 2003 (“The Regulations”) and in particular Regulation 13(1)(b):-
“A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such communication”.
and by the provisions of Regulation 13(9)(a):-
“A person who fails to comply with paragraph (1) … shall be guilty of an offence”
and, in turn, by s. 31(1A) of the Data Protection Act 1988 (as amended by the Regulations):-
“A person guilty of an offence under the … regulations … shall be liable on summary conviction to a fine not exceeding €3,000 …”
2. There are pending before Dublin Metropolitan District Court some 60 summonses charging the applicant (“Realm”) with offences contrary to Regulation 13(9(a) although they are perhaps infelicitously worded, to put it no further, in as much as the offence is one contrary to Regulation 13(1)(b) of using or causing to be used an electronic communications service contrary to the prohibition in s. 13(1)(a) of the Regulations, the penalty provision being s. 31(1A) of the Act.
3. On the 28th April, 2008, my colleague Peart J. afforded leave to Realm to seek certain relief to restrain the continuance of those proceedings by the Data Protection Commissioner (“the Commissioner”) (and of course they are stayed pending the outcome hereof). That relief (so far as it is substantive and relevant at this juncture) is set out in the statement grounding application for leave to apply for judicial review (“Realm’s Statement”) at paragraphs 1 to 5 inclusive, as follows:-
“(1)A declaration that the respondent acted unlawfully in issuing summonses for alleged contraventions of Regulations 13(1)(b) and Regulation 13(9)(a) of the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 (S.I. No. 535/2003) (“the 2003 Regulations”) and section 31(A) of the Data Protection Acts, 1988 and 2003 (“the Acts”) (as inserted by Regulation 17(1) of the 2003 Regulations) in circumstances where the respondent has failed in his statutory obligation to arrange within a reasonable time for the amicable resolution between the Applicants and the complainants of complaints in relation to the alleged contraventions the subject of summonses.
(2) A declaration that the Respondent can only lawfully exercise his power under the Acts to summarily prosecute on foot of complaints of contraventions of the 2003 Regulations if section 10(1) of the Acts has been complied with.
(3) A declaration that the Respondent has failed to satisfy the statutory precondition to the exercise of his power to prosecute a contravention of the said Acts and/or the 2003 Regulations, that section 10(1) of the Acts be complied with.
(4) An Order by way of Certiorari quashing the Respondent’s decisions to institute the summary prosecutions instituted by the respondent against the Applicant, as set out in the Schedule to this Statement of Grounds.
(5) An Order by way of prohibition preventing the Respondent from further prosecuting the said summonses.”
4. The grounds upon which leave was granted are those set out at paragraphs 1 to 7 inclusive of para. E of Realm’s Statement, as follows:-
“(1) The Respondent is a statutory officer who is appointed by the provisions of the Data Protection Act 1988, as amended to be the supervisory authority in the State for the purposes of enforcing the State’s obligations to its citizens in respect of data protection matters.
(2) Under the terms of the Data Protection Act 1988, as amended the Respondent is given a range of civil and criminal enforcement powers, including the powers to issue enforcement notices and prohibition notices and to institute summary prosecutions, in respect of contraventions of the Acts and the 2003 regulations.
(3) Regulation 17(1) of the 2003 Regulations (which give effect to Directive 2002/58/EC) (“the Directive”) provides, inter alia, that section 10 of the 1988 Act as amended (including the provisions of section 10(1) in relation to complaints) shall apply to the 2003 Regulations. The provisions of section 10(1) of the 1988 Act as amended accordingly apply to a complaint made to the Respondent that there has been a contravention of, inter alia, Regulations 13 of the 2003 Regulations.
(4) The Respondent asserts that he has received a number of complaints from consumers that they have received unsolicited communications from the Applicant in contravention of Regulations 13(1)(b) and 13(9)(a) of the 2003 Regulations.
(5) Despite the clear obligation on the Respondent, pursuant to section 10(1) of the 1988 Act as amended, to arrange within a reasonable time for the amicable resolution by the parties concerned of the matter a subject of the complaint before deciding to take any enforcement steps (including summary prosecution) the Respondent unlawfully and/or irrationally and/or in excess of jurisdiction failed to make any attempt at all for the amicable resolution by the parties of the complaints concerning alleged contraventions of the 2003 Regulations, before deciding to prosecute same.
(6) The Respondent has acted unlawfully and/or irrationally and/or in excess of jurisdiction in deciding to prosecute the Applicant for alleged contraventions of Regulation 13 of the 2003 Regulations without complying with a necessary statutory precondition of the commencement of such proceedings and/or in failing to arrange for amicable resolution for the said complaints before instituting the summary prosecutions.
(7) The Respondent has acted in breach of the Applicants’ rights to fair procedures and natural justice, including its rights pursuant to Article 40 of the Constitution and Article 8 of the European Convention on Human Rights and its rights under the Acts and 2003 Regulations.
5. Reference is made, both in the grounding affidavit sworn on behalf of Realm and at para. 37 of Realm’s outline (legal) submissions to certain guidelines published on the Commissioner’s website under the heading “Complaint Outcome” and to a subsequent “Guidance Document”, apparently also published on such website, the tenor of the first of which is that all complaints do not necessarily result in prosecutions but that in the first instance the Commissioner attempts to resolve matters amicably. The second is, apparently, a bald statement to the effect that the Commissioner is obliged to seek an amicable resolution of complaints. It is not contended on behalf of the applicant that anything in the nature of an estoppel or legitimate expectation could give rise to an inhibition of prosecution here, and in my view, rightly. The core basis, accordingly, for seeking to inhibit prosecution is that summarised in para. 1 under the heading of “the Relief Sought” in Realm’s statement and, accordingly, amounts to the proposition that it is a condition precedent to a prosecution in respect of the offences now pending that an attempt be made to seek amicable resolution of the complaints giving rise to the charges. This arises because of the provisions of s. 10(1) of the Acts which is as follows:-
“10.(1)(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
(ii) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him of the notification.”
6. I have herein referred to the Data Protection Acts 1988 – 2003 and the Regulations for convenience sake as “the Acts” unless otherwise appears: this is so notwithstanding the fact that they were amended by the Regulations. These, transposed into Irish law the Directive.
7. The Statement of Opposition of the 3rd June, 2008 (“the Commissioner’s Statement”) is extensive and I accordingly do not propose to set the grounds therein out in full but merely to summarise the substantive elements, as follows:-
“(a) That (of course) the power of the Commissioner to investigate compliance with, or a possible contravention of, the provisions of the Acts provides the “necessary underpinning” for the exercise of his powers of enforcement and he asserts that there are three separate bases for investigation, firstly, being that arising under s. 10(1) aforesaid, secondly s. 10(1A), which provides that:
‘The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the … Regulations … and to identify any contravention thereof”
and, thirdly, pursuant to s. 10(1B) which provides that:-
“The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with (inter alia Regulation 13) and to identify any contravention thereof”
(b) That an unsuccessful attempt by the Commissioner to arrange for amicable resolution is “solely and exclusively a condition precedent” to a decision (and the notification to a complainant of a decision) under s. 10(1)(b) of the Act and not a condition precedent to the exercise of any of his investigation powers or to the exercise of any of his enforcement powers or, most importantly in the present context, his capacity to prosecute.
(c) That the requirements of s. 10(1)(b) in respect of complaints by natural persons do not displace the Commissioner’s entitlement to conduct a separate investigation (whether related or distinct) pursuant to other investigatory powers even if such investigation is the subject of an individual complaint.
(d) That the term “reasonable time”, referred to in s. 10(1)(b)(ii) is to be construed by reference to all of the surrounding circumstances (including the fact that the Commissioner might have conducted an extensive investigation into the complaints with all due expedition).
(e) That in as much as the Regulations transpose the Directive, and such Directive does not contemplate a “prior requirement to mediate” (whereby any such requirement would be outside the terms of the Directive) no such construction of the power of prosecution is permissible and, in addition, “would not be required or necessitated by the terms of the Directive”.
(f) That the Commission has not acted in breach of the applicant’s right to fair procedure and natural justice or of its rights under the Acts or the Regulations or, in the, any breach of its rights under the Constitution or Article 8 of the European Convention on Human Rights and Fundamental Freedoms.”
