Subject’s Rights
Cases
Google Spain SL, v Agencia Espanola de Proteccion de Datos (AEPD) Mario Costeja Gonzalez
Durant v Financial Services Authority
Johnson v The Medical Defence Union Ltd (2)
Lloyd v Google LLC
Compensation
[2018] EWHC 2599 (QB) (08 October 2018)
U
Mr Justice Warby:
Introduction
The claimant, Richard Lloyd, applies for permission to serve the proceedings in this action on Google LLC (“Google”). Permission is needed because Google is a Delaware corporation with its principal place of business outside the jurisdiction – in Mountain View, California – and it has not agreed to accept service of the proceedings.
The claim alleges breach of the duty imposed by s 4(4) of the Data Protection Act 1998 (“DPA”). The allegation is that over some months in 2011-2012 Google acted in breach of that duty by secretly tracking the internet activity of Apple iPhone users, collating and using the information it obtained by doing so, and then selling the accumulated data. The method by which Google was able to do this is generally referred to as “the Safari Workaround”.
Mr Lloyd is the only named claimant. However, he sues not only on his own behalf, but also in a representative capacity on behalf of a class of other residents of England and Wales who are also said to have been affected by the Safari Workaround in this jurisdiction (“the Class”). The claim is for damages or, in the language of the DPA, “compensation”. No other remedy is sought. No financial loss or distress is alleged. The claim is for an equal, standard, “tariff” award for each member of the Class, to reflect the infringement of the right, the commission of the wrong, and loss of control over personal data. Alternatively, each Class member is said to be entitled to damages reflecting the value of the use to which the data were wrongfully put by Google. It is said that on either basis of recovery more than nominal damages are recoverable by each claimant. No specific figure is put on the tariff, though ranges are mooted, and a figure of £750 was advanced in the letter of claim.
On either basis of recovery, the total damages payable by the Defendant would be calculated by multiplying the fixed sum awarded in respect of each Class member by the number of individuals within the class. The Class is a large one. Estimates of its scale have varied. The claimant’s best estimate at one stage was that it comprised as many as 5.4 million people. The estimate has reduced as the Class has been re-defined and refined. But it is still a substantial seven figure number, 4.4 million in the reply evidence. Google’s estimate of the potential liability, if some of the claimant’s per capita figures for damages were accepted, is between £1 and 3 billion.
There is no dispute that it is arguable that Google’s alleged role in the collection, collation, and use of data obtained via the Safari Workaround was wrongful, and a breach of duty. The main issues raised by the application are:
(1) whether the pleaded facts disclose any basis for claiming compensation under the DPA;
(2) if so, whether the Court should or would permit the claim to continue as a representative action.
The Safari Workaround and the DoubleClick Cookie
The relevant events took place between 1 June 2011 and 15 February 2012 (“the Relevant Period”). The evidence before me sets out in some detail the technical background to the claims, but it is unnecessary for present purposes to do more than summarise the position as set out by the claimant.
The case concerns the acquisition and use of browser generated information or “BGI”. This is information about an individual’s internet use which is automatically submitted to websites and servers by a browser, upon connecting to the internet. BGI will include the IP address of the computer or other device which is connecting to the internet, and the address or URL of the website which the browser is displaying to the user. As is well-known, “cookies” can be placed on a user’s device, enabling the placer of the cookie to identify and track internet activity undertaken by means of that device.
Cookies can be placed by the website or domain which the user is visiting, or they may be placed by a domain other than that of the main website the user is visiting (“Third Party Cookies”). Third Party Cookies can be placed on a device if the main website visited by the user includes content from the third party domain. Third Party Cookies are often used to gather information about internet use, and in particular sites visited over time, to enable the delivery to the user of advertisements tailored to the interests apparently demonstrated by a user’s browsing history (“Interest Based Adverts”).
Google had a cookie known as the “DoubleClick Ad cookie” which could operate as a Third Party Cookie. It would be placed on a device if the user visited a website that included content from Google’s Doubleclick domain. The purpose of the DoubleClick Ad cookie was to enable the delivery and display of Interest Based Adverts.
Safari is a browser developed by Apple. At the relevant time, unlike most other internet browsers, all relevant versions of Safari were set by default to block Third Party Cookies. However, a blanket application of these default settings would prevent the use of certain popular web functions, so Apple devised some exceptions to the default settings. These exceptions were in place until March 2012, when the system was changed. But in the meantime, the exceptions enabled Google to devise and implement the Safari Workaround. Stripped of technicalities, its effect was to enable Google to set the DoubleClick Ad cookie on a device, without the user’s knowledge or consent, immediately, whenever the user visited a website that contained DoubleClick Ad content.
This enabled Google to identify visits by the device to any website displaying an advertisement from its vast advertising network, and to collect considerable amounts of information. It could tell the date and time of any visit to a given website, how long the user spent there, which pages were visited for how long, and what ads were viewed for how long. In some cases, by means of the IP address of the browser, the user’s approximate geographical location could be identified. Over time, Google could and did collect information as to the order in which and the frequency with which websites were visited. It is said by the claimant that this tracking and collating of BGI enabled Google to obtain or deduce information relating not only to users’ internet surfing habits and location, but also about such diverse factors as their interests and habits, race or ethnicity, social class, political or religious views or affiliations, age, health, gender, sexuality, and financial position.
Further, it is said that Google aggregated BGI from browsers displaying sufficiently similar patterns, creating groups with labels such as “football lovers”, or “current affairs enthusiasts”. Google’s DoubleClick service then offered these groups to subscribing advertisers, allowing them to choose when selecting the type of people that they wanted to direct their advertisements to.
Previous action over the Workaround
None of this is news. Google’s activities in relation to the Safari Workaround were discovered by a PhD researcher, Jonathan Mayer, as long ago as 2012, and publicised in blog posts and, on 17 February 2012, in the Wall Street Journal. Regulatory action was then taken against Google in the USA. In August 2012 the company agreed to pay a US$22.5 million civil penalty to settle charges brought by the United States Federal Trade Commission (“FTC”) that it misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. On 11 November 2013 it agreed to pay US$17 million to settle US state consumer-based actions brought against it by attorneys general representing 37 US states and the District of Columbia. In addition, the Defendant was required to give a number of undertakings governing its future conduct in its dealings with users in the USA.
In this jurisdiction, these matters would fall under the regulatory jurisdiction of the Information Commissioner, but it appears that there has been no regulatory action taken here. The Safari Workaround has however been the subject of high profile civil litigation against Google in this jurisdiction. In June 2013, Judith Vidal-Hall and two others issued claims against Google claiming damages on the basis that by obtaining and using information about their internet usage via the Safari Workaround the company had misused their private information and/or committed a breach of confidence and breach of the DPA and caused them distress and anxiety.
Permission to serve outside the jurisdiction was granted. The case then came before Tugendhat J. By a judgment delivered in January 2014 he set aside service of the proceedings in relation to breach of confidence, but declined to do so in relation to the claims in misuse and under the DPA: Vidal-Hall v Google Inc [2014] EWHC 13 (QB) [2014] 1 WLR 4155. An appeal by Google was dismissed by the Court of Appeal on 27 March 2015: Vidal-Hall v Google Inc (Information Commissioner intervening) [2015] EWCA Civ 311 [2016] QB 1003. The Supreme Court granted permission to appeal on one issue, but the claim settled before the appeal to the Supreme Court or any trial took place.
The nature and basis of the claims in Vidal-Hall were described by Tugendhat J at [22-25]. They were for compensation for distress suffered by the individual claimants when they learned that information about their “personal characteristics, interests, wishes or ambitions” had been used as the basis for advertisements targeted at them, or when they learned that, as a result of such targeted advertisements, such matters had in fact, or might well have, come to the knowledge of third parties who they had permitted to use their devices, or to view their screens. As Tugendhat J said at [25]: “What each of the claimants claims in the present case is that they have suffered acute distress and anxiety.” The details of the “personal characteristics, interests, wishes or ambitions” referred to were considered sensitive enough to be set out in Confidential Schedules to the claimants’ statements of case. So they are not public knowledge.
The Court of Appeal emphasised the serious nature of what was alleged. Dismissing a suggestion that the claims were too trivial to deserve a trial, the Court observed that the claims
“concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion on autonomy has caused.”
See [137] (Lord Dyson and Sharp LJ, with whom Macfarlane LJ agreed).
The present action
This action was started by a claim form issued on 31 May 2017. Mr Lloyd (“the Representative Claimant”) has had a long career in consumer protection, and was Executive Director of Which? between April 2011 and February 2016. The claim which he advances is set out in Particulars of Claim, which have gone through more than one version, due to some modifications in the definition of the Class.
The current definition of the Class, as set out in paragraph 6 of draft Amended Particulars of Claim, is as follows:-
“… all individuals who:
(a) at any date between 9 August 2011 and 15 February 2012 whilst they were present in England and Wales:
(i) had an “Apple ID”; and
(ii) owned or were in lawful possession of an iPhone 3G or subsequent model running iOS version 4.2.1 or later; and
(iii) used the Apple Safari internet browser version 5.0 or later on that iPhone to access a website that was participating in Google’s DoubleClick advertising service; and
(iv) did not change the default security settings in the Apple Safari internet browser and did not opt-out of tracking and collation via the Defendant’s “Ads Preference Manager”; and
(v) did not obtain a DoubleClick Ad cookie via a “first party” request made by their Safari browser of DoubleClick’s server; and
(b) are resident in England and Wales at the date of issue or such other domicile date as the Court may order; and
(c) are not a Judge of the Supreme Court, a Judge of the High Court (as defined in s. 4 of the Senior Courts Act 1981) or a Master of the Queen’s Bench Division, who held office on or after 31 May 2017.”
This last sub-paragraph has been inserted to exclude those who might deal with this case, to ensure that none of us are judges in our own cause, and disqualified by having an interest in the issue.
In paragraphs 1 and 2 of the Particulars of Claim, the claim is described as relating to Google’s “collection and use of the personal data of the Representative Claimant and those whom he represents …”. The claim is said to “arise from the secret tracking and collation by [Google] of information as to their internet usage” during the Relevant Period. This activity is defined as “the Tracking and Collation”. In paragraph 3 of the Particulars of Claim, the facts of the claim are summarised in this way:
“The Tracking and Collation was carried out without the knowledge or consent of the Claimant Class, was contrary to [Google’s] publicly stated policy that such activity could not be conducted in relation to Apple Safari users unless they had actively chosen to allow this to happen, and was in breach of [Google’s] duties under the [DPA]. The information obtained by [Google] as a result of the Tracking and Collation was aggregated and sold to advertisers, making [Google] a very substantial profit.”
The Particulars then set out details of the parties, and give an account of the technical terminology, and the background. In paragraphs 35 to 38, the basis on which the claim is brought is explained, by reference to the DPA. The allegations are of processing of personal data in breach of the statutory duty imposed by DPA s 4(4).
Paragraphs 39 to 43 deal with the topic of “Damages”. It is alleged that:
“The Representative Claimant and each member of the … Class suffered damage by reason of [Google’s] contraventions of the DPA [and] are therefore entitled to compensation pursuant to s 13(1) of the DPA.”
Paragraph 40 identifies three bases for, or categories of, damage. The allegation is that the Representative Claimant and each member of the Class is entitled to damages “for [1] the infringement of their data protection rights, … [2] the commission of the wrong and [3] loss of control over personal data” (I have added the numbering). No material loss or damage is alleged. Nor is there any allegation of distress, anxiety, embarrassment, nor any other individualised allegation of harm. The claimants’ primary case on damage and compensation is explained in paragraph 41:
“41. Such damages are sought on a uniform per capita basis, with the quantum reflecting the serious nature of the breach, in particular (but non-exhaustively):
(a) The lack of consent or knowledge of the Representative Claimant and each member of the Claimant Class to the Defendant’s collection and use of their personal data.
(b) The fact that such collection and use was contrary to the Defendant’s public statements.
(c) The fact that such collection and use was greatly to the commercial benefit of the Defendant.
(d) The fact that Defendant knew or ought to have known of the operation of the Safari Workaround from a very early stage during the Relevant Period. The Representative Claimant relies in support of this contention upon the fact that as a result of the operation of the Safari Workaround, the Defendant Tracked and Collated information regarding the internet usage of many millions of Safari users which could not have been Tracked and Collated but for its operation. In the circumstances it must have been apparent to the Defendant that the volume of information it was collecting from Safari users was substantially in excess of that which it would have expected to collect given the existence of the default security settings. It is to be inferred that the Defendant was at all material times in fact aware of the Safari Workaround or became aware of it during the Relevant Period but chose to do nothing about it until the effect of the Safari Workaround came into the public domain as a result of the investigations of an independent third party.”
Paragraph 42 of the Particulars advances an alternative case, that the Representative Claimant and each member of the Class “is entitled to damages on a ‘hypothetical release’ basis.” This is explained as follows:
“The Defendant used their personal data without their consent and in breach of the DPA. They are each entitled to be compensated for what they could reasonably have charged for releasing the Defendant from the duties which it breached. Such a hypothetically negotiated fee should be on a uniform per capita basis, reflecting the generalised standard terms (rather than individuated basis) on which the Defendant does business. The hypothetical fee should reflect in particular (but non-exhaustively) the Defendant’s anticipated profits. The Representative Claimant cannot give further information as to the amount of those profits until after disclosure.”
Paragraph 43 explains how the Representative Claimant proposes to deal with the totality of the “uniform per capita” damages, calculated on one or the other of the two bases relied on:
“Since the present proceedings are of a representative nature, damages are claimed on an aggregate basis with the management and distribution of such aggregate sum to be carried out in accordance with the directions of the Court.”
The present claim therefore resembles the claims in Vidal-Hall in some respects. It concerns the operation of the Safari Workaround, and its impact upon individuals in this jurisdiction. In other ways, however, this claim is clearly distinct from those in Vidal-Hall. This claim does not depend upon any identifiable individual characteristics of any of the claimants, or any individual experiences of or concerning the Safari Workaround. It is generic. It does not allege the disclosure, or possible disclosure, on any screen of any personal information. There is no allegation that any individual suffered any distress or anxiety, however slight. The claim is a representative action, whereas the Vidal-Hall claims were fact-specific individual claims. They were not “test cases”, or a representative action, or group litigation. Tugendhat J was at pains to point this out at [42], because there was evidence before him that “there are numerous other persons, some 170, who claim to have used Safari, who also claim, that as a result of the conduct complained of in this action, they have suffered damage similar to that suffered by the claimants.” Google points out that until this case there have in fact been no further claims for damages against Google in England and Wales in respect of the Safari Workaround.
Administration and funding of the claim
There is no dispute that the Representative Claimant is appropriately qualified to act in the interests of the represented Class. He does however have the benefit of an advisory committee which he may consult as he considers appropriate. The committee is comprised of the Rt Hon Sir Christopher Clarke, Christine Farnish, Martin Lewis, and Dominic McGonigal. Nobody suggests that this is an inappropriately or inadequately qualified group of advisors.
The Representative Claimant has retained specialists who have devised a plan, called a “Notice and Administration Plan”, which provides for the Class to be notified of any significant developments in the case; the administration of requests to withdraw from the claim; and proposals for each class member to make their claim, if the representative action succeeds. The advisers who have devised this plan are an international communications consultancy called Portland Communications; a provider of legal services and technology called Epiq Systems; and “class action notice experts” called Hilsoft Notifications.
The claim is being funded by Therium Litigation Funding IC (“Therium”), an investment vehicle associated with and advised by Therium Capital Management Limited. Therium has engaged to provide funding in up to three tranches, the first and second being of £5 million each, and the third of £5.5 million. This is aptly described as “a significant budget”, and there is no quarrel with the evidence of Mr Oldnall of Mishcon de Reya that it is “more than adequate to fund the claim through to judgment.” After the Event (“ATE”) insurance has been obtained, providing cover of up to £12 million in respect of any adverse costs order the Court may make. This appears to be a sound and proper insurance arrangement.
That insurance would not be needed if the claim succeeded, of course. In that event, the arrangement is that the funders would have first call on the damages awarded. The remainder would be distributed between the Representative Claimant and such other members of the Class who came forward and convincingly identified themselves as such. Recognising that this might result in a surplus of damages over self-identifying claimants, the proposal is that any such surplus might be applied cy-près, or alternatively returned to Google.
The legal framework
Service outside the jurisdiction
The normal procedure is for the claimant to apply to a Master or Judge without notice to the intended defendant. If permission is granted, a defendant that wishes to contest the court’s jurisdiction must make an application, on notice to the claimant, to set aside the grant of permission. That is the procedure adopted in Vidal-Hall. The decision of Tugendhat J was made upon Google’s application to set aside permission granted by Master Yoxall, and the service of the claim form consequent on that permission: see Vidal-Hall [10-11].
In the present case, by agreement, the procedure has been compressed. The claimant has applied to the Judge for permission, on notice to Google. In the unusual circumstances of this case, I agree that this is a sensible procedure to adopt, which will inevitably result in some saving of costs and time. The procedure does not, however, affect the burden of proof. As Mr Tomlinson accepts, the burden of establishing that the necessary criteria for service outside the jurisdiction are met lies on the claimant.
The principles governing the grant or refusal of permission are well-established. Summaries may be found in Altimo Holdings and Investment Ltd v Kyrgyz Mobil Tel Ltd [2011] UKPC 7 [2012] 1 WLR 1804 [71], VTB Capital Plc v Nutritek International Corp [2012] EWCA Civ 808 [2012] 2 Lloyd’s Rep 313 [99 – 101], and Vidal-Hall (CA) [7]. In short, a claimant must establish:
(1) that the claim has a reasonable prospect of success (CPR 6.37(1)(b));
(2) that there is a good arguable case that each claim advanced against the foreign defendant falls within at least one of the jurisdictional “gateways” in paragraph 3.1 of Practice Direction 6B;
(3) that England is clearly or distinctly the appropriate place to try the claim (CPR 6.37(3)).
A claim with a reasonable prospect of success is one that raises a substantial question of fact or law or both and has a real, as opposed to a fanciful, prospect of success.
The claimant must identify each candidate gateway, and satisfy the court that there is a good arguable case that the claim falls within that gateway. “Good arguable case” in this context means that the claimant has the better argument on the issue. But where a question of law arises in the context of a dispute about service out of the jurisdiction, which goes to the existence of the jurisdiction (e.g. whether a claim falls within one of the classes set out in paragraph 3.1 of Practice Direction 6B), then the court will normally decide the question of law, as opposed to seeing whether there is a good arguable case on that issue of law: VTB Capital (above) [99].
A number of “gateways” have been touched upon in the course of the application, but in the end the only one that requires consideration is the one provided for by PD6B 3.1(9). This empowers the Court to grant permission to serve proceedings out of the jurisdiction in respect of:
“A claim … in tort where –
(a) damage was sustained within the jurisdiction; or
(b) the damage sustained resulted from an act committed within the jurisdiction.”
When a claimant seeks permission to serve proceedings on a foreign defendant out of the jurisdiction, the task of the court is to identify the forum in which the case can be suitably tried for the interests of all the parties and for the ends of justice.
Relevant principles of data protection law
The case for the Representative Claimant is that Google was a data controller within the meaning of the DPA, in respect of the personal data it obtained by means of the Safari Workaround. Google is alleged to have dealt with those data in breach of the statutory duty imposed on data controllers by DPA s 4(4), “… to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.” The claim alleges non-compliance with the first, second and seventh data protection principles:
“1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
…
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Section 13 of the DPA provides, so far as relevant:
“13. Compensation for failure to comply with certain requirements
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”
At one time it was thought that the term “damage” in this sub-section referred only to material or financial loss, and did not extend to distress (see Johnson v Medical Defence Union Ltd (No 2) [2007] EWCA Civ 262 [2008] Bus LR 503). The main argument in favour of that narrow interpretation was that DPA s 13(2) provided that compensation was recoverable for distress, but only in limited circumstances: (a) where the claimant suffered not only distress but also “damage”, and (b) where the processing was for “the special purposes” (journalism, literature and art). This issue arose in Vidal-Hall, where the processing was not for the special purposes. The second main issue for decision by the Court of Appeal was “(ii) the meaning of damage in section 13 of the DPA, in particular, whether there can be a claim for compensation without pecuniary loss”: [13].
The Court of Appeal identified this as a question of law that went to the existence of the jurisdictional gateway so that, in accordance with the principles identified above, it should determine the issue rather than merely decide whether it was arguable: [15]. The Court held that the narrow interpretation of s 13(1) would be incompatible with Article 47 of the Charter of Fundamental Rights of the European Union (“the Charter”). Article 47 grants everyone a right to an effective remedy for the violation of the rights and freedoms guaranteed by the Charter, one of which (Article 8) is “the protection of personal data”. Hence, applying the principles laid down in the Benkharbouche case [2016] QB 347 [69—85], it was held that s 13(2) must be disapplied in its entirety, with the consequence that:
“… compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the 1998 Act.”
See [105]. The emphasis in this citation is mine. It reflects the use by the Court of Appeal of the precise wording of s 13(1) itself. That language, as the Court pointed out, was meant to implement the Data Protection Directive (95/46/EC). Relevant provisions of the Directive include recital (55) and Article 23, which provide as follows (emphasis added):
“(55) Whereas, … any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller …
…
23. Member States shall provide that any person who has suffered damage as a result of unlawful processing operation … is entitled to receive compensation from the controller for the damage suffered.”
Representative proceedings
The claim is brought in reliance on CPR 19.6, which is headed “Representative Parties with the Same Interest” and provides, so far as relevant, as follows:-
“(1) Where more than one person has the same interest in a claim –
(a) the claim may be begun; or
(b) the court may order that the claim be continued,
by or against one or more of the persons who have the same interest as representatives of any other persons who have that interest.
(2) The court may direct that a person may not act as a representative.
(3) Any party may apply to the court for an order under paragraph (2).
(4) Unless the court otherwise directs any judgment or order given in a claim in which a party is acting as a representative under this rule –
(a) is binding on all persons represented in the claim; but
(b) may only be enforced by or against a person who is not a party to the claim with the permission of the court.”
The wording makes clear that a representative action may be brought without first seeking the permission of the court. That contrasts with the position in respect of applications for a Group Litigation Order (“GLO”) under CPR 19.11. In the Queen’s Bench Division, an application for a GLO must be made to the Senior Master, and no GLO can be made without the consent of the President of the Queen’s Bench Division; similar arrangements apply in the Chancery Division, specialist lists, and the County Court: see PD19B, paras 3.3 and 3.5.
Once brought, however, a representative claim comes under the Court’s control. Rule 19.6(3) makes clear that a party may apply for a direction that a person may not act as a representative. There is as yet no application. But Mr Tomlinson has not argued, and I see no reason to suppose from the wording of the rule as a whole or its context, that the Court is only empowered to make such a direction upon application. The power under Rule 19.6(2) is not expressed to be confined in that way. It is set out separately from the right to apply, which is to be found in rule 19.6(3). Nor would it make sense or, indeed, be compatible with the overriding objective, to restrict the power. I conclude that in an appropriate case, the Court may act of its own initiative. Otherwise, the Court might find itself powerless to prevent the pursuit of a representative claim where (for example) the parties did not have “the same interest”.
Service outside the jurisdiction
It is convenient to address in reverse order the three requirements I have identified at [33] above.
Google does not concede, but nor does it dispute that, if this claim is fit to be pursued at all, England is the appropriate place to try it, and clearly and distinctly so. I consider that this requirement is met. The Class is confined to those who are residents of England and Wales or have been during the Relevant Period, and the claims are confined to the impact on members of the Class in this jurisdiction, or the impact on them of acts in this jurisdiction. This would appear to be the natural jurisdiction for the claims. The only obvious alternative jurisdiction(s) would be the home jurisdiction(s) of Google in the USA. Google has not identified any reason why the claims should be brought in any US jurisdiction. There is, in my judgment, every reason why any such a claim should be brought here and not in any other jurisdiction.
The real issue, so far as jurisdiction is concerned, is whether the claim falls within the “tort” gateway provided for by Part 6 Practice Direction B. As to that, there is no dispute or doubt that a claim for damages for breach of DPA s 4(4) is “a claim in tort” within the meaning of PD6B para 3.1(9). That much was established by the decision of Tugendhat J in Vidal-Hall, upheld by the Court of Appeal. Nor is there any issue as to the location at which the Safari Workaround operated so as to affect the Representative Claimant and at least some other members of the Class. The mechanism by which it operated was to place the DoubleClick Cookie on a user’s iPhone when connected to the internet using the Safari browser and, thereafter, to track usage and collect BGI by means of the DoubleClick Cookie. Those were the harmful events, for the purposes of this paragraph, it is said. The submission is that there is at least a good argument that each member of the Class was, for at least some of the Relevant Period, within the jurisdiction of this Court when he or she was affected in that way. On this basis, at least some of any damage that was sustained resulted from acts performed within this jurisdiction; and if there was damage, some at least of that damage was sustained here. Those submissions are sufficient for present purposes, I have no doubt. There might be an issue as to limitation, and Google has reserved its position on that question. But there is no suggestion that permission to serve out can or should be refused on that ground.
The real and substantial issue between the parties is whether the impact of the Safari Workaround on the Representative Claimant and the other Class members caused or counts as “damage” for the purposes of paragraph 3.1(9). Mr Tomlinson submits that in this context “damage” should be given its natural and ordinary meaning, namely “any damage which is properly characterised as such and recoverable in the context of the tort/wrong in question.” That is a submission accepted by Tugendhat J in Vidal-Hall at [74-75]. I agree, and I do not understand it to be disputed that this is an appropriate approach for the Court to take.
That, however, leaves open the question of whether the Representative Claimant has shown, or presented a good arguable case, that the conduct complained of did cause or involve anything that is properly characterised as “damage”, for which compensation is recoverable under the DPA. Google says that has not been done. The answer is not, or at least not obviously, provided by the Vidal-Hall decisions. There, Tugendhat J declined to decide the meaning of “damage” in DPA s 13, but held that it was sufficiently arguable that “the alleged damage, in the form of stress and anxiety, can amount to damage sufficiently serious to engage the claimants’ article 8 rights” and hence the DPA: [2014] 1 WLR 4180 [97-103]. The Court of Appeal concluded that it should go further and decide the meaning of “damage” in DPA s 13. But on the facts of the case before it, the Court did not need to, and did not, go further than to decide that the non-material damage asserted by the claimants, in the form of distress and anxiety, fell within the scope of that provision when interpreted in the light of the Charter. The Court of Appeal did not decide the validity of any of the three bases of claim on which the present claim is primarily founded ([23] above). Still less does its decision address the validity of the alternative basis of claim advanced by the present claimant ([24] above). No such argument was advanced in Vidal-Hall.
These are questions of law. I do not think it would be right merely to consider whether the Representative Claimant has the better of the argument on these questions, and leave a final decision until trial. It seems to me that, like the Court of Appeal, I should determine the questions. This would be consistent with the general rule in cases where the decision of whether to assume jurisdiction turns on a point of law. I see no good reason to step back from that approach here. I have had the benefit of extensive legal argument over several days. There is no need to determine any facts; indeed, it is of the essence of the claim that the Court would never need to reach any factual conclusions about the position of any individual claimant.
It follows from this conclusion that there is a substantial degree of overlap between the “gateway” question and the remaining requirement, that the claim should have reasonable prospects of success. The overlap is not complete because, in this case, the latter requirement encompasses two distinct issues. The first is whether the claim discloses any reasonable basis for seeking compensation under the DPA (“the DPA issue”). That depends on the questions of data protection law that I have just identified ([49] above). The second issue is separate and distinct. It arises only if the DPA issue is resolved in favour of the claimant. The issue is whether there is a real prospect that the Court would permit the claim to continue as a representative action, pursuant to CPR 19.6 (“the representative action issue”).
Google submits that the Representative Claimant cannot satisfy the “same interest” requirement and/or a Court would conclude that the continuation of the claim under CPR 19.6 does not fulfil the overriding objective. Google maintains that this claim is a contrived and illegitimate attempt to shoe-horn a novel “opt-out class action” into the representative action procedure, in circumstances where Parliament has not considered it appropriate to make such a claim available; and that the claim is unnecessary in case management terms, unworkable in practice and disproportionately expensive.
I shall deal first with the DPA issue.
The DPA issue: does the claim disclose a basis for
seeking compensation under the DPA?
In my judgment it does not.
The issue is one of statutory construction. A reasonable starting point is the wording of DPA s 13(1). Giving that wording its natural and ordinary meaning, the statutory right to compensation arises if (a) there is a contravention of a requirement of the DPA and (b) as a result, the claimant suffers damage. The right is defined as a right to compensation “for that damage”. The infringement and the damage are thus presented as two separate events, connected by a causal link. These points do not hold good only for the language of DPA s 13(1), they are also true of the corresponding Article of the Directive: see the statutory wording at [39] and the words of Article 23 which are emphasised at [41] above. In this respect, the statute faithfully reflects the language of the parent instrument. Neither is apt to characterise the contravention itself as amounting to damage.
An interpretation of these provisions which requires proof not only of a contravention but also of consequent damage is also one that makes sense. It presupposes that some contraventions of the DPA will not result in damage, or call for a compensatory remedy. That is a realistic approach. For example, a data controller may record and hold personal data which are inaccurate (for instance by recording information communicated to the data controller by a third party), but may neither disclose nor use those data. Without more, it would seem artificial (and, as Mr White has argued, unduly burdensome on the data controller) to regard such conduct as having caused damage to the data subject. Even if the data controller had no justification for its conduct, and was thus in breach of duty, the remedy which the law requires does not have to be the remedy of compensation, if no consequences followed from the breach. The Directive and the DPA afford a data subject in this situation a range of other remedies, including the remedies of rectification, blocking, and erasure of inaccurate data and of any opinions based upon them: DPA s 14 and Article 12(b) of the Directive. Similar reasoning can be applied to other categories of contravention, such as holding – but not disclosing, or using, or consulting – personal data which are irrelevant, or holding them for too long, in breach of the third and fifth data protection principles, or failing – without consequences – to take adequate security measures, in breach of the seventh principle. In a case of the present kind, proceedings might be brought at an appropriate time for injunctions or declaratory remedies or both.
In Vidal-Hall, the Court of Appeal concluded that the Charter requires the remedy of compensation where distress has been suffered as a result of a breach of duty. It cannot realistically be said that the same is true where the breach of duty has caused neither material loss nor emotional harm, and has had no other consequences for the data subject. And it is not suggested by the Representative Claimant that the Charter requires a departure from the interpretation of DPA s 13 and Article 23 of the Directive that I have set out. Mr Tomlinson, for the Representative Claimant, has not cited any Luxembourg jurisprudence, nor any domestic authority, to that effect. Indeed, the claimants’ pleaded case reflects the wording of the statute and the Directive; it is that the claimants have “suffered damage by reason of [Google’s] contraventions of the DPA” ([22] above).
The pleaded contraventions are breaches of the statutory duty imposed by s 4(4), by tracking, collation, aggregation, and sale of personal data without consent. The pleaded case as to the damage suffered “by reason of” that conduct ([23] above) states what the compensation should be for, but categories [1] and [2] are not descriptions of damage; rather, they are two apparently indistinguishable descriptions of the tort. To that extent, the pleaded case appears circular: it asserts that the commission of the tort has caused compensatable damage, consisting of the commission of the tort. Similar considerations apply to category [3]. To say simply that A has “lost control” over his or her personal data is not obviously different from saying that B has acquired and used the data without A’s consent.