The allegation of breach of rights under Article 40 or Article 8 aforesaid has not been pursued, nor has an assertion of a breach of natural justice or fair procedures. I think that this was the correct course in as much as if there is, as a matter of law, a capacity to prosecute without a condition precedent, I know of no rule of law which imposes any obligation on the prosecutor to hear the putative accused before deciding upon, and commencing, a prosecution.
8. The relevant affidavits for the purpose of this judgment are those of Mr. Higgins (Realm’s Managing Director) of the 25th April, 2008, and of Mr. Davis (Deputy Data Protection Commissioner) dated the 3rd June, 2008. I have, of course, to a degree, referred to the facts of the matter above. So far as material, as to further relevant facts deposed to therein, Mr. Higgins says that disclosure of documents took place at Realm’s request, by the Commissioner qua prosecutor (as ordinarily occurs in the case of prosecutions on indictment but, exceptionally, only, in the case of summary prosecution) (and rightly disclosed in the present case if only because it avoided the necessity for discovery herein) and that the prosecutions were based on the complaints of fourteen complainants. This term is not used in this context as a term of art and there is no such term in the Acts. He says that there was a good working relationship between Realm and the Commissioner, that there was co-operation in respect of a number of individual instances of alleged contraventions of the Acts or Regulations and that Realm welcomed the introduction of the regulatory procedure. He refers to a so called “dawn raid” and to the fact that during such raid a journalist contacted him and that subsequently, before service of summonses, a journalist also communicated with him in relation thereto. I am not required to address whether or not these enquiries resulted from “leaks”, or, if they did, what the legal consequences (if any) thereof might happen to be. I accordingly ignore this aspect of the matter.
9. It would appear from Mr. Davis’s affidavit that the Commissioner seeks to deal with enforcement issues without recourse to prosecution whilst remaining “fully entitled to adopt the latter course”, that so called mediation in respect of individual complaints would not be effective so far as repeated offenders are concerned, that a small portion of recipients of unsolicited texts make complaints and that the proportion of those who do so is in the order of one in ten thousand whereby, he asserts, if the condition precedent alleged exists the remedy (presumably of prosecution) would be ineffective. He further asserts that any obligation to mediate successive complaints would mean that the respondent, whilst engaged in mediation in respect of some complaints, might be in receipt of further complaints against the same person to the point of a course of conduct and that the Commissioner treats the handling of complaints that might or might not result in a decision by him (under s. 10(1)) as an entirely separate activity to the function of prosecuting breaches: apparently, these are dealt with by separate units in the Commissioner’s office. Mr. Davis refers to the so called dawn raids and to the fact that they occurred against a background of “significant concern” regarding the sending of so called SMS messages (being unsolicited mobile telephone text messages) for marketing purposes without the consent of the recipient.
10. The applicant has set out a conspectus of the Directives giving rise to the present law in the State and it is submitted that the proper construction of s. 10 of the Acts “in light of the scheme of the Communications Data Protection Directive, the 2003 Regulations and the Acts as a whole” gives rise to the condition precedent to the taking of enforcement actions, including prosecutions. The proposition advanced, based upon Bell and Ray in EU Electronic Communications Law, that the Directive aims to harmonise the law in this field and to thereby encourage free movement of data, electronic communications equipment and services seems uncontroversial as do the recitals (6, 40, 41 and 47) in the Directive, which are quoted.
11. The first of these recitals, inter alia, is to the effect that the “Internet is overturning traditional market structures” and that “publicly available electronic communications services over the Internet opened up new possibilities for users and also new risks for their personal data and privacy”, that, (as set out in recital 40) “safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes, in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages” and that “where the electronic contract details are obtained, customers should be informed about their further use for direct marketing and be given the opportunity to refuse such usage…” (as appears from recital 41). As appears from recital 47, penalties must be imposed for failure to comply with national measures taken under the Directive. There is nothing in these recitals or in any other part of the Directive, either quoted by Realm or otherwise which supports a contention that attempted amicable resolution is a condition precedent to enforcement, whether by prosecution or otherwise (in the case of complaints by natural persons). There seems to me to be no difference between the scheme of the domestic law implementing the Directive or any sufficient distinction between the Directive and the Acts or Regulations to assist in respect of the proposition advanced and therefore it suffices to have regard only to the national provisions.
12. Reference is made to a schematic or teleological approach to the interpretation of the Directives’ provisions but even if it was necessary to have regard to the Directive for the purpose of gaining a true understanding, or properly interpreting or construing our legislation (which it is not) it might, firstly, be arguable that such schematic or teleological interpretation is unnecessary but if it was, it seems to me that there is nothing in the application of that principle of interpretation (as summarised in the passage from Dodd on Statutory Interpretation in Ireland, quoted in the applicant’s submissions), which adds anything to Irish law since the Directive is fully and properly transposed into it (and no proposition is advanced here to the effect that it is not), or having regard to Irish law only.
13. Further in the European context reference is made by Realm to Article 13 of the Directive (“unsolicited communications”) and it is suggested that having regard to its provisions “out of court resolution of complaints” is “entirely consistent with this scheme”. I do not doubt that this is so but that is not the point. What is in issue is not whether or not it is consistent with but whether or not it is a condition precedent to prosecution, involving, as it does, in the event of conviction, the imposition of penal sanctions as required by the Directive. I do not understand on what basis it is submitted that, by reference to that Article of the Directive, (as at paragraph 32 of the applicant’s submissions) that “in the event that there is a complaint as to the manner in which such texts are received or whether they comply with the Regulations, an attempt to amicably resolve is a sensible precondition to any more serious enforcement measures” – it may be but, again, it tells us nothing as to whether or not such a condition precedent arises; such a proposition does not follow directly or indirectly from Article 13, in any event: it is simply a bald assertion, unsupported by a chain of reasoning.
14. It is undoubtedly the position, as pointed out by the parties, that the Directive imposes no explicit obligation on the State, in implementing it, to provide for an attempted amicable resolution as a condition precedent to enforcement. Realm points out that the Directive as implemented in Irish law seeks to strike a balance between the legitimate interests of businesses in using electronic communications networks, on the one hand, and privacy and data protection rights of persons in respect of information confidential to them. There is no reason to suppose that it must follow therefrom that Irish law, in implementing the Directive, must include the inhibition on prosecution for which Realm contends. One cannot but say that it would be permissible to do so (unless of course it was to undermine the scheme of protection or other desiderata, such as the free movement of services) but that is a far cry from saying that on any view of the Directive it is essential in order to strike an appropriate balance between those competing interests.
15. It is further submitted that the existence of a provision pertaining to amicable resolution as a condition precedent to prosecution is consistent with the wording of s. 10 of the Acts; one can understand, of course, why the statutory scheme might direct the Regulator, in certain instances, to attempt to amicably resolve complaints, but, again, one can understand why it might not, for example, because of the difficulty of addressing egregious and repeated breaches by the same party with respect to the same complainant, thus giving rise to a situation where an amicable resolution had to be attempted in respect of each or any complaint received no matter how ineffective or time consuming that might be as a matter of practice. I cannot see why the Oireachtas should be taken to have intended this, when it does not say it.
16. At the end of the day one only tool of interpretation is required, namely, consideration of the Statute, as amended, in accordance with the natural and ordinary meaning of the words used therein. This form of interpretation is itself relied upon by Realm. Realm make the point that its interpretation is consistent with the Commissioner’s published material. This may be so but the Commissioner’s published material may or may not, in a given case, correctly express his legal powers or duties. I do not think that it is an aid to interpretation by a court that a party has, on some previous occasion, taken a given view of the interpretation of a Statue, but now takes a different view. Any prior erroneous view as to, say, the powers or duties of an entity such as the Commissioner are of no assistance to a court in deciding the correct view in law. There may, of course, from time to time, be other consequences of error and they are not relevant in this action. I need hardly say that one considers the provisions of s. 10 only in their statutory context as a whole. Such an approach could give no different a result by reference to the Directive itself as I have said above.
17. The natural and ordinary meaning of the words of the Statute seem to me to give rise to investigatory powers under the three heads pleaded in the Statement of Opposition, i.e. pursuant to s. 10(1), pursuant to s. 10 (1)(a) and s. 10(1)(b). These powers are undoubtedly overlapping: all three afford a general power of investigation but the difference between s. 10(1) and the others is an obligation in certain circumstances to attempt to arrange an amicable resolution concerning the matter in complaint. There is no suggestion here but that such complaints have been made: it is said at para. 21 of Mr. Higgins’s affidavit that “it seems clear” that these prosecutions were commenced “on the basis of complaints received by (the Commissioner)” from (presumably) the persons named in the summonses. One would have thought, however, that the process of investigation would extend beyond the mere mechanical receipt of a complaint. The very use of the term poses difficulties because presumably a complaint will be of greater or lesser substance (in terms of the detail afforded and the capacity to address such complaint without further or more extensive investigation). One would have thought that in every case investigation beyond mere receipt of the complaint would be required if the investigation was to be competent, if only by verification of some technical detail (e.g. a telephone number) furnished by a complainant.
18. In any event, under s. 10(1)(a) the Commissioner is afforded power to investigate, inter alia, in the case of an individual complaint and if one proceeds to s. 10(1)(b)(i) one sees that there is an obligation to investigate (i.e. to exercise that power) where such individual complaint is received, unless it is frivolous or vexatious. Thereafter, in default of an amicable resolution “by the parties concerned” the Commissioner must make a decision and notify the same to the complainant, informing him that if he is aggrieved he may appeal to the Circuit Court pursuant to s. 26 of the 1988 Act. It seems reasonable to conclude, that the term “may” in s. 10(1)(a) affords authority or power to investigate with mandatory investigation only of a complaint by a natural person which it is neither frivolous or vexatious. Of course, as pointed out by Kelleher “the Commissioner, by undertaking the level of investigation necessary to determine whether a complaint is frivolous or vexatious will thereby have discharged any duty to investigate (see 16/08 “Privacy and Data Protection Law in Ireland”). There is nothing in the provision, or elsewhere in the Acts, of course, which in any way inhibits the capacity to prosecute whether on foot of an individual’s complaint or otherwise, and whether the provisions of s. 10(1) are invoked or applicable or not. The proposition must accordingly be that notwithstanding the absence of any explicit inhibition in s. 10 or elsewhere the fact of an obligation to attempt to arrange, within a reasonable time, an amicable resolution in the case of complaints made by natural persons, must be interpreted as importing a limitation on the power of prosecution or a prohibition thereon unless resolution has been attempted and failed.
19. I cannot see any warrant for a court to add to the section or otherwise to the Acts. Accordingly it may well be that in tandem with the preparation of, and the ultimate commencement of, criminal proceedings an attempt at amicable resolution might take place and prima facie there is nothing to inhibit such a course. It would, however, if adopted, be an outcome potentially beneficial to the complainant who of course would have no role in the criminal proceedings except perhaps as a witness and the outcome whereof might not satisfy him in terms of the complaint beyond, perhaps, a moral vindication of his position. I see no absurdity, ambiguity, obscurity or capacity for advancing the proposition that a literal interpretation would fail to reflect the plain intention of the Oireachtas. Hence, I do not think that s. 5 of the Interpretation Act 2005, permits anything other than the normal rule of interpretation. In this regard reliance has been placed by the Commissioner on the judgment of Denham J. in D.B. v. The Minister for Health and Children and the Hepatitis C Compensation Tribunal (Unreported, Supreme Court, 26th March, 2003). Denham J. repeated the approach she took in M. O’C. v. Minister for Health (Unreported, Supreme Court, 31st July, 2001) when she held that:-
“It was well established that in construing statutes effect should be given to clear and unambiguous words, for the words of the statute best declare the purpose of the Act …”.
It seems to me that little more need be said in respect of the manner in which one must approach the interpretation of the statutes or of s. 10.
20. Further, let us suppose an amicable resolution took place. The breach would still exist. There is nothing in the Act which in some sense would “expunge” or render inadmissible evidence of the breach, such that a prosecution could not be maintained. The facts would remain as they always had been whether the complainant was satisfied with his lot or not. The Commissioner has strongly emphasised the nature of the criminal prosecution in the common law which is, as we know, an issue between the State (or the community) and an alleged wrongdoer and that the private interest of any party injured or aggrieved by that wrongdoing constituting the offence (which might, of course, be a civil wrong as well) is irrelevant in point of law. Thus, I accept the proposition that the erection of the condition precedent here would uniquely fetter the prosecutor in the exercise of his discretion and would thus thereby introduce, in point of law, a question of private interest into the community’s right to enforce the law. Of course in the event of an amicable resolution a complainant might prove to be indifferent to the prosecution but that is of no moment. Nor do I think that it could have been in the contemplation of the Oireachtas to place in the hands of a criminal (I speak generally, of course) the capacity to delay and perhaps undermine a prosecution by merely ostensibly engaging in an attempt at amicable resolution whilst, to a greater or lesser extent, placing obstacles in the way of a prospective prosecution for any number of commercial or other reasons. Such things are not unknown in the enforcement of the criminal law! Such a provision would introduce an entirely new phenomenon at variance with the nature of criminal prosecutions. I cannot believe that the Oireachtas would have intended to introduce such drastic change into the administration of criminal justice without explicitly saying so.
21. Of course, in truth, Realm fails to answer the question which must arise, ipso facto, if its assertion about the existence of a condition precedent is correct. This is the issue of what might occur if the attempt was successful. One would have thought that on any view of the Acts nobody could contend that there is a prohibition or bar on prosecution in the event of successful mediation. Presumably it might be the hope of a party such as Realm that no prosecution would be commenced but I cannot see how the Oireachtas would have merely imposed an obligation to attempt to mediate, when such attempt, even if successful, had no bearing on whether or not a prosecution could be initiated. I think that this is explicable only on the basis that the statutory obligation to seek an amicable resolution is unrelated to prosecution. One might see some logic, perhaps, to the proposition that a prosecution was barred in the event of a resolution. Again I do not propose to rewrite the Acts in this respect.
22. We know, also, that pursuant to the Acts a summary prosecution must be commenced within twelve months of the date of the offence and it is presumably possible that the fact of an offence could be brought to the attention of the Commissioner by a complaint within perhaps days of the expiry of the relevant period. The relevant provision is s.30(2) of the Act and the period is an extended period to that ordinarily contemplated pursuant to s. 10(4) of the Petty Sessions (Ireland) Act 1851. Whilst I accept that the term “reasonable time” could only, by definition, be reasonable in relation to the surrounding circumstances (including the time limit applicable for the commencement of a prosecution) there would be cases where there was no reality to attempted amicable resolution within days only and the Oireachtas cannot have intended that some form of charade or merely nominal attempted resolution should be attempted. The position might be different if, of course, the Oireachtas had, say, provided for a suspension of the running of the time during a period of attempted mediation (something which in the event that the unprecedented concept of a condition precedent were to be introduced, might not be irrational).
23. Further, I cannot see how the Oireachtas might have conceived that there could be an effective enforcement of the provisions of the Acts by the criminal law if, in every case where a natural person had complained, whether or not the Commissioner had other sufficient evidence prior to such complaint or garnered it directly or indirectly as a result thereof, the Commissioner might be required not merely to prove the fact of the crime but also the fact that there had been an attempt at amicable resolution being, of course, a real or meaningful attempt rather than something that could be stigmatised as a mere colourable device.
I therefore refuse the reliefs sought.
Savage -v- Data Protection Commissioner & anor
[2018] IEHC 122
JUDGMENT of Mr. Justice White delivered on 9th of February, 2018
1. This is an appeal on points of law only from an order of the Circuit Court of 25th October 2016, pursuant to the Data Protection Acts 1998 and 2003.
2. The Circuit Court allowed the appeal of Mark Savage (in this judgment the Respondent) from a ruling of the Respondent the Data Protection Commissioner of 26th March, 2015 (in this judgment referred to as the First Appellant). The Notice Party Google Ireland Ltd has also appealed. ( In this judgment referred to as the Second Appellant)
3. The First Appellant appealed by Notice of Appeal of 3rd November, 2016 on the following grounds,
(i) The Court erred in law in directing the Commissioner to issue an enforcement notice. The Circuit Court has no jurisdiction on an appeal to direct that an enforcement notice be issued by the Commissioner.
(ii) The Court erred in law in directing the Commissioner to issue an enforcement notice to a party that was not a party to the proceedings; namely Google Inc. The Circuit Court has no jurisdiction on an appeal to direct that an enforcement notice be issued by the Commissioner to a person who is not a party to the Circuit Court Appeal, namely Google Inc.