Of course, a loss of control over personal data can be significant, and may have significantly harmful consequences. Vidal-Hall is an example. The focus in that case was on the significant distress caused to the claimants by the delivery to their screens of unwanted advertising material. The inference I draw is that the nature of that material was a significant element in the case. But the delivery of unwanted commercial communications can be upsetting in other ways, and persistence in such conduct may arguably be so distressing as to justify proceedings for harassment, even if the content of the communications is inherently innocuous: see Ferguson v British Gas Trading Inc. [2009] EWCA Civ 46 [2010] 1 WLR 785. It might be said, in an individual case, that the use of personal data to enable the repeated or bulk delivery to a person of unwanted communications infringes the person’s right to respect for their autonomy, in a way which counts as damage for the purpose of DPA s 13, even if the content of the messages is innocuous. A person who objected to receiving such material might say that its delivery caused irritation and/or that in any event it represented a material interference with their freedom of choice over how to lead their life. That, however, is not the case advanced by this Representative Claimant.
It has been said in argument that the result of the collection, collation, aggregation and sale of the data obtained via the Safari Workaround was that individuals in the Class (as well as others) received advertising that was targeted by reference to their interests and preferences, as inferred from the personal data that was processed in those ways, when they would otherwise have received advertising that was not so targeted. But the Particulars of Claim do not contain any complaint that this amounts to damage. They are framed in the way that I have set out. The allegations of damage are confined to the three categories I have numbered at [23] above.
I have not been shown any European authority to support the view that any of those three categories contains a description of something that, of itself, counts as “damage” for this purpose. What little authority there is concerns Directive 90/134. It tends to suggest that “damage” has been extended in various contexts to cover “non-material damage” but only on the proviso that “genuine quantifiable damage has occurred”: see Leitner v TUI Deutschland GmbH & Co KG (Case-168/00) [2002] All ER (EC) 561 [AG38]. In Vidal-Hall the Court of Appeal considered it “instructive” to consider this case, as an indication of how the concept of “damage” had been interpreted in other European legislation.
However, Mr Tomlinson invites me to resist that approach. He founds his argument instead on domestic authority on damages for the tort of misuse of private information, and for the wrongful use of property. He relies on two principal authorities, submitting as follows:-
(1) In Gulati v MGN Ltd [2015] EWHC 1482 (Ch) [2016] FSR 12, Mann J rejected an argument that Vidal-Hall showed that in data protection and (by extension) privacy cases the only relevant head of general damages was for distress. The Judge held that damages could be awarded for the “infringement of the right” (see [132-137]), and assessed damages on the basis that compensation could be given for the “commission of the wrong itself” ([144]). This conclusion was upheld on appeal ([2017] QB 149), where Arden LJ held at [45-48] that a claimant was entitled to compensation for “loss of control” by the use of private information. This approach can properly be applied to damages under s 13, and to the facts of this case, in which each member of the Class has “lost control” over their personal data. The Court can determine an appropriate sum to compensate each such member for this infringement of their rights. There is no need for an individual to have known of the relevant breach or to have suffered distress as a result.
(2) Alternatively, damages can be awarded by applying the established principle that a person who has wrongfully used another’s property without causing pecuniary loss may be liable for more than nominal damages, being liable to pay a reasonable sum (“user damages”) for the wrongful use of that property: Stoke-on-Trent City Council v W & J Wass Ltd [1988] 1 WLR 1406, 1416. It is submitted that such an award can also be made in cases of breach of statutory duty affecting the person.
It might be thought that this overall approach is flawed. The term “damage” in DPA s 13 must be interpreted and applied in conformity with the language of the section and the provisions of the parent Directive. In general, the Court would give the term “damage” in the Directive an autonomous interpretation, that does not depend upon the content of individual national laws. If domestic authority in respect of different torts affords a compensatory remedy for things that would not count as “damage” on this footing, it is hard to see how that can assist the Representative Claimant. But it is not necessary to decide this point.
Damages for infringement of rights
Gulati was concerned with the appropriate compensation for numerous claimants whose personal information had been acquired and disclosed or used by the defendant, MGN Limited, as a result of hacking of their voicemail. Mann J awarded substantial damages to the claimants.
The first point to make about the case is one that Mann J himself made at [141]: the claims in Gulati were in the tort of misuse of private information, which is separate and distinct from the tort of breach of statutory duty that is created by s 4(4) of the DPA. Thus, when the defence argued, in reliance on Vidal-Hall, that damages were not recoverable in the absence of distress, Mann J said that he did not find that case helpful on the point as “The case concerned the specific drafting of the DPA and what it provided by way of compensatable loss… the case was particular to the relevant legislation and claims made in their own circumstances.” It is true that the two torts have a common source, in the form of Article 8 of the Convention, but that does not compel a conclusion that they are coterminous.
In any event, I do not read Gulati as authority for a rule or principle that substantial damages are invariably recoverable and must always be awarded for misuse of private information, just because the tort has been committed, and regardless of the nature of the wrong and its impact on the individual claimant. Mann J and the Court of Appeal rejected the argument advanced by the defendants, that distress was an essential component of the tort. But neither held that damages must be awarded for the infringement of the right, in and of itself. Certainly, that is not how I read the Court of Appeal decision.
What Mann J said at [144] was this (emphasis added):
“I shall therefore approach quantum on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself, so far as that commission impacts on the values protected by the right.”
It is clear law that the Court cannot make an award of “vindicatory” damages, merely to mark the commission of the wrong; this is wrong in principle: see R (Lumba) v Secretary of State for the Home Department [2012] 1 AC 245 [97-100]. The point has since been reiterated, and built upon, by the Court of Appeal. In Shaw v Kovac [2017] EWCA Civ 1028 [2017] 1 WLR 4773, the Court rejected an invitation to approve the award of a conventional sum by way of damages for loss of autonomy, where a surgical operation was conducted without informed consent, holding that to do so would be contrary to legal authority and principle. An element in the Court’s reasoning was the “disconcerting implications” given that “most torts can be said to involve a ‘loss of autonomy'”: [81] (Davis LJ). The Court was unable to identify “just what it is that the claimant’s proposed award is required to compensate”, over and above the established heads of loss: [68]. It was thus unable to distinguish between this proposed head of damages and the prohibited category of vindicatory damages: [84].
In Gulati, both Mann J and, in the Court of Appeal, Arden LJ (with whom the other members of the Court agreed) took care to distinguish the awards they made or approved from a merely vindicatory award. Shaw was not cited to either court. It was not decided until many months after the Court of Appeal decision in Gulati. But I do not believe that in Gulati either Court considered that what it was doing was making a “conventional award” for loss of autonomy as such. Arden LJ made clear in terms that the awards were “to compensate”. She identified “the essential principle” at [45]: “… by misusing their private information, MGN deprived the claimants of their right to control the use of private information”. She then illustrated the point by reference to the facts of three “obvious example[s]”. In one, “hacking pre-empted disclosure of the decision of one claimant” to leave a well-known television show. In the second “a newspaper published confidential information that the claimant had taken legal advice on a possible divorce”. The third case involved disclosure of an otherwise secret wedding venue. Arden LJ said that the claimants “are entitled to be compensated for that loss of control of information” (my emphasis). At [47], she drew an analogy with loss of liberty. At [48], she identified the damages awarded as “compensation for the loss or diminution of the right to control formerly private information and for the distress that the claimants could justifiably have felt …”
In my judgment, the Court of Appeal’s decision in Gulati is not to be read as approving the award of substantial damages for the abstract fact that a person has had their personal information misused. The essential features of Gulati can be summarised, for present purposes, in this way. The case holds that (1) damages can be awarded for misuse of private information even in the absence of material loss or distress; and (2) in the factual circumstances of the cases before the Court, the defendants’ conduct had adversely affected the claimants’ ability to exercise control over information about themselves, and thus the value of their right to exercise such control, in a way and to an extent which was significant or material, and deserving of substantial (as opposed to nominal) compensation for misuse of private information.
The facts of Gulati were exceptional, as Arden LJ observed at [106]. Plainly, the information in the examples she gave was significant personal information. The right to choose how, when, and to whom that information was used or disclosed was a valuable right, in the sense that it was of value to the individual. It is easy to see the defendants’ conduct as having a real and appreciable impact on the claimants in question, which deprived them of all or most of the value of that right. The disclosures were unwarranted, unwanted, and significant in nature and scale, exposing private information to publicity and/or limiting the choices available to the claimants in ways that appear to have been important to them. Nothing comparable is alleged here.
In oral argument, Mr Tomlinson relied on one case, decided before Vidal-Hall, in which the Court of Appeal gave consideration to damages for breach of DPA s 13, but I did not find the case of any real assistance. In Halliday v Creation Consumer Finance Ltd [2013] EWCA Civ 333 [2013] 3 CMLR 4 the appellant had established that breaches of the DPA caused some damage to his credit and reputation, but because this could not be quantified only nominal damages were awarded. The Court below had taken the view that no “damage” had been established within the meaning of DPA s 13(1) and hence declined to hear evidence on the issue of damages for distress under s 13(2). The main issue on appeal was to have been whether this was correct. But that fell away when the respondent conceded that “damage” had been proved: [3]. What the Court then had to do was to assess the nominal damages, and decide what if any compensation was recoverable for distress under s 13(2). Nominal damages were assessed at £1, and damages of £750 were awarded for the frustration which the Court was prepared to infer the claimant had experienced as a result of non-compliance. The case does not assist the Representative Claimant in this action, which is not a claim for nominal damages, or for compensation for distress.
Mr White makes two striking points about the consequences, if the case for the Representative Claimant in this action were accepted. First, the tort of misuse of private information contains built-in safeguards against claims for damages in respect of trivial or insignificant interferences with a protected interest. There is a threshold requirement: in order to be actionable, an interference must attain a certain level of seriousness (McKennitt v Ash [2008] QB 73 [12], Ambrosiadou v Coward [2011] EMLR 21 [28]–[30]). And the process of deciding a misuse case will always involve a balancing exercise, including an assessment of the proportionality of the interference with free speech which success for the claimant would involve. But if the Representative Claimant is correct, a right to compensation would flow from any breach of any requirement of the DPA, or at least from any breach of s 4(4), however trivial. Secondly, Mr White points out that the authorities hold that the right to compensation for distress pursuant to s 13 DPA is also subject to a threshold of seriousness, and the de minimis principle: Vidal-Hall (CA) [82], TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) [15] (Mitting J). Yet on the Representative Claimant’s case, a claim which failed these tests would still yield an award, to reflect the “infringement of the right”, the commission of the tort and/or the loss of control involved.
These considerations reinforce my conclusion. I do not believe that the authorities show that a person whose information has been acquired or used without consent invariably suffers compensatable harm, either by virtue of the wrong itself, or the interference with autonomy that it involves. Not everything that happens to a person without their prior consent causes significant or any distress. Not all such events are even objectionable, or unwelcome. Some people enjoy a surprise party. Not everybody objects to every non-consensual disclosure or use of private information about them. Lasting relationships can be formed on the basis of contact first made via a phone number disclosed by a mutual friend, without asking first. Some are quite happy to have their personal information collected online, and to receive advertising or marketing or other information as a result. Others are indifferent. Neither category suffers from “loss of control” in the same way as someone who objects to such use of their information, and neither in my judgment suffers any, or any material, diminution in the value of their right to control the use of their information. Both classes would have consented if asked. In short, the question of whether or not damage has been sustained by an individual as a result of the non-consensual use of personal data about them must depend on the facts of the case. The bare facts pleaded in this case, which are in no way individualised, do not in my judgment assert any case of harm to the value of any claimant’s right of autonomy that amounts to “damage” within the meaning of DPA s 13.
“Censure”
It might be said that in a case involving breaches of duty of the nature and on the scale alleged here, there should be consequences for the perpetrator. That, indeed, is said in the evidence for the Representative Claimant. The Representative Claimant’s solicitor, Mr Oldnall, says in paragraph 31 of his first statement that “This is a claim where the Defendant’s breaches are serious and where censure of those breaches is merited.” But the word used in DPA s 13 is “compensation”. Censure is the role of the regulator, or the criminal law. There have been regulatory responses to the breaches, which have resulted in consequences for Google. If those responses are perceived to be inadequate, I do not believe the remedy is to fashion a means of imposing a further penalty by bringing a class action for compensation, based on an artificial notion of “damage”.
User damages
There is one obvious obstacle to this alternative claim: it is contrary to authority. The argument that compensation under s 13 could be recovered on this basis was advanced in Murray v Express Newspapers [2007] EWHC 1908 (Ch) [2007] EMLR 22, but emphatically rejected by Patten J. The claimant, the infant son of J K Rowling, had been photographed without parental consent when out in Edinburgh in his pushchair. A claim for damages was brought, alleging misuse of private information and breach of duty under the DPA. The defence applied to strike out, arguing (among other things) that the DPA claim must fail, in the absence of pecuniary loss or distress. The claimant sought to meet this argument by submitting that the court should award DPA compensation “calculated by reference to the market value of the data which has been misused”: see [90]. Like the argument before me, the argument for young David Murray relied upon Wrotham Park Estate Co Ltd v Parkside Homes Ltd [1974] 1 WLR 798 (where damages were awarded in lieu of an injunction to enforce equitable rights). The Judge identified the underlying principle as “compensating the claimant for his loss of bargaining opportunity or the compulsory acquisition by the claimant of his rights”: see Attorney-General v Blake [2001] 1 AC 268, 281G (Lord Nicholls). Striking out the claim, Patten J said this at [92]:
“It seems to me that these principles have no application in this case. They depend upon an analogy with property rights and the court’s power to enforce the terms of the contract. The Data Protection Act does not purport to give the data subject any property in his personal data but merely regulates the way in which it can be processed. Section 13 entitles him to compensation for pecuniary damage and distress suffered as a result of a contravention of the Act. I think that [Counsel for the defendant] is right in his submission that this does not give him a cause of action based upon a misuse of data which does not actually cause him to suffer damage or distress but rather allows the data controller to profit from his use of the material. The claim is one for breach of statutory duty and I am not aware of any authority in which damages have been assessed on this rather than the more normal basis of direct pecuniary loss suffered by the claimant himself.”
Other authorities on the ambit of user damages (also known as restitutionary damages) bolster the view that this is not a basis on which a DPA claimant can recover compensation, and certainly not an apposite basis for these members of the Class. In Douglas v Hello! Ltd [2005] EWCA 595 [2006] QB 125, the Court of Appeal identified at [246] some “obvious problems” with assessing damages for breach of confidence involving private information on a “notional licence fee” basis. The first was that “the whole basis” of the claim “is upset and affront at invasion of privacy, not loss of the opportunity to earn money”. Secondly, there was the “unreality of the fictional negotiation in this case”, which was “palpable” because the claimants would never have agreed to the publication for which the fee was hypothetically to be paid. A further reason, though not in itself sufficient, was “the difficulty of assessing a fee”: [248].
All these considerations are pertinent in the present case. The claim is put on the basis that the gist of the wrong is a “loss of control” over information – control which the members of the Class would not willingly have given up. It is hard, if not impossible, to envisage the bargain which this approach requires the court to hypothesise. It would not, indeed could not, be an individualised affair. It could only be a process by which each individual was given the chance to opt in to the use of his or her personal data on standard terms set by Google. Such bargains do of course take place, millions of them, every day. But they do not involve the offer or payment of any money. On the contrary, the implicit bargain is that if the consumer consents to the acquisition and use of their personal data in the ways set out in the “privacy notice” or “cookie notice”, the consumer will receive something else of value, in the form of targeted or filtered communications, more likely to be of interest to the consumer than if consent was withheld. The only alternative on offer is the refusal of consent.
In One Step (Support) Ltd v Morris-Garner [2018] UKSC 20 [2018] 2 WLR 1353, the recovery of damages assessed by reference to a notional licence fee was considered by the Supreme Court in the context of damages for breach of restrictive covenants not to compete, solicit clients or use confidential information. The Court held that there were circumstances in which damages could be awarded for harm to “the economic value of the right which had been breached, considered as an asset”. The fact that the claimants would not in fact have “sold” the right to compete did not deter the Court from approving such an award in that case, because the test is objective. But the Court emphasised that, whilst the categories are not necessarily closed, the circumstances are tightly circumscribed. At [75], the Court referred to the problem of artificiality. Approving the judgment of Leggatt J in Marathon Asset Management LLP v Seddon [2017] ICR 791 [235], the Court held that:
“the premise of the hypothetical negotiation – that a reasonable person in the claimant’s position would have been willing to release the defendant from the obligation in return for a fee – breaks down in a situation where any reasonable person in the claimant’s position would have been unwilling to grant a release.”
That does not quite represent the position in the present case. Here, some reasonable people in the position of some Class members (and some members of the Class) would no doubt have been unwilling to grant a release, wanting to guard their personal data. It can properly be inferred that other reasonable people (and some other members of the Class) would have been willing to grant a release, and to permit the use of their personal data, on the terms offered by Google, in return for nothing more than the central promise in fact available: to use of those data to support the delivery of targeted sales and marketing communications. Other reasonable people (and other members of the Class) might have been willing to release their personal data but only for something more, in the form of a fee. For the reasons I have given, it seems to me to be wholly artificial to envisage a bargaining process involving such individuals. The only option realistically open to them would be to refuse consent. But if that is wrong, then it is not possible to envisage the same negotiation in the case of every claimant. Their personal characteristics and attitudes to data disclosure will inevitably differ. The extent to which they would be willing to consent, and their readiness to accept any given sum of money in return, will vary. The value of their consent to Google will also be variable.
Mr Tomlinson points to McGregor on Damages (20th edition para 14-031), where the author identifies Gulati as a case where the award “might be explained as restitutionary damages but in which courts nevertheless jump through difficult verbal hoops to give some other explanation for the award”. McGregor argues that in Gulati damages for a “lost right of control” were awarded “independently of any consequence suffered by the claimant”. The author does not seek to defend an award on that basis, but suggests the award can be justified on the basis that the defendant “helped itself” to the information of others, and treated it as its own, and the claimant was entitled to recover according to the value obtained. This is not how the awards were explained by the Court in Gulati at first instance, or on appeal. As will be apparent, I do not agree with the analysis. Mr Tomlinson submits that the McGregor analysis may be “simply another way to analyse the recovery of damages under the first head relied on.” I disagree. The two bases of recovery are separate and distinct. In my judgment, neither can be relied on.
The representative action issue: is there a real prospect that the court would allow the continuation of representative proceedings?
If I am right about the DPA issue, this question does not arise. But it was fully argued, and this matter might go further. There is also an inter-relationship between the two issues. So, without attempting to address every point that has been argued, I will set out and explain my main conclusions, and the principal reasons for them. The conclusions are, in summary, that:
(1) The essential requirements for a representative action are absent. The Representative Claimant and the Class do not all have the “same interest” within the meaning of CPR 19.6(1).
(2) Even if the Class is appropriately defined, there are insuperable practical difficulties in ascertaining whether any given individual is a member of the Class.
(3) Further and alternatively, the Court’s discretion would in any event be exercised against the continuation of the action as a representative action.
“Same interest”
The procedural rule is clear: a representative action may only be started, and the court may only order that a claim be continued as a representative action, if the representative party and those whom that party represents, have “the same interest in” the claim. This is a “threshold point which must be established” by reference to the facts ascertained or assumed at the relevant time: Millharbour Management Ltd v Weston Homes Ltd [2011] 3 All ER 1027 [22(1)] (Akenhead J). The requirement is “fundamental”: Emerald Supplies Ltd v British Airways plc. [2011] Ch 345 [62]. The rule is “non-bendable”: In re X (Court of Protection: Deprivation of Liberty) [2016] 1 WLR 227 [124] (Black LJ).
It is necessary, therefore, to determine what counts as “the same interest” for this purpose, and to apply the relevant law to the facts and circumstances of the present claims, as they presently appear.
The rule dates from the procedural regime introduced by the Supreme Court of Judicature Act 1873. Its origins lie further back, in the procedures of the Court of Chancery. There is a considerable accretion of authority around its exercise. Changes in the wording of the rule do not appear to be material. Mr Tomlinson invites me to regard the rule as a “flexible tool”, to be construed and applied pragmatically in order to provide access to justice, so long as that can be achieved fairly. He emphasises some of the summary descriptions to be found in the authorities: “a simple rule resting merely upon convenience” (Duke of Bedford v Ellis [1901] AC 1, 10 (Lord Macnaghten)) and a “flexible tool of convenience in the administration of justice” (John v Rees [1970] Ch 345, 370E-F (Megarry J) which “ought to be applied to the exigencies of modern life as occasion requires” (Taff Vale Railway Co v Amalgamated Society of Railway Servants [1901] AC 426, 443 (Lord Lindley)). Mr Tomlinson makes four central submissions:
(1) Persons have the “same interest” if they have a common interest and a common grievance.
(2) Persons may have the same interest in a claim even if there are disagreements between them and even if the quantum of damages that they have suffered is different.
(3) A representative claimant may represent a class, even if the members of that class have been affected by the defendant’s actions in different ways.
(4) There is no limit to the number of persons that can be within the class to be represented.
The first three of these propositions give rise to dispute. Google submits that the existence of a common grievance against the same defendant is not enough to satisfy the “same interest” condition. In particular, where the defendant is alleged to have damaged individual rights and interests, the representative action will be unavailable unless every member of the class has suffered the same damage (or their share of a readily ascertainable aggregate amount is clear). Further, and in any event, the procedure will be unavailable where different potential defences are available in respect of claims by different members of the class. I accept Google’s submissions, and in my judgment these principles apply to the facts of this case, so as to disqualify this claim.
At one time it was thought that a representative action for damages was not permissible at all, because damages have to be proved separately in the case of each plaintiff. A long line of authority stands for this proposition: see Markt & Co. Ltd. v Knight Steamship Co. Ltd. [1910] 2 KB 1021, 1039-1041 (Fletcher Moulton LJ), David Jones v Cory Bros & Co Ltd [1921] 56 LJ 302, Prudential Assurance Co Ltd v Newman Industries Ltd [1981] 1 Ch 229, 251-253, 255A, 256B, 256B. It has however been recognised that this rule has exceptions or limitations. In specific circumstances representative claims for damages can be permitted. Such claims have been allowed in cases of copyright piracy (EMI v Riley [1981] 1 WLR 923, Independiente Ltd v Music Trading On-Line (HK) Ltd [2003] EWHC 470 (Ch)) but on the basis that the members of the Class had all transferred their rights to pecuniary remedies to the representative claimant: see Riley 925D-E, Independiente at [28]. In Irish Shipping Ltd v Commercial Union Assurance Co. Plc (“The Irish Rowan”) [1991] 2 QB 206 the Court of Appeal approved a claim against representative defendants. I accept Mr White’s analysis of this case, that the claim in that case was allowed to proceed on the basis that the Court could ascertain the total amount recoverable against the class as a whole, and the extent to which each class member was bound to participate: see eg pp231G-232A.
Subsequent authorities have adhered to the main principle, demonstrating that these conditions are not met, and the represented parties do not have the “same interest”, where the defendant has an answer to some but not all of the claims, or where the wrong in question is not actionable without proof of damage, and it cannot be said that the injury sustained is uniform. In Emerald Supplies Ltd v British Airways plc [2010] EWCA Civ 284 [2011] Ch 345, the Court of Appeal upheld a decision of the Chancellor, Sir Andrew Morritt ([2009] EWHC 741 (Ch) [2010] Ch 48), striking out a representative action for breach of competition law, on the basis that the parties whom the claimants sought to represent did not all have the same interest. The Chancellor held that damage was a necessary ingredient of the cause of action, and since different represented parties would have suffered different levels of damages, the relief sought was not equally beneficial to all class members. Upholding that approach in the Court of Appeal, Mummery LJ added at [64] that the “same interest” requirement was not met if a defence was available to some but not all the claims. This decision was followed by Edwards-Stuart J in Rendlesham Estates plc. v Barr Ltd [2015] 1 WLR 3663, where he struck out a representative action claiming damages under the Defective Premises Act 1972, on behalf of 120 apartment owners. The claims raised common complaints against the same defendant. The Judge accepted (at [89]) that “where the effect of the defect was the same on everyone, there might be room for a representative claim”, but held that “those are not the facts of this case.” He concluded at [90] that “if damage is an ingredient of the cause of action a representative claim could not be maintained”. It seems to me indisputable that damage is an essential ingredient of a claim under DPA s 13.
In the present case, on the basis of what I have said about the DPA issue, the Class as defined in the draft Amended Particulars of Claim might include some for whom the consequences of the alleged breach do amount to “damage” within the meaning of DPA s 13; but the Class will also, inevitably, include some who have not suffered any such “damage”. The claim as pleaded fails to disclose a basis on which to advance a claim on behalf of the former group, because the necessary facts are not asserted. If they were, the claim could not be advanced as a representative claim on behalf of this Class, for two reasons. First, it is obvious that a representative action for damages cannot properly be brought on behalf of a class which is so defined as to include persons who have no cause of action, and thus no “interest” in the claim. Secondly, a representative action would not be legitimate because those claimants who had suffered “damage” would have different interests from one another, dependent on the individual facts of their cases.
Many of these considerations would apply even if (contrary to my view) compensation is recoverable by, and must be awarded to, anybody who is the “victim” of a breach of the statutory duty under s 4(4), and has suffered a “loss of control” over their personal data. In principle, the amount of compensation recoverable by any individual must still depend on the facts of that individual’s case. That is clearly the approach adopted by Mann J in Gulati. There was a “tariff” element in his quantification of damages; he took a starting point of £10,000 per year of “serious” levels of hacking: see [230]. But he made clear that this figure was intended to reflect a “common factor” in all the claimants’ cases, namely that “for a considerable period an individual’s voicemail, and those of associates, were listened to and the private lives exposed there were studied by at least one journalist and probably more, on a frequent, sometimes daily, basis.” The starting point was not the end point of the assessment process, which was tailored to the nature and extent of the wrongdoing in each claimant’s case.
In the present case, some affected individuals were “super users” – heavy internet users. They will have been “victims” of multiple breaches, with considerable amounts of BGI taken and used throughout the Relevant Period. Others will have engaged in very little internet activity. Different individuals will have had different kinds of information taken and used. No fewer than 17 categories of personal data are identified in the claim documents. The specified categories of data vary in their sensitivity, some of them being “sensitive personal data” within the meaning of the DPA, s 2 (such as sexuality, or ethnicity). The pleaded case is that Google was “able to and did obtain and collate personal data (including sensitive personal data) relating to each user”. But it is not credible that all the specified categories of data were obtained by Google from each represented claimant. Not all represented parties will have created BGI within every category. Google is likely to have a defence available, in principle, in respect of some of these allegations. Further, the nature and extent of the loss of control over personal information experienced will have varied. The results of the acquisition and use will also have varied according to the individual, and their attitudes towards the acquisition, disclosure and use of the information in question. The same is true, if damages are assessed on the user principle, as already discussed when dealing with the DPA issues. It would be unrealistic to suppose that the value to Google of each user’s BGI was the same.
In short, it cannot be supposed that the breach of duty or the impact of it was uniform across the entire Class membership; on the contrary, it is inevitably the case that the nature and extent of the breach and the impact it had on individual Class members will have varied greatly.
I do not believe the “tariff” strategy adopted on behalf of the Representative Claimant is a satisfactory answer to these difficulties. The argument advanced is that compensation can and should be awarded on the basis that “each member of the class has suffered the same damage as a result of Google’s infringement of the rights under the DPA”. The damage relied on for this purpose is the loss of control of their personal data or the hypothetical release fee. It is said that the appropriate compensation is the same for each individual. For the reasons given, I accept Mr White’s submission that this uniform approach fails to reflect the law or the reality. It is an artificial device. Further, if no claimant is to be over-compensated, the “tariff” must be set at the figure appropriate to the claimant who suffered the least “damage”. It seems to me that this would be at best a token sum, or alternatively a modest one. Other claimants, perhaps many, would consequently be under-compensated. This would be unprecedented and, it seems to me, unprincipled. To say of the parties represented as claimants in an action constituted in this way that they all have “the same interest” would be unreal. Indeed, many might have no interest (in the ordinary sense of the term) in being parties to the representative action. Some would not see the point of litigation over such modest sums. Others might claim to have suffered significant financial loss or distress as a result of the alleged tort; they would want to consider an individual claim for compensation reflecting the actual harm, à la Vidal-Hall. This is acknowledged in the Representative Claimant’s action plan, which provides for opt-outs in such circumstances.
Impossibility of identifying all Class members
Google’s evidence in response to the present application asserted that the original Class definition was faulty, because it included iPhone users who were unaffected by the matters complained of. In particular, some individuals within the Class as then defined will have had a DoubleClick Cookie before the Relevant Period (“Already Hads”); others will not have received the DoubleClick cookie (“Never Hads”). It is unnecessary to elaborate the explanation of these factors. The Representative Claimant has conceded the force of these points, and sought to re-define the Class as a result. Hence the revised definition set out in the draft Amended Particulars of Claim ([19] above). Google maintains, however, that the attempt to meet its objections is futile. It is an essential requirement of a representative action that the claimants must be identifiable in practice. The point was put this way by Mummery LJ in Emerald Supplies at [62]: “At all stages of the proceedings … it must be possible to say of any particular person whether or not they qualify for membership of the represented class of persons”. Here, Google contends that it is not possible to identify and exclude unaffected users. That submission appears to me to be supported by the evidence, and I accept it.
It is common ground that a proportion of iPhone users will have received a DoubleClick Cookie before the start of the Relevant Period. No such individual could properly participate in the aggregate compensation. Hence, an appropriate modification has been made to the Class definition. Similarly, it is an undisputed fact that a proportion of iPhone Safari browsers that interacted with websites that participated in the DoubleClick programme did not have the DoubleClick Cookie set on them by the time the Relevant Period expired. Again, the definition of the Class has been altered to reflect this. But the method of distribution proposed by the Representative Claimant relies on self-identification. It is envisaged that iPhone users will come forward to claim a share of the “pot”. The problem is one of verification. Absent a viable method of identifying and excluding individuals in this category, there is an obvious risk that compensation will go to persons who did not suffer damage on any view.
Mr Tomlinson’s argument is that Google are confusing and conflating two separate and distinct issues: definition and practicality. Mr Tomlinson submits that the point of principle is that the class boundaries must be conceptually clear, and that this requirement is satisfied: the revised definition is now unassailably appropriate. I am not convinced that this is right. It seems to me that in principle the Class definition must be both conceptually sound and workable. Mr Tomlinson submits that those acting for the Representative Claimant have devoted a lot of thought and work to dealing with the practical difficulties. Although he does not claim that they have a practical answer at the present time, there is a huge amount of data which can be analysed and which will enable them to determine “in many, perhaps all cases”, whether someone is within the class. It must be at least arguable, he submits, that the requirement is satisfied. I do not regard this somewhat Micawberite response as an adequate answer to the evidence and argument for Google.
Google’s estimate is that 74% of iPhone Safari browsers were “Already Hads” at the start of the Relevant Period. Those acting for the Representative Claimant propose a figure of 5%. As to “Never Hads”, the evidence suggests that between 9 and 40% of iPhone Safari users did not receive the Cookie within the Relevant Period. It is not necessary, even if it were possible, to resolve the disagreements. It is not possible to say that the numbers are insignificant. The root problem is that no methodology has been proposed to ensure that individuals are excluded who fall within this category, however many they are.
To take but one example, one sub-category of “Never Hads” would be those who changed the default settings on their browsers to reject all cookies. Hence provision (a)(iv) in the definition of the Class. No explanation has been offered of how, in practice, the Representative Claimant would be able to sift out such individuals from those who came forward to claim a share of the compensation “pot”. It would seem impossible to verify whether such a change had been made, during a six-month window that ended over six years ago. It is unclear how individuals could be expected reliably to remember whether they made such a change. There are two risks. A person might come forward honestly to claim compensation which was not in fact due. Or there might be abuse.