(iii) The court erred in law in its application of the test outlined in Orange Communications Limited v. Director of Telecommunications Regulations & Anor (No 2) [2004] 4 I.R. 159 to the Commissioner’s decision.
(iv) The court erred in law in its interpretation an application of the decision of the Court of Justice of the European Union delivered on 13th May, 2014, in Google Spain v. AEPD & Mario Costeja Gonzalez (Case C-131/12) (the Google Spain Decision).
(v) The court erred in law in holding that the Commissioner made a serous error in her application of the Google Spain decision.
(vi) The court erred in law in finding that the content of the URL title was factual in nature and not an expression of opinion.
(vii) The court erred in law in holding that the content of the URL is to be presumed to be a statement of fact in the absence of quotation marks or some other indication expressly identifying it as opinion.
(viii) The court erred in law in evaluating whether the content of the URL title was factual in nature or an expression of opinion without having regard to the contents of the webpages to which the URL directs internet users.
(ix) The court erred in law in circumstances where there was no factual basis for a finding that the content of the URL was inaccurate, excessive or out of date.
(x) The court erred in law in finding that the content of the URL title was inaccurate.
(xi) The court erred in law in its determination that the accurate transposition of a statement of opinion from a posting or thread to a URL title or heading had the effect of elevating such statement of opinion to the status of accurate data.
(xii) The court erred in law in its balancing of the competing interests in play as required by the Google Spain decision. In particular, the court erred in failing to give due or any weight to the necessity to protect freedom of expression.
(xiii) The court erred in law in failing to give due weight or any weight to
• The context in which that information was published (i.e. as part of an online exchange of views in which Mr. Savage himself had participated in an active way, posting three separate entries); and
• more especially, the fact that the expressions of opinion posted to the relevant webpages (including the specific content of the URL title) were clearly prompted by, and connected with, material that had been put into the public domain by Mr. Savage as an integral part of the platform he was presenting to voters in the course of the elections for Fingal County Council.
4. The Second Appellant appealed by Notice of Appeal of 1st November 2016 on the following grounds,
(i) The learned Circuit Court Judge erred in law in determining the appeal of the Data Protection Commissioner’s decision made by Mr. Savage (the “Respondent”) on the basis that the URL title bore the appearance of a verified fact.
(ii) The learned Circuit Court Judge erred in law in determining that the test of whether data are opinion rather than fact is dependent on whether the data have the appearance of verified fact.
(iii) The learned Circuit Court Judge erred in law in determining that the URL title was a matter of fact rather than an expression of opinion.
(iv) The learned Circuit Court Judge erred in law in determining that the accurate transposition of a statement of opinion from the underlying webpage to the URL title elevated such opinion to the status of apparently accurate data.
(v) The learned Circuit Court Judge erred in law in determining that the URL title was inaccurate data.
(vi) The learned Circuit Court Judge erred in law in determining the fact/opinion status of the URL title in isolation, and the accuracy thereof, without reference to the content of the underlying webpage linked to by that URL.
(vii) The learned Circuit Court Judge erred in law in determining that an expression of opinion was required to be highlighted by the use of quotation marks or parentheses.
(viii) The learned Circuit Court Judge erred in law in her application of the Orange/Nowak test to the Data Protection Commissioner’s Decision.
(ix) The learned Circuit Court Judge erred in law in not carrying out an appropriate balancing of interests as required by the Court of Justice of the European Union in the Costeja case.
The Relevant Legislative Provisions
5. The relevant act is the Data Protection Act 1988, s. 10 deals with the enforcement of data protection and states:-
“(1)
(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall—
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
(ii) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him of the notification.
(2) If the Commissioner is of opinion that a person, being a data controller or a data processor, has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.
(3) Without prejudice to the generality of subsection (2) of this section, if the Commissioner is of opinion that a data controller has contravened section 2 (1) of this Act, the relevant enforcement notice may require him—
(a) to rectify or erase any of the data concerned, or
(b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve of; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of paragraph (b) of the said section 2(1).
(4) An enforcement notice shall—
(a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion, and
(b) subject to subsection (6) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him.
(5) Subject to subsection (6) of this section, the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (4)(b) of this section and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (9) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.
(6) If the Commissioner—
(a) by reason of special circumstances, is of opinion that a requirement specified in an enforcement notice should be complied with urgently, and
(b) includes a statement to that effect in the notice,
subsections (4)(b) and (5) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.
(7) On compliance by a data controller with a requirement under subsection (3) of this section, he shall, as soon as may be and in any event not more than 40 days after such compliance, notify—
(a) the data subject concerned, and
(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period beginning 12 months before the date of the service of the enforcement notice concerned and ending immediately before such compliance, of the rectification, erasure or statement concerned.
(8) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.
(9) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.
6. Section 26 of the Act allows for an appeal to the Circuit Court from a decision of the Data Protection Commissioner and an onward appeal from the Circuit Court to the High Court on a point of law. It states:- Appeals to Circuit Court:-
“(1) An appeal may be made to and heard and determined by the Court against—
(a) a requirement specified in an enforcement notice or an information notice,
(b) a prohibition specified in a prohibition notice,
(c) a refusal by the Commissioner under section 17 of this Act, notified by him under this section and
(d) a decision of the Commissioner in relation to a complaint under section 10(1)(a) of this Act,
and such an appeal shall be brought within 21 days from the service on the person concerned of the relevant notice or, as the case may be, the receipt by such person of the notification of the relevant refusal or decision.
(2) The jurisdiction conferred on the Court by this Act shall be exercised by the judge for the time being assigned to the circuit where the appellant ordinarily resides or carries on any profession, business or occupation or, at the option of the appellant, by a judge of the Court for the time being assigned to the Dublin circuit.
(3)
(a) Subject to paragraph (b) of this subsection, a decision of the Court under this section shall be final.
(b) An appeal may brought to the High Court on a point of law against such a decision; and references in this Act to the determination of an appeal shall be construed as including references to the determination of any such appeal to the High Court and of any appeal from the decision of that Court.
(4) Where—
(a) a person appeals to the Court pursuant to paragraph (a), (b) or (c) of subsection (1) of this section,
(b) the appeal is brought within the period specified in the notice or notification mentioned in paragraph (c) of his subsection, and
(c) the Commissioner has included a statement in the relevant notice or notification to the effect that by reason of special circumstances he is of opinion that the requirement or prohibition specified in the notice should be complied with, or the refusal specified in the notification should take effect, urgently, then, notwithstanding any provision of this Act, if the Court, on application to it in that behalf, so determines, non-compliance by the person with a requirement or prohibition specified in the notice, or, as the case may be, a contravention by him of section 19 of this Act, during the period ending with the determination or withdrawal of the appeal or during such other period as may be determined as aforesaid shall not constitute an offence.
Section 1(2) states:- For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.
Section 2 of the Act defines the responsibility of a data controller in relation to the processing, keeping, use and disclosure of personal data and it states:-
“Protection of Privacy of Individuals with regard to Personal Data
Collection, processing, keeping, use and disclosure of personal data
(1) A data controller shall, as respects personal data kept by him, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
(b) the data shall be accurate and, where necessary, kept up to date,
(c) the data—
(i) shall be kept only for one or more specified and lawful purposes,
(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.
(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5(1)(a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5(1)(a).
(4) Paragraph (b) of the said subsection (1) does not apply to back-up data.
(5)
(a) Paragraph (c)(iv) of the said subsection (1) does not apply to personal data kept for historical, statistical or research purposes, and
(b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.
(6)
(a) The Minister may, for the purpose of providing additional safeguards in relation to personal data as to racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, by regulations amend subsection (1) of this section.
(b) Regulations under this section may make different provision in relation to data of different descriptions.
(c) References in this Act to subsection (1) of this section or to a provision of that subsection shall be construed in accordance with any amendment under this section.
(d) Regulations under this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.
(e) Where it is proposed to make regulations under this section, a draft of the regulations shall be laid before each House of the Oireachtas and the regulations shall not be made until a resolution approving of the draft shall have been passed by each such House.
(7) Where—
(a) personal data are kept for the purpose of direct marketing, and
(b) the data subject concerned requests the data controller in writing to cease using the data for that purpose, the data controller shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him—
(i) if the data are kept only for the purpose aforesaid, erase the data,
(ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose, and
(iii) notify the data subject in writing accordingly and, where appropriate, inform him of those other purposes.
Recent Developments in the Law
7. A decision of the European Court of Justice has enshrined “the right to be forgotten” into data protection law. In essence, this development in jurisprudence places a responsibility on search engines who collate and order material on the internet rather than edit it to delete evidence of a search under certain circumstances. The relevant case is Google Spain SL & Anor v. Agencie Espanola de Proteccion de Datos (AEPD) & Anor Case C-131/12. I will return to extracts from this judgment.
Background
8. The background to this appeal is the complaint of the Respondent in respect of a search result against his name from a search on the Google website. He contested the local government elections in May 2014 as a candidate in the Swords Ward for Fingal County Council. He had printed and distributed an election leaflet for the election and a small portion of the leaflet stated:-
“Mark Savage – is an Advocate of FAMILY VALUES and allowing Parents and Children to enjoy the amenity of Donabate beach without witnessing the lewd behaviour of Gay Perverts cavorting in flagrante on the beach in broad daylight as was reported in the media last summer and condemned as DISGUSTING…Mr. Savage is seen here on a fact finding mission to the location and illustrates the kind of detritus left behind by the Gay Perverts. This Hedonistic Integral part of gay “Culture” known as “Cruisin” cannot be allowed to conflate with the Integrity of the Institute of Marriage. In the referendum for MARRIAGE INTEGRITY, it is the fallacy of fools to believe otherwise. This extract was accompanied by a photograph of Mr. Savage wearing a t-shirt on the beach with some material in his hand. The logo on the t-shirt stated ‘STOP AIDS NOW’.”
9. This provoked a discussion on a website called Reddit.com. It is a discussion website which posts comments on any issue. A contributor to this website called Soupynorman uploaded the election leaflet of the Respondent and attached a heading to it, “North County Dublin’s Homophobic Candidate. “ The next post had the first sentence “me thinks Mark doth protest too much”.
10. The subsequent posts on the site were generally of a coarse nature, some aiming to be good humoured, but certainly the posting of the Respondent’s election leaflet provoked quite a number of controversial responses. He participated in this discussion forum at a later date posting three lengthy contributions. In the first, he objected to being labelled as homophobic. He stated in his post:-
“The attempt to demonise me as a homophobe or closet homosexual is a wearingly predictable tactic of the hysterical homosexual brigade. I think a new adjective needs to be created to give undistorted meaning. In the context of homosexuals they have pushed to have the meaning of the word Phobia to imply Hate, but what phobia really means is Fear. I am neither hateful of homosexuals or afraid of them. What I am is Disgusted by them. Their attempts to erode Marriage Integrity to shore up their deep seated doubts about their disordered lifestyle. I don’t think it is unlawful to be Homo-disgusted and it is a more accurate reflection of how I feel. I object to being called a homophobe, no objection to being called ‘homodisgusted’. Hate is distinct from disgust…I have the same compassion for homosexuals as I do for heroin addicts and prostitutes who all belong to the same category of being barred for life from ever donating blood by virtue of their destructive lifestyles.”
The Respondent made a complaint by email to Google on 31st August, 2014 which stated:-
“I wish to make a complaint about information Google hold on me. When you type in the Google search bar – mark savage swords or mark savage swords dublin, the search results include in reference to me ‘northside’s homophobic candidate’. This is from the reddit.com site and details a defamatory statement by a poster. The context of this was regarding my candidacy to be elected a Councillor to Fingal county council in the recent local elections. The poster objected to an issue I was highlighting in my election leaflet. The issue that I was raising public awareness about was out of concern for public decency and public health risks. It was about gay perverts on Donabate beach walking around without clothes and having sex in broad daylight in front of parents with children present on the beach at the time. I object to being labelled a Homophobe just for relaying facts to the public. The facts are they were gay, they were perverts – public nudity and having gay sex in public is illegal under the sexual offences act. This occurring in daylight in front of children makes it even more offensive. I was highlighting the scandal of this and also the health risk of this behaviour contributing to people becoming infected with HIV through having gay sex with strangers on a beach. I was also equating this behaviour as a reason not to support “gay marriage.” My belief and opinion is that supporting gay marriage would legitimise the gay lifestyle a part of which is having sex with strangers in public places such as parks and beaches. To label me a Homophobe because of this is completely inaccurate and defamatory. I include here links to media reports about what I am referring to and also attach a photo of the section in my leaflet that the Reddit.com poster was reacting to.”
11. Google responded to the complaint on 21st October, 2014, stating:-
“We note that the data subject, Mark Savage ran for public office as Councillor to Fingal County Council in 2014 elections. The URL http://www.reddit.com/r/ireland/comments/26a486/marksavage north county dublin homophobic/ contains a discussion and criticism of alleged homophobic remarks that Mr. Savage has made.
The criteria used by the CJEU in the Costeja case are based on the wording of Article 7(f) of the Directive, which requires that the legitimate interest pursued by the controller or a third party or parties to whom the data disclosed are overridden by the interest for fundamental rights and freedoms of the data subject which require protection under Article 1.
When a person chooses to willingly run for public office and become an elected representative, the legitimate interest in providing access to information and of the public in being able to search for information which is directly relevant to that candidate’s political, economic and cultural stances, as well as any kind of past behaviour or act that may be of relevance to potential voters and constituents’ ability to make informed decisions about political candidates vastly outweighs the data subject’s right to privacy. In this case, Mr. Savage willingly chose to run for public office and inject himself into the public sphere. Even though he failed to win office, he may run again in the next election, and this information still retains a strong public interest value in identifying the political and cultural positions of past candidates for this office, particularly given its recent date of publication.”
12. The Second Appellant in its submissions explained the search result on the Google site. The search result stated as follows:-
“Mark Savage – North county Dublins homophobic candidate. : ireland
http://www.reddit.com/r/ireland/mark_savage_north_county_dublins_homophobic
May 23rd 2014 – Mark Savage North county Dublin’s homophobic candidate. Me thinks Mark doth protest too much. I believe he’s running in Swords.”
13. The submissions state:-
“Every search result has three elements.
(a) The URL title which means Uniform Resource Location. The first blue line of any Search result is the title of the third party webpage Here the URL title is – Mark Savage- North county Dublin’s homophobic candidate. The URL title is itself a hypertext link to the reddit.com discussion thread. When an internet user clicks on the URL title, the user is automatically taken to the webpage contained at the Reddit URL. As is apparent from the review of that webpage, the URL title comes from the website itself. It is derived from the discussion thread title. (Mark Savage North County Dublin’s homophobic candidate) originally posted by a reddit.com user ‘Soupynorman’. It is important to recognise that Google Inc did not author or modify the content of the URL title – it was merely transposed from the webpage.”
(b) “The URL link – the second part of the Search result is then in green which is the web address of the webpage. Here the URL link is http://www.reddit.com/r/ireland/comments/26a486/marksavagenorthcountydublinshomophobic/. This is the URL for a reddit.com discussion thread that contains comments about the Respondent’s candidacy in the May 2014 elections as detailed in the next paragraph. Reddit.com is a third party website unconnected to Google. It is a popular discussion platform on which internet users debate and exchange views on topical issues. The Reddit URL itself contains the words ‘Mark Savage North county Dublin’s homophobic candidate’.
(c) “The Snippet Text – Finally below the URL link is grey descriptive text (or a snippet) that helps show how the page relates to the internet user’s query. This is completely automated and takes into account both the content of the webpage as well as references to it that appear on the web. Here, the snippet text is ‘May 23rd 2014 – Mark Savage North county Dublin’s homophobic candidate. Me thinks Mark doth protest too much…I believe he’s running in Swords. As is apparent from the review of the Reddit URL webpage the snippet text is comprised of pieces of text that are derived from that webpage which are then reproduced as a snippet in the search result namely:-
(i) the date the discussion thread was posted – 23rd May, 2014;
(ii) the title of the discussion thread (which is the same as the URL title); and
(iii) texts from two comments that were posted by reddit.com users to the discussion thread.
An internet user must click on the URL title in order to be brought to the Reddit URL discussion thread.”
Decision of the First Appellant
14. In her ruling of 26th March, 2015, the Data Protection Commissioner stated:-
“In November 2014, the Article 29 Data Protection Working Party which was set up under the Directive 95/46/EC devised a list of common criteria for the handling of complaints by European Data Protection Authorities in the wake of the Judgment of the Court of Justice of the European Union in the case of Google Spain v. AEPD & Maria Costeja and these were carefully considered in respect of your complaint and the response to your complaint received from Google. These criteria are available at the following link: http://ec.europa.eu/justice/data-protection/article/29/documentation/opinion-recommendation/files/2014/wp225en.pdf.”