Discretion
The case for Google is put on the basis that the Court would inevitably exercise its discretion against the continued pursuit of this representative action. I agree, but for the reasons given above, I think I can deal with the matter more directly by exercising of my own initiative the discretion conferred by CPR 19.6(2).
This is a novel form of action, but everything was new once. Mr Tomlinson submits, and I accept, that in principle a person may sue in a representative capacity without the authority of those whom he represents, or any of them, provided the conditions in CPR 19.6 are met. That does not mean, however, that the Court must permit such an unauthorised action to continue, come what may. The authorities make clear that, where the threshold criteria are satisfied, the rule creates a flexible discretionary regime. The Court’s discretion must, however, be exercised in a principled way. As Sir Andrew Morritt C observed at first instance in Emerald Supplies at [38], CPR 19.6 “should be construed and applied with the overriding objective in mind.”.
Features of the overriding objective identified in CPR 1.1(2), which appear to me to be pertinent here, are “(b) saving expense (c) dealing with the case in ways which are proportionate (i) to the amount of money involved; (ii) to the importance of the case …” and “(e) allotting to it an appropriate share of the court’s resources, while taking into account the need to allot resources to other cases.” The nature and extent of the damage that may have been sustained, the quantum of the compensation recoverable by each individual, and the scale of the resources that would need to be devoted to the case, are all legitimate factors to take into account. So too is the extent to which the represented parties are in fact concerned about the issues which are the subject of the representative action.
It is not easy to estimate the quantum of the costs that this litigation would generate. It would be wrong to assume that the costs would be vast, but the costs figures given earlier in this judgment do give some indication of the worst case scenario, as envisaged by those acting for the Representative Claimant. A considerable amount of court time would undoubtedly be consumed. The damage sustained and the compensation recoverable by each represented individual are modest at best. The main beneficiaries of any award at the end of this litigation would be the funders and the lawyers, by a considerable margin. Even if the members of the Class have the “same interest” in the technical sense in which that term is used in CPR 19.6(1), it is a striking feature of the case that in the five or six years since the Safari Workaround was identified and publicised none of the million(s) of such individuals in this jurisdiction has demonstrated any interest in the common sense of the term, by coming forward to claim, or complain, or to identify himself or herself as a victim – other than Ms Vidal-Hall, and her co-claimants (if they fall within the Class), and Mr Lloyd.
As Sir Andrew Morritt VC observed in Emerald Supplies, (ibid), one of the main purposes of CPR 19.6 is “to provide a convenient means by which to avoid a large number of substantially similar actions”. Put another way, the rule affords a convenient case management tool. On the evidence before me, the present action would not serve that purpose. Rather the contrary. I agree with Mr Tomlinson’s submission, that the individual claims are not viable as stand-alone litigation, and a GLO is impracticable, so that this representative action is in practice the only way in which these claims can be pursued. I do not accept his argument that this favours the continued pursuit of the representative action. It would not be unfair to describe this as officious litigation, embarked upon on behalf of individuals who have not authorised it, and have shown no interest in seeking any remedy for, or even complaining about, the alleged breaches.
The Court has jurisdiction to strike out a claim on proportionality grounds (Jameel (Yousef) v Dow Jones & Co Inc [2005] EWCA Civ 75 [2005] QB 946) but it will be hesitant to do so, striving to find a proportionate means by which the claim can be pursued: Sullivan v Bristol Film Studios Ltd [2012] EWCA Civ 570. But I am not striking out a claim which the claimant wishes to pursue because the “game is not worth the candle”. My decision is that, if I am wrong about the DPA issue and the threshold requirements, the Representative Claimant should not be permitted to consume substantial resources in the pursuit of litigation on behalf of others who have little to gain from it, and have not authorised the pursuit of the claim, nor indicated any concern about the matters to be litigated.
The difficulties of ascertaining whether any given individual actually falls within the affected class are an additional factor in favour of that conclusion. As Sir Andrew Morritt VC said in the same paragraph of his judgment in Emerald Supplies,
“It is not convenient or conducive to justice that actions should be pursued on behalf of persons who cannot be identified before judgment in the action and perhaps not even then.”
Conclusions
In my judgment the facts alleged in the Particulars of Claim do not support the contention that the Representative Claimant or any of those whom he represents have suffered “damage” within the meaning of DPA s 13. If that was wrong, the Court would inevitably refuse to allow the claim to continue as a representative action because members of the Class do not have the “same interest” within the meaning of CPR 19.6(1) and/or it is impossible reliably to ascertain the members of the represented Class. Alternatively, permission to continue the action in this form would be and is refused as a matter of discretion. Accordingly, the Representative Claimant has failed to establish that the claim is one that arguably falls within PD6B 3.1(9), and has a real prospect of success, and permission to serve these proceedings on Google outside the jurisdiction is refused.
Data Protection Commission Cases Access
Request by Airbnb on the Basis of an Opinion Given in Confidence
We received a complaint in July 2016 from an individual (an Airbnb guest) concerning an access request which he had submitted to Airbnb. The essence of the complaint was that Airbnb had not provided the guest with a particular email about him which had been sent to Airbnb by the host of Airbnb accommodation which the guest had rented. That email related to a complaint by the host about the guest. In responding to the guest’s access request, Airbnb had withheld this email on the basis that it consisted of an expression of opinion given in confidence by the host.
Of relevance here was Section 4(4A)(a) of the Data Protection Acts 1988 and 2003 which allows for personal data which consists of an expression of opinion about the data subject by another person to be disclosed by the data controller to the data subject in response to an access request without the need to obtain the consent of the person who gave the opinion. Equally relevant was Section 4(4A)(b)(ii) of the Data Protection Acts 1988 and 2003 which provides for an exemption from the right of access to personal data where the personal data consists of the expression of an opinion about the data subject by another person which has been given in confidence or on the understanding that it could be treated as confidential.
We commenced an investigation which examined in particular whether the email in question from the host to the data controller, Airbnb, consisted of the expression of a confidential opinion by the host about the guest. We found that the content of the email in question was predominately factual in nature. While one element of the email comprised of an expression of opinion, there was no reference or indication in the email to an expectation on the part of the host that the contents of the email would be kept confidential or not disclosed by Airbnb to the guest. In fact, we noted that in another email directly from the host to the guest, the host had indicated to the guest that they had contacted the Airbnb about the guest.
While Airbnb was clearly trying to fairly balance the rights of the guest against the rights of the host in this case, it was our view based on our examination of the issues and communications involved that there was no evidence at all of an expectation or understanding by the host that their email about the guest would not be released to him. In those circumstances no exemption from the right of access applied under Section 4(4A)(b)(ii). Airbnb accepted our position and accordingly released the email in question to the guest. This allowed the complaint to be amicably resolved.
As this case demonstrates, before withholding personal data on the basis that it consists of the expression of an opinion given in confidence or on the understanding that it could be treated as confidential, a data controller must ensure that there is a solid basis for such an assertion. It is not enough for a data controller to simply assume that this was the case in the absence of any indication to this effect from the person who expressed the opinion.
Furthermore, the inclusion of an opinion which attracts this exemption does not mean that all other personal data which is contained within the same document is similarly exempt from the right of access. Rather, in the context of a full document of personal data, the data subject is entitled to access the personal data within it which is not an opinion given in confidence and the data controller may only redact the part or parts to which the exemption validly applies. Opinions about individuals in respect of which no expectation of confidentiality can be shown to apply, or indeed information which is simply confidential, are not exempt from an access request.
As outlined in our published guidance, an opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word “confidential” at the top of the page, for example, will not automatically render the data confidential. In considering the purported application of this exemption to a right of access, we will examine the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding of confidentiality.
Data Controller Obliged to Demonstrate Effort Made to Locate Data Within the Statutory 40 Day Period
We received a complaint from an individual concerning an access request which they had submitted to Meteor seeking a copy of their personal data and, in particular, the call recordings of calls which they had made to Meteor Customer Care for a particular period. Meteor responded initially to his request by stating that only 10% of calls to its Customer Care line are recorded and retained for 30 days and that there was no guarantee that his calls from the previous 30 days had been recorded. Meteor subsequently replied to the complainant’s access request definitively stating that there were no calls recorded and available in relation to the complainant.
We commenced an investigation of the complaint requesting information from Meteor in relation to the efforts it had undertaken to retrieve the call recordings which were the subject of the access request as well as information on the locations and/or business units to which enquiries were made in relation to the requester’s access request. Meteor supplied us with a printout showing the searches undertaken and it responded that that it did not hold any calls in relation to the complainant.
In this case the issue of compliance with the 40 days for responding to an access request under the Data Protection Acts 1988 and 2003 was at issue. The complainant had made a valid access request to Meteor by email dated 24 August 2015. Meteor had finally responded to the requester by email on 29 October 2015 with a substantive answer. This substantive response to the access request fell nearly four weeks outside the 40 day statutory period for responding. Furthermore, Meteor did not provide us with any evidence that it had commenced the search for the call recordings which the complainant had sought within that 40 day period but instead chose to rely on its policy that only 10 % of Customer Care line calls are recorded and simply assumed that the complainant’s calls had not been recorded.
Despite attempting to amicably resolve this complaint we were unable to do so and the data subject requested a formal decision from the Data Protection Commissioner. In her decision the Data Protection Commissioner concluded that Meteor had contravened the Data Protection Acts 1988 and 2003 by not responding to the complainant’s access request within the 40 day period as provided for under Section 4(1)(a).
This case demonstrates that a data controller must not approach a valid data access request on a simple assumption that it does not hold the personal data which is sought. Irrespective of the circumstances of the request, any policies employed or assumptions held by a data controller, it must take all steps necessary to establish in fact whether the requested data is, or is not, held by the data controller and to respond substantively to the access request within the 40 day statutory period. The right of access of a data subject is one of the cornerstones to the protection of an individual’s personal data and this right must not be stymied by the actions of data controllers, whether unintentional or otherwise.
Eircom Fails to Meet Statutory Timeframe for Processing Access Request
A staff member of Eircom submitted a complaint to this Office in relation to the alleged failure of Eircom to comply with an access request submitted by him to the company in September 2013. In his access request, he specifically requested a copy of a particular letter that was sent on a date in February 2013 to Eircom’s Chief Medical Officer.
We commenced the investigation of the complaint and we asked Eircom to respond to the access request without further delay. We were informed by Eircom that it had already provided the data subject with a copy of the letter that was the subject of his access request, and it subsequently provided us with a copy of its response to an access request. However, on further inspection of Eircom’s response to that access request, it was unclear to us that the response was in relation to the particular access request that was the subject of the current complaint as the response issued to the data subject prior to the date of his access request. We asked Eircom to review the matter. Eventually, on 2 May 2014, we received an email from Eircom enclosing a copy of the response of that date to the data subject’s access request of 22 September 2013, supplying a copy of the document that the data subject had sought access to.
The complainant asked for a formal decision of the Data Protection Commissioner on his complaint. In making his decision, the Commissioner formed the opinion that Eircom Limited contravened Section 4(1)(a) of the Data Protection Acts by failing to supply the data subject with a copy of his personal data in response to his access request submitted on 22 September 2013 within the statutory period of 40 days. This contravention occurred when Eircom Limited released a copy of the data subject’s personal data to him on 2 May 2014 – which was outside the statutory period of 40 days.
As outlined elsewhere in this annual report, over half of the complaints received by this Office in 2014 were made by data subjects who experienced difficulties in accessing their personal data. One common theme that emerges in many of these complaints is lateness on the part of the data controller in processing the access request. The Acts lay down a period of 40 days for compliance with an access request and if this is not met, as in the case outlined above, the data controller contravenes the Data Protection Acts. The Office of the Data Protection Commissioner is very concerned about the prevalence of this particular contravention. In some instances, the data controller fails to even acknowledge receipt of the access request within the 40-day period. This means that the requester has no idea whether their access request is being dealt with or ignored. There have been many instances where the data controller has taken no action whatsoever in terms of processing the access request until this Office commences an investigation on foot of receiving a complaint from the data subject. Clearly, that is an undesirable situation. Data subjects have a statutory right to access their personal data held by a data controller by the simple means of submitting an access request, and the data controller has a statutory obligation to comply with that request within 40 days. A data subject should not have to resort to the extra step of lodging a complaint with the Office of the Data Protection Commissioner in order to have their statutory right of access enforced. Unfortunately, as the complaint statistics reveal, far too many data subjects are experiencing barriers and access-denying tactics on the part of data controllers.
In the above case, the data subject’s right of access was severely delayed. There is no justification for such a lengthy delay in any circumstances. Such a delay is particularly unacceptable in a situation where the requester simply sought a copy of personal data contained in one relatively recently created letter and where the data controller is a large telecommunications company that is well aware of the Data Protection Acts and receives and processes subject access requests on a regular basis. Eircom is the subject of several data-protection complaints every year across a range of issues, many of which relate to access requests. The Office of the Data Protection Commissioner expects to see a marked improvement in that company’s data-protection performance in the near future, particularly in the context of processing subject access requests in a timely manner.
Patient Denied Right of Access by SouthDoc
We received a complaint in June 2014 from a firm of solicitors whose client had made an access request in May 2014 to the Practice Manager at South West Doctors-On-Call Limited (trading as SouthDoc) seeking a copy of his medical notes. In response to the access request, SouthDoc replied to the solicitors, stating that they are advised to contact the patient’s own GP, who holds a complete record for the patient. The solicitors wrote back to SouthDoc, pointing out that the access request was made to SouthDoc and that it was a separate request to any request their client may make to his own GP. The solicitors pointed out that SouthDoc was obliged to comply with the request. In submitting the complaint to this Office, the solicitors informed us that SouthDoc had not replied to their latest letter but had returned it to them unanswered.
We began an investigation by writing to SouthDoc. It responded by return post, indicating that the request for medical records had now been dealt with. Soon afterwards, the solicitors for the complainant supplied us with a copy of a letter they had received from SouthDoc stating that, further to the access request, the patient’s records had been forwarded to his own GP. The solicitors pointed out that SouthDoc had not complied with the access request as it was their client who requested the records, and it was not sufficient for SouthDoc to give them to his GP. We wrote to SouthDoc again, seeking an explanation. A few days later we received from SouthDoc a copy of a letter that it had issued to the patient’s solicitors, enclosing a copy of the patient’s medical records. We then concluded our investigation.
There are a number of after-hours or on-call service providers such as SouthDoc in operation in Ireland, all of which provide an essential medical service for the general public. In doing so, these service providers collect and process both personal data and sensitive personal data (data relating to the physical or mental health of the attending patient). For the purposes of data protection, it is important that patients and service providers understand that when a patient attends one of those services, they provide their personal data to an organisation (data controller) that is entirely separate to their usual GP practice. Accordingly, the records created by the service provider in respect of the patient’s attendance and treatment are new records in respect of which the service provider is the data controller. For that reason, the patient has a right to access those records directly from the service provider by making an access request for a copy of them. This right of access to the records of the service provider exists whether or not the service provider passes on details of the patient’s attendance and treatment to the patient’s GP. Furthermore, the service provider is obliged to supply a copy of the personal data directly to the requesting patient (or to the solicitor acting on his behalf, as in the above case) rather than to the patient’s own GP. (Access to medical records is subject to the provisions of S.I. 82 of 1989, which prohibits the supply of data to a patient in response to an access request if that would cause harm to his or her physical or mental health.)
Incorrect application of Section 4(4A) to restrict access to personal data
We received a complaint in May 2013 from an employee of a media organisation concerning an access request he submitted to it. The complainant was concerned that he had not been provided with a copy of all of his personal data as the organisation had withheld some personal data citing Section 4(4)(A) on the basis that it considered that the data consisted of an expression of opinion given in confidence.
The focus of our investigation was to establish whether the restriction to the right of access applied by the organisation using Section 4(4)(A) of the Acts was valid in respect of the personal data which was contained in an email which was in the possession of the organisation. Section 4(4A)(a) provides as follows: “Where personal data relating to a data subject consists of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.” Section 4(4A)(b)(ii) provides as follows: “Paragraph (a) of this subsection does not apply if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it could be treated as confidential.” The organisation informed the requester that it was exempt from providing details of the data in question as the data consisted of an expression of opinion given in confidence.
As outlined in our published guidance, an opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word “confidential” at the top of the page, for example, will not automatically render the data confidential. The Commissioner will look at the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding. Supervisors and managers will not normally be able to rely on Section 4(4A) to restrict access as it is an expected part of their role to give opinions on staff which they should be capable of standing over. On the other hand, a colleague who reports a matter relating to an individual in confidence to a supervisor or manager could be expected to be protected by the confidentiality provision.
We commenced an investigation of this matter by writing to the organisation outlining the details of the complaint. We asked the organisation to provide us with a copy of the withheld personal data and details of the author of the email containing it. In order to consider the context in which the email was created, we sought details of the working relationship of the author of the email and the data subject. Having examined the email, we formed the opinion that the organisation could not rely on Section 4(4)(A) of the Acts to restrict the data subject’s right of access to his personal data contained in the email. We were satisfied from our investigations that the author of the email was not a peer of the data subject but, while not considered by the organisation to be the data subject’s manager, they were in a position of some authority in relation to the data subject. We were satisfied that the content of the email was supplied in the context of a position of authority. Acting on our advice, the organisation proceeded then to release the previously withheld personal data.
As this case demonstrates, the right of access to personal data may not be restricted in any widespread manner by the provisions in Section 4(4A). Even where the personal data does qualify for restriction from access, that restriction only applies to the specific opinion(s) given in confidence. In practice this means that, in the context of a full document of personal data, the data subject is entitled to access the personal data within it which is not an opinion given in confidence and the data controller may redact the part or parts which constitute the actual opinion given in confidence. As a general rule, any opinions on an individual supplied by a supervisor or manager may not be restricted under this provision.
Access Request for CCTV footage
We received a complaint in February 2013 concerning the alleged failure of a data controller to supply a data subject, in response to an access request, a copy of their personal data and, in particular, the CCTV footage of an incident involving the data subject. The data subject provided the data controller with the specific date and time of the incident captured on the CCTV system.
A claims adjuster firm responded to the access request on behalf of the data controller stating that it was in possession of the CCTV footage but it was not in a position to release a copy of the footage as images of other customers were identifiable on it and to release same would contravene data protection rules.
We commenced our investigation in March 2013 by writing to the data controller. The claims adjuster subsequently replied to us and it stated that the supply of the CCTV footage could potentially prejudice any right of recovery or indemnity that it was due to receive. It also claimed that, as there were other members of the public in the CCTV footage, providing the footage to the data subject would breach the Data Protection Acts.
We responded to the claims adjuster and we informed it that it had not cited an exemption under the Data Protection Acts which it was seeking to rely on to withhold a copy of the CCTV footage. We also drew its attention to the judgment of the High Court in the case of Dublin Bus v The Data Protection Commissioner. This case related to an access request for a copy of CCTV footage concerning a woman falling on a bus (Case Study 5 in Annual Report 2012 refers). The High Court ruled that “the existence of proceedings between a data requester and the data controller does not preclude the data requester making an access request under the Act nor justifies the data controller in refusing the request.” We told the claims adjuster to re-consider its position on withholding the CCTV footage in light of that judgment.
On foot of our correspondence the claims adjuster sought photographic identification of the data subject in order to correctly identify him in the CCTV footage. On receipt of photographic identification it released a series of photographic stills from the CCTV footage to the data subject’s legal representatives. The data subject’s solicitor wrote to our Office and informed us of their dissatisfaction that there was no audio recording supplied with the series of stills. We wrote to the claims adjuster about this matter and it informed us that there was no audio recorded on the data controller’s CCTV system. We advised the data subject’s solicitor that we were satisfied that the obligations of a data controller were met in this case by providing a reasonable series of stills of images from the CCTV footage showing the requester’s image only.
The following outlines this Office’s position with regard to access to CCTV footage made under a Section 4 access request:
1.Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.
2.When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought – i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. For example, it would not suffice for a requester to make a very general request saying that they want a copy of all CCTV footage held on them. Instead, it is necessary to specify that they are seeking a copy of all CCTV footage in relation to them which was recorded on a specific date between certain hours at a named location. Obviously, if the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to get access to a copy. Requesters should be aware that CCTV footage is usually deleted within one month of being recorded.
3.For the data controller’s part, the obligation in responding to the access request is to provide a copy of the requester’s personal information. This normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or where the supply of a copy in video format is impracticable, it is acceptable to provide stills as an alternative. Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester’s image appears in order to comply with the obligation to supply a copy of all personal data held.
4.Where images of parties other than the requesting data subject appear on the CCTV footage, the onus lies on the data controller to pixilate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requester. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester.
5.Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.
Disclosure of Student Personal Data by Secondary School
In November 2011 we received a complaint from an individual concerning the alleged disclosure of his daughter’s personal data by a secondary school at which she was a student, St. Joseph’s College, Borrisoleigh, Co. Tipperary, to a third party. It was alleged that this disclosure took place by way of a letter issued by the secondary school to a third party without the knowledge or consent of either the complainant or his daughter.
By way of background, the complainant informed us that, following a complaint which he and his wife had made to the Board of Management of a local national school, he received correspondence from the Chairperson of that school’s Board of Management in relation to that complaint. Included with that correspondence was a copy of a letter issued by St. Joseph’s College which contained references to the complainant’s daughter who was a student of that College. We were further informed that this letter, which was allegedly requested by a separate third party (a parent of a different student at St. Joseph’s College) and addressed “To Whom It May Concern,” was subsequently passed by that third party to the Chairperson of the Board of Management of the local national school.
My Office commenced the investigation of the complaint by writing to St. Joseph’s College. We asked it for an explanation as to what led to the alleged disclosure and what steps were being taken to address the matter. We received a response from St. Joseph’s College informing us that it would not be getting involved in our investigation at that juncture. We responded in early December 2011 stating that, as St. Joseph’s College was the data controller in this instance, we required a response to our letter. In the absence of any further communication we issued a final warning letter to St. Joseph’s College on 12 January, 2012 requiring it to respond to our investigation within fourteen days.On the following day we received a phone call from the school manager of St. Joseph’s College. He informed us that he did not have any knowledge of the issues between the complainant and his school.
On the same phone call we then spoke to the administrator of St. Joseph’s College, the signatory of the letter in question. He informed us that when the third party requested the letter he (the administrator) did not know why he wanted it. He said that he was unaware that he breached the Data Protection Acts when he made references to the complainant’s daughter in the letter. Later that day, we received an email from St. Joseph’s College outlining the circumstances which led to the issuing of the letter to a parent of a student at the College and which referenced the complainant’s daughter, a different student at the same College. In the email, the administrator indicated that the parent concerned did not state that the letter would be given to the Board of Management of a primary school. The College informed us that it had redrafted its data protection policy to ensure that the Data Protection Acts are fully complied with.
Having informed the complainant of the College’s response to our investigation, we asked him if he was interested in seeking an amicable resolution of his complaint. In response, he indicated that he could not accept that there could be any informal resolution to his complaint and he sought a decision of the Commissioner.
In making the decision on this complaint, the Commissioner examined and considered all aspects of the case. He formed the opinion that St. Joseph’s College contravened Section 2(1)(c)(ii) of the Data Protection Acts by disclosing the personal data of the student concerned to a third party without her knowledge or consent or the knowledge or consent of her parents. This contravention occurred when St. Joseph’s College issued a letter in September 2011 containing personal data of one of its students under the heading “To Whom It May Concern” and gave it to a third party, namely a parent of a different student.
Discovery Process Reveals Data Protection Breach.
We received a complaint in September 2011 from an individual in relation to the alleged failure of the Dublin Airport Authority to comply in full with an access request made to it in May 2005. Dublin Airport Authority had responded to this access request in July 2005 stating that it held no personal data in relation to the requester.
Some years later, however, a number of documents were produced following a discovery process undertaken by the Dublin Airport Authority pursuant to High Court proceedings. In that context, the data subject was given access to a copy of three documents which contained some personal data relating to him. These documents pre-dated the access request made in 2005. The data subject complained that his right of access had been wrongly denied six years previously.
Having examined the documents concerned, we were satisfied that they did contain some personal data relating to the data subject and that those items of personal data did fall due for release at the time of the access request in 2005. We commenced an investigation by contacting the Dublin Airport Authority on the matter and we sought a full explanation in relation to the handling of the access request in 2005.
We received correspondence from Dublin Airport Authority’s legal representatives informing us that, following receipt of the access request in May 2005, Dublin Airport Authority identified a small number of documents in its possession relating to the request. They informed us that, at the time of the access request, an assessment of the documents was made in conjunction with legal advice obtained by the Dublin Airport Authority. This concluded that the documents did not constitute personal data within the meaning of the Data Protection Acts given that only passing reference was made to the data subject and that the data subject was not the focus of the documents in question. Consequently, a letter issued to the requester in July 2005 stating that Dublin Airport Authority held no data in relation to him which would be regarded as personal data.
The complainant sought a decision on his complaint. The Commissioner subsequently issued a formal decision which found that Dublin Airport Authority contravened Section 4(1)(a) of the Data Protection Acts, 1988 and 2003 by not providing the relevant personal data to the data subject within the time limit specified in respect of the access request made in May 2005.
The Commissioner specifically identified on the documents involved the text which he considered to constitute personal data of the data subject concerned. (The documents discovered on foot of the High Court proceedings contained non-personal information as well as some personal data relating to the data subject). As this case demonstrates, a court discovery process undertaken long after the access request was processed uncovered a data protection breach which took place at the time of the processing of the access request and this breach was caused by the data controller’s interpretation of the definition of personal data. As a result, the data subject was wrongly denied his right of access to his personal data for a number of years.
Access Restriction Under Section 5(1)(a) Requires A Prejudice Test
We received a complaint from an individual in relation to an access request he submitted to the Health Information and Quality Authority (the Authority). The complainant had worked as a healthcare assistant in a nursing home and was allegedly involved in an incident there. Details of this alleged incident were reported to the Authority and the individual concerned sought to access any personal information now held by the Authority.
The Authority refused to provide the requester with a copy of the personal data held by it as it was of the opinion that the data was exempt from disclosure under Section 5(1)(a) of the Data Protection Acts 1988 and 2003. This provision states that Section 4 of the Act does not apply to personal data “kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders …. in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid.” The Authority stated that the data it held in relation to the requester was kept for the purpose of preventing, detecting or investigating offences under Section 79 of the Health Act 2007.
We commenced an investigation by contacting the Authority, we informed it of the nature of the complaint and we requested that it explain how it had come to the view that the requester’s personal data in this case was exempt from disclosure under Section 5(1)(a). It was not immediately clear to us that personal data relating to an alleged incident involving a healthcare assistant came within the ambit of the offences which the Authority had power to investigate and/or prosecute.
The Authority stated that the offences within Section 79(2) of the Health Act 2007 related inter alia to compliance by the registered provider (i.e. the nursing home) with the Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2009. It said that the offences thereunder are offences to which the registered provider would be subject to sanction and, for that reason, it was considered that the data fell under the ambit of Section 5(1)(a). Regarding the status of the investigation into alleged offences under the Health Act 2007 we were informed that following its initial review the matter was concluded from a care and welfare perspective. However, the Authority indicated that it intended to keep the file on the matter active until the relevant statute of limitations period has elapsed.
We advised the Authority that a prejudice test applied to the applicability of the exemption under Section 5(1)(a). We also pointed out that the requester’s right to access personal data is confined to that data which relates to them, or by which they can be identified. We pointed out that this does not provide a basis for the requester to access from a report or files information which is not their personal data. We informed the Authority that while it was a matter for it to determine in the first instance, it was not immediately obvious to us what prejudice would arise in relation to an investigation by releasing the personal data to the requester in this case.
The relevant issue for the Authority to consider was whether the provision of the requester’s personal data would be likely to prejudice the Authority’s ability to investigate the alleged non-compliance by the care home with the Health Act 2007. Following a further examination, the Authority concluded that no prejudice would arise by the release of the personal data concerned. The requester was subsequently provided with a copy of the personal data concerned.
While the Data Protection Acts restrict the right of access to personal data where that data is kept for the purpose of investigating and/or prosecuting offences, the mere existence of such an investigation or proceedings does not permit the exercising of a blanket exemption by the data controller across all personal data held by it. The personal data of an individual who requests access to such data may only be withheld where the provision of that data would be likely to prejudice the particular investigation or prosecution proceedings. The exemption is not a permanent one.
Where investigations and follow-on proceedings (if any) have been completed it is unlikely that those matters can continue to be prejudiced by the release of the personal data concerned. Once the prejudice no longer exists, the exemption used to withhold the personal data ceases to apply and a copy of the personal data must be made available to the data subject.
Unacceptable delay by O2 in processing an access request
We received a complaint in March 2012 in relation to the alleged failure of O2 (a Telecommunications company) to comply with an access request made to it in January 2012 seeking a copy of call records in respect of a mobile phone number from November 1999 to the date of the access request. In response to an access request, a data controller must supply the personal data to the individual within forty days of receiving the request.
We commenced our investigation initially by way of telephone contact with O2 during which we were assured by the company that it would immediately contact the requester’s legal representatives to progress the matter of the access request. O2 subsequently wrote to the requester’s legal representatives requesting a fee of €6.35 for the processing of the access request. It also informed them of the two year retention period applying to such data as set out in the Communications (Retention of Data) Act, 2011 and it informed them that call records beyond two years were not available.
The requester rejected the suggestion that there were limitations on the availability of call records beyond two years. They were informed by O2 that it was not simply a technical limitation but a legislative limitation and obligation incumbent on it on foot of the Communications (Retention of Data) Act, 2011 which obliges telecommunications service providers not to retain any such call data after a period of two years has elapsed.
In April 2012 O2 provided us with a copy of a letter which it sent to the requester’s legal representatives informing them, among other things, that the mobile number for which the data was requested was an unregistered number. We urged the requester’s legal representatives to provide O2 with any information available to substantiate ownership of the mobile number.
During the course of a subsequent conference call with O2 we established that the telephone number used by O2 when conducting its initial search of its database contained an incorrect digit. A further search by O2 using the correct digit established that the phone number was registered to the requester. We instructed O2 to commence the process of retrieving the call records immediately. O2 informed us in August 2012 that the retrieval process had been completed and that a copy of the call records for the previous two years had been provided to the requester’s legal representatives in response to the access request.
The requester’s legal representatives subsequently requested a formal decision under Section 10 of the Data Protection Acts. The Commissioner found in his decision that O2 contravened Section 4(1)(a) of the Data Protection Acts by not providing the relevant personal data within the time limit specified in respect of the access request submitted to it in January 2012.
There were several failings on the part of O2 in the processing of this access request:
The Data Protection Acts provide at Section 4(1)(c)(i) that a fee may be payable to the data controller in respect of an access request. O2 requested the fee of €6.35 more than two months after the receipt of the access request and it did not commence processing the request until the fee was received. As the application of the fee is entirely discretionary on the part of the data controller, it is our view that if the data subject does not submit the fee with the access request, the onus lies on the data controller who intends to apply the fee to request payment at the earliest possible opportunity within the forty day statutory period.
In the meantime, the data controller should continue to process the access request with a view to meeting the forty day timeframe for release of a copy of the personal data, subject to the fee being received within that timeframe. If the fee is not submitted until after the statutory timeframe, the data controller is not obliged to release a copy of the data sought until it receives it. However, a data controller may not delay the processing of a data access request and the release of a copy of personal data by failing to request payment of the fee until the statutory timeframe of forty days has either elapsed or is about to elapse within a few days.
The data retrieval process did not commence until the end of May 2012, four months after the receipt of the access request. This was due to O2’s delay in requesting the fee and the fact that its initial search for records was conducted using an incorrect number. As a result of these delays, four months of data which the data subject wished to access was no longer in existence by the time the data retrieval process commenced.
The data retrieval process was completed in August 2012. By O2’s own admission and due to technical limitations all such requests made to O2 can take up to ten weeks to process. Therefore, had the retrieval process commenced as soon as the access request was received, the 40 day statutory timeframe in which such requests must be complied with would still have been exceeded – thereby resulting in a breach of Section 4(1)(a) of the Acts.
Case Study 10: Financial institutions deny right of access to credit assessments
.
I received a number of complaints in the recent past concerning the failure of some financial institutions to comply in full with access requests that are submitted to them by their customers or former customers. A recurring theme with these complaints is the withholding, under the provision set out in Section 4(4A)(b)(ii) of the Data Protection Acts, of personal data contained in credit assessments or submissions to credit committees. This provision allows a data controller to withhold personal data relating to the requester if the data consists of an expression of opinion about the requester where such an opinion was given in confidence or on the basis that it would be treated as confidential.
The exemption to the right of access in this provision is limited to expressions of opinion about the data subject given in confidence which may be contained within a document(s). The exemption does not apply to the remainder of the personal data in the document(s) which is not an expression of opinion about the data subject. It may be the case, for example, that a part, section or sentence within a document is, on its own merit, an expression of opinion given in confidence about a data subject. However, it is highly unlikely that a document would constitute in its entirety an expression of opinion given in confidence about an individual. In most circumstances, a document which contains an expression of opinion would also contain factual information about the individual who is the subject matter of the expression of opinion. I consider that an expression of opinion must be considered in its narrowest sense, namely the view(s) held by a person or entity of a living individual or what one thinks about a living individual. Clearly it does not apply to matter of fact about a living individual.
It follows, therefore, that a data controller may not be permitted to apply a blanket exemption to the right of access over an entire document(s) simply because there are parts, sections or sentences within it which may be considered to be an expression of opinion about a living individual given in confidence. The exemption, where validly claimed, may only be applied to cover the specific elements of the document(s) that constitute an expression of opinion about the data subject given in confidence. A data controller can comply with the access request and, at the same time, easily give effect to a valid exemption by blackening out the specific expression of opinion and then release the remainder of the document(s).
Some financial institutions have attempted to rely on Section 4(4A)(b)(ii) to restrict access to certain information contained in credit assessments or submissions to credit committees in the consideration of loan applications. However, I consider that an employee who submits in written form their views or opinions on the financial status of a customer does so as part of the day-to-day performance of their own functions as an employee. For that reason, I do not consider that they can validly claim that their views or opinions on the customer concerned enjoy an expectation of confidentiality. A financial services employee must be able to stand over their views or opinions on a customer without trying to conceal their thinking behind the cloak of an expectation of confidentiality.
In cases which we investigated, we upheld the rights of the requesters to access this information and the financial institutions concerned have released the personal data concerned on pain of enforcement. I am putting all financial institutions on notice that any further reliance on this exemption to withhold such personal data will be met with by enforcement proceedings.
Access request for old records
We received a complaint from an individual concerning the alleged failure of the Public Appointments Service (PAS) to comply with an access request he submitted in March 2010. The personal data which the complainant was seeking access to related to his candidature in recruitment campaigns carried out by the PAS (formerly the Office of the Civil Service and Local Appointments Commission) in the 1960s and 1970s.
In response to our investigation, the PAS confirmed that it was still in possession of the files relating to the recruitment campaigns in question, campaigns that took place over the course of a decade from 1969 to 1979. It also confirmed that it was in the process of identifying all of the personal data relating to the complainant, but it was not a straightforward process given the age of the files, and the fact that some older files had been amalgamated.
The PAS subsequently provided the complainant with copies of the personal data that it had located, but it informed him that it was applying the exemption set out at Section 4(4A)(b)(ii) to other data. This exemption allows for the withholding of data that constitutes an expression of opinion, in circumstances where the expression of opinion referred to was given in confidence or on the understanding that it could be treated as confidential. The PAS argued that the data was created in the 1970s in a culture of confidentiality, long before the introduction of Data Protection or Freedom of Information legislation. Having examined the data it was satisfied that it would not have been created in the first instance but for the understanding that it would be treated in confidence. The PAS indicated that it had an obligation to honour the guarantee given to the individuals concerned in this case and that it would not be prepared to renege on that commitment, even at this stage.
We requested sight of the documents in question to determine whether the exemption at Section 4(4A)(b)(ii) was validly applied. Following an examination, we informed the PAS that some elements of the documents could be withheld, but the exemption could not be applied to the entirety of the documents in question. The PAS followed our advice and released the personal data on that basis to the requester.
We took this opportunity, given the complaint and the issues highlighted by it, to advise the PAS to re-examine its policies in relation to the retention of personal data for longer than was necessary for the purpose/s for which it was obtained. The PAS informed us that it had a Records Retention Policy in place, in accordance with data protection requirements, which sets out the timeframes for the retention and destruction of records. Records such as those that had been examined by my Office on foot of this complaint have a retention period of three years after the determining of the candidate as suitable, or otherwise, for appointment, but in this instance records had been retained by the PAS for over 30 years. PAS indicated that it had applied for, and had only recently received Certificates of Destruction from the National Archives in relation to these records.
As this case shows, data controllers not only need to have a retention policy in relation to the keeping of personal data, but they must also have an effective mechanism in place to implement that policy. Once an access request is received by a data controller, they must provide the requester with all personal data sought, irrespective of the age of the records, once the data is still in existence. The safe destruction of older records in accordance with a data retention policy is a vital aspect of good data protection practice in any organisation and is a critical tool in ensuring compliance with the law.
Access requests to solicitors for copies of files.
My Office received a number of complaints in relation to the failure of solicitors to comply with access requests from former clients. Often the reason cited by the solicitor for not complying with the access request is that they have a common law lien on all documents and papers that constitute work carried out on the client’s behalf for which payment remains outstanding.
This issue, where a common law lien on a client’s file is considered to apply, is one that we have dealt with and we are not in any way unsympathetic to the scenario for the solicitor in question where a former client is seeking not to pay outstanding fees which are the subject of a dispute. Equally, in the context of a file handled by a solicitor’s practice, it is undoubtedly the case that there is far more information on a file than what could be considered to be the requester’s personal data and no requirement to provide any information which is not strictly the personal data of the requester arises. However, the Data Protection Acts, which transpose the EU Directive on Data Protection, do not provide any exemption to the provision of the personal data of a person in these circumstances.
A solicitor who has been engaged by an individual is a data controller of that individual’s personal data which is subsequently processed. Personal information held by a data controller falls to be released in response to an access request unless a valid exemption as provided for under Sections 4 and 5 of the Data Protection Acts can be relied upon.
The complaints were resolved to the satisfaction of the complainants and the solicitors concerned on the basis of the following guidance from my Office:
The exemption provided for under Section 5(1)(g) of the Data Protection Acts, which relates to personal data “in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers” applies to personal information held in respect of a solicitor’s capacity as legal adviser to its clients (not the requester) rather than information held in their capacity, or former capacity, as legal representative for the requester.
In relation to letters from the solicitor acting for another client, it is possible that the restriction to the right of access in Section 5(1)(g) of the Data Protection Acts may apply to any personal data of the requester contained within them.
Regarding letters generated by a solicitor on behalf of the requester who was a client, a large number of which may have already been sent to them in the normal course of events, i.e. when generated, its difficult to see how a claim of privilege under Section 5(1)(g) would apply where the letters have previously been sent to the requester.
It is difficult to anticipate that Section 5(1)(g) would apply to attendance notes created by the solicitor in relation to their client. Where notes relate specifically to the client and were created in that context, we would deem the personal data contained in those notes to be valid for release.
Access to reports compiled by private investigators
My Office received a complaint from an individual concerning the alleged failure of HSG Zander Ireland Limited to comply with an access request submitted to it in October 2010. The requester was a former employee of HSG Zander Ireland Limited and he informed us that the company had hired a private investigator to monitor him for a period of time. He was particularly eager to access any personal data contained in documentation relating to the surveillance carried out by the private investigator.
We commenced an investigation with HSG Zander Ireland Limited in relation to an alleged failure to comply with the access request. It subsequently provided the requester with a copy of his personnel file but stated that it was withholding the security report compiled by the private investigator by virtue of the exemption under Section 5(1)(g) of the Data Protection Acts 1988 and 2003. This Section restricts the right of access to personal data “in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers”.
It was not obvious to our investigation that a security report compiled by a private investigator could constitute a communication between a client and their professional legal advisers to which a claim of privilege could be maintained in proceedings in a court. On that basis we sought an explanation from HSG Zander Ireland Limited as to its application of that provision to restrict the right of access to the data subject. In response, the company immediately released a copy of the security report and associated photographs to the data subject while maintaining its position that it was entitled to restrict the right of access in accordance with Section 5(1)(g).
We also established in the course of our investigation that there was no contract in place between HSG Zander Ireland Limited and the private investigator who prepared the security report. Engaging the services of a private investigator is no different to engaging the services of any other third party service provider. For that reason, it is unlawful for an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place with in line with Section 2C(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor.
With greater frequency complaints such as this one are coming to my Office regarding difficulties which data subjects are experiencing in accessing security or surveillance reports which have been conducted on them by private investigators. I consider it necessary, therefore, to set down my position in relation to the requisitioning of such reports in the first instance and then the right of access by data subjects to them.
The decision by a data controller to engage the services of a private investigator to gather personal data surreptitiously about a data subject carries very serious risk of breaching the provisions of the Data Protection Acts and the general right to privacy protected by Bunreacht na hÉireann (the Irish Constitution), the European Charter of Fundamental Rights and the European Convention on Human Rights. It should therefore not be taken lightly. Data controllers who hire a private investigator to undertake surveillance on an individual and/or to seek a background or other report from a private investigator on an individual must be aware of and should ensure that the following rules are observed both by themselves and by the private investigator:
I. Prior to passing any instructions to a private investigator in respect of any individual, the data controller should have a written contract in place with the private investigator which meets the requirements of Section 2C(3) of the Data Protection Acts.
II. Any processing of information by private investigators on their behalf must be undertaken in full compliance with the Data Protection Acts.
III. The private investigator is expected to comply at all times with the Data Protection Acts and should not perform their functions in such a way as to cause the data controller to breach any of its obligations under the Data Protection Acts.
IV. Any unauthorised processing, use or disclosure of personal data by the private investigator is strictly prohibited.
V. Where the private investigator, pursuant to its obligations under contract from the data controller, processes the personal data of an individual on behalf of the data controller, the private investigator should:
Process the personal data only in accordance with the specific instructions of the data controller;
Process the personal data only as is necessary for the fulfilment of its duties and obligations under the contract with the instructing data controller;
Implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession;
At the conclusion of each investigation deliver all data collected and processed under the contract of service to the instructing data controller and delete all such personal data held by itself at that time;
Not further disclose the personal data to any other party except with the express approval of the data controller;
Not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or unless otherwise permitted by law.
With regard to the right of access to reports compiled by private investigators, the responsibility to comply with a data subject access request lies with the data controller who hired the private investigator. Where a private investigator receives an access request from an individual, they should transmit that request without delay for processing to the data controller who commissioned them in respect of the particular task. I do not consider that any of the restrictions to the right of access to personal data which are set down in Section 5 of the Data Protection Acts could reasonably be applied to an access request by an individual for a copy of a surveillance report or accompanying photographs or video footage taken by a private investigator. As in the aforementioned complaint, Section 5(1)(g) is invalidly relied on from time to time as a means of restricting access by data subjects to private investigator reports by data controllers or by solicitors who hired private investigators on their behalf. This Section does not equate to privilege at common law (i.e. legal advice privilege and litigation privilege). Instead, this very narrow statutory restriction to the right of access only applies where (i) there is a communication between a client and his professional legal advisors or a communication as between a client’s professional legal advisors; and (ii) that is a communication in respect of which a claim of privilege could be maintained in proceedings in a court. A private investigator’s report, commissioned by a data controller or by a solicitor acting on behalf of a data controller, is clearly not a communication between a client and his professional legal advisors. Nor is it a communication as between a client’s professional legal advisors. For those reasons, the statutory exception in Section 5(1)(g) does not apply to such a report.
I will continue to defend the rights of data subjects to access a copy of private investigator reports and I do not contemplate that any of the limited restrictions to the right of access in the provisions of Section 5 can, as a generality, be validly claimed in such cases.
An access request and a successful claim of legal privilege by a Data Controller
In May 2007 I received a complaint from a solicitor acting on behalf of a client regarding the alleged failure of a data controller to respond to an access request. The solicitor had submitted an access request on behalf of his client to her former employer in February 2007. The data controller failed to respond to the access request within the statutory forty-day period.
My Office commenced an investigation by writing to the data controller about the complaint. We received a reply from the data controller’s solicitor confirming that a response had issued to the access request. The reply included a number of documents containing personal data. However, the data controller’s solicitor informed my Office that their client was claiming privilege in respect of two specific documents and was therefore not releasing them. These documents were a handwritten account by the store manager of the data subject’s period of employment with the data controller and a handwritten account by the store manager relating to the data subject’s alleged personal injuries suffered as a result of a workplace accident in July 2006. The solicitors for the data controller informed my Office that both documents were created by their client for the benefit of legal advisers and in anticipation of litigation following receipt of two solicitor’s letters on behalf of the data subject.
There are some very limited exemptions within the Data Protection Acts to a data subject’s right of access. These are set out in Sections 4 and 5 of the Acts. One of the restrictions to the right of access is set out in Section 5(1)(g). This states:-
Section 4 of this Act does not apply to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers.
The data subject’s solicitor subsequently informed my Office of his dissatisfaction with the data controller’s claim of privilege. It was necessary for my Office to be satisfied that the data controller’s claim of privilege in relation to these documents was properly founded. For that purpose I requested the data controller to confirm to my Office the date(s) on which the documents were created and the purpose or purposes for which the documents were created. In response, we were informed that the relevant documents were created on two separate dates in the second half of February 2007 after the data controller received letters dated 6 February, 2007 from solicitors for the data subject. The data controller’s solicitors informed my Office that the letters from the data subject’s solicitors had intimated personal injuries and employment claims on behalf of the data subject.
The claim of legal privilege under the Acts relates only to communications between a client and his professional legal advisers or between those advisers. The date of creation of the documents, on which the data controller was claiming privilege, when compared with the dates of its receipt of communications from the data subject’s solicitors, satisfied my Office about the purpose of these documents. We accepted that the claim of legal privilege could be applied to both documents as it fell into the category of a communication between a client and his professional legal advisers.
There are limited exemptions under the Acts to a data subject’s right of access. When a data controller claims an exemption, my Office may request additional information from the data controller to be satisfied that the withholding of the documentation is properly founded. Such matters are dealt with by my Office on a case by case basis.
An access request and a successful claim of legal privilege by a Data Controller
In May 2007 I received a complaint from a solicitor acting on behalf of a client regarding the alleged failure of a data controller to respond to an access request. The solicitor had submitted an access request on behalf of his client to her former employer in February 2007. The data controller failed to respond to the access request within the statutory forty-day period.
My Office commenced an investigation by writing to the data controller about the complaint. We received a reply from the data controller’s solicitor confirming that a response had issued to the access request. The reply included a number of documents containing personal data. However, the data controller’s solicitor informed my Office that their client was claiming privilege in respect of two specific documents and was therefore not releasing them. These documents were a handwritten account by the store manager of the data subject’s period of employment with the data controller and a handwritten account by the store manager relating to the data subject’s alleged personal injuries suffered as a result of a workplace accident in July 2006. The solicitors for the data controller informed my Office that both documents were created by their client for the benefit of legal advisers and in anticipation of litigation following receipt of two solicitor’s letters on behalf of the data subject.
There are some very limited exemptions within the Data Protection Acts to a data subject’s right of access. These are set out in Sections 4 and 5 of the Acts. One of the restrictions to the right of access is set out in Section 5(1)(g). This states:-
Section 4 of this Act does not apply to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers.
The data subject’s solicitor subsequently informed my Office of his dissatisfaction with the data controller’s claim of privilege. It was necessary for my Office to be satisfied that the data controller’s claim of privilege in relation to these documents was properly founded. For that purpose I requested the data controller to confirm to my Office the date(s) on which the documents were created and the purpose or purposes for which the documents were created. In response, we were informed that the relevant documents were created on two separate dates in the second half of February 2007 after the data controller received letters dated 6 February, 2007 from solicitors for the data subject. The data controller’s solicitors informed my Office that the letters from the data subject’s solicitors had intimated personal injuries and employment claims on behalf of the data subject.
The claim of legal privilege under the Acts relates only to communications between a client and his professional legal advisers or between those advisers. The date of creation of the documents, on which the data controller was claiming privilege, when compared with the dates of its receipt of communications from the data subject’s solicitors, satisfied my Office about the purpose of these documents. We accepted that the claim of legal privilege could be applied to both documents as it fell into the category of a communication between a client and his professional legal advisers.
There are limited exemptions under the Acts to a data subject’s right of access. When a data controller claims an exemption, my Office may request additional information from the data controller to be satisfied that the withholding of the documentation is properly founded. Such matters are dealt with by my Office on a case by case basis.
Access is wrongly denied in respect of an accident report
I received a complaint from a data subject who had been involved in an accident at work. The data subject had made an access request, under section 4 of the Data Protection Acts, to their employer for a copy of all information held about them, including the accident report form. The employer had not responded to the request within the forty day timeframe specified in section 4 of the Acts.
My Office contacted the data controller to enforce compliance with the terms of the access request. The data controller stated that they had passed the request on to their insurance company who were dealing with legal proceedings arising from the accident. My Office pointed out that the obligation to comply with an access request was on the data controller and not on the insurance company. My Office informed the data controller that we were investigating its failure to respond to an access request.
The data controller then provided certain documents containing personal data to the data subject. However, it failed to provide a copy of the accident report form.
My Office contacted the data controller again to request that the outstanding documents be furnished to the data subject. The data controller responded by claiming a restriction on the right of access under section 5(1)(g) of the Acts based on an assertion that the documents were exempt from disclosure due to legal privilege. This provision restricts the right of access with regard to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers.
My Office rejected this claim because in this case the accident report was prepared on foot of the legal requirement for an accident report to be created if a workplace injury results in at least three days absence from work. This is set out in Regulation 59 of Statutory Instrument No. 44 of 1993. My Office also rejected claims by the data controller that, as the accident report form was created with the assistance of their legal adviser, it could be withheld on the basis of legal privilege. As a result, the data controller provided a copy of the accident report form to the data subject.
While the Data Protection Acts provide for limited, narrow restrictions to the right of access by a data subject to their personal data, this case highlights the fact that my Office will rigorously examine complaints of this nature to establish whether the restriction asserted by a data controller can be legitimately relied upon.
Failure to finalise a complaint against Money Corp Limited
I received a complaint from a data subject in February 2007 regarding the failure of Money Corp Limited to respond to an access request made by him in November 2006. The right of access to personal data is one of the key fundamental rights conferred on a data subject by the Data Protection Acts. The Acts provide that access requests must be complied with by a data controller “as soon as may be and in any event not more than 40 days” after receipt of the request. My Office commenced an investigation which lasted for a period of some seven months.
During our investigation, we received correspondence from a firm of Dublin-based solicitors acting for Money Corp Limited stating that its client had responded to the data subject’s access request in early May 2007. However, the data subject subsequently informed us that some critical documents had not been included in the response he had received to his access request. Accordingly, our investigation continued on the basis that Money Corp appeared to have failed to comply in full with the data subject’s access request. We communicated further with Money Corp’s solicitors regarding the matter of the outstanding documents.
At the end of August 2007, my Office received correspondence from these solicitors in which they stated that their client had furnished the data subject with any documentation held by them. They went on to state that their client’s instructions were that any further documentation that the data subject considered to be outstanding “must have been mislaid during the process of moving offices as they have moved offices three times in the intervening period.” The solicitors concluded their letter by informing my Office that all further correspondence on this matter should be directed to the registered office of Money Corp Limited.
My Office was very concerned at this turn of events and it was particularly cognisant of the fact that the outstanding documents could be of considerable importance to the data subject in relation to proving outstanding financial matters of a very significant nature. Accordingly, in order to investigate the matter further, one of my authorised officers, using the powers conferred by Section 24 of the Data Protection Acts, visited an address in Dun Laoghaire, Co. Dublin at which the company was registered with the Irish Financial Services Regulatory Authority (We had previously found out that the company was not trading at the address at which it was registered with the Companies Registration Office). Despite three separate attempts to gain access to the premises in Dun Laoghaire, the authorised officer failed to gain access or to make contact with any member of staff of Money Corp at the premises. Following this, my Office communicated again with the solicitors for Money Corp to which we subsequently received a reply which stated that “we have been unable to obtain further instructions from our client and we are now closing our file. As a result, we will be no longer representing them in relation to this matter.”
By way of a further attempt to communicate with Money Corp Ltd, my Office sent a letter by registered post in early October 2007 to the company’s Dun Laoghaire address. This letter was returned by An Post to my Office in November 2007 with an indication from An Post that nobody was available at the address on the delivery date and that it was not subsequently collected at the mail centre.
Unfortunately, despite extensive efforts by my Office to make direct contact with Money Corp Limited, we were unable to do so. As our investigation was effectively stymied, we found ourselves in the unsatisfactory situation of being unable to pursue the complaint to finality, despite the best possible use of the powers available to me. In the circumstances, my Office has communicated with the Financial Regulator in relation to the details of this case.
An Garda Síochána: Failure to respond to an access request on time
I received a complaint in July 2005 that An Garda Síochána had failed to satisfy a data subject’s request under Section 4 of the Data Protection Acts for access to his personal data.
My Office commenced an investigation which lasted for a period of some eleven months. We established that An Garda Síochána initially provided the data subject with personal data which it had identified from a search of the PULSE database and of manual files held in the Dublin Metropolitan Region South Central area. The data subject was concerned that the search had been restricted and he requested that all databases and relevant filing systems held by the Gardaí should be searched for his personal data. The Gardaí subsequently informed the data subject that a search of archived files had been conducted and that the personal data which he had sought had been located. They explained that the reason this data had not been located during the initial search was because the file had been archived prior to the introduction of the PULSE system. Over the following months, An Garda Síochána released portions of the personal records to the data subject. As part of my investigation of this complaint, I directed my staff to examine all the records and portions of records initially withheld by the Gardaí, pursuant to the Acts. As a consequence of this examination, and a further voluntary release of records to the data subject in June 2006 by the Gardaí following the provision of advice from my Office, I was satisfied that the data subject had received access pursuant to his rights under the Acts.
The fact remains that it took some twelve months from the initial access request before the data subject achieved his full entitlements under the Acts. Section 4(1)(a) of the Acts provides for a maximum response time of forty days to an access request. In this regard, the Gardaí apologised for the delay which they indicated was due in part to a delay in locating the relevant file in the Garda District in which the data subject resides. The data subject requested a formal decision from me in relation to his complaint pursuant to Section 10(1)(b) of the Acts. My decision found that An Garda Síochána had, indeed, contravened Section 4(1)(a) of the Acts in respect of the delay in complying with the data subject’s access request. In that decision I stated that “I cannot accept that a delay of this magnitude is acceptable for a body such as the Gardaí which has a responsibility to ensure it fully meets its obligations under the Acts especially given the level of sensitive data that it holds.” In all other respects, I found that the Gardaí had complied with their obligations under the Acts and that the data subject had obtained his access rights. Finally, I considered that the Gardaí should develop a clear policy on data retention and apply for the necessary authorisation to dispose of records that are no longer necessary for operational Garda purposes.
This case highlights the fact that no data controller can consider itself as not bound by the obligations of the Acts. The right of access is an important and fundamental right which every living individual in this State is entitled to exercise in the expectation that data controllers will comply within the forty day time limit.
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
Barcode/Westwood Club: Failure to comply with an access request for CCTV footage
I received a complaint from a data subject alleging that Barcode Night Club of WestWood Club in Clontarf did not comply with his access request for CCTV footage in respect of himself, which had been recorded at a specified time in the early hours of a morning in August 2005. The data subject requested footage specifically from the cloakroom inside Barcode Night Club and outside the main gate. He had been involved in an incident inside and outside Barcode Night Club, had his wallet stolen and he was injured as a result.
The data subject made his access request and, in doing so, he referred in his letter to the data controller’s obligations under the Acts. He included a reference to my Office’s website where the data controller could “see all the details surrounding the Act.” After the 40 days had elapsed, during which time his access request had not been complied with, he contacted the manager of Barcode/Westwood Club and she said she would look into it. When he called her again on a later date he was told that Barcode/Westwood Club would not be giving him a copy of any data.
My Office commenced an investigation and wrote to the Manager of Barcode/Westwood Club. In a response received from the solicitor for the Club, my Office was advised that the Club no longer had CCTV footage from the relevant time and that it was not aware, at the time that the access request was made, of its obligations under the Data Protection Acts to provide such footage (if it existed then).
The right of access under the Acts to one’s own personal data is a key right and it is the starting point for obtaining control over the use of one’s own data. CCTV images which capture an individual are personal data relating to that individual within the meaning of the Acts. The Acts define “personal data” as “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”.
I could not accept the explanation offered on behalf of Barcode/WestWood Club that they were not aware of their obligations under the Acts when they received the data subject’s access request. This is especially so as the data subject specifically brought their obligations under the Acts to their attention. The solicitors introduced a question as to whether the data existed at the date of the access request, which was twelve days after the date in respect of which the CCTV footage had been sought. However, they subsequently copied to my Office a document which stated that “CCTV tapes are held for 31 days unless the Gardaí make an official request to download to a master tape.” It seemed unlikely to me, therefore, that the data had been deleted at the stage of the access request. This retention policy reflects industry practice which is to retain such footage for 28 days. It is also important to emphasise that pursuant to Section 4(5) of the Acts, the deletion of data is not permissible following receipt of an access request – the Data Controller’s obligation is to provide whatever data exists at the time the access request is received.
In March 2006, I issued my Decision on this case under Section 10(1) (b) (ii) of the Acts. I found that the data subject was entitled to a copy of the CCTV footage held by Barcode/WestWood Club in respect of the early hours of the morning concerned in response to his access request. I also found that Barcode/WestWood Club were in contravention of Section 2(1)(c) of the Acts as they failed to keep a copy of the CCTV tape as per their own procedures given to my Office. The specified purpose in this case was for the data subject’s access request.
Cases
Bus Atha Cliath/Dublin Bus -v- The Data Protection Commissioner
[2012] IEHC 339
ESPONDENT JUDGMENT of Mr. Justice Hedigan delivered the 8th day of August 2012
1. The appellant is is a wholly owned subsidiary of the state-owned Córas Iompar Eireann Group and has offices at 59 Upper O’Connell Street, Dublin 1. The respondent was established pursuant to the Data Protection Act 1988. The respondent’s office is located at Canal House, Station Road, Portarlington, Co. Laois.
Background Facts
2.1 The matter comes before the High Court in the present instance as an appeal on a point of law from a decision of the Circuit Court made on the 5th of July 2011, in which Judge Linnane upheld a decision of the Data Protection Commissioner to issue an Enforcement Notice, requiring the appellant to provide a copy of CCTV footage to a Ms Margaret McGarr.
2.2 The background to this matter is as follows; on the 3rd October 2008, Ms McGarr allegedly fell on a Dublin Bus, the property of the appellant herein. On the 19th October, 2009, Ms McGarr commenced personal injury proceedings arising out of her alleged fall. Following receipt of the formal notice of Ms McGarr’s application to PIAB, the appellant entered into correspondence with her Solicitors, informing them of the existence of CCTV footage, and inviting them to view the footage. On the 29th January, 2010, the said Solicitors attended at the office of the appellant and viewed the CCTV footage.
2.3 On the 12th February 2010, an access request, pursuant to s. 4 of the Data Protection Act 1988 (as amended) was served by Ms McGarr upon the appellant, requesting a copy of any information including video records the appellant held in respect of her. On the 16th February 2010, that access request was rejected by the appellant, on the grounds that any such information was prepared in anticipation of potential litigation, and as such was privileged. On the 18th May 2010, the Data Protection Commissioner, notified the appellant by letter of the commencement of an investigation into the matter. On the 23rd June 2010, a personal injuries summons was issued in the High Court by Ms McGarr as against the appellant.
2.4 On the 20th January 2011, an Enforcement Notice requiring the appellant to provide a copy of the CCTV to Ms McGarr, was issued by the Data Protection Commissioner. On the 7th February 2011, the appellant appealed the decision of the Data Protection Commissioner to the Circuit Court. On the 5th July 2011, Judge Linnane upheld the decision of the Data Protection Commissioner. The within proceedings are an appeal from the decision of Judge Linnane.
Appellant’s Submissions
3.1 The appellant submits that Judge Linnane in giving her Judgement in respect of this matter, and in allowing the Enforcement Notice of the respondent to stand, erred in law in holding that, subsequent to the commencement of legal proceedings, the High Court did not have the sole competence to deal with and adjudicate upon all of the matters arising between the parties, Margaret McGarr and Dublin Bus, and relating to the accident which occurred on the 3rd October, 2008.
3.2 The appellant contends that the proper forum for adjudicating on matters of Discovery between the parties in the proceedings of “McGarr v Dublin Bus” is the court which has seisin of the proceedings, in this instance, the High Court. When conducting his investigation into this matter, pursuant to s.10 (1) (a) of the Act, the respondent should have taken account of Ms Me Garr’s motive for seeking the CCTV footage. It is not contested that Ms McGarr seeks this material solely as a means of furthering her litigation against the appellant. It is also not contested that the respondent was put on notice in the course of his investigation, of the commencement of proceedings between the parties. In those circumstances, the respondent should have advised Ms McGarr that the appropriate way to proceed in seeking material from the appellant, in the context of litigation taken against the appellant, was by way of discovery.
3.3 The appellant submits that any attempt to seek disclosure outside of the High Court is a mistaken and inappropriate attempt to usurp the function of the High Court. In Murphy v Corporation of Dublin [1972] IR 215, the Supreme Court unanimously held that it was the Courts who retained sole power to order discovery between parties. Walsh J held as follows at page 233:-
“Under the Constitution the administration of justice is committed solely to the judiciary in the exercise of their powers in the courts set up under the Constitution. Power to compel the attendance of witnesses and the production of evidence is an inherent part of the judicial power of government of the State and is the ultimate safeguard of justice in the State. The proper exercise of the functions of the three powers of government set up under the Constitution, namely, the legislative, the executive and the judicial, is in the public interest. There may be occasions when the different aspects of the public interest “pull in contrary directions” to use the words of Lord Morris of Borth-y-Gest in Conway v Rimmer. If the conflict arises during the exercise of the judicial power then, in my view, it is the judicial power which will decide which public interest shall prevail.”
In relying on the constitutional principle of the separation of powers, Walsh J held that the courts are the sole body constitutionally mandated to decide if a document is to be discovered or produced. Walsh J. went on to state at 234 that:-
“It is … impossible for the judicial power in the proper exercise of its functions to permit any other body or power to decide whether or not a document will be disclosed or produced. In the last resort the decision lies with the courts so long as they have seisin of the case.”
This decision has remained the fundamental cornerstone of the law of discovery in this state, and has repeatedly been upheld by the Supreme Court as the correct interpretation of the law in this regard.
3.4 It is the clear position of the courts in this jurisdiction that it is the judicial power which retains the “sole competence” and discretion to order, or to deny, the production of documents in circumstances where parties have submitted themselves to the jurisdiction of the Court. Any attempt to usurp this competence by some other body, or to bypass the judicial process by effectively obtaining discovery by another means, must involve the subversion of the jurisdiction of the Courts. The appellant submits that the role of the Data Protection Commissioner is protecting the data of the citizens of the state. The Commissioner should have no role in the conduct of litigation; no such role was conceived by the drafters of the Data Protection Acts.