15. The following criteria were considered to be particularly pertinent in relation to your request for de- indexing of the following URL: http://www.reddit.com/r/ireland/comments/26a486/mark_savage_north_county_dublins homophobic:-
• Does the data subject play a role in public life? Is the data subject a public figure? As per the response received from Google, you ran for public office as Councillor to Fingal County Council in the 2014 local elections.
• Is the data accurate? Section 2(1)(b) of the Data Protection Acts 1988 & 2003 requires that data shall be accurate. In general ‘accurate’ means accurate as to a matter of fact and this link remains accurate in that it represents the opinion expressed of you by a user of the relevant forum. As to the quality or otherwise of that opinion that is not a matter for this Office.
• Is the data relevant and not excessive? Section 2(1)(c)(iii) of the Data Protection Act 1988 &2003 requires that data shall be adequate, relevant and not excessive. You stated in an email to this Office dated 6th March, 2015, that the discussion content of this URL is relevant to the public interest as you ran for public office.
• Is it clear that the data reflect an individual’s personal opinion or does it appear to be a verified fact? It is clear that the original poster is expressing his/her opinion.
• In what context was the information published? Was the content voluntarily made public by the data subject? The URL is to a particular discussion topic on an on-line discussion forum. The discussion topic relates to the poster’s opinion of you based on material disseminated by you to the public during your election campaign in 2014. It must also be noted that you took part in the on-line discussion and posted three separate entries.
I do not consider that the processing of your personal data by Google in the context of the URL http://www.reddit.com/r/ireland/comments/26a486/mar_savage_north_countydublins homophobic/ being indexed in the results for searches conducted on your name is unwarranted by reason of prejudice to your fundamental rights and freedoms or your legitimate interests.
Decision.
This letter should be read as the outcome of the investigation by the Data Protection Commissioner of your complaint against Google Ireland Limited. Following the investigation of your complaint against Google Ireland regarding the refusal to remove the URL. I am unable to conclude that a contravention of the Data Protection Acts 1988 and 2003 took place in this instance.”
16. The Respondent appealed this ruling pursuant to s. 26 of the Data Protection Acts 1988 and 2003, to the Circuit Court.
Judgment of the Circuit Court
17. The learned Circuit Court Judge in a written judgment of 11th October, 2016, allowed the Respondents appeal. The relevant extracts of the judgment are as follows:-
“19. The Appellant accepts that the content of the discussion thread under the URL title constitutes freedom of expression and is in the public interest. However, his point as it has been explained to me and as I understand it, is that he denies the stance he took can accurately define him as a homophobe and that the URL asserts this as a fact without any qualification or parenthesis and as a result constitutes inaccurate data appearing as he argues it does as a verified fact.
30. There was no engagement with the central point made by the Appellant that if it was an opinion it should be obvious or made obvious that this was so, as it was presented, it appeared to be a verified fact. He argues that the absence of quotation marks gives it the appearance of a verified fact.
31. If one looks at the criteria laid out by the Working Party for consideration when a DPC is adjudicating on application to de-list data held by a Data Controller on a Data Subject, the fact that a Data Subject might be a public figure, mitigates against de-listing information which might be relevant to that role and the public might have an interest in being aware of this. However, another relevant consideration is whether the data is accurate? It says
‘DPAs will be more likely to consider that delisting of a search result is appropriate where there is inaccuracy as to a matter of fact and where this presents an inadequate or misleading impression of an individual.’
33. Mr. Savage contends that title of the URL in issue is a statement of fact, or has the appearance thereof, which is untrue and inaccurate, and set out in his correspondence and affidavit, why this was so. In his submissions he states that he believes he will be disadvantaged or prejudiced by this inaccurate factual assertion being allowed to stand, without qualification or disclaimer in terms of his employment prospects, or other future plans. It is accepted by Mr. Savage that the contents of the discussion thread or forum beneath the URL clearly involves the exchange of views and constitutes the expression of opinions and is not objected to by him.
34. Where there is a dispute about the accuracy of information and that dispute is ongoing, it appears that the DPC may choose not to intervene until the process is complete. In this matter, the Court has been told that the Appellant has issued a number of defamation writs and it is argued that the Appellant has sought to use the Data Protection legislation to support his defamation actions.
35. It is accepted by all parties that while DPA’s are generally not empowered and not qualified to deal with information that is likely to constitute slander or libel, the DPA’s remain competent to assess whether data protection law has been complied with or not and this, the DPC has sought to do in this instance. This Court considers this application in the context of this Appeal under the Data Protection Acts and expresses no view regarding any defamation proceedings which may be in being.”
18. Under the heading “Decision”, the court went on to state:-
“44. As such the case law would suggest that this court ought only to interfere with a decision of the DPC where it finds:¬
(a) An error of law or
(b) If there is a serious error or a series of errors made by the DPC in coming to her decision.
45. In reality, this Appeal turns on the consideration of a narrow premise. The DPC in her decision at paragraphs (b) and (d) arrives at a conclusion that the data in question is accurate because:
(b) In general’ accurate’ means accurate as to a matter of fact and this link remains accurate in that it represents the opinion expressed of you by a user of the relevant forum. As to the quality or otherwise of that opinion, that is not a matter for this office.
And further at para (d) she states:
(d) Is it clear that the data reflect an individual’s personal opinion or does it appear to be verified fact? – It is clear that the original poster is expressing his/her opinion.
46. Upon consideration of the above issues, this Court arrives at a conclusion which is to the contrary. This Court takes the view that if one were to simply consider the URL title, and apply the reasoning of the DPC, it is not accurate by virtue of the fact that it is simply not clear, that it is the original poster expressing his or her opinion but rather bears the appearance of a verified fact.
47. It may well be the case that upon further or full consideration of the entire thread, to include the contribution of not alone the original poster but the Applicant also, it would become clear that the original poster is expressing his or her opinion.
48. However, upon the Search Engine returning, on foot of a search for the Applicant, the URL heading “Mark Savage North County Dublin’s Homophobic Candidate,” without the parenthesis, the position is far from clear that it is the expression of a poster’s opinion as found at (b) and (d) above.
49. It is on this narrow basis and this basis alone that I must conclude that the DPC fell into error such as justifies, warrants or indeed mandates the Court’s interference.
50. The reasoning or logic as communicated by the DPC leaves open the possibility of elevating a statement of opinion from the body of any such discussion forum to the status of accurate data, by merely accurately transposing the data from the body of the posting or thread to a URL heading, in the absence of any indication that it is actually requoting such a view.
51. If the expression of an opinion is to constitute accurate data in circumstances such as this, one would have expected at a minimum, that it would be carried within quotation marks or parenthesis. This simple step ought properly to have been taken and would have eleviated the present difficulties. In the absence of such an amendment, in its present format I do not believe it constitutes accurate data or communicates that it is “clearly the expression of the opinion of the original poster.
52. In coming to the decision I have, I have had regard to the dicta of O’Donnell J., in Nowak v DPC 28/04/2016 and believe that even as a non expert Court, after scrutiny of the DPC’s decision, and consideration of the oral and written submissions, the case and legislation, this Court can detect sufficient errors which justify the decision as set out above. By reason of these, the Court takes the view that the Appellant’s fundamental rights and legitimate interests have been prejudiced.
53. I accept that the actual procedures followed by the DPC were appropriate. I accept that the DPC assessed the criteria of the Art 29 Working Group and the reasoning of the Court of Justice in the “Google Spain” decision before coming to her decision. However as set out I disagree with the findings she made for the reasons set out.
54. Given the acknowledged ubiquitous nature of the internet and the accessing of it for all types of information, irrespective of whether the Data Subject is a public figure or not, I am of the view that the balance of rights which I have to consider, in the circumstances of this case, falls in favour of the Appellant, notwithstanding the fact that he was a public figure, for the reasons outlined. I am not convinced by the submission that “any individual user of the internet seeking out facts in relation to any topic is unlikely to consult an online discussion forum such as Reddit as a source of verified facts” given the manner in which a search engine operates.
55. Therefore I will uphold the Appeal and on the application of Counsel for the Respondent, adjourn the matter to the 25th October, 2016, for mention, to consider the appropriate Order to be made.”