3.5 There is very little jurisprudence on Data Protection Law in this jurisdiction, there is however a body of relevant English case law. While the respective English and Irish legislation is not identical there is nevertheless a strong similarity between them. Both emanate from Directive 95/46/EC and both seek to compel, broadly, the same effect. Section 7 of the UK’s Data Protection Act 1998 deals with the “right of access to personal data”, the purpose of this right was considered in Durant v Financial Services Authority [2003] EWCA Civ 1746 where Auld LJ held as follows at paragraph 27:-
“In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his “personal data” is to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties.”
3.6 The appellant submits that by affording an appellant the right to first appeal to the Circuit Court, and thereafter to the High Court on a point of Law the drafters of the legislation clearly intended that the Courts would have discretion in deciding upon the interpretation of the Acts. Therefore the purposive effect of the Acts provisions must be considered, and it is on this basis that the appellant submits that the dicta of Auld LJ in the Durant case retains very strong persuasive value in terms of the interpretation of the Irish Acts. In England the “purpose” of the access right in Data Protection Law was expressly held not to be “to assist [individuals], for example, to obtain discovery of documents that may assist them in litigation or complaints against third parties.”
3.7 The appellant submits that the High Court should take cognizance of the dicta of Auld LJ that the purpose of Data Protection Law is not:-
“to assist [a litigant]… to obtain discovery of documents that may assist him in litigation or complaints against third parties”.
It is the High Court which retains seisin of the case between Ms McGarr and the appellant and it is the High Court that has the sole competence to adjudicate upon all of the matters arising between the parties.
Respondents Submissions
4.1 The appellant herein seeks to challenge a decision made on the 25th of January 2011, by the Data Protection Commissioner to issue an enforcement notice. The appellant appealed this decision to the Circuit Court but was unsuccessful in that appeal. The appellant has now appealed that decision to this Court. In the Circuit Court Judge Linnane held inter alia that the case law in England that the appellant had sought to rely on was not relevant as the English legislation conferred discretion as to whether or not to grant an order for access. Judge Linnane dismissed the appeal. The respondent submits that the Circuit Court was correct in its finding.
4.2 Section 26(3) (b) of the Data Protection Act 1988 (as amended) provides that where the Circuit Court has determined an appeal from a decision made by the Data Protection Commissioner, an appeal may be brought to the High Court on a point of law against such a decision. No indication is given in the Acts as to what the test to be applied in the appeal is. In Ulster Bank v Financial Services Ombudsman [2006] IEHC 323, the following test for an appeal pursuant to section 57CL Central Bank and Financial Services Authority of Ireland Act 2004 was laid down by Finnegan P. at 4:-
“To succeed on this appeal the plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal.”
The above test has been subsequently followed by the Circuit Court in a number of Data Protection appeals and by the High Court in a number of appeals from the Financial Services Ombudsman. Thus it has become well-established at this stage as the correct test to apply in the context of statutory appeals. The respondent submits that the serious and significant error test is of long standing in Irish law and is the appropriate standard to apply to this appeal.
4.3 In Nowak v Data Protetcion Commissioner, (unreported, 7th March 2012) Birmingham J. held that the Ulster Bank test was the appropriate test to apply in a data protection appeal. In that case Birmingham J. upheld a decision of the Circuit Court to dismiss an appeal against a decision of the Commissioner (both on jurisdictional grounds and on the merits). Birmingham J held at page 9 that:-
“I am satisfied that the approach adopted by Finnegan P. is the one that would have been appropriate to apply had an appeal been available. In particular it seems to me that it would have been appropriate for the court to have regard to what Finnegan P. referred to as the deferential standard, when deciding to substitute its own view for that of the Data Protection Commissioner on the issue of whether an exam script constituted personal data.”
That case is currently under appeal to the Supreme Court. It is submitted on behalf of the respondent that in the present case the decision of the Data Commissioner did not contain a serious and significant error or a series of such errors to use the words of Finnegan P. It is further submitted that the Circuit Court did not make an error of law in rejecting the appeal. The question for the Circuit Court was not what it would have done if it had been faced with the complaint. The question for the Court was whether the Commissioner exercised his own discretion in such an arbitrary manner as to render it a decision that no Commissioner could have reached. It is submitted that the answer to that question is no. On the basis of the material before him the Commissioner could not have reached any other decision. The applicant seeks to argue that the Commissioner should have taken into account the requesters motive for wanting the data. The respondent submits that a person’s fundamental right to access their personal data under the Acts is not conditional upon their establishing a good motive for wanting their personal data and the Commissioner is not required to demand of a requester why they want their personal data.
4.4 It is submitted that if the drafters of the legislation wished to impose limitations on the right of access to personal data in circumstances where litigation has been instituted they would have done so expressly. If the Court were to read a new exception into the Acts based around the idea of there being legal proceedings then it is far from obvious how the Court would draft this new exception. Some of the basic problems that would arise in drafting such an exemption would be as follows:-
“(i) would it apply to proceedings that are merely contemplated or to proceedings that have actually commenced?
(ii) what about a case where someone wants to see their personal data in order to decide whether or not they might want to bring legal proceedings?
(iii) what about a case where the requester has not sought discovery in the legal proceedings?
(iv) would the rights under the Act in respect of the personal data in question be terminated forever or merely suspended until the legal proceedings conclude?
(v) could the data controller cross-examine the requester as to what their motives are in seeking access to their personal data?
(vi) if the data controller can so cross-examine the requester what duty is there on the requester to reveal their future intentions?”
Each of the above questions give rise to difficult issues that are properly a matter for legislative policy choice. Even if the drafters of the legislation had been of the mind to include such an exception in the Acts then the question would arise as to whether its creation placed Ireland in breach of its obligations to transpose the Data Protection Directives properly. As no such exception was included by the legislative drafters this issue does not arise.
4.5 The appellant’s submissions refer to an attempt to subvert the jurisdiction of the courts. However there is nothing about making a data access request pursuant to the statutory right of access that amounts to subverting the jurisdiction of the courts. Indeed, quite the opposite, since the courts expect parties to see if they can obtain information from other sources before taking up the time of the court with a discovery request. Thus one of the tests for discovery is that the discovery request be necessary. If a motion for discovery comes before the court, all that the court will have seisin of is the issue as to whether the material is relevant and necessary to the litigation and so whether discovery should be ordered. On the other hand, the issue that the Commissioner had seisin of was the entirely separate and distinct issue as to whether the requester had a right of access to the CCTV footage under the Acts or not.
4.6 A person’s right of access to personal data is a fundamental right. Indeed Article 16 of the Lisbon Treaty now makes express reference to the need to protect personal data and provides that “Everyone has the right to the protection of personal data concerning them.” Thus it is submitted that any exemption to data protection law should be narrowly construed since it is an exemption from a fundamental right.
Decision of the Court
5.1 This matter comes before the High Court as an appeal on a point of law from a decision of the Circuit Court made on the 5th of July 2011, in which Judge Linnane upheld a decision of the Data Protection Commissioner to issue an Enforcement Notice, requiring the appellant to provide a copy of CCTV to a Ms. Margaret Me Garr. The background to this matter is as follows; on the 12th of February 2010, an access request, pursuant to s. 4 of the Data Protection Acts 1988 and 2003 was served upon the appellant by Ms. Me Garr requesting a copy of video records the appellant held in respect of her. On the 16th February 2010, that access request was rejected by the appellant on grounds that any such information was prepared in anticipation of potential litigation, and as such was privileged. Ms Me Garr had initiated proceedings against the appellant arising out of an alleged fall on one of the appellant’s buses. On the 18th of May 20 I 0, the Data Protection Commissioner, by way of letter, notified the appellant of the commencement of an investigation into the matter. On the 20th of January 2011, an Enforcement Notice, requiring the appellant to provide a copy of the CCTV footage to Ms Mc Garr, was issued by the Data Protection Commissioner as against the appellant. On the ih of February 2011, the appellant appealed the decision of the Data Protection Commissioner to the Circuit Court. On the 5th of July 2011, Judge Linnane upheld the decision of the Data Protection Commissioner. This is the decision which the appellant now seeks to appeal.
5.2 The relevant legislation governing this matter is the Data Protection Acts 1988 and 2003. Section 10(1) of the Acts provides that:-
“(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of the opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall-
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and,
(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification.
The appeal from the decision of the Data Commissioner is to the Circuit Court. The decision of the Circuit Court can in turn be appealed to the High Court on a point of law, as provided for in Section 26 (3) (b) of the Acts which states:-
“An appeal may be brought to the High Court on a point of law against such a decision; and references in this Act to the determination of an appeal shall be construed as including references to the determination of any such appeal to the High Court and of any appeal from the decision of that Court.”
5.3 In this case the appellant has not, as required by Section 26 (3) (b), set out the point of law on which it wishes to appeal. The appellant’s notice of appeal simply states:
“The Appellant, Bus Atha Cliath/Dublin Bus hereby appeals to the High Court sitting in Dublin at the first opportunity after the expiration of 10 days from the date of service hereof from the whole of the Judgment of the Circuit Court given herein on the 5th day of July, 2011 in Circuit Court Number 22 before Judge Jacqueline Linnane.”
No attempt has been made in the notice of appeal to identify any points of law. From the Courts perspective this is completely unsatisfactory. Simply saying that you are appealing the whole of a judgment does not amount to a valid appeal on a point law. An appeal on a point of law is just that. The point of law should be identified and the submissions should be directed to that point. When pressed on the matter, the appellant did identify the point of law which it wished to raise on appeal as follows:-
“Whether the existence of legal proceedings between a data requester and a data controller precludes a data requester making an access request under the Act”
Notwithstanding the unsatisfactory notice of appeal, I indicated to the parties that I would deal with this appeal. However the parties were to strictly confine themselves to this narrow legal point. I also directed the parties to provide updated written submissions which also address just this net issue within seven days from the date of hearing. Both parties have provided amended submissions.
5.4 The right of an individual to access personal data processed by a data controller relating to that individual is contained in section 4 of the Data Protection Acts 1988. Section 4 provides as follows:-
“4. (1) (a) Subject to the provisions of this Act, an individual shall, if he so requests a data controller in writing:
(i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and
(ii) be supplied by the data controller with a copy of the information constituting any such data.
The Data Protection Act 2003 imposes exceptions to the right of access where:
(a) the supply is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise.
The appellant has not sought to argue that either of these two exceptions apply, instead it seeks to argue that an exception to the right of access to data should apply where there are legal proceedings between a data requester and a data controller. In advancing this proposition the appellant places heavy reliance on English case law.
5.5 It seems to me that the English case law relied on by the appellant is not relevant. What we are concerned with here is a right of access to personal data. The English cases were concerned with information whereby the requester was merely mentioned in documents that related to third parties and where there was a statutory discretion reserved to the court under the UK Data Protection Act 1988 as to whether to make an order directing compliance with a person’s access request. No such discretion exists under the Irish Legislation. Furthermore the applicants in the English cases were seeking very large volumes of documentation. It was in the context of the exercise of that discretion that the courts considered matters such as why the requester wanted the information. However in this case we are dealing not with discretion but with the requester’s statutory right to personal data.
5.6 In Durant v Financial Services Authority [2003] EWCA Civ 1746 Auld LJ was of the view that the purpose of UK Data Protection Act 1988 was not to assist Mr. Durant in obtaining discovery of documents that may assist him in litigation or complaints against third parties. In that case Mr. Durant was seeking information that might possibly refer to him, not because it was personal data, but because he was fishing for information that he could use in proceedings against third parties. That is not the case here since what the requester is seeking is clearly her own personal data. In addition, in Durant the requester was seeking documents that contained information about third parties and thus the question arose as to whether it was reasonable to disclose such information. The English legislation stated that a test of reasonableness applied to such a request. Therefore when the court came to exercise what it viewed as its discretion to direct access to such data, Auld LJ looked at the fact that Mr. Durant was fishing for information he could deploy in proceedings against third parties. By contrast, in the present case, none of the statutory exceptions applying, the requester has a right to access her personal data and so
discretionary issues are not a factor.
5.7 It seems to me that in effect the appellant is seeking to carve out a new exception in the Acts, to the effect that whenever a data requester has instituted litigation against a data controller he or she is precluded from making a data access request under the Acts. I accept the respondent’s submission that if the drafter of the legislation wished to place such limitations on the right of access to personal data then they would have done so expressly. Thus in my judgment, the existence of proceedings between a data requester and the data controller does not preclude the data requester making an access request under the act nor justifies the data controller in refusing the request. I am not therefore satisfied that the appellant has raised a point of law giving rise to grounds for overturning the decision of the learned circuit judge. I must therefore dismiss this appeal.
Peter Nowak -v- Data Protection Commissioner
[2012] IEHC 449
Judgment of Mr. Justice Birmingham delivered the 7th day of March, 2012
1. This matter comes before the Court by way of an appeal from the judgment of Judge Linnane of the 16th November, 2010. The background to the matter may be stated briefly. The appellant has registered as a student with Chartered Accountants Ireland (hereinafter “CAI”) with a view to gaining a professional qualification as a chartered accountant. He sat an examination on the 7th October, 2009 but was unsuccessful. By letter dated the 12th May, 2010, Mr. Nowak submitted a personal data access request in which he asked CAI to release to him all personal data within the meaning of that term as set out in the Data Protections Acts 1988 to 2003 (hereinafter “the Data Protection Acts”). The letter specified that in particular he was seeking a copy of his examination script, all personal data relating to his appeal to the Appeals Panel with regard to his failure in that examination to include any personal data in existence concerning that appeal, any data compiled by the External Examiner and Appeals Panel and any data sent or received by CAI whether in manual or electronic format.
2. A very considerable volume of material was furnished to Mr. Nowak by CAI but in correspondence it was made clear to him that the material that would be provided to him would not include his examination script because CAI had received legal advice that the Data Protection Acts did not extend to that material. In passing, it may be noted and it is certainly a very strange feature of this case that although the procedures in relation to examinations conducted by the CAI provided exam candidates with an opportunity to read their scripts at a particular time and under controlled conditions, that Mr. Nowak never availed of this option. By letters dated the 1st July, 2010 and the 14th July, 2010, Mr. Nowak submitted a formal complaint to the Data Protection Commissioner, the respondent. CAI, it may be noted is registered as a “data controller” with the respondent,. These written complaints supplemented an earlier online complaint that had been submitted by him on the 17th June, 2010. While Mr. Nowak in the form he completed and in correspondence had raised a number of issues, his principal concern, and this is the only matter that arises on the appeal hearing, was the refusal of CAI to provide him with a copy of his examination script based on the view that it had formed that the script did not constitute “personal data” within the meaning of the Acts. On the 21st July, 2010, the respondent wrote to the appellant and informed him that having examined all the papers in the matter it had been concluded that Mr. Nowak had not identified any substantive breach of the Data Protection Acts. The letter stated:
“In accordance with s. 10(1)(b)(i) of the Data Protection Acts we are not obliged to investigate a complaint where no substantive breach of the Act remains to be investigated”.
3. By a notice of motion dated the 11th August, 2010 an appeal was brought to the Circuit Court. By letter of even date, the respondent wrote to the appellant’s solicitors stating as follows:-
“It is noted that you intend to make an appeal to the Circuit Court under the provisions of the Data Protection Acts 1988 and 2003. You should be aware that the Data Protection Commissioner has not made an appealable decision under the provisions of s.10(1)(b)(ii) of the Data Protection Acts 1988 and 2003. The Commissioner chose not to investigate your client’s complaints as he had formed the opinion, in accordance with s.10(1)(b)(i) of the Acts, that they were frivolous or vexatious. The Data Protection Acts do not provide for a right of appeal in such circumstances”.
4. The matter came on for hearing before Judge Linnane on the 16th November, 2010. She determined that the Court did not have jurisdiction pursuant to s.26 of the Data Protection Acts to hear an appeal as the Data Commissioner pursuant to s. 10(1)(b) of the Acts had declined to investigate the appellant’s complaint having formed the view that the complaint was “frivolous or vexatious”. She went on to hold that if she had jurisdiction to hear the appeal that she would have upheld the decision arrived at by the Commissioner and would have agreed with his views that the examination script did not constitute personal data.
5. Section 26(3)(b) of the Data Protection Acts provides that an appeal may be brought to the High Court on a point of law against a decision of the Circuit Court in relation to an appeal that had been brought to it. The notice of appeal in the present case which is dated the 26th November, 2010 does not specify on what point of law the appeal is brought to the High Court but instead simply states that Mr. Nowak appeals the whole of the order of the Circuit Court declaring that the Circuit Court did not have jurisdiction to hear the appeal pursuant to s. 26 of the Data Protection Acts and dismissing the appeal and granting the respondent, the Data Protection Commissioner the costs of the proceedings. However, written submissions have been exchanged and by reference to those and more particularly by reference to the submissions delivered on behalf of the appellant it emerges that the following points of law are said to arise on the hearing of the appeal to this Court.
(1) Was the Circuit Court correct to conclude that it had no jurisdiction to hear an appeal in circumstances where the Data Commissioner had not embarked upon an investigation of the merits of the complaint but had declined to do so having formed the view that the complaint was frivolous and vexatious;
(2) If the Circuit Court had jurisdiction should it have determined that the Data Commissioner was correct in concluding that the examination scripts did not constitute “personal data” and;
(3) Should the Circuit Court have concluded that the complaint advanced by Mr. Nowak to the Data Commissioner was one that was frivolous and vexatious.
6. Section 10(1)(b)(i) of the Data Protection Acts provides as follows:-
(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act, have been, are being or are likely to be contravened in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall –
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter, the subject of the complaint notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it, to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification.
7. Section 26(1) of the Acts so far material provides that:
“An appeal may be made to and heard and determined by the Court against-
…
(d) a decision by the Commissioner in relation to a complaint under section 10(1)(a) of this Act”.
Thus, the Circuit Court’s jurisdiction is to hear and determine an appeal against a decision of the Commissioner in relation to a complaint under s. 10(1)(a) of these Acts. The question then is whether when the Commissioner declines to investigate a complaint because he has formed the view that the subject matter of the complaint is frivolous or vexatious, that reaching that conclusion involves a decision which can be the subject of an appeal.
8. Section 10(1) seems to envisage that the following sequence of events will occur:-
(1) The Commissioner has to decide whether the matter submitted to him is frivolous or vexatious.
(2) If the Commissioner is of the view that the matter was not frivolous or vexatious, then, unless an amicable resolution can be arranged within a reasonable time, he considers the matter and reaches a decision in relation to it and then informs the complainant of the decision that has been reached and that the decision may be appealed.
(3) However, if the view is formed that the matter that has been submitted is frivolous or vexatious, then the Commissioner does not investigate the complaint or cause it to be investigated. In that event the procedure comes to a halt.
9. I find myself in respectful agreement with Judge Linnane that the jurisdiction of the Circuit Court is to hear an appeal against a decision that has been arrived at after there has been an investigation. I share her view that absent investigation of the complaint and a decision in relation to the investigation, that the Circuit Court has no jurisdiction. The entitlement of an aggrieved party in the first place to submit an appeal and then of the Court to hear and determine an appeal arises only where there has been a decision of the Commissioner in relation to a complaint under section 10(1)(a). However, the Commissioner reaches a decision in relation to a complaint only if, not having decided that the matter is frivolous and vexatious, he proceeds to investigate the complaint and reaches a decision in relation thereto.
10. Counsel for the appellant has placed reliance on the terms of Council Directive 95/46/E.C. of 24 October, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L281 23.11.1995 and in particular article 28.1 thereof.
11. However, if one looks at the structure of article 28 of the Council Directive 95/46/E.C., it does not seem to me that the provision to which the appellant has drawn attention is of any real assistance. Article 28.3 is in these terms:
“3. Each authority shall in particular be endowed with:-
– investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties;
– effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data,
– of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions;
– the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.
Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.”
12. It would seem that the complaint submitted by the appellant does not fit readily within the terms of article 28.3, but would seem to fit more naturally within the terms of article 28.4 it reads so far as material:
“4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.”
13. In any event, I am quite satisfied that the effect of ss. 10(1)(b)(i) and 26(1) when read together is quite clear and fully supports the conclusion reached in the Circuit Court.
14. Lest I be wrong in my conclusion that the Circuit Court did not have jurisdiction to entertain the appeal and in a situation where counsel on both sides have addressed the issues, I have decided to indicate a view on the substantive issue that the appellant had sought to canvass in his appeal.
15. Had an appeal been possible, it would then have been necessary to consider how a court should approach the hearing of an appeal from a body such as the Data Protection Commissioner. How a court should approach an appeal from a statutory body was addressed by Finnegan P. in the case of Ulster Bank v. Financial Services Ombudsman [2006] IEHC 323 (Unreported, High Court, Finnegan P., 1st November, 2006). In the course of his judgment he commented:
“To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal.”
16. The reference by Finnegan P. to the standard applied by Keane C.J. in Orange v. the Director Telecommunications Regulations & Anor (Unreported, Supreme Court, Keane C.J. 18th May, 2000) was a reference to the following passage from the judgment of the Chief Justice in that case:
“In short, the appeal provided for under this legislation was not intended to take the form of a re-examination from the beginning of the merits of the decision appealed from culminating, it may be, in the substitution by the High Court of its adjudication for that of the first defendant. It is accepted that, at the other end of the spectrum, the High Court is not solely confined to the issues which might arise if the decision of the first defendant was being challenged by way of judicial review. In the case of this legislation at least, an applicant will succeed in having the decision appealed from set aside here (sic) it establishes to the High Court as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In arriving at a conclusion on that issue, the High Court will necessarily have regard to the degree of expertise and specialised knowledge available to the [first defendant].”
17. I am satisfied that the approach identified by Finnegan P. is the one that would have been appropriate to apply had an appeal been available. In particular, it seems to me that it would have been appropriate for the court to have regard to what Finnegan P. referred to as the deferential standard, when deciding whether to substitute its own view for that of the Data Protection Commissioner on the issue of whether an examination script constituted personal data. The Data Protection Commissioner is concerned with issues involving data protection on a daily basis. He is required to be in regular contact with his colleagues in other EU member states and is likely to be fully au fait with developments internationally. Pointing to the expertise of the Data Protection Commissioner does not mean that a court will abdicate its responsibilities and there may be cases where decisions of the Commissioner will be set aside, but if that happens, the decision to set aside the decision of the Commissioner will have been taken by a court that is conscious of the experience and expertise of the Commissioner. In this case, the Commissioner concluded that the examination script did not constitute personal data and accordingly, he was not in a position to identify any substantive breach of the Acts. He pointed out that there was no law in this jurisdiction to suggest it was personal data and in the course of a letter of the 21st July, 2010, pointed out that there was no example of any other Data Protection Authority within the EU considering such material to be personal data. In this case the script to which access is sought was a script created during an accountancy examination, an open book examination. While on its face the document would not contain any reference to Mr. Peter Nowak and its author would be identified only by an examination number, it was of course potentially possible to link scripts to individual candidates. Obviously, if that were not so, there would be no point in setting the examination. However, little or no personal information about Mr. Peter Nowak would be gleaned by anyone reading his script.
18. It seems to me that the conclusion arrived at by the Data Protection Commissioner was not one that would have come as a surprise to most people. The CAI had an examination system in place and one might have expected that Mr. Nowak would have availed of that system. If he was unhappy with aspects of the system then there was scope available to him to challenge that system. However, what would have surprised most people was that instead of utilising the examination system to the full, Mr. Nowak sought to invoke the data protection code in order to create a parallel examination code.
19. Accordingly, had it been possible to appeal to the Circuit Court, then, in my view, the Court would have been correct to uphold the conclusion of the Data Protection Commissioner that the material in question did not amount to personal data within the meaning of the Acts and accordingly to dismiss the appeal. I am of that view notwithstanding that the applicant has pointed to the provisions of the equivalent British legislation and has drawn attention to the fact that Schedule 7 of the Data Protection Act there, which contains a number of exemptions, lists examination scripts as an exempt category. Counsel for the applicant asks why it would be necessary to exempt examination scripts unless, in the absence of such a specific exemption, examination scripts would fall within the concept of personal data. It seems to me that that argument falsely assumes that all examination scripts fall to be treated in an identical manner. However, that is not necessarily so at all. The amount of personal information contained in an examination script may vary significantly depending on the nature of the examination. As the website of the respondent in its frequently asked questions section points out a psychometric test or IQ test would likely contain more information relating to the person that undertook the test than say a test of general knowledge. The examination that the applicant sat was, as we have seen, an “open book” examination. The applicant described the process involved in the course of a letter to the Commissioner dated the 14th July, 2010. He did so in these terms:-
“Since the above mentioned exam was an “open book” exam I was able to reproduce answers provided during the real exam”.
In the course of the written submissions on behalf of the respondent the point is made that there was little more involved here than a transfer of model answers from text books into the examination booklet. Even if it was thought that there was an element of overstatement in that assertion, it does nonetheless provide a clear basis for the Commissioner to have formed the view that the examination script was not personal data.
20. Once the Commissioner had formed the view that the examination script did not constitute personal data it followed that he was being asked to proceed with an investigation where no breach of the Data Protection Acts could be identified. It was in those circumstances he had resort to s. 10(1)(b)(i). That section refers to complaints that are frivolous or vexatious. However, I do not understand these terms to be necessarily pejorative. Frivolous, in this context does not mean only foolish or silly, but rather a complaint that was futile, or misconceived or hopeless in the sense that it was incapable of achieving the desired outcome, see R. v. Milden Hall Magistrates Courts Ex P Forest Heat D. C. -16/05/1997 Times Law Reports. Having regard to the view the Commissioner had formed that examination scripts did not constitute personal data, he was entitled to conclude that the complaint was futile, misconceived or hopeless in the sense that I have described, indeed such a conclusion was inevitable.
21. Having regard to the views that I have reached that Judge Linnane was correct that no appeal lay and to the views that I have reached on the arguments in relation to the merits of the case that have been canvassed, I propose to affirm the decision of the Circuit Court dated the 16th November, 2010.
Susquehanna International Group Ltd -v- Needham
[2017] IEHC 706 (24 November 2017)
JUDGMENT of Ms. Justice Baker delivered on the 24th day of November, 2017.
1. This judgment is given in the motion for discovery brought by the plaintiff against the defendant and raises the novel question of whether a court should order a person to make discovery of documents that he or she can obtain on foot of a data subject protection request.
The proceedings
2. The plaintiff, Susquehanna International Group Limited (“SIG”), is a limited liability company with registered offices at the IFSC in the City of Dublin. The defendant is a trader in financial instruments and lives in Dublin. The defendant was employed by the plaintiff from 4th September, 2006, until 29th April, 2016, pursuant to a contract of employment made in writing. The defendant was initially employed as an assistant trader and was promoted to the role of trader in the course of his employment. The defendant was paid a substantial salary and bonus payments in respect of his employment.
3. The defendant gave notice to the plaintiff on 1st April, 2016, that he intended to terminate his employment, and, having worked out his period of notice, left his employment on 29th April, 2016.
4. The plaintiff seeks injunctive relief and damages for breach of contract arising from what it claims are certain breaches of contract by the defendant relating to confidential documents obtained in the course of his employment regarding the business, employees and business relationships of the plaintiff.
5. The plaintiff claims that the defendant has breached the express terms of his contract of employment by which, inter alia, the defendant agreed not to in any manner or capacity hire or solicit for employment or otherwise attempt, directly or indirectly, to provide any information for use in connection with the possible hiring or solicitation of any employee of SIG, (an “SIG person”) within the meaning of Clause 11.4 of the defendant’s contract of employment.
6. I will examine more fully below the claims made in the statement of claim relevant to the disputed discovery, but, in essence, the statement of claim pleads that the defendant was in breach of the covenant against the inducement of persons to leave the employment of the plaintiff and his obligation to preserve confidential information, trading strategies and commercial know-how of the plaintiff firm.
7. The defendant was one of a number of employees who tendered notice of termination of their employment to the plaintiff in March and April of 2016. Some or all of those persons have since taken up employment with Citadel LLC (“Citadel”), a company which was, at the material time, registered in London and which has now established a place of business in Dublin. The defendant was for a time subject to a restriction on taking up employment with a firm in the same business as his former employer but has now commenced employment with Citadel.
8. The primary action of the plaintiff is that the defendant has breached the terms of his contract of employment, inter alia, by assisting Citadel with the recruitment of other SIG employees and supplying Citadel with confidential information concerning the business of SIG, including the identity and details of other traders employed by SIG, the types of trades carried on by them, the profits earned by them and details of confidential trading strategies and models used by SIG or in the course of being developed.
9. Citadel operates a business of investment trade in broadly the same field as SIG and was at the material time intending to set up business in Dublin. It is pleaded that the intention of Citadel and its objective was to acquire a readymade business by persuading a group of employees of SIG who would have knowledge and expertise in financial trading to leave SIG and bring with them their knowledge and confidential information, including the know-how and trading strategies of SIG.
10. It is common case that the defendant did discuss taking up employment with Citadel and that he was recruited through a company, Execuzen Ltd., acting on behalf of Citadel.
11. Discovery of three categories of documents is sought, and the defendant has not refused to make discovery, and. rather has sought to limit the categories in the way that will appear in the course of this judgment.
12. I will deal with each category of documents separately.
Category 1:
13. Discovery is sought in respect of the following category of documents:
“All documentation relating to any interactions howsoever described between the defendant and Citadel LLC or its associated or affiliated entities and between the defendant and Execuzen Limited or any individuals employed by or acting on behalf of Execuzen Limited generated during the period between 1st August, 2015 and 29th January, 2017 to include, but strictly without prejudice to the generality of the foregoing, all such documents held by Citadel and Execuzen that the defendant can obtain on foot of data protection requests.”
14. A number of principled objections are made by the defendant to the discovery sought in category 1. I will deal with these in turn and note that some of the arguments relate also to the remaining two categories.
Request is too broad
15. The defendant argues that the discovery sought is broad, vague and impermissibly wide-ranging. He is not prepared to make discovery in regard to documentation relating to the “associated or affiliated entities” of Citadel, as he argues that those entities are ill-defined and might involve him having to discover documents from entities that he himself cannot identify.
16. In order to deal with this argument, it is necessary to consider the application of the well established principles that discovery should be ordered only in respect of documents which are relevant and necessary.
Discovery: relevance
17. Whether discovery should be ordered in respect of a category of documents is well-established in the authorities. In short, documents are to be discovered if they are relevant for the determination of the issues between the parties.
18. The test of relevance involves an examination of whether the categories of documents sought are relevant to the claim as pleaded and, for that purpose, pleadings include replies to particulars.
19. A disagreement arose in the course of the hearing of the motion regarding the fact that the plaintiff’s counsel had produced in the course of argument a “dossier” obtained by the plaintiff in a data request against Execuzen in which an analysis of the SIG business is shown. In a document headed “Susquehanna International Group Ltd. breakdown and analysis” there is material titled “Business Information” which the plaintiff argues identified a conversation had with a person called “Dan” who was working for SIG and engaged in mathematical modelling. There is an entry that says “Dan says he knows he could bring an identified SIG employee” to a “new venture like Citadel”. The identified person is known to have terminated his employment with the plaintiff and to now be either working with or intending to work with Citadel at that point.
20. I accept the argument of the defendant that the dossier which has not been exhibited on affidavit is not evidence on which I can rely and that the determination of an application for discovery is to be made by reference to the pleadings and not by reference to contested allegations of fact in affidavits, as a court hearing an application for discovery might otherwise be compelled to make a determination on the credibility or weight of contested averments on affidavit.
21. Accordingly, I propose considering the application for discovery by testing the relevance of the categories to the pleadings, and not the dossier. However, that approach also means that I must not make a determination on the discovery application by reference to the unsubstantiated submissions of fact made by counsel for the defendant that the person named “Dan” in the dossier may not in fact be the defendant but rather another person with the same Christian name. I also for that reason cannot determine the application for discovery on the basis that the defendant has denied that he gave any confidential information to Citadel, or accept his assertion that the person identified in the dossier who was later employed by Citadel through Execuzen was directly contacted by Execuzen and that the introduction was not made by the defendant.
22. I note that the defendant has not sworn an affidavit for the purposes of the motion and the replying affidavit is sworn by his solicitor on his behalf. I note also that the allegations and particulars of breach of confidence and breach of contract are all denied in the defence.
23. I also accept the argument of the defendant that the request for discovery of documents relating to “Citadel or its associates or affiliated entities” has the appearance of being a very broad trawl, and equivalent to what is commonly called “fishing”. It seems that the primary Citadel company, or at least a primary company which trades under that name, has offices and its registered address in London and that it also operates as a company registered in the United States. It is not asserted that the defendant had association with Citadel or any company associated with it or any of its subsidiaries or companies bearing that name other than for the alleged purpose in respect to which these proceedings are brought. The allegation in the statement of claim is that a company identified as “Citadel LLC” intended to set up business in Ireland and has had the benefit of being supplied with confidential information concerning the business of SIG. Having regard to the fact that there is no evidence of any other association between the defendant and a Citadel “entity”, I consider that the request for discovery of documentation relating to Citadel or its associated or affiliated entities has the appearance of being broad but is not truly broad when tested against the pleaded facts.
24. However, in the interests of clarity, I consider that the phrase used in the request could be refined so that discovery is ordered in regard to communication with Citadel LLC or its parent or any Citadel subsidiary or associated company which intended to or did in fact establish a business in Ireland.
25. The defendant also argues that the inclusion of a request for documentation relating to his engagement with Execuzen Limited is not discoverable, and that that firm is not named in the statement of claim. The statement of claim pleads that the defendant supplied Citadel with confidential information, and paragraph 5.5 expressly pleads that “arising out of the activities of Citadel and/or its agents”, offers of employment were made to a number of SIG employees. Execuzen was the recruitment agency through which the defendant and some or all of the other former employees of SIG were engaged. Therefore, the fact that Execuzen is not named in the statement of claim does not make any engagement between the defendant and that firm irrelevant to the claim, as Execuzen is acknowledged to have acted as a recruiting agent for Citadel. I consider that the claim as formulated permits me to make an order for discovery relating to documents which might have been generated in the course of the recruitment process or for the purposes of the employment by Citadel, by itself or through an agent, of the relevant persons, including the defendant.
26. The defendant argues that the request for documentation “relating to any interactions howsoever” is impermissibly broad and is equivalent to “blanket discovery”, as described in Ryanair plc v. Aer Rianta c.p.t. [2003] IESC 62, [2003] 4 IR 264, or is “too wide ranging”, as described in Framus Limited & Ors. v. CRH plc & Ors. [2004] IESC 25, [2004] 2 IR 20, and I agree. The documentation that is relevant to the present case is documentation relating to or evidencing contact and engagement that the defendant had relating to the employment of himself and of the other SIG employees to whom Citadel made an offer of employment. The defendant is uniquely placed to know who those persons are, as the claim is made in respect of persons who formerly worked with him in SIG and who now work, are about to commence work or did work in the relevant period with Citadel.
27. Discovery therefore is to be made of documents relating to or evidencing contact and engagement that the defendant had relating to the employment of he himself and of the other SIG employees to whom Citadel made an offer of employment.
Necessity
28. The defendant has already voluntarily offered not only his own electronic devices but those of several of his family members for inspection and review. The defendant prepared a number of memoranda for his interview with Citadel, some of which were sent by email to his family members from his personal Gmail account. Those memoranda included lists of persons who worked in SIG and who have now moved or are about to move to Citadel. It is denied that the defendant ever passed on that information regarding his co-workers to Citadel, but whether that denial would be borne out at the trial is a matter in respect of which I can make no assumptions.
29. The defendant argues that, in the light of the fact that he has already voluntarily offered his own Gmail account and those of his family members, disclosure of other documentation is unnecessary and oppressive. Counsel points to the fact that the passing on of that information is denied in the defence but that is not determinative, as the fact that it is denied makes it an issue in the proceedings in respect of which discovery is to made on account of relevance.
30. Whether discovery is necessary cannot, bar an argument of oppression, be assessed on the basis that the requesting party already has a large volume of documentation. The class of documents sought to be discovered in the present application would include those documents already agreed to be disclosed in the form of email accounts of the defendant and his family members, but I cannot at this juncture safely make the assumption, which counsel for the defendant invites me to make, that the plaintiff already has enough documents and sufficient material to advance his case by reason of the nature and probable extent of the documentation agreed to be disclosed such that discovery of further documentation should not be directed.
31. Counsel describes the defendant as having acted in an “unusually cooperative fashion” and that approach is to be admired. The level of cooperation, however, cannot influence my decision whether to grant discovery of the documents now sought, as the discovery process is not to be viewed as a process of attrition by which the party is rewarded for doing what he or she would be compelled to do in any event. Counsel for the defendant also argues that, as the plaintiff has issued separate proceedings against Execuzen and has obtained discovery from it in that litigation, the documentation sought against the defendant is not necessary. It goes without saying that the documentation discovered in the other proceedings may not be used for the current proceedings without leave of the Court and the plaintiff is bound by its implied undertaking regarding how the documents obtained in the other discovery may be used. That argument fails.
The documents that may be available through data protection rights
32. The primary dispute between the parties referable to this category is the request that the defendant make discovery of documents which could be available to him on foot of a data subject access request.
33. The plaintiff argues that this class of documents is within the “power” of the defendant, as explained by the Supreme Court in Thema International Fund plc v. HSBC International Trust Services (Ireland) Ltd. [2013] IESC 5, [2013] 1 I.R. 274 where, at para. 5.9, Clarke J. (as he then was) accepted the test identified by Lord Diplock in Lonrho Ltd. v. Shell Petroleum [1981] 1 W.L.R. 627 as:
“In that context, Lord Diplock defined the term “power” to mean:-
“… a presently enforceable legal right to obtain from whoever actually holds the document inspection of it without the need to obtain the consent of anyone else. Provided that the right is presently enforceable, the fact that for physical reasons it may not be possible for the person entitled to it to obtain immediate inspection would not prevent the document from being within his power; but in the absence of a presently enforceable right there is, in my view, nothing in Order 24 to compel a party to a cause or matter to take steps that will enable him to acquire one in the future.”
34. Clarke J. identified the test as follows in para. 5.19:
“The position adopted in most of the common law jurisprudence to which reference has been made and also adopted under the former rule in this jurisdiction under Johnston v. Church of Scientology [2001] 1 IR 682 has, in my view, the considerable merit of certainty. A party either has documents in its possession or has the legal entitlement to require possession. In those circumstances the document must be discovered. In all other circumstances, the document does not have to be discovered. Subject to the argument, to which I will now turn, concerning whether the addition of the word “procurement” to the rule has altered that situation I do not see any basis in principle for deviating from the law as stated in Johnston v. Church of Scientology.”
35. Accordingly, a document is capable of being the subject matter of an order for discovery if the document, while not in the possession of a person, is one in regard to which he or she has the legal entitlement to procure or obtain.
36. The question then, is whether the defendant in the present proceedings has a “presently enforceable legal right”, to borrow the language of Lord Diplock, to obtain copies of the document.
37. The relevant documents are more likely than not held in the offices in England of Citadel and/or Execuzen. No evidence of foreign law was produced at the hearing, but it is common case that the right to seek and inspect personal data is a right which derives from the Data Protection Directive (EU Directive 95/46/EC). There is no dispute between the parties as to the purpose of the Directive, being to provide a person with the right of access to data relating to him or her, and such a right is recognised as deriving from fundamental rights, including the right of privacy. It is agreed by both parties that, under the law of England and Wales, a person has a right of access under the Data Protection Act 1998 and a direct right of access to the Court to enforce that right.
38. Counsel for the plaintiff makes a simple but compelling argument that the defendant has a right as a matter of European law, however it has been transposed, to obtain from the relevant persons information in the form of data relevant to him. The example given of particular relevance in the present case is that a person has the right to obtain under data protection legislation documents relating to any interview process engaged by a prospective employer regarding that person.
39. The defendant makes a number of arguments in support of his contention that he cannot be compelled to make a data subject access request in aid of making discovery. The first argument relies on a decision of the Court of Appeal of England and Wales in Durant v. Financial Services Authority [2003] EWCA Civ 1746. That judgment concerned a request by Mr. Durant for disclosure of information under s. 7 of the Data Protection Act 1998. In the course of the judgment Auld L.J. observed that the request for data made by Mr. Durant was:
“a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by consideration of relevance.” (para. 31)
40. Counsel for the defendant argues that it is wrong as a matter of principle for a person to be compelled to use data protection processes to achieve a purpose which more properly should be achieved by an order for discovery or non-party discovery. She argues that the power to order discovery is a judicial power and not one that any other body or person may usurp and relies on the dicta of Walsh J. in Murphy v. Corporation of Dublin [1972] I.R. 215 at p. 234 that:
“It is … impossible for the judicial power in the proper exercise of its functions to permit any other body or power to decide for it whether or not a document will be disclosed or produced. In the last resort the decision lies with the courts so long as they have seisin of the case.”
41. The defendant’s counsel argues that the plaintiff is attempting to bypass the judicial process by seeking an order the direct effect of which will require the defendant to avail of his data protection rights, and that the correct approach is for the plaintiff to seek non-party discovery against the relevant persons.
42. More fundamentally, she argues that the objective of data protection law and the Directive is to protect the right of an individual to privacy, to enable the individual to correct any inaccuracy in the personal data relevant to them held by others or to ensure that records of an inaccurate nature are not kept about that person. She points to Recital 41:
“Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing;
whereas, for the same reasons, every data subject must also have the right to know the logic involved in the automatic processing of data concerning him, at least in the case of the automated decisions referred to in Article 15(1);..”
43. The substantial rules are to be found in Article 12 of the Directive which requires that Member States shall guarantee every data subject the right to obtain from the holder without constraint certain documents, or, as appropriate, the right to erasure or blocking of incomplete or inaccurate data
44. I accept the argument of counsel for the defendant as to the purpose of the Data Protection Directive and the source of the right of a person to make a data request. I consider too that, there are likely to be circumstances where another remedy such as non-party discovery is more appropriate. This derives from the principle that discovery must not be permitted to be oppressive of a litigant and must be proportionate.
45. I am not satisfied that the request in the present case is oppressive or disproportionate. From the evidence and arguments before me, I am satisfied that the defendant has a unique right to seek certain classes of documents. While the request is couched in the language of contemporary data rights, the class of documents sought to be discovered is a type of document which is known and recognised in the common law. A person may be compelled to make discovery of documents which are in the possession of an agent of that person, for example a solicitor, a banker or a trustee, to take a few examples. While I accept that counsel for the defendant is correct regarding the purpose of the Data Protection Directive, and while the plaintiff could seek in the alternative to make an application for non-party discovery against Citadel or Execuzen, the test remains that which is long established in the authorities, namely whether the documents are relevant and necessary and the request is proportionate and not unduly oppressive.
46. Counsel relies on the judgment of Barrett J. in Glaxo Group Ltd. & Anor. v. Rowex Ltd. [2016] IEHC 253, where he, correctly in my view, noted that care was required in regard to the protection of confidential information. That plaintiff had brought proceedings for trademark infringement against the defendant and both parties had sought discovery against the other. In the course of his analysis of the legal principles, Barrett J. said at para. 41 that “individuals should enjoy a high level of protection when it comes to personal data” and that discovery ought not to be used to compel “inappropriate disclosures of personal data”. Barrett J. did not need to address the issue as it had mostly been resolved in the currency of the application, although he did go on to say that if a person, whether for “good reason, bad reason or no reason”, declined to consent to the release of their personal data, the court would not intervene. That statement is not authority for the proposition that, if documents are relevant, they could not be ordered to be discovered if the person making discovery had to obtain the documents through a date subject access request.
47. I am not satisfied that the defendant has made out an argument that the documents sought from the recruitment company and/or Citadel regarding the course of engagement he had with them which led to his decision to take up employment with Citadel, or by which he allegedly disclosed information relating to other persons with whom he worked in SIG, is confidential or highly personal information of the type referred to.
48. I am not satisfied therefore that the information in respect of which discovery is sought in category 1 is information of a personal or confidential nature of the type to which Barrett J. referred, or of the type referred to by Clarke J. in Hartside Ltd. v. Heineken Ireland Ltd. [2010] IEHC 3 at para. 5.9 where he referred to “the undoubted undesirability of allowing a mere allegation to give rise to an entitlement to access highly confidential information”. That dicta and the approach of Barrett J. seem to me to correctly express a difficulty that arises with a broad request for discovery and highlights the requirement that a court should engage a degree of scrutiny with regard to the test of relevance and necessity where information is likely to be highly confidential or personal.
49. The present request for discovery is not in my view an attempt to use data protection law for a collateral purpose. The judgment of the Court of Appeal for England and Wales in Durant v. Financial Services Authority is not on point, as it concerned whether the applicant was himself entitled to access to information, and the Court held that he was misguided, as the proper course of action was to seek discovery and not to make a data request.
50. It matters not therefore that data protection legislation deriving from the Directive has the primary purpose of protecting the right of privacy and accuracy regarding personal data held by others, if the effect of the legislation is to make available as of right certain information held by others relevant to that person.
51. There is no principled reason why information which is capable of being obtained by a data request cannot be the subject matter of a request for discovery. The law would suggest that a data access request ought not to replace discovery where discovery is the more relevant remedy, and the corollary may equally be the case, that discovery ought not to replace a data request. But the question at issue in the present case is whether the defendant can be compelled to obtain documents which are within his power by making a data request. I consider that he can.
52. However, I accept the argument of counsel for the defendant that the test of whether a document is in the power of a person must, having regard to the complex nature of the data protection legislation, not be used as a tool of oppression. The defendant is to be directed to make discovery of all documents that are reasonably available to him by means of a data subject access request and that will require him to take reasonable steps to procure the documents by such means.
53. This might have the inevitable consequence in the present case that the defendant would be unable to procure some or all of the data through either Execuzen or Citadel without a challenge of a refusal, whether such challenge is to be through the relevant Data Protection Commissioner or to a relevant court. It is too early in the process for me to determine how far the defendant is required to go to obtain the relevant information but I consider that he must take reasonable steps to obtain such documentation, as I consider that the documentation, insofar as it exists, is documentation to the production of which he has a legal right.
54. It will be necessary to therefore give the defendant liberty to apply in regard to this class of documents if he fails to obtain the documents after a reasonable process has been engaged by him.
Alternative means to obtain the documents
55. Counsel for the defendant argued that the plaintiff had available to it the option of seeking non-party discovery against Execuzen and Citadel, albeit it was acknowledged that the discovery process would most likely be made in the Courts of England and Wales and would therefore involve the enforcement process through the Central Authority.
56. In Ryanair plc v. Aer Rianta c.p.t. Fennelly J. acknowledged that, in lieu of making an order for discovery, a court may have regard to an alternative means of obtaining documents, or an alternative means of proving the facts which those documents might serve to prove. MacMenamin J. in Linfen Ltd. & Ors. v. Rocca & Ors. [2009] IEHC 292, [2009] 2 ILRM 504 explained the matter as follows:
“…the mere fact that a document is relevant will not inevitably lead to a finding that discovery of that document is also necessary, as against that particular respondent. The issue may hinge on evidence as to the conduct of other respondents. Discovery of documents may not be necessary if the applicant has sufficient alternative means available to deal with matters at issue in the trial or whether, in the first instance, the applicant should appropriately seek discovery against another party.” (para. 31)
57. For the purposes of the argument, I accept that it is open to the plaintiff to seek non-party discovery against one or both of these entities but that fact alone does not prevent me from directing discovery by that party. In general, it seems to me that, as a matter of preference, a court would make an order for discovery against a party to the proceedings, rather than engaging in the more cumbersome and costly process of seeking discovery against a non-party. The costs of non-party discovery are, under the Rules of the Superior Courts, to be met by the party seeking that discovery, but those costs may ultimately come to fall on some other party to the proceedings depending on the result of the litigation. A rush to seek non-party discovery when those documents could be made available by a party must, therefore, not be a first option and it seems to me that the fact that the application for discovery against a party is straightforward, less costly process. The fact that such costs may be levied eventually against that party tends to support a view that discovery against a party is to be preferred.
58. Therefore, the argument that discovery ought not to be directed as the documents can equally or readily be made available through a request for non-party discovery against Citadel or Execuzen must fail in the present case.
The cut off date for the order
59. It is argued that the period for which discovery is sought goes beyond the claim in seeking discovery up to and including 29th January, 2017, the date the defendant took up employment with Citadel.
60. The plenary summons issued on 15th April, 2016, and the defendant argues that that date is the relevant cut-off date, as it identifies the nature and extent of the plaintiff’s claim. The defendant is prepared to give discovery up to and including 29th April, 2016, the day he actually left his employment with the plaintiff.
61. The defendant argues that, if discovery is to be granted, the discoverable documents ought to be those which were in existence at the date that the proceedings were commenced or, at the latest, the date he left his employment. The plaintiff argues otherwise and says that there may be relevant documents which came into existence after the proceedings were commenced.
62. There is little authority on this point and that is because the test to be applied by a court in ordering discovery must always start with the pleaded claim, taking into account the requirements of proportionality, relevance and necessity.
63. Some assistance is to be gained from the judgment of O’Sullivan J. delivered on the 2nd February, 2000, in McDonnell v. Sunday Business Post Ltd and Others, in which he was hearing an application for discovery against the plaintiff, who had commenced proceedings claiming damages for libel. Counsel had argued that the discovery order should relate to documents in existence at or prior to the date of publication of the alleged libellous newspaper article, but counsel for the defendant argued that documents that may have come into existence subsequently could well relate to a matter in question and would clearly be relevant. O’Sullivan J. dealt with the matter as follows at p. 10 of his judgment:-
“It seems to me that there should be some reasonable limit on the categories of documents which are ordered to be discovered and which came into existence after the date of publication. I consider that any such document is discoverable only if a draft or earlier edition thereof or working papers in relation thereto was or were in existence at the date of publication.”
64. O’Sullivan J. therefore posited a test of relevance and necessity which linked the documents to the event in respect of which the proceedings were commenced, but which did not envisage a cut-off date as invariably being the date of the institution of proceedings. That approach commends itself in the present case and I consider it possible that there may be documents which are relevant and necessary to the matters in issue and which were generated after the defendant left his employment with the plaintiff.
65. Therefore such documents are discoverable, and in the circumstances I propose that the order for discovery require discovery to be made up to the date of the motion
The undertaking
66. In correspondence between the parties through their respective solicitors in April, 2016, the plaintiff has accepted undertakings, inter alia, from the defendant not to induce any “SIG Person” to discontinue an existing employment relationship with the plaintiff, not to solicit directly or indirectly such persons away from that employment, communicate with such persons regarding the likelihood or possibility of that person moving to a different employment and generally restraining the taking up of employment with a rival firm for a period of eighteen months. The defendant argues these undertakings offer sufficient protection to the plaintiff when taken together with his agreement to delete emails and relevant potentially confidential documents from all devices and systems owned by him, or to which he has access. It is argued in those circumstances that the plaintiff is sufficiently protected in respect of any possible future breach.
67. I disagree that the giving of these undertakings in the context of an application for injunctive relief determines the relevance or necessity of the discovery of the documents sought, and whilst I accept that there is no reason to suppose that the defendant has breached or will breach this solemn undertaking, the giving of the undertaking does not relieve the defendant of the obligation to make discovery. To consider otherwise could be a pre-judging of the factual claims to be determined at trial
Category 2
68. Category 2 seeks discovery of documentation, whether confidential or otherwise, connected to the business of the plaintiff that the defendant sent to his personal email address or that of other persons. Discovery is agreed to be made of this category and the only issue between the parties is the time limit. The defendant is prepared to give discovery up to the date he left the employment of the plaintiff on 29th April, 2016 and my views with regard to the cut-off date above are relevant.
69. Discovery is to be made up to the date of the motion.
Category 3
70. Under this category the plaintiff seeks:
“All documentation generated in the period between 1st August, 2015 and 29th January, 2017 relating to any interactions howsoever described between the defendant and any other employee of the plaintiff howsoever connected to the defendant or those other employees leaving the employment of the plaintiff to commence employment with Citadel LLC.”
71. The reason given for seeking this category is that the documents “are relevant and necessary for the determination, inter alia, of the plaintiff’s claim that the defendant conspired with other employees in relation to the circumstances in which the defendant and other employees would leave the employment of the plaintiff.”
72. The grounding affidavit of the solicitor for the plaintiff avers to a belief and apprehension that the defendant connived with Execuzen and Citadel and assisted in the targeting of employees of SIG.
73. The defendant argues that this category is “wholly” objectionable, not rooted in the proceedings and is framed in exceptionally broad terms.
74. The defendant is correct that the claim is not made in conspiracy but breach of confidence is pleaded, as is a claim that the defendant has, inter alia, breached his contract by assisting in the recruitment of other SIG employees by Citadel. A specific former employee of SIG is identified by name in the pleadings. The plaintiff in replies to particulars has acknowledged that the claim was not made in conspiracy. The defendant argues that this category is a classic fishing expedition made in order to obtain information in regard to employees not identified in the pleadings. He points to the fact the allegations in the statement of claim are unspecific and neither the statement of claim nor the replies to particulars identify any other person apart from the named employee.
75. Paragraph 5.5 of the statement of claim pleads that offers of employment were made to “a group of SIG employees”, including the defendant, by Citadel “arising out of the activities” of Citadel and or its agents. There is then a plea as follows:
“The Plaintiff apprehends and contends that the Defendant breached the provisions of his contract of employment by assisting Citadel with the recruitment of other SIG employees and in particular the Defendant caused an approach to be made or assisted in the making of an approach to one [employee identified], an employee of the plaintiff”.
76. I consider that that plea is broadly made and includes a claim that the defendant assisted with the recruitment of persons other than the one identified person, and I note also that the plea is followed by an assertion that further particulars will be given following discovery and other pre-trial processes.
77. Counsel for the defendant relies on the recent judgment of the President of the Court of Appeal in O’Brien v. Red Flag Consulting Limited & Ors [2017] IECA 258. There, the Court of Appeal upheld a judgment of the High Court that the plaintiff was not entitled by discovery to ascertain the identity of a wrongdoer. The facts and reasoning are complex, in that it was regarded as relevant that Mac Eochaidh J. in the High Court had already refused an order under the jurisdiction identified in Norwich Pharmaceutical Co. & Ors. v. Customs and Excise Commissioners [1974] AC 133. The Court of Appeal held that there was “no new basis advanced by the plaintiff to produce a different result from the previous unsuccessful application” (para. 37). The reasoning of the Court of Appeal was, inter alia, that the matter was res judicata and the discovery motion proceeded on the basis that the Court of Appeal agreed with the finding of the High Court that the plaintiff did not pass the threshold required to establish that the documents were relevant in the light of the pleadings.
78. The judgment of the Court of Appeal in that case is relevant to the argument of the defendant because counsel argued that the dossier obtained through Execuzen could not form the basis of the request for discovery. In the course of argument, the plaintiff agreed with that proposition and argued, correctly in my view, that the request for discovery is firmly rooted in the pleadings, which expressly plead that the defendant by his actions had enticed other employees of SIG to move to Citadel. The request for documentation that might show interaction with other persons is within that pleading, but is also borne out by the fact that the emails sent by the plaintiff from his personal Gmail account to his family members did contain a list of those employees, some or all of whom did subsequently take up employment with Citadel. While the defendant denies that he used that information in the course of interviews with Citadel, the fact remains that he himself had identified those persons in his preparatory paper work, and the plaintiff is aware that certain other former staff of SIG did move to Citadel. Thus there is a basis in the pleadings and in the known facts which justifies disclosure of other documents.
79. The judgment of the High Court and of the Court of Appeal on appeal in O’Brien v. Red Flag Consulting Limited & Ors. was grounded on the fact that the identity of the clients of the defendant was not relevant to the proceedings. I consider that particular finding to be central to the reasoning of the Court of Appeal and of the High Court in O’Brien v. Red Flag Consulting Limited & Ors., and to be readily distinguishable from the present case. The identity of the persons who might have by reason of an alleged wrongful act of the defendant chosen to take up employment with Citadel is relevant to the present proceedings.
80. For that reason, I reject the argument of the defendant that category 3 is impermissibly wide, is a fishing exercise and must be refused on the basis identified in O’Brien v. Red Flag Consulting Limited & Ors.. There is a pleaded basis and a factual basis to substantiate the request for discovery.
81. I will hear counsel on the exact form of the order, but propose that discovery be made within ten weeks, with the proviso that the time for discovery for the class of documents that may require the defendant to make a data subject access request be extended if necessary, whether by agreement or further order. The defendant is to exhibit in with his affidavit of discovery correspondence regarding the request and by affidavit explain the then current progress.
Shatter -v- Data Protection Commissioner & anor
[2017] IEHC 670
JUDGMENT of Mr. Justice Meenan delivered on the 9th day of November, 2017
Background
1. On 16th May, 2013, both the appellant and the notice party appeared on the RTE television programme “Prime Time”. Both were interviewed concerning controversy over the penalty points system. The notice party claimed that it was unlawful for members of An Garda SÃochána to exercise any discretion in relation to the issuing of fixed charge notices for certain road traffic offences. The appellant expressed the view that it was entirely appropriate for members of An Garda SÃochána to exercise such a discretion and stated:-
“Deputy Wallace himself was stopped with a mobile, on a mobile phone last May by members of An Garda SÃochána and he was advised by the guard who stopped him that a fixed ticket charge could issue and he could be given penalty points. But the garda apparently, as I am advised…used his discretion and warned him not to do it again…”
2. Political controversy followed.
3. On 21st May, 2013 the appellant said the following in Dáil Éireann: –
“I am grateful for the opportunity to address issues arising from last Thursday’s Prime Time programme. I regret that comments made by me have inadvertently resulted in concerns being expressed that I am prepared to use confidential Garda information to damage a political opponent. Nothing could be further from the truth, but I am happy to offer reassurances to deputies on this point. I give a solemn assurance to the house that I am not in the business of receiving, seeking or maintaining confidential, sensitive information from An Garda SÃochána on members of this house, Seanad, anyone in political life, nor are Gardai in the business of providing it…”
4. The appellant further stated:-
“The manner in which I acquired the information was quite straightforward and there is nothing sinister about it. I have taken the allegations made about the integrity of the fixed notice charge system and the controversy that arose with great seriousness. In the circumstances, I asked that the allegations made be fully investigated and was briefed on the matter by the Garda Commissioner. During the course of one of our conversations in which a number of matters relating to the reports on the fixed notice charge issues were discussed, including circumstances in which Gardaà exercised their discretion on traffic offences, the incident involving Deputy Wallace was mentioned by the Garda Commissioner…”
5. In the meanwhile, the notice party submitted a complaint to the respondent concerning what the appellant had said on the “Prime Time” programme. The respondent commenced an investigation into the complaint and notified the appellant of that fact by letter dated 21st May, 2013. In the course of this letter, Mr. Tony Delany, Assistant Commissioner, on behalf of the respondent stated :-
“Section 2 of the Data Protection Acts sets down the requirements which apply to the processing of personal data by data controllers. The Commissioner is satisfied the personal data of Deputy Wallace was processed by you in the incident complained of. This investigation will seek to determine whether that data processing was carried out in compliance with the requirements of s. 2 of the Data Protection Acts…”
I will return to this paragraph later in the judgment in the context of dealing with one of the issues of the appeal.
6. Under s. 10.1(b)(ii) of the Data Protection Acts 1988-2003 (the “Acts”) the respondent may attempt to arrange an “amicable resolution” of the complaint. However, such a resolution was not achieved and so by letter dated 20th December, 2013, on behalf of the respondent, the appellant was informed under s. 10 of the Acts that the respondent was going to carry out an investigation as to whether or not the Acts had been breached in the manner complained of. The letter also posed a number of questions for the appellant to answer concerning, inter alia, the circumstances under which the appellant acquired the information upon which he based his comments on the RTE programme.
7. By letter of 17th February, 2014, the respondent sought answers to the questions set out in the letter of 20th December, 2013. In the course of a reply to that letter, dated 25th February, 2014, the appellant stated:-
“As I have indicated previously to you, I am anxious not unduly to delay your investigation and the work of the Data Protection Commissioner in this matter and I look forward to providing you with a full response to the questions which were set out previously.
In advance of doing so, however, there is a legal point which has arisen in my analysis of the issues and which I believe requires to be addressed first. In your letter to me of 21st May, 2013, you stated that “the Commissioner is satisfied that the personal data of Deputy Wallace was processed by you in the incident complained of”, that is to say, of course the remarks made by me in the course of the discussion on the Prime Time programme of 16th May 2013”.
It appears to me that there may be grounds to question the conclusion that the disclosure of information regarding Deputy Wallace by me in the particular and peculiar circumstances of the Prime Time programme qualifies as the processing of personal data as this would be normally comprehended by the terms of the Data Protection Acts.
It may be helpful to reiterate to you that the information about Deputy Wallace in question was not in my possession or in my department’s possession in any documentary form – it was information conveyed verbally and directly to me by the Garda Commissioner in the course of a discussion at which no other persons were present. The information resided thereafter in my mind. I did not make a written record of it, nor was a written record of it made in my department.
I would have a concern about the extent to which the provisions of the Data Protection Acts could be taken to apply to or could be used to regulate information or the processing of information that is held in a person’s” mind.
As you well know, the provisions of the Data Protection Acts deal with manual data or automated data as they are defined in the Acts. In the light of the way in which data is so defined, the Acts then set out a range of provisions dealing with the processing and disclosure of such data, the rights of data subjects and also the roles and responsibilities of data controllers and the Data Protection Commissioner…”
8. The respondent replied to this letter on 4th March, 2014, stating, inter alia:
“The contents of your letter have been noted and considered. We note in particular your assertion that the information about Deputy Wallace was not in your possession or in the possession of your department in any documentary form as it was information which was conveyed verbally and directly to you by the Garda Commissioner in the course of a discussion where no other persons were present. Notwithstanding that, the Data Protection Commissioner must take account of the fact that the information about Deputy Wallace was, as the Data Protection Commissioner understands, kept in a written record in An Garda SÃochána. For that reason, the Data Protection Commissioner is satisfied that the information concerned is covered in by the Data Protection Acts 1988 and 2003…”
9. The reference in this letter to “a written record in An Garda SÃochána” is important in the context of the interaction between the respondent and An Garda SÃochána. In the course of an affidavit in the proceedings sworn on 24th July, 2014, the respondent states: –
“25. On the 12th March 2014, I attended a meeting with Assistant Garda Commissioner Nolan (along with other officials from this office) to discuss a number of different data protection matters including, but not limited to, Deputy Wallace’s complaint. At that meeting, Assistant Commissioner Nolan confirmed to me that the Gardaà held a written record of the incident in which Deputy Wallace was allegedly cautioned by a member of the Gardai in relation to the use of a mobile phone while driving.”
and:-
“28. By an email dated 4th April 2014, this office asked the Gardai to formally confirm in writing that they held a written record of the incident in which Deputy Mick Wallace was allegedly cautioned by a member of the Gardaà in relation to the use of a mobile phone whilst driving.”