The Law
19. The ambit of an appeal pursuant to s. 26 of the Data Protection Acts 1998 and 2003, to the Circuit Court from a ruling of the Data Protection Commissioner was clarified by the Supreme Court judgment of Peter Nowak v. Data Protection Commissioner, a judgment delivered by O’Donnell J. on 28th April, 2016. [2016] IESC 18 O’Donnell J. at para. 30 stated:-
“In my view, in addition to considering the terms of the statute, it is useful to ask why the Oireachtas might have created a right of appeal to a court rather than to a further expert appellate body as occurs, for example, when planning appeals are brought to An Bord Pleanála, or indeed as occurred in the telecommunications field when, briefly, an expert appeal panel was established. First, it may, no doubt, be that the Oireachtas wished, by designating the court as the appropriate appellate body, to provide a guarantee of independence. It is, of course, possible to establish a body which is, by statute, independent, but by providing for appeal to the court, the legislation invokes, and to some extent, benefits from the constitutional guarantee of independence of the judiciary, and moreover the long history of independence in decision making. Thus, provision for appeal to a court can be seen as an assurance that extraneous considerations, whether national or local, or industry requirements or expectations, or perhaps public controversy, will not affect the decision. In so much as any appeal raises a point of law, then it is natural to expect that a court would determine such issues. Furthermore, however, courts, while perhaps having no expertise in the underlying area, do have considerable experience both in decision making and in review of decision making and reasoning processes. On the other hand, even the greatest admirer of courts might think it unlikely that individual courts could, in the course of a single case, develop the type of technical expertise acquired by, and available to, specialist bodies in a complex area, and in any event, might reasonably doubt that adversarial litigation is the most effective or cost efficient way of educating a judge on technical issues to the point where he or she could, with confidence, substitute his or her decision on a technical issue for that of the original decision maker. This functional analysis perhaps supports the test identified in Orange: a court can be expected to detect errors of law, and may identify serious errors in reasoning or approach. It can be said that if an error is sufficiently clear and serious to be detectable by a non-expert court after scrutiny, then that is justification for overturning the decision, even though the court may lack more specific expertise. In my view, the Orange standard is the appropriate standard to apply here. As it happens, I do not believe this issue has much, if any, impact on the substance of Mr Nowak’s appeal, since the issue he raises is essentially an issue of law: it involves the application of a legal test to facts which are not significantly in dispute. However, since the matter is of general importance, I would hold that the Circuit Court is not required to allow a full appeal on the merits, or the narrower appeal permitted in Dunne. Instead, the Court should apply the Orange test as outlined above. I would, however, emphasise that the argument here proceeded on the basis that the only options were a Dunne type appeal, or the more limited form of review contemplated in Orange. No argument was addressed to the formulation of the test in Orange, which may yet arise in an appropriate case.”
20. The case referred to is Orange Communications Limited v. Director of Telecommunications Regulations [2004] 4 I.R. 159, when in relation to curial deference, Keane C.J. referred with approval to a passage from the decision of the Canadian Supreme Court in Canada (Director of Investigation and Research) v. Southan Inc [1997] ISCR at 748, and also to the decision of Kearns J. in M&J Gleeson v. Competition Authority [1999] ILRM 401, in which he was considering the nature of an appeal under the Competition Act 1991, s. 9 and in which the same passage was cited with approval. Keane C.J. stated,
“Accordingly, while I would approach the case on that basis, it is also clear that the High Court in hearing the appeal must bear in mind that the Oireachtas has entrusted to the first defendant a decision of a nature which requires the deployment of knowledge and expertise available to her, her staff and consultants retained by her, but not available to the court. As it was put by the Canadian Supreme Court in Canada (Director of Investigation and Research) v. Southam Inc. [1997] 1 S.C.R. 748:-
‘… (an) appeal from a decision of an expert tribunal is not exactly like an appeal from a decision of a trial court. Presumably if parliament entrusts a certain matter to a tribunal and not (initially at least) to the courts, it is because the tribunal enjoys some advantage the judges do not. For that reason alone, review of the decision of a tribunal should often be of a standard more deferential than correctness … I conclude that the … standard should be whether the decision of the tribunal is unreasonable. This is to be distinguished from the most deferential standard of review, which requires courts to consider whether a tribunal’s decision is patently unreasonable. An unreasonable decision is one that, in the main, is not supported by any reasons that can stand up to a somewhat probing examination. Accordingly, a court reviewing a conclusion on the reasonableness standard must look to see whether any reasons support it …’”
21. To the same effect is the decision of Kearns J. in M. & J. Gleeson v. Competition Authority [1999] 1 I.L.R.M. 401, where he was considering the nature of an appeal under s. 9 of the Competition Act, 1991 and said at p. 410:-
“It seems to me clear that the concept of curial deference of necessity takes the court to this further position, namely that the greater the level of expertise and specialised knowledge which a particular tribunal has, the greater the reluctance there should be on the part of the court to substitute its own view for that of the authority. That again is the weighting which was indicated by the court in Canada (Director of Investigation and Research) v. Southam Inc. [1997] 1 S.C.R. 748.
That means in practical terms that the applicants in order to succeed must establish a significant erroneous inference which was critical to the grant of the licence and which went to the root of that decision rather than an erroneous inference which relates to some detail, even if that detail is relevant.”
22. In short, the appeal provided for under this legislation was not intended to take the form of a re-examination from the beginning of the merits of the decision appealed from culminating, it may be, in the substitution by the High Court of its adjudication for that of the first defendant. It is accepted that, at the other end of the spectrum, the High Court is not solely confined to the issues which might arise if the decision of the first defendant was being challenged by way of judicial review. In the case of this legislation at least, an applicant will succeed in having the decision appealed from set aside where it establishes to the High Court as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In arriving at a conclusion on that issue, the High Court will necessarily have regard to the degree of expertise and specialised knowledge available to the first defendant.”
23. In the High Court judgment in Ulster Bank Investment Funds Limited v. Financial Service Ombudsman, judgment of the High Court of 1st November, 2006, the then President, Finnegan P. stated in respect of an appeal pursuant to the Central Bank Acts known as the statutory appeal:-
“To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal.”
The Judgment in Google Spain SL v. Agencia Espanola de Proteccion de Datos Case C131/12
24. This is an important and determinative judgment and relevant to the issues which this Court has to decide. There are a number of important extracts from the judgment which are relevant and are set out hereunder:-
“81 In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, in situations such as that at issue in the main proceedings a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”
“92. As regards Article 12(b) of Directive 95/46, the application of which is subject to the condition that the processing of personal data be incompatible with the directive, it should be recalled that, as has been noted in paragraph 72 of the present judgment, such incompatibility may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes.”
“93 It follows from those requirements, laid down in Article 6(1)(c) to (e) of Directive 95/46, that even initially lawful processing of accurate data may, in the course of time, become incompatible with the directive where those data are no longer necessary in the light of the purposes for which they were collected or processed. That is so in particular where they appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to those purposes and in the light of the time that has elapsed.
97. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public by its inclusion in such a list of results, it should be held, as follows in particular from paragraph 81 of the present judgment, that those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.”
“98. As regards a situation such as that at issue in the main proceedings, which concerns the display, in the list of results that the internet user obtains by making a search by means of Google Search on the basis of the data subject’s name, of links to pages of the on-line archives of a daily newspaper that contain announcements mentioning the data subject’s name and relating to a real-estate auction connected with attachment proceedings for the recovery of social security debts, it should be held that, having regard to the sensitivity for the data subject’s private life of the information contained in those announcements and to the fact that its initial publication had taken place 16 years earlier, the data subject establishes a right that that information should no longer be linked to his name by means of such a list. Accordingly, since in the case in point there do not appear to be particular reasons substantiating a preponderant interest of the public in having, in the context of such a search, access to that information, a matter which is, however, for the referring court to establish, the data subject may, by virtue of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46, require those links to be removed from the list of results.”
“Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.”
25. The Appellants also rely on Cornec v. Morrice [2012] 1 I.R. 804 where Hogan J. stated at para. 65 and 66 as follows:-
“65. I now turn to the position of Mr. Garde. While Mr. Garde is not a journalist in the strict sense of the term, it is clear that his activities involve the chronicling of the activities of religious cults. Part of the problem here is that the traditional distinction between journalists and laypeople has broken down in recent decades, not least with the rise of social media. It is probably not necessary here to discuss questions such as whether the casual participant on an internet discussion site could invoke Goodwin v. United Kingdom (App No. 17488/90 (1996) 22 EHRR 123 style privileges, although the issue may not be altogether far removed from the facts of this case.
66. Yet Mr. Garde’s activities fall squarely within the “education of public opinion” envisaged by Article 40.6.1. A person who blogs on an internet site can just as readily constitute an “organ of public opinion” as those which were more familiar in 1937 and which are mentioned (but only as examples) in Article 40.6.1, namely, the radio, the press and the cinema. Since Mr. Garde’s activities fall squarely within the education of public opinion, there is a high constitutional value in ensuring that his right to voice these views in relation to the actions of religious cults is protected. It does not require much imagination to accept that critical information in relation to the actions of those bodies would dry up if Mr. Garde could be compelled to reveal this information, whether in the course of litigation or otherwise. It is obvious from the very text of Article 40.6.1 that the right to educate (and influence) public opinion is at the very heart of the rightful liberty of expression. That rightful liberty would be compromised – perhaps even completely jeopardised – if disclosure of sources and discussions with sources could readily be compelled through litigation.”
26. The court was also referred to an English decision of Quinton v. Peirce & Cooper, judgment of the High Court of Justice, Queen’s Bench Division, [2001] EWHC 912, when Eady J. dealing with an allegation of malicious publication was also dealing with an alternative claim of infringements of the principles set out in the schedule to the English Data Protection Act 1998 which is similar to the Irish legislation and at paras. 87 and 88 stated:-
“87. “I must now turn to the Data Protection Act. I am by no means persuaded that it is necessary or proportionate to interpret the scope of this statute so as to afford a set of parallel remedies when damaging information has been published about someone, but which is neither defamatory nor malicious. Nothing was cited to support such a far ranging proposition, whether from debate in the legislature or from subsequent judicial dicta.
88. Still less am I persuaded that it is necessary or proportionate so to interpret it as to give a power to the court to order someone to publish a correction or apology when the person concerned does not believe he has published anything untrue. Such a scheme could surely only work in respect of factual statements which could be demonstrated uncontroversially and objectively to be false. It cannot be intended to compel publication of an account of a factual scenario which is capable of being understood in different ways if, on one interpretation, it might not be accurate.”
27. In distilling the submissions of both Appellants, they submit that the errors of the Circuit Court Judge were as follows:-
(i) In applying the Google Spain judgment she had a duty to consider the underlying text of the Reddit discussion forum and should not have dealt with the search heading wording in isolation.
(ii) The learned Circuit Court Judge made a fundamental error in identifying opinion as an appearance of fact.
(iii) That the learned Circuit Court Judge did not apply any balancing test as envisaged in the Google Spain judgment weighing up the various factors that should have been considered.
(iv) That the learned Circuit Court Judge did not apply properly the test in Orange Communications.
(v) That the learned Circuit Court Judge exceeded jurisdiction on an application of Google Spain by insisting on the editing of the search engine results when the only remedy available was to delist it and could not give appropriate consideration to the consequences of seeking to have a search engine operator edit underlying articles to which the search engine referred to.
The Respondent’s Submissions
28. The Respondent before the statutory appeal commenced on 18th May, 2017, deposed an affidavit on 17th May, 2017, with a number of exhibits. In the course of the hearing he deposed another affidavit on 22nd May, 2017, after two days of hearing on 18th and 19th May and before the final hearing date on 23rd May, 2017. The court accepted the affidavits and exhibits without prejudice to issues in the affidavits to which the Appellants objected to. As the Respondent is a lay litigant, the court will insofar as it can deal with the issues raised in those affidavits. However, the court has to decide the issue on the basis of the circumstances arising at the date of the initial complaint on 31st August, 2014 and the application of the legal principles which apply have to be considered in that context.
29. Because of subsequent decisions by the Second Appellant or its parent company in respect of other matters, the Respondent has submitted that the Second Appellant has particular bias against him because of his religious beliefs which is denied.
30. This Court is dealing with the decision of the First Appellant and is confined to consideration of the legal principles upon which the learned Circuit Court Judge decided the appeal subject to s. 26 of the Act. The Respondent also in his affidavit of 17th May, 2017, purports to appeal aspects of the decision of the learned Circuit Court. That is not permissible as if he wished to appeal any aspect of the matter, he had a responsibility to file and serve a notice of appeal from the order of the Circuit Court within the statutory period.
31. The court accepts that the Respondent may well have posted responses on the Reddit.com site at a much later date than the original discussion thread which occurred around May 2014. However, the extract from his first post which the court has quoted illustrates the difficulty which confronted the learned Circuit Court Judge in determining whether the matter was fact or had the appearance of fact or was the expression of an opinion. This difficulty is readily apparent from the Respondents attempt to explain the difference between homophobic and homo-disgusted. The Respondent refers to alleged bias on the part of the Second Appellant in respect of facilitating a request by another public representative to delist a listed search and also an allegation of particular bias because of the Respondents religious belief. Those matters are irrelevant to the task facing this Court which is to determine if the learned Circuit Court Judge applied the legal principles properly in relation to data protection law.
32. The Respondent also seeks to draw a distinction as to his status pointing out that he was not an elected politician and ran a limited campaign in his local ward for election to Fingal County Council and did not expect to get elected and ultimately only received 125 first preference votes. He also makes an allegation that the search against his name some times brings out different results and thus alleges that the Second Appellant has modified the data. This court does not consider these issues relevant to its determination.
33. S.I. No. 68/2003, European Communities Directive 2000/31/EC, Regulations 2003 are not relevant to this statutory appeal.
34. The Respondent has made a relevant submission on the Australian Federal Court decision of Hockey v. Fairfax Media Publications PPY Limited [2015] FCA 652 which decided that tweets could be considered in isolation and were held to be defamatory.
Decision
35. The learned Circuit Court Judge in applying the jurisprudence of Google Spain had a duty to consider the underlying article the subject of the search. The Circuit Court did refer to this matter by indicating that if that Reddit.com discussion was considered, it would become clear that the original post by Soupynorman was an expression of opinion. The learned Circuit Court Judge was incorrect in law to consider the URL heading in isolation.
36. If the court had considered the underlying discussion thread it could not have come to the conclusion that it was inaccurate data and factually incorrect, or an appearance of fact.
37. The learned Circuit Court Judge did not identify any serious breach by the First Appellant of any legal principle. The court’s only criticism is at para. 30 where it was alleged that the First Appellant did not engage with the central point made by the Respondent that if it was an opinion it should be obvious and that it appeared as a verified fact. The court concluded on a narrow basis that the First Appellant fell into error as if one were to simply consider the URL title and apply her reasoning, the title was not accurate by virtue of the fact that it was simply not clear that it is the original poster expressing his or her opinion but rather bears the appearance of a verified fact. However, the court acknowledged that the actual procedures followed by the First Appellant were appropriate and that she assessed the criteria in Art 29 of the Working Group and the reasoning of the Court of Justice in Google Spain before coming to her decision but that the court disagreed with the findings for the reasons set out. The learned Circuit Court Judge did not carry out any balancing tests as envisaged in the Google Spain judgment but acknowledged that the First Appellant had carried out this procedure correctly.
38. The learned Circuit Court Judge did not properly apply the test as mandated in the Orange Communications and Ulster Bank decisions as she did not identify any serious error either in law or in fact as to how the First Appellant approached her decision making, and did not give that decision appropriate curial deference.
39. The Second Appellant or its parent company does not carry out any editing function in respect of its activities. It is an automated process where individual items of information on the internet are collated automatically and facilitate the user searching particular topics or names. To mandate a search engine company to place parenthesis around a URL heading would oblige it to engage in an editing process which is certainly not envisaged in the Google Spain decision. The responsibility placed on the Data Controller by that judgment is to delist the search once appropriate criteria are considered. It would not have been a simple step to have placed the URL heading within quotation marks or parenthesis.
40. This court is not dealing with the law of defamation but Data Protection law. It is not appropriate for this Court to make any comment in that regard. The jurisprudence in Hockey v. Fairfax does not reflect the law of defamation as it presently stands in Irish jurisprudence but that may well change in due course when the Superior Courts consider Tweets or for that matter the results of searches in the context of the law of defamation.
41. The court vacates the order of the Circuit Court and reinstates the original determination of the First Appellant.