10. The respondent exhibited to his affidavit this email of 4th April, 2014 which stated inter alia: –
“… on the basis of those inquiries, the formal decision will record that An Garda SÃochána held a written record in respect of the incident in which Deputy Wallace was cautioned by a member of An Garda SÃochána and that the former Garda Commissioner orally briefed Minister Shatter on the contents of that written record. Please confirm that this is correct.”
It would therefore seem that at this stage of the investigation the respondent had neither seen nor considered the ‘written record’.
11. By letter dated 8th April, 2014 the appellant responded. With regard to the paragraph in the respondent’s letter of 21st May, 2013 that I set out at para. 5 above, it continued:-
“In the context of the current refinement addressed to controlling rather than processing of the earlier view, the view expressed in the letter of 21st May 2013 gives rise to an impression that the outcome of any subsequent investigation into the matter might have been in some way predetermined. Moreover, this coincides with the public statement of the Data Protection Commissioner on the RTE news the previous day 20th May 2013, that “the key issue is that it is the personal data of Deputy Wallace, it was disclosed by Minister Shatter, so it is for Minister Shatter to justify the basis and the justification for disclosing data that came into his possession as Minister for Justice”. This is a matter for considerable concern”.
12. On 17th April, 2014, the appellant was furnished with a copy of a “draft decision” by the respondent of the notice parties’ complaint. Observations were invited.
13. In giving his observations on 2nd May, 2014, the appellant contended, as he had done before, that what was involved in the complaint was not “data” for the purposes of the Acts nor was he, the appellant, a “joint controller” for the purposes of the Acts.
14. Notwithstanding the appellant’s observations, the respondent issued his decision dated 6th May, 2014. The decision sets out in detail the background to the complaint and the exchange of correspondence. The respondent concluded that the appellant was a “data controller” for the purposes of the Acts, and that:-
“I understand from An Garda SÃochána that the incident involving Deputy Wallace was not recorded on the central Garda IT system, PULSE, but that it was recorded as a written note, the contents of which were disclosed orally to the Garda Commissioner in the course of a briefing session with senior Garda officers. I consider that the information thus processed by An Garda SÃochána falls within the definition of “personal data” for which the Garda Commissioner is the “data controller”.”
15. The decision further states:-
“The Minister contends that since the disclosure of the “personal data” about Deputy Wallace was made orally to him by the Garda Commissioner as was his statement on RTE, he should not be considered a “data controller” in respect of this information in view of the definition of “personal data” in the Data Protection Acts.
I acknowledge that the Minister raises a legitimate point of interpretation which could be the subject of detailed legal argument. I am not, on balance, disposed to accept the Minister’s contention in context of this case. In reaching this conclusion, I have had regard, inter alia, to the following considerations.
It is not disputed that Minister Shatter disclosed information about Deputy Wallace in the course of the Prime Time programme. In circumstances where the information about Deputy Wallace was “personal data” held by An Garda SÃochána and where an otherwise unlawful disclosure of this “personal data” the Minister is legitimate solely because of the Minister’s duties under the Garda SÃochána Act 2005, I consider that the Minister, on receipt of the “personal data” in these circumstances was bound by the same obligations of nondisclosure under the terms of the Data Protection Acts as was the Commissioner. I consider that the Minister in these circumstances, became a joint controller with the Garda Commissioner of the “personal data” of Deputy Wallace and he could not therefore disclose it other than in accordance with the Data Protection Acts. Bearing in mind the definition of “data controller” cited above, it is clear that the use of the personal data on Prime Time was determined by the Minister”
16. In conclusion, the respondent decided:-
“I am of the opinion following the investigation of the complaints submitted to this office by Deputy Mick Wallace T.D. against Mr. Alan Shatter T.D. Minister for Justice and Equality, that Mr. Alan Shatter T.D. Minister for Justice and Equality, contravened the Data Protection Acts 1988 and 2003 as follows:
• Section 2(1)(c)(ii) by further processing Deputy Mick Wallace’s personal data in a manner incompatible with the purpose of which that personal data was obtained…”
17. On the same date of the decision, 6th May, 2014, in his affidavit the respondent states the following:-
“At a meeting I attended (along with other officials from this office) on 6th May, 2014, Assistant Garda Commissioner Nolan produced a copy of an email dated 11th January, 2013, internal to An Garda SÃochána, setting out details of an incident said to have occurred in or around May 2012, whereby a member of An Garda SÃochána had cautioned Deputy Mick Wallace in relation to the alleged use of a mobile phone by him whilst driving. A copy of the email in question was not handed over to me at the meeting. Assistant Commissioner Nolan did, however, confirm that he would formally reply to the email issued by this office on 4th April, 2014”.
18. There is no reference to any of this in the respondent’s decision of 6th May, 2014. Further, it turns out that the “written note” referred to in both correspondence and the decision was an email “internal to An Garda SÃochána”. The email was not “handed over” to the respondent. He was simply “shown” it as was deposed to at para. 44 of the respondent’s affidavit.
19. The decision of the respondent was appealed to the Circuit Court and the matter was heard on 21st January, 2015.
The Circuit Court Appeal
20. Her Honour Judge Jacqueline Linnane delivered a written judgment on 21st January, 2015.
21. At the hearing of the appeal, the respondent maintained that the appellant had no standing to bring the appeal by reason of the fact that the office of the Minister for Justice and Equality is a separate legal personality from the appellant as an individual citizen. As such, the appellant cannot appeal against a decision that relates to the office the Minister. At this stage, the appellant was no longer the Minister for Justice and Equality. Further, the respondent stood over both his decision and the procedures he followed in reaching such decision.
22. The Circuit Judge dismissed the appeal:-
“In my view this objection regarding the standing of the appellant to bring this appeal is well founded and on this ground alone I would dismiss the appeal. However, as I have also heard submissions and arguments from both the appellant and the respondent on the merits of the appeal and in case I am incorrect on this standing point, I have considered those arguments.”
and:-
“The onus rests with the appellant here. In my view, the Data Protection Commissioner considered the matter fully and at length in the course of his investigation. He took into account the arguments put forward by Mr. Shatter, fair procedures were followed and reasons given for the conclusion and decision reached. Applying the test referred to above, I do not consider that it has been shown that the decision made was vitiated by any serious or significant error or series of such errors. Accordingly, even if the standing of the appellant to bring this appeal had not been raised, I would dismiss this appeal.”
23. The appellant now appeals the decision of the Circuit Court to this Court pursuant to s. 26(3)(b) of the Acts and to set aside the decision made by the respondent of 6th May, 2014, and relying on, inter alia, the following grounds:-
(i) The learned trial judge erred in law in holding that the appellant did not have standing to bring an appeal pursuant to s. 26(1) of the Data Protection Act 1988, as amended, against the decision.
(ii) That the learned trial judge erred in law in holding that the respondent was correct in determining that personal data had been received by the appellant on the basis that the gardaà had a note in writing regarding the incident involving the notice party and that the respondent saw the note (in writing) during the course of his investigation in circumstances where:
– no evidence of such note in writing was before the court or was set out in the decision
– in fact, the evidence before the court was to the effect that the respondent had sight of an email relating to the incident
– there was no evidence in the decision or before the court as to the contents of the email such as to allow the conclusion that it constituted personal data to be drawn and the respondent failed to set out the basis for any such conclusion in the decision
(iii) The learned trial judge erred in law insofar as she held that the appellant disclosed personal data in circumstances where he retained the information given to him by the Garda Commissioner neither in automated form nor as manual data.
(iv) The learned trial judge erred in law in holding that the appellant was a data controller or a joint data controller or that the appellant processed personal data.
(v) The learned trial judge erred in law in holding that the respondent took into account the arguments put forward by the appellant, that fair procedures were followed and that reasons were given for the decision.
Legal Principles to be Applied in this Appeal
24. There was agreement between the parties as to the test to be applied on an appeal such as this. I refer to Ulster Bank Investment Funds Ltd. v. Financial Services Ombudsman [2006] IEHC 323 where Finnegan P. stated:-
“To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test, the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal.”
25. The first issue that has to be addressed on this appeal is the appellant’s standing.
The Appellant’s Standing
26. The respondent submitted that the appellant, in his capacity as a private citizen, does not have standing to institute and maintain the appeal pursuant to s. 26 of the Acts. This is because the decision of the respondent was not made against the appellant in his personal capacity but rather in his capacity as Minister for Justice and Equality. Further, as the appellant stated in his affidavit, when he appeared on the television programme on 16th May, 2013, he did so in his capacity as Minister for Justice and Equality.
27. On this submission, it would follow that the only person with standing to institute and maintain the appeal is the individual who currently occupies the post of Minister for Justice and Equality.
28. A similar submission was made in Shatter v. Guerin [2016] IECA 318. This was an appeal by the applicant/appellant against the dismissal by the High Court of an application for judicial review of a report to An Taoiseach concerning the handling of allegations of Garda misconduct made by Sergeant Morris McCabe. The applicant, at the time of the inquiry he sought to impugn, held the post of Minister for Justice and Equality. The respondent argued that the only person with standing to institute and maintain the proceedings was the person then currently occupying the post of Minister for Justice and Equality.
29. In the course of his judgment, Ryan P. stated:-
“94. A Minister has an official position as a member of the Government which means that he has collective responsibility. In his official capacity the Minister for Justice and Equality had legal status as a corporation sole. However, in the inquiry with which we are concerned, it was not the Minister in his disembodied capacity as a persona designata such that it did not matter who occupied the office whose conduct was in issue. The question here concerned a particular Minister or rather a particular person, namely, Mr. Alan Shatter, TD. And although his name is not actually mentioned in the report in the challenged conclusions section, it was his personal and individual conduct in relation to the complaints made by Sergeant McCabe that was actually in issue.”
30. Also dealing with this issue, Finlay Geoghegan J. stated:-
“19. Objection was made to the locus standi of the appellant as a private citizen or natural person to complain of alleged damage to his good name or reputation by reason of alleged criticism in the Report of the Minister in respect of acts done or not done while he was the holder of the office. That objection is not sustainable. The Minister, a corporation sole, is a legal person with perpetual succession and hence in that sense a distinct person from the appellant. Nevertheless the appellant personally is identified as the Minister for so long as he holds office. Hence it appears to me that criticism in respect of acts done or not done by the Minister while the appellant was the holder of the office can only be objectively viewed as criticism of him personally with the potential to damage his good name and reputation. Hence I am satisfied the appellant, albeit no longer Minister, has locus standi to pursue this claim.”
31. It can hardly be disputed that in pursuing this appeal, the applicant is seeking to reverse potential damage to his good name and reputation that arises from the decision of the respondent. I, therefore, reject the submissions of the respondent on this and find that the appellant has standing both to bring and maintain the appeal herein.
The Appeal
32. There are essentially two aspects to the appellant’s appeal. Firstly, the issue of constitutional/natural justice and, secondly, issues concerning the interpretation by the respondent of certain provisions of the Acts. I will address these separately.
Constitutional/Natural Justice
33. There are two issues under this heading, firstly pre-determination and secondly, the procedures followed by the respondent in reaching his decision of 6th May, 2014.
34. The submission that the respondent was guilty of “pre-determination” is based on firstly, the letter of 21st May, 2013 entitled “Notification of the Commencement of an Investigation” sent on behalf of the respondent which states:-
“Section 2 of the Data Protection Acts sets down the requirements which apply to the processing of personal data by data controllers. The Commissioner is satisfied that the personal data of Deputy Wallace was processed by you in the incident complained of. This investigation will seek to determine whether that data processing was carried out in compliance with the requirements of s. 2 of the Data Protection Acts.”
Secondly, a public statement of the respondent on RTE News on 20th May, 2013, that ‘the key issue is that it is the personal data of Deputy Wallace, it was disclosed by Minister Shatter, so its for Minister Shatter to justify the basis and the justification for disclosing data that came into his possession as Minister for Justice’.”
35. The foregoing statements have to be seen in the context of matters set out in correspondence from the appellant to the respondent. In para. 7 above, I set out in detail the extracts from the appellant’s correspondence wherein he is expressly contesting whether the provisions of the Acts apply to the circumstances of the complaint at all. This was clearly an issue being raised by the appellant in dealing with the complaint but, notwithstanding this, it would appear from the foregoing that the respondent had already decided the matter.
36. Issues concerning “bias” and “pre-determination” have been considered in a number of cases. I refer to the decision of Clarke J. (as he then was) in A.P. v. His Honour Judge McDonagh & Anor [2009] IEHC 316, (unreported, High Court, Clarke J., 10th July, 2009) where, having reviewed the authorities, states:-
“7.1 There was no real dispute between the parties as to the test to be applied in assessing whether bias had been established. The test is as to whether a reasonable and properly informed person (that is to say someone who is well informed as to the process engaged in and issues to be tried), would have had a reasonable apprehension that one of the parties would not have a fair hearing from an impartial judge.”
and:-
“7.4 However, it seems to me that there is another form of pre-judgment which arises where the adjudicator indicates that the adjudicator has reached a conclusion on a question in controversy between the parties, at a time prior to it being proper for such adjudicator to reach such a decision (indeed it might well be more accurate to describe such a situation as premature judgment rather than pre-judgment). It can hardly be said that a reasonable and objective and well informed person would be any the less concerned that a party to proceedings was not going to get a fair adjudication if, at an early stage of the hearing, comments were made by the adjudicator which made it clear that the adjudicator had reached a decision on some important point in the case at a time when no reasonable adjudicator could have, while complying with the principles of natural justice, reached such a conclusion…”
37. Given that the appellant was contesting from the outset that he did not accept that the Acts applied to the circumstances of the complaint, the statements made both in the correspondence referred to and the national media cannot, in my view, be seen as anything other than pre-judgment of a central issue. Indeed, it is noteworthy that this issue was not adequately addressed in the lengthy written decision of 6th May, 2014.
38. However, notwithstanding this pre-judgment, the appellant remained engaged in the complaint procedure which, therefore, raises the issue of “acquiescence”.
39. Such an issue was considered in Corrigan v. Irish Land Commission [1977] I.R. 317, where Henchy J. stated:-
“I consider it to be settled law that, whatever may be the effect of the complaining party’s conduct after the impugned decision has been given, if, with full knowledge of the facts alleged to constitute disqualification of a member of the tribunal, he expressly or by implication acquiesces at the time in that member taking part in the hearing and in the decision, he will be held to have waived the objection on the ground of disqualification which he might otherwise have had…”
40. In applying the foregoing to the circumstances of the instant case, it is my view that, the respondent was guilty of pre-determination of an important issue in the complaint. The appellant, nonetheless, did not take any steps to have the respondent recuse himself. Therefore, the appellant cannot rely on this particular aspect of his appeal.
41. A further issue arises on the procedures adopted by the respondent in considering the complaint. Very clearly, central of the complaint was the “data” involved. In the course of correspondence, the draft decision and the final decision the respondent referred to a “written note”. It was only on the 6th May, 2014, the date of the decision, that it transpired that the “written note” was, in fact an email dated 11th January, 2013. All that the respondent knew about this email was that it was “internal to An Garda SÃochána”. There was no information provided as to who was the sender or the recipient of this email.
42. As was stated in the affidavit of the respondent, the respondent was never furnished with a copy of this email. In his own words, the respondent was “shown” it.
43. Fair procedures would require that, at least, a copy of this document would also be shown to the appellant. This was not done. As a result, the appellant was deprived of an opportunity to make any observations or submissions concerning this central piece of evidence in the complaint.
44. In my view, this represented a fundamental flaw in the procedures followed by the respondent and thus amounted to a “significant error” as per Ulster Bank v. Financial Services Ombudsman which, of itself, requires the court to reverse the decision made by the Circuit Court in upholding the decision of the respondent of 6th May, 2014.
45. The second aspect of the appeal concerns the interpretation by the respondent of certain provisions of the Acts.
46. A starting point is to examine whether “data” as is defined in the Acts covers an email “internal to An Garda SÃochána”, that was shown but not handed over to the respondent.
47. Section 1(1) of the Acts define “data” as “means automated data and manual data”.
48. “Automated data” means information that–
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded with the intention that it should be processed by means of such equipment.”
49. “Manual data” means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
50. Applying the foregoing definitions to the instant case, it would seem to me that there is no evidence to suggest that the email in question was being “processed by means of equipment operating automatically”. Nor was there evidence that it was “recorded with the intention that it should be processed by means of such equipment”. Therefore it does not fit the statutory definition of “automated data”.
51. In fact, the decision of the respondent clearly states that the email in question “was not recorded on the Central Garda IT System, PULSE”.
52. Equally, there was no evidence on which the respondent could conclude that the email was “recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system”. Thus, in my view, the email was not “manual data” for the purposes of the Acts.
53. The next matter that must be looked at is whether the appellant was a “data controller” for the purposes of the Acts. Section 1(1) defines “data controller” as:-
“a person who, either alone or with others, controls the contents and use of personal data.”
54. In his decision, the respondent found that the appellant came within the said definition of “data controller” at a time when it would appear that the respondent himself was not aware as to what the nature of the data was. I have already referred to the fact that there is no mention in the decision of the email he was shown.
55. Looking at the definition of “data controller” in the context of an email “internal to An Garda SÃochána”, it is difficult to see how the appellant could control the “contents” of such an email as is required by the statutory definition. It would follow from this that the appellant cannot be a joint controller with the Garda Commissioner of such data.
56. Further, it seems to me that the error of the respondent in finding that the appellant was a “data controller” is underlined by the provisions of s. 10 of the Acts. Under s. 10(3)(a) the respondent, having found that a person is in breach of a provision of the Acts may require such person to:-
“(a) to block, rectify, erase or destroy any of the data concerned …”
It is difficult to see how the appellant could comply with such a request.
57. In light of the foregoing, I am of the view that the respondent made “a serious and significant error or a series of such errors”, as per Ulster Bank v. Financial Services Ombudsman in applying the said definitions in the Acts to the appellant in the circumstance that gave rise to the complaint.
58. I should that add in the course of the hearing counsel for the appellant, Ms. Eileen Barrington S.C. and for the respondent Mr. Paul Anthony McDermott S.C. also made submissions in respect of other definitions in the Acts. However, in light of my findings I do not consider it necessary to consider these.
Conclusion
59. By reason of the foregoing, I find that the Circuit Court judge erred in law as follows:-
(i) in holding that the appellant did not have standing to bring and maintain the appeal;
(ii) in finding that the respondent followed fair procedures in reaching his decision of 6th May, 2014;
(iii) in the application of the provisions the Data Protection Acts 1988-2003 (the “Acts”) to the circumstances of the complaint made by the notice party herein.
I would allow the appeal.
Barbulescu v Romania (ECHR)
(Application no. 61496/08)
JUDGMENT
STRASBOURG
12 January 2016
THIS CASE WAS REFERRED TO THE GRAND CHAMBER WHICH DELIVERED JUDGMENT IN THE CASE ON 05/09/2017
This judgment may be subject to editorial revision.
In the case of Bărbulescu v. Romania,
The European Court of Human Rights (Fourth Section), sitting as a Chamber composed of:
András Sajó, President,
Vincent A. De Gaetano,
Boštjan M. Zupančič,
Nona Tsotsoria,
Paulo Pinto de Albuquerque,
Egidijus Kūris,
Iulia Antoanella Motoc, judges,
and Fatoş Aracı, Deputy Section Registrar,
Having deliberated in private on 1 December 2015,
Delivers the following judgment, which was adopted on that date:
PROCEDURE
1. The case originated in an application (no. 61496/08) against Romania lodged with the Court under Article 34 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“the Convention”) by a Romanian national, Mr Bogdan Mihai Bărbulescu (“the applicant”), on 15 December 2008.
2. The applicant was represented by Mr D. Costinescu and Mr O. Juverdeanu, lawyers practising in Bucharest. The Romanian Government (“the Government”) were represented by their Agent, Ms C. Brumar, of the Ministry of Foreign Affairs.
3. The applicant alleged, in particular, that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right.
4. On 18 December 2012 the application was communicated to the Government.
THE FACTS
I. THE CIRCUMSTANCES OF THE CASE
5. The applicant was born in 1979 and lives in Bucharest.
6. From 1 August 2004 to 6 August 2007, he was employed by a private company (“the employer”) as an engineer in charge of sales. At his employer’s request, he created a Yahoo Messenger account for the purpose of responding to clients’ enquiries.
7. On 13 July 2007 the employer informed the applicant that his Yahoo Messenger communications had been monitored from 5 to 13 July 2007 and that the records showed that he had used the Internet for personal purposes, contrary to internal regulations. The applicant replied in writing that he had only used Yahoo Messenger for professional purposes. When presented with a forty-five-page transcript of his communications on Yahoo Messenger, the applicant notified his employer that, by violating his correspondence, they were accountable under the Criminal Code. The forty‑five pages contained transcripts of all the messages that the applicant had exchanged with his fiancée and his brother during the period when his communications had been monitored; they related to personal matters involving the applicant. The transcript also contained five short messages that the applicant had exchanged with his fiancée on 12 July 2007 using a personal Yahoo Messenger account; these messages did not disclose any intimate information.
8. On 1 August 2007 the employer terminated the applicant’s employment contract for breach of the company’s internal regulations which stated, inter alia:
“It is strictly forbidden to disturb order and discipline within the company’s premises and especially … to use computers, photocopiers, telephones, telex and fax machines for personal purposes.”
9. The applicant challenged his employer’s decision before the Bucharest County Court (“the County Court”). He complained that this decision had been null and void since, by accessing his communications, his employer had violated his right to correspondence protected by the Romanian Constitution and the Criminal Code.
10. In a judgment of 7 December 2007, the County Court dismissed his complaint on the grounds that the employer had complied with the dismissal proceedings provided for by the Labour Code and noted that the applicant had been duly informed of the employer’s regulations that prohibited the use of company resources for personal purposes. The County Court’s judgment reads, in its relevant parts:
“The court takes the view that the monitoring of the [applicant]’s Yahoo Messenger communications from the company’s computer … during working hours – regardless of whether the employer’s actions were or were not illegal (îmbracă sau nu forma ilicitului penal) – cannot affect the validity of the disciplinary proceedings in the instant case…
However, since the [applicant] claimed during the disciplinary proceedings that he had not used Yahoo Messenger for personal purposes but rather for advising clients on the products offered by his employer, the court finds that checking the content of the [applicant]’s communications was the only method for the employer to verify the [applicant]’s line of defence.
The employer’s right to monitor their employees’ use of the company’s computers in the workplace falls within the broad scope of the right to check the manner in which professional tasks are complete.
As long as the employees’ attention … had been drawn to the fact that, not long before the applicant had received a disciplinary sanction, another colleague had been dismissed for having used the Internet, the telephone and the photocopiers for personal purposes and they had been warned that their activity was under surveillance (see notice no 2316 of 3 July 2007 that the applicant had signed …) it cannot be held against the employer that he had not proven transparency and that he had not been open with regard to his activities in monitoring the use of the computers by its employees.
The Internet in the workplace must remain a tool at the employee’s disposal. It was granted by the employer for professional use and it is indisputable that the employer, by virtue of the right to monitor the employees’ activities, has the prerogative to keep personal use of the Internet monitored.
Some of the reasons that make the employer’s checks necessary are the possibilities that through use of the Internet employees could damage the company’s IT systems, or engage in illicit activities in the company’s name, or reveal the company’s commercial secrets.”
11. The applicant appealed against this judgment. He claimed that e‑mails were also protected by Article 8 of the Convention as pertaining to “private life” and “correspondence”. He also complained that the County Court had not allowed him to call witnesses to prove that the employer had not suffered as a result of his actions.
12. In a final decision of 17 June 2008, the Bucharest Court of Appeal (“the Court of Appeal”) dismissed his appeal and upheld the judgment rendered by the County Court. Relying on EU Directive 95/46/EC, the Court of Appeal ruled that the employer’s conduct had been reasonable and that the monitoring of the applicant’s communications had been the only method of establishing if there had been a disciplinary breach. With regard to his procedural rights, the Court of Appeal dismissed the applicant’s arguments, stating that the evidence already before it was sufficient. The Court of Appeal’s decision reads, in its relevant parts:
“In view of the fact that the employer has the right and the obligation to ensure the functioning of the company and, to this end, [the right] to check the manner in which its employees complete their professional tasks, and of the fact that [the employer] holds the disciplinary power of which it can legitimately dispose and which [entitled it] to monitor and to transcribe the communications on Yahoo Messenger that the employee denied having had for personal purposes, after having been, together with his other colleagues, warned against using the company’s resources for personal purposes, it cannot be held that the violation of his correspondence (violarea secretului corespondenţei) was not the only manner to achieve this legitimate aim and that the proper balance between the need to protect his private life and the right of the employer to supervise the functioning of its business was not struck.”
II. RELEVANT DOMESTIC LAW
13. The Romanian Constitution guarantees the right to the protection of intimate, private and family life (Article 26) as well as private correspondence (Article 28).
14. Article 195 of the Criminal Code provides that:
“Anyone who unlawfully opens somebody else’s correspondence or intercepts somebody else’s conversations or communication by telephone, by telegraph or by any other long distance means of transmission shall be liable to imprisonment for between six months to three years.”
15. The Labour Code in force at the time of events provided in Article 40(1)(d) that the employer had the right to monitor the manner in which the employees completed their professional tasks. Article 40(2)(i) provided that the employer had a duty to guarantee the confidentiality of the employees’ personal data.
16. Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of personal data (“Law no. 677/2001”) applies the provisions of EU Directive 95/46/EC (see paragraph 18 below). It defines “personal data” as “any data related to an identified or identifiable individual” (Article 3(a)). It provides that data can only be processed if the person concerned consented to it and it sets out a list of exceptions when consent is not necessary. Exceptions refer, among other situations, to the completion of a contract to which the concerned individual is a party and to securing a legitimate interest of the data operator (Article 5(2)(a and e)). It also provides that when processing data, public authorities remain under the obligation to protect the individuals’ intimate, private and family life (Article 5(3)). Lastly, anyone who suffered prejudice as a result of illegal processing of his/her personal data can ask the courts to allow him/her reparation (Article 18(2)).
II. RELEVANT INTERNATIONAL LAW
A. Council of Europe instruments
17. The 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (“the Data Protection Convention”) defines “personal data” as “any information relating to an identified or identifiable individual”. The Convention provides, inter alia, as follows:
Article 2 – Definitions
“For the purposes of this Convention:
(…)
(c) ’automatic processing’ includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, erasure, retrieval or dissemination …”
Article 3 – Scope
“(1) The Parties undertake to apply this Convention to automated personal data files and automatic processing of personal data in the public and private sectors.”
(…)
Article 5 – Quality of data
“Personal data undergoing automatic processing shall be:
(a) obtained and processed fairly and lawfully;
(b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are stored;
(d) accurate and, where necessary, kept up to date;
(e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.”
(…)
Article 8 – Additional safeguards for the data subject
“Any person shall be enabled:
(a) to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
(b) to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form (…)”
B. European Union instruments
18. Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data provides that the object of national laws in this area is notably to protect the right to privacy as recognised both in Article 8 of the Convention and the general principles of EU law. The Directive defines personal data as “any information relating to an identified or identifiable natural person” (Article 2(a)) and asks for the Member States to prohibit processing of personal data concerning, among other things, “health or sex life” (Article 8(1)).
19. A Data Protection Working Party (“the Working Party”) was established under Article 29 of the Directive in order to examine the issue of surveillance of electronic communications in the workplace and to evaluate the implications of data protection for employees and employers. It is an independent EU advisory body. The Working Party issued in September 2001 opinion 8/2001 on the processing of personal data in an employment context, which summarises the fundamental data protection principles: finality, transparency, legitimacy, proportionality, accuracy, security and staff awareness. With regard to monitoring of employees, it suggested that it should be:
“A proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers”.
20. In May 2002 the Working Party produced the “Working document on the surveillance and the monitoring of electronic communications in the workplace” (“the working document”). This working document asserts that the simple fact that monitoring or surveillance conveniently serves an employer’s interest could not justify an intrusion into workers’ privacy. The document suggests that any monitoring measure must pass a list of four tests: transparency, necessity, fairness and proportionality.
21. From a technical point of view, the working document indicates that:
“Prompt information can be easily delivered by software such as warning windows, which pop up and alert the worker that the system has detected and/or has taken steps to prevent an unauthorised use of the network.”
22. More specifically, with regard to the question of access to an employee’s e-mails, the working document holds that:
“Opening an employee’s e-mail may also be necessary for reasons other than monitoring or surveillance, for example in order to maintain correspondence in case the employee is out of office (for example due to sickness or leave) and correspondence cannot be guaranteed otherwise (for example via an autoreply or automatic forwarding).”
THE LAW
I. ALLEGED VIOLATION OF ARTICLE 8 OF THE CONVENTION
23. The applicant complained that his employer’s decision to terminate his contract had been based on a breach of his right to respect for his private life and correspondence and that the domestic courts had failed to protect his right; he relied on Article 8 of the Convention, which reads as follows:
“1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
A. Admissibility
1. The parties’ submissions
24. The Government submitted that Article 8 of the Convention was not applicable in the present case. They noted that the applicant had set up the Yahoo Messenger account for professional use and he furthermore claimed that he had only used it for this purpose; the Government inferred that the applicant could not claim an “expectation of privacy” while at the same time denying any private use.
25. They further submitted that a number of Council of Europe member States required an assertion of the private nature of the communication for which the protection of privacy was sought; they relied, among other things, on the case-law of the French Court of Cassation that held that e-mails sent by an employee with means put at his disposal by his employer should be deemed to have a professional character and be accessible to the employer unless expressly identified as private.
26. Taking into consideration the differences between e-mail and instant messaging (the latter lacks a subject field), the Government argued that an assertion of the private character of the communication was essential for it to fall within the scope of Article 8. Thus, they pointed out that the applicant had been given an opportunity to claim that the use he had made of Yahoo Messenger had been, at least in part, private, and he had clearly stated that this had not been the case as he had declared that he had only communicated with clients on behalf of his employer.
27. The Government inferred that the applicant had been given proper prior notice that his employer could monitor his communications; they relied on the employer’s notice of 3 July 2007 and on the findings of the County Court that the applicant had not challenged in his appeal. They did not submit a copy of the notice.
28. Finally, the Government pointed out that the present case was different from the cases of Halford v. the United Kingdom (25 June 1997, Reports of Judgments and Decisions 1997‑III, where one of the landlines of the office had been designated for the applicant’s personal use), and Copland v. the United Kingdom (no. 62617/00, ECHR 2007‑I, where personal use was allowed and the surveillance aimed to determine whether the applicant had made “excessive use” of the facilities); in the instant case, the employer’s regulations explicitly prohibited all personal use of company facilities, including computers and Internet access.
29. The applicant contested the Government’s submissions and claimed that his communications on Yahoo Messenger had had a private character and therefore fell within the scope of Article 8 of the Convention. Referring to the State’s positive obligations according to Article 8, he argued that this provision was applicable on account of the Romanian State’s failure to protect his private sphere from interference by his employer. He pointed out that he had consistently raised this argument before the domestic authorities.
30. In the applicant’s opinion, it could not be disputed that the data intercepted by his employer represented both “personal data” and “sensitive personal data” within the meaning of Law no. 677/2001 and EU Directive 95/46/EC; the information related to identified persons (the applicant, his fiancée and his brother) and concerned sensitive issues (such as the applicant’s health and sex life). The applicant did not explain why he had used Yahoo Messenger for personal purposes, but suggested that at the material time the prices for mobile phones had been very high and that the requests for his professional services, as an engineer charged with selling heating equipment, had been very low in July 2007.
31. The applicant also complained that his employer had also accessed his personal Yahoo Messenger account, which had a different ID from the one he had registered for professional purposes. Moreover, the transcript of his communications had been made available to his colleagues who had discussed it publicly.
32. Relying on the case of Niemietz v. Germany (16 December 1992, Series A no. 251‑B), the applicant contended that denying the protection of Article 8 on the grounds that the measure complained of related only to professional activities could lead to inequality of treatment in that such protection would be available only to persons whose professional and non‑professional activities were so intermingled that they could not be distinguished. With reference to the case of Chappell v. the United Kingdom (30 March 1989, Series A no. 152‑A), he argued that the Court had not excluded the applicability of Article 8 of the Convention in the case of a search of the business premises.
33. The applicant insisted that the Yahoo Messenger software was by its nature designed for personal use and that the nature of the instant messaging service had entitled him to expect that his communications would be private. Had he not expected privacy, he would have refrained from disclosing intimate information. He had felt reassured by his employer instructing him to protect his Yahoo Messenger account by choosing his own password. He denied having been given proper prior notice of his employer’s monitoring; he argued that the general prohibition in the employer’s internal regulations could not have amounted to prior notice of monitoring. He believed that the notice of 3 July 2007 had been identified after the facts; he submitted a copy of this notice which however does not bear the employees’ signatures.
34. The applicant found the Government’s submissions that he had initially asserted that he had used that account for professional purposes artificial; irrespective of his initial position, the fact that the actual use of the instant messaging service had been for personal purposes remains undisputed. He concluded that an employee’s right to establish and develop personal relationships during business hours could not be suppressed at the discretion or by a decision of their employer.
2. The Court’s assessment
35. The Court has consistently held that the notion of private life is a broad concept (see, E.B. v. France [GC], no. 43546/02, § 43, 22 January 2008, and Bohlen v. Germany, no. 53495/09, § 45, 19 February 2015). It encompasses, for example, the right to establish and develop relationships with other human beings, and the right to identity and personal development (Niemietz, cited above, § 29, and Fernández Martínez v. Spain [GC], no. 56030/07, § 126, ECHR 2014 (extracts)). A broad reading of Article 8 does not mean, however, that it protects every activity a person might seek to engage in with other human beings in order to establish and develop such relationships. It will not, for example, protect interpersonal relations of such broad and indeterminate scope that there can be no conceivable direct link between the action or inaction of a State and a person’s private life (see, mutatis mutandis, Botta v. Italy, 24 February 1998, § 35, Reports of Judgments and Decisions 1998‑I).
36. Thus, according to the Court’s case-law, telephone calls from business premises are prima facie covered by the notions of “private life” and “correspondence” for the purposes of Article 8 § 1 (see Halford, cited above, § 44, and Amann v. Switzerland [GC], no. 27798/95, § 43, ECHR 2000‑II). The Court further held that e-mails sent from work should be similarly protected under Article 8, as should information derived from the monitoring of personal Internet usage (see Copland, cited above, § 41).
37. In the absence of a warning that one’s calls would be liable to monitoring, the applicant had a reasonable expectation as to the privacy of calls made from a work telephone (see Halford, cited above, § 45) and the same expectation should apply in relation to an applicant’s e-mail and Internet usage (see Copland, cited above, § 41). In a case in which the applicant’s workspace at a prosecutor’s office had been searched and some of his belongings had been seized (Peev v. Bulgaria, no. 64209/01, 26 July 2007), the Court held that the search amounted to an interference with the applicant’s “private life”; the Court found that the applicant had a reasonable expectation of privacy with regard to the personal belongings that he kept in his office (ibid., § 39). The Court further held that:
“39. … such an arrangement is implicit in habitual employer-employee relations and there is nothing in the particular circumstances of the case – such as a regulation or stated policy of the applicant’s employer discouraging employees from storing personal papers and effects in their desks or filing cabinets – to suggest that the applicant’s expectation was unwarranted or unreasonable”.
38. The Court must therefore examine whether in the present case the applicant had a reasonable expectation of privacy when communicating from the Yahoo Messenger account that he had registered at his employer’s request. In this connection, it notes that it is not disputed that the applicant’s employer’s internal regulations strictly prohibited employees from using the company’s computers and resources for personal purposes (see paragraph 8 above).
39. It follows that the case is different, as suggested by the Government, from the Halford and Copland cases (cited above), in which the personal use of an office telephone was allowed or, at least, tolerated. The case must also be distinguished from the Peev case (cited above), in which the employer’s regulations did not forbid employees to keep personal belongings in their professional office.
40. The Court notes that the applicant chose to raise before the domestic courts his complaint under Article 8 of the Convention within the framework of labour law proceedings. The main object of his case before the domestic courts was indeed his dismissal and the fact that his dismissal had resulted from a breach of his right to respect of his private life was the argument he used in order to prove the nullity of his employer’s decision.
41. It follows that the object of his complaint before the Court is limited to the monitoring of his communications within the framework of disciplinary proceedings; the employer’s decision to terminate the applicant’s contract was not based on either the actual content of his communications nor on the fact of their eventual disclosure. In this regard, the Court notes that the applicant did not argue that he had had no other fora in which to bring these arguments separately before the domestic courts. The domestic law in force at the time of events provided for other remedies designed principally to protect private life (such as a criminal complaint based on Article 195 of the Criminal Code or a complaint based on Article 18(2) of Law no. 677/2001; see paragraphs 14 and 16 above), and the applicant did not claim that they were ineffective.
42. The Court must therefore determine whether, in view of the general prohibition imposed by his employer, the applicant retained a reasonable expectation that his communications would not be monitored. In this regard, the Court takes notice that the Data Protection Convention sets up clear principles applying to automatic data processing in order to enable an individual to establish the existence of an automated personal data file and its main purposes (see Articles 5 and 8 of the Data Protection Convention in paragraph 17 above). The relevant EU law goes in the same direction, notably in the field of surveillance of electronic communications in the workplace (see paragraphs 18, 19 and 20 above).
43. In the instant case, the Court notes that the elements in the file do not easily allow a straightforward answer. Indeed, the parties dispute whether the applicant had been given prior notice that his communications could have been monitored and their content accessed and eventually disclosed. The Government claimed that the applicant had been given proper prior notice that his employer could have monitored his communications (see paragraph 27 above), but the applicant denied having received such specific prior notice (see paragraph 33 above). The Court notes that the Government did not provide a signed copy of the employer’s notice of 3 July 2007 (see paragraph 27 above) and that the copy provided by the applicant does not bear any signatures (see paragraph 33 above).
44. The Court attaches importance to the fact that the employer accessed the applicant’s Yahoo messenger account and that the transcript of his communications was further used as a piece of evidence in the domestic labour court proceedings. It also notes that, according to applicant’s submissions, that the Government did not explicitly dispute, the content of his communications with his fiancée and his brother was purely private, and related to, among other things, very intimate subjects such as the applicant’s health or sex life (see paragraphs 7 and 30 above). It is also mindful of the applicant’s argument that his employer had also accessed his personal Yahoo Messenger account (see paragraphs 7 and 31 above).
45. Having regard to these circumstances, and especially to the fact that the content of the applicant’s communications on Yahoo messenger was accessed and that the transcript of these communications was further used in the proceedings before the labour courts, the Court is satisfied that the applicant’s “private life” and “correspondence” within the meaning of Article 8 § 1 were concerned by these measures (mutatis mutandis, Köpke v. Germany, (dec.), no. 420/07, 5 October 2010). It therefore finds that Article 8 § 1 is applicable in the present case.
46. The Court further notes that this complaint is not manifestly ill‑founded within the meaning of Article 35 § 3 (a) of the Convention and that it is not inadmissible on any other grounds. It must therefore be declared admissible.
B. Merits
1. The parties’ submissions
47. The applicant took the view that there had been an interference with his private life and correspondence within the meaning of Article 8 of the Convention, and that this interference had not been justified under the second paragraph of Article 8. He submitted that this interference had not been in accordance with the law, as the applicable legislation, namely the Labour Code, lacked sufficient foreseeability; in this connection, he claimed that the Court’s findings in the case of Oleksandr Volkov v. Ukraine (no. 21722/11, ECHR 2013) were applicable to the present case. He pointed out that neither the Labour Code nor Law no. 677/2001 provided procedural safeguards as regards the surveillance of an employee’s electronic communications.
48. He further argued that the interference had not been proportionate to the legitimate aim pursued. He refuted the findings of the domestic courts that his employer had had no other choice than to intercept his communications, and complained that no alternative means had been sought so that less damage to his fundamental rights would have been caused whilst fulfilling the same aim. He also mentioned that he had had a tense relationship with his employer and referred to another set of labour law proceedings in which the domestic courts had found in his favour.
49. The Government argued that the State authorities had met their positive obligations required by Article 8 of the Convention. They submitted that a wide variety of approaches existed among Council of Europe member States with regard to the regulation of monitoring of employees by an employer, and that there was no European consensus on the personal use of the Internet in the workplace.
50. They contended that in the instant case the authorities had allowed the applicant sufficient protection because of effective domestic court scrutiny of his case. Relying on the findings of the domestic courts, they noted that the applicant’s denial of any personal use of his computer had made it necessary for the employer to ascertain the content of the communications. He had thus been presented with the transcripts of his communications for a limited period, that is to say those messages between 5 and 13 July 2007, which demonstrated that he had been blatantly wasting time. The Government further argued that the courts would have proceeded to a different balancing act if the applicant had asserted from the beginning that he had used Yahoo Messenger for personal purposes.
51. The Government also submitted that the ban on personal use of the company’s resources was explicitly contained in the company regulations, and that both its enforcement and consequences had been known to the employees. They concluded that the domestic courts had struck a fair balance between the applicant’s rights and his employer’s legitimate interests.
2. The Court’s assessment
52. The Court reiterates that although the purpose of Article 8 is essentially to protect an individual against arbitrary interference by the public authorities, it does not merely compel the State to abstain from such interference: in addition to this primarily negative undertaking, there may be positive obligations inherent in an effective respect for private life. These obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves (see Von Hannover v. Germany (no. 2) [GC], nos. 40660/08 and 60641/08, § 57, ECHR 2012, and Benediksdóttir v. Iceland (dec.), no. 38079/06, 16 June 2009). The boundary between the State’s positive and negative obligations under Article 8 does not lend itself to precise definition. In both contexts regard must be had to the fair balance that has to be struck between the competing interests – which may include competing private and public interests or Convention rights (see Evans v. the United Kingdom [GC], no. 6339/05, §§ 75 and 77, ECHR 2007‑I) – and in both contexts the State enjoys a certain margin of appreciation (see Von Hannover, cited above; and Jeunesse v. the Netherlands [GC], no. 12738/10, § 106, 3 October 2014).
53. In the instant case, the Court finds that the applicant’s complaint must be examined from the standpoint of the State’s positive obligations since he was employed by a private company, which could not by its actions engage State responsibility under the Convention. The Court’s findings in the case of Oleksandr Volkov (cited above), which concerned the dismissal of a judge, are therefore not applicable in the present case, as suggested by the applicant (see paragraph 47 above).
54. Therefore, the Court has to examine whether the State, in the context of its positive obligations under Article 8, struck a fair balance between the applicant’s right to respect for his private life and correspondence and his employer’s interests.
55. In this regard, the Court refers to its findings as to the scope of the complaint which is limited to the monitoring of the applicant’s communications within the framework of disciplinary proceedings (see paragraphs 40 and 41 above).
56. The Court notes that the applicant was able to raise his arguments related to the alleged breach of his private life and correspondence by his employer before the domestic courts. It further notes that they duly examined his arguments and found that the employer had acted in the context of the disciplinary powers provided for by the Labour Code (see paragraphs 10 and 15 above). The domestic courts also found that the applicant had used Yahoo Messenger on the company’s computer and that he had done so during working hours; his disciplinary breach was thus established (see paragraph 12 above).
57. In this context, the Court notes that both the County Court and the Court of Appeal attached particular importance to the fact that the employer had accessed the applicant’s Yahoo Messenger account in the belief that it had contained professional messages, since the latter had initially claimed that he had used it in order to advise clients (see paragraphs 10 and 12 above). It follows that the employer acted within its disciplinary powers since, as the domestic courts found, it had accessed the Yahoo Messenger account on the assumption that the information in question had been related to professional activities and that such access had therefore been legitimate. The Court sees no reason to question these findings.
58. As to the use of the transcript of the applicant’s communications on Yahoo Messenger as evidence before the domestic courts, the Court does not find that the domestic courts attached particular weight to it or to the actual content of the applicant’s communications in particular. The domestic courts relied on the transcript only to the extent that it proved the applicant’s disciplinary breach, namely that he had used the company’s computer for personal purposes during working hours. There is, indeed, no mention in their decisions of particular circumstances that the applicant communicated; the identity of the parties with whom he communicated is not revealed either. Therefore, the Court takes the view that the content of the communications was not a decisive element in the domestic courts’ findings.
59. While it is true that it had not been claimed that the applicant had caused actual damage to his employer (compare and contrast Pay v. United Kingdom, (dec.), no. 32792/05, 16 September 2008 where the applicant was involved outside work in activities that were not compatible with his professional duties, and Köpke (cited above), where the applicant had caused material losses to her employer), the Court finds that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.
60. In addition, the Court notes that it appears that the communications on his Yahoo Messenger account were examined, but not the other data and documents that were stored on his computer. It therefore finds that the employer’s monitoring was limited in scope and proportionate (compare and contrast Wieser and Bicos Beteiligungen GmbH v. Austria, no. 74336/01, §§ 59 and 63, ECHR 2007‑IV, and Yuditskaya and Others v. Russia, no. 5678/06, § 30, 12 February 2015).
61. Furthermore, the Court finds that the applicant has not convincingly explained why he had used the Yahoo messenger account for personal purposes (see paragraph 30 above).
62. Having regard to the foregoing, the Court concludes in the present case that there is nothing to indicate that the domestic authorities failed to strike a fair balance, within their margin of appreciation, between the applicant’s right to respect for his private life under Article 8 and his employer’s interests.
63. There has accordingly been no violation of Article 8 of the Convention.
II. ALLEGED VIOLATION OF ARTICLE 6 OF THE CONVENTION
64. Relying on Article 6 of the Convention, the applicant also complained that the proceedings before the domestic courts had been unfair, in particular as he had not been allowed to present witnesses as part of his case.
65. The Court notes that the applicant was able to raise these arguments before the Court of Appeal, which ruled, in a sufficiently reasoned decision, that hearing additional witnesses was not relevant to the case (see paragraph 12 above). Such a decision was delivered in a public hearing conducted in an adversarial manner and does not seem arbitrary (see García Ruiz v. Spain [GC], no. 30544/96, §§ 28-29, ECHR 1999‑I).
66. It follows that this complaint is manifestly ill-founded and must be rejected in accordance with Article 35 §§ 3 (a) and 4 of the Convention.
FOR THESE REASONS, THE COURT
1. Declares, unanimously, the complaint concerning Article 8 of the Convention admissible and the remainder of the application inadmissible;
2. Holds, by six votes to one, that there has been no violation of Article 8 of the Convention;
Done in English, and notified in writing on 12 January 2016, pursuant to Rule 77 §§ 2 and 3 of the Rules of Court.
Fatoş AracıAndrás Sajó
Deputy RegistrarPresident
In accordance with Article 45 § 2 of the Convention and Rule 74 § 2 of the Rules of Court, the separate opinion of Judge Pinto de Albuquerque is annexed to this judgment.
A.S.
F.A.
PARTLY DISSENTING OPINION OF JUDGE PINTO DE ALBUQUERQUE
1. Bărbulescu v. Romania concerns the surveillance of Internet usage in the workplace. The majority accept that there has been an interference with the applicant’s right to respect for private life and correspondence within the meaning of Article 8 of the European Convention on Human Rights (“the Convention”), but conclude that there has been no violation of this Article, since the employer’s monitoring was limited in scope and proportionate. I share the majority’s starting point, but I disagree with their conclusion. I have no reservations in joining the majority in finding the Article 6 complaint inadmissible.
2. The case presented an excellent occasion for the European Court of Human Rights (“the Court”) to develop its case-law in the field of protection of privacy with regard to employees’ Internet communications[1]. The novel features of this case concern the non-existence of an Internet surveillance policy, duly implemented and enforced by the employer, the personal and sensitive nature of the employee’s communications that were accessed by the employer, and the wide scope of disclosure of these communications during the disciplinary proceedings brought against the employee. These facts should have impacted on the manner in which the validity of the disciplinary proceedings and the penalty was assessed. Unfortunately, both the domestic courts and the Court’s majority overlooked these crucial factual features of the case.
Access to the Internet as a human right
3. As the Court’s Grand Chamber recently stated, user-generated expressive activity on the Internet provides an unprecedented platform for the exercise of freedom of expression[2]. In the light of its accessibility and capacity to store and communicate vast amounts of information, the Internet also plays an important role in enhancing the public’s access to news and facilitating the dissemination of information in general[3]. Along the same line of reasoning, the French Constitutional Council has affirmed that “in the current state of means of communication and given the generalised development of public online communication services and the importance of the latter for the participation in democracy and the expression of ideas and opinions, this right (to freedom of expression) implies freedom to access such services.”[4] Thus, States have a positive obligation to promote and facilitate universal Internet access, including the creation of the infrastructure necessary for Internet connectivity[5]. In the case of private communications on the Internet, the obligation to promote freedom of expression is coupled with the obligation to protect the right to respect for private life. States cannot ensure that individuals are able to freely seek and receive information or express themselves without also respecting, protecting and promoting their right to privacy. At the same time, the risk of harm posed by Internet communications to the exercise and enjoyment of human rights and freedoms, particularly the right to respect for private life, is certainly higher than that posed by the press[6]. For example, States should counter racial or religious discrimination or hate speech over the Internet[7]. In other words, situations may emerge where the freedom of expression of the content provider, protected by Article 10, may collide with the right to respect for private life of others enshrined in Article 8, or where both the freedom of expression and the right to respect for private life of those involved in Internet communications may conflict with the rights and freedoms of others. The present case pertains to this second type of situation.
Protection of employees’ Internet communications in international law
4. Internet surveillance in the workplace is not at the employer’s discretionary power. In a time when technology has blurred the diving line between work life and private life, and some employers allow the use of company-owned equipment for employees’ personal purposes, others allow employees to use their own equipment for work-related matters and still other employers permit both, the employer’s right to maintain a compliant workplace and the employee’s obligation to complete his or her professional tasks adequately does not justify unfettered control of the employee’s expression on the Internet[8]. Even where there exist suspicions of cyberslacking, diversion of the employer’s IT resources for personal purposes, damage to the employer’s IT systems, involvement in illicit activities or disclosure of the employer’s trade secrets, the employer’s right to interfere with the employee’s communications is not unrestricted. Given that in modern societies Internet communication is a privileged form of expression, including of private information, strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.
5. The Convention principle is that Internet communications are not less protected on the sole ground that they occur during working hours, in the workplace or in the context of an employment relationship, or that they have an impact on the employer’s business activities or the employee’s performance of contractual obligations[9]. This protection includes not only the content of the communications, but also the metadata resulting from the collection and retention of communications data, which may provide an insight into an individual’s way of life, religious beliefs, political convictions, private preferences and social relations[10]. In the absence of a warning from the employer that communications are being monitored, the employee has a “reasonable expectation of privacy”[11]. Any interference by the employer with the employee’s right to respect for private life and freedom of expression, including the mere storing of personal data related to the employee’s private life, must be justified in a democratic society by the protection of certain specific interests covered by the Convention[12], namely the protection of the rights and freedoms of the employer or other employees (Article 8 § 2)[13] or the protection of the reputation or rights of the employer or other employees and the prevention of the disclosure of information received by the employee in confidence (Article 10 § 2)[14]. Hence, the pursuit of maximum profitability and productivity from the workforce is not per se an interest covered by Article 8 § 2 and Article 10 § 2, but the purpose of ensuring the fair fulfilment of contractual obligations in an employment relationship may justify certain restrictions on the above-mentioned rights and freedoms in a democratic society[15].
6. Other than the Court’s case-law, the international standards of personal data protection both in the public and private sectors have been set out in the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data[16]. In this Convention the protection of personal data was for the first time guaranteed as a separate right granted to an individual. Specific rules for data protection in employment relations are contained in the Council of Europe Committee of Ministers Recommendation Rec(89)2 to member states on the protection of personal data used for employment purposes, 18 January 1989, recently replaced by Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment. Also extremely valuable in this context are Recommendation No.R(99) 5 for the protection of privacy on the Internet, adopted on 23 February 1999, and Recommendation CM/Rec(2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling, adopted on 23 November 2010.
7. In the legal framework of the European Union (EU), respect for private life and protection of personal data have been recognised as separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights. The central piece of EU legislation is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Employment relations are specifically referred to only in the context of the processing of sensitive data. Regulation (EC) No 45/2001 lays down the same rights and obligations at the level of the EC institutions and bodies. It also establishes an independent supervisory authority with the task of ensuring that the Regulation is complied with. Directive 2002/58/EC concerns the processing of personal data and the protection of privacy in the electronic communications sector, regulating issues like confidentiality, billing and traffic data and spam. The confidentiality of communications is protected by Article 5 of the Directive, which imposes on Member States an obligation to ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular they are to prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so. The interception of communications over private networks, including e-mails, instant messaging services, and phone calls, and generally private communications, are not covered, as the Directive refers to publicly available electronic communications services in public communication networks. Also relevant is Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, which specifies that Member States may not impose general monitoring obligations on providers of internet/email services, because such an obligation would constitute an infringement of freedom of information as well as of the confidentiality of correspondence (Article 15). Within the former third pillar of the EU, Framework Decision 2008/977/JHA dealt with the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. Finally, Article 29 Working Party Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001[17], the Working Document on the surveillance and the monitoring of electronic communications in the workplace, adopted on 29 May 2002[18], the Working Document on a common interpretation of Article 26(1) of Directive 95/46/EC, adopted on 25 November 2005[19], and Article 29 Working Party Opinion 2/2006 on privacy issues related to the provision of email screening services, adopted on 21 February 2006[20], are also important for setting the standards of data protection applicable to employees in the EU. In its 2005 annual report, the Working Party affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified”[21].
8. Finally, both the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[22], and the International Labour Office’s 1997 Code of Practice on the protection of workers’ personal data, provide important soft-law guidance to employers, employees and courts.
9. From this international legal framework, a consolidated, coherent set of principles can be drawn for the creation, implementation and enforcement of an Internet usage policy in the framework of an employment relationship[23]. Any information related to an identified or identifiable employee that is collected, held or used by the employer for employment purposes, including with regard to private electronic communications, must be protected in order to respect the employee’s right to privacy and freedom of expression[24]. Consequently, any processing of personal data for the purposes of recruitment, fulfilment or breach of contractual obligations, staff management, work planning and organisation and termination of an employment relationship in both the public and private sectors must be regulated either by law, collective agreement or contract[25]. Particular forms of personal data processing, for example of the employees’ usage of Internet and electronic communications in the workplace, warrant detailed regulation[26].
10. Hence, a comprehensive Internet usage policy in the workplace must be put in place, including specific rules on the use of email, instant messaging, social networks, blogging and web surfing. Although policy may be tailor-made to the needs of each corporation as a whole and each sector of the corporation infrastructure in particular, the rights and obligations of employees should be set out clearly, with transparent rules on how the Internet may be used, how monitoring is conducted, how data is secured, used and destroyed, and who has access to it[27].
11. A blanket ban on personal use of the Internet by employees is inadmissible[28], as is any policy of blanket, automatic, continuous monitoring of Internet usage by employees[29]. Personal data relating to racial origin, political opinions or religious or other beliefs, as well as personal data concerning health, sexual life or criminal convictions are considered as “sensitive data” requiring special protection[30].
12. Employees must be made aware of the existence of an Internet usage policy in force in their workplace, as well as outside the workplace and during out-of-work hours, involving communication facilities owned by the employer, the employee or third parties[31]. All employees should be notified personally of the said policy and consent to it explicitly[32]. Before a monitoring policy is put in place, employees must be aware of the purposes, scope, technical means and time schedule of such monitoring[33]. Furthermore, employees must have the right to be regularly notified of the personal data held about them and the processing of that personal data, the right to access all their personal data, the right to examine and obtain a copy of any records of their own personal data and the right to demand that incorrect or incomplete personal data and personal data collected or processed inconsistently with corporation policy be deleted or rectified[34]. In event of alleged breaches of Internet usage policy by employees, opportunity should be given to them to respond to such claims in a fair procedure, with judicial oversight.
13. The enforcement of an Internet usage policy in the workplace should be guided by the principles of necessity and proportionality, in order to avoid a situation where personal data collected in connection with legitimate organisational or information-technology policies is used to control employees’ behaviour[35]. Before implementing any concrete monitoring measure, the employer should assess whether the benefits of that measure outweigh the adverse impact on the right to privacy of the concerned employee and of third persons who communicate with him or her[36]. Unconsented collection, access and analysis of the employee’s communications, including metadata, may be permitted only exceptionally, with judicial authorisation, since employees suspected of policy breaches in disciplinary or civil proceedings must not be treated less fairly than presumed offenders in criminal procedure. Only targeted surveillance in respect of well-founded suspicions of policy violations is admissible, with general, unrestricted monitoring being manifestly excessive snooping on employees[37]. The least intrusive technical means of monitoring should be preferred[38]. Since blocking Internet communications is a measure of last resort[39], filtering mechanisms may be considered more appropriate, if at all necessary, to avoid policy infringements[40]. The collected data may not be used for any purpose other than that originally intended, and must be protected from alteration, unauthorised access and any other form of misuse[41]. For example, the collected data must not be made available to other employees who are not concerned by it. When no longer needed, the collected personal data should be deleted[42].
14. Breaches of the internal usage policy expose both the employer and the employee to sanctions. Penalties for an employee’s improper Internet usage should start with a verbal warning, and increase gradually to a written reprimand, a financial penalty, demotion and, for serious repeat offenders, termination of employment[43]. If the employer’s Internet monitoring breaches the internal data protection policy or the relevant law or collective agreement, it may entitle the employee to terminate his or her employment and claim constructive dismissal, in addition to pecuniary and non-pecuniary damages.
15. Ultimately, without such a policy, Internet surveillance in the workplace runs the risk of being abused by employers acting as a distrustful Big Brother lurking over the shoulders of their employees, as though the latter had sold not only their labour, but also their personal lives to employers. In order to avoid such commodification of the worker, employers are responsible for putting in place and implementing consistently a policy on Internet use along the lines set out above. In so doing, they will be acting in accordance with the principled international-law approach to Internet freedom as a human right[44].
The absence of a workplace policy on Internet use
16. The Government argue that the company’s internal regulations provided for a prohibition on the use of computers for personal purposes. Although true, the argument is not relevant, since the given internal regulations omitted any reference to an Internet surveillance policy being implemented in the workplace. In this context, it should not be overlooked that the Government also refer to notice 2316 of 3 July 2007, which “highlighted that another employee had been let go on disciplinary grounds, specifically due to personal use of the company’s Internet connection and phones” and “reiterated that the employer verifies and monitors the employees’ activity, specifically stating that they should not use the Internet, phones or faxes for issues unrelated to work”, in other words, which “reiterated” the existence of a policy of Internet surveillance in the company[45]. Also according to the Government, the employees had been informed about this notice, and it had even been signed by the applicant. The applicant disputes these facts. The majority themselves acknowledge that it is contested whether the company’s Internet surveillance policy had been notified to the applicant prior to the interference with his Internet communications[46]. Unfortunately, the majority did not elaborate further on this crucial fact.
17. Since the existence of prior notice was alleged by the Government and disputed by the applicant, the Government had the burden of providing evidence to that effect, which they did not[47]. Moreover, the only copy of the notice 2316 available in the Court’s file is not even signed by the employee[48]. In other words, there is not sufficient evidence in the file that the company’s employees, and specifically the applicant, were aware that monitoring software had been installed by the employer and recorded in real time the employees’ communications on the company’s computers, produced statistical records of each employee’s Internet use and transcripts of the content of the communications exchanged by them, and could block their communication[49].
18. Even assuming that notice 2316 did exist and was indeed notified to the employees, including the applicant, prior to the events in question, this would not suffice to justify the termination of his contract, given the extremely vague character of the notice. A mere communication by the employer to employees that “their activity was under surveillance”[50] is manifestly insufficient to provide the latter with adequate information about the nature, scope and effects of the Internet surveillance programme implemented[51]. Such a poorly-drafted “policy”, if existent, offered precious little protection to employees. In spite of its crucial importance for the outcome of the case, the majority did not care to consider the terms of the notice on the company’s alleged Internet surveillance policy. Taking into account the evidence before the Court, I cannot but consider that the notice did not identify the minimum elements of an Internet usage and surveillance policy, including the specific misconduct being monitored, the technical means of surveillance and the employee’s rights regarding the monitored materials.
The personal and sensitive nature of the employee’s communications
19. The delicate character of the present case is significantly heightened by the nature of certain of the applicant’s messages. They referred to the sexual health problems affecting the applicant and his fiancée[52]. This subject pertains to the core of the applicant’s private life and requires the most intense protection under Article 8. Other than this sensitive data, the messages also dealt with other personal information, such as his uneasiness with the hostile working environment. The employer accessed not only the professional Yahoo Messenger account created by the applicant, but also his own personal account[53]. The employer had no proprietary rights over the employee’s Yahoo messenger account, notwithstanding the fact that the computer used by the employee belonged to the employer[54]. Furthermore, the employer was aware that some of the communications exchanged by the applicant were directed to an account entitled “Andra loves you”, which could evidently have no relationship with the performance of the applicant’s professional tasks[55]. Yet the employer accessed the content of this communication and made transcripts of it against the applicant’s explicit will and without a court order[56].
The lack of necessity of the employer’s interference
20. In addition, the employer’s interference had wide adverse social effects, since the transcripts of the messages were made available to the applicant’s colleagues and even discussed by them[57]. Even if one were to accept that the interference with the applicant’s right to respect for private life was justified in this case, which it was not, the employer did not take the necessary precautionary measures to ensure that the highly sensitive messages were restricted to the disciplinary proceedings. In other words, the employer’s interference went far beyond what was necessary[58].
21. Having said that, the termination of the applicant’s employment relationship with the company could not be based on evidence that did not meet the Convention standards of protection of employees’ privacy. In ratifying the employer’s dismissal decision, the domestic courts accepted as legal evidence of the breach of the applicant’s professional duties records of private communications which merited Convention protection and had nonetheless been accessed, used and publicised by the employer, in violation of the Convention standard[59]. Moreover, the termination of the applicant’s employment contract can hardly be said to be proportionate in itself, bearing in mind that it was not proven that the applicant had caused actual damage to his employer, or that he had adopted the same pattern of behaviour for a considerable period of time[60].
Conclusion
22. “Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace.”[61] New technologies make prying into the employee’s private life both easier for the employer and harder for the employee to detect, the risk being aggravated by the connatural inequality of the employment relationship. A human-rights centred approach to Internet usage in the workplace warrants a transparent internal regulatory framework, a consistent implementation policy and a proportionate enforcement strategy by employers. Such a regulatory framework, policy and strategy were totally absent in the present case. The interference with the applicant’s right to privacy was the result of a dismissal decision taken on the basis of an ad hoc Internet surveillance measure by the applicant’s employer, with drastic spill-over effects on the applicant’s social life. The employee’s disciplinary punishment was subsequently confirmed by the domestic courts, on the basis of the same evidence gathered by the above-mentioned contested surveillance measure. The clear impression arising from the file is that the local courts willingly condoned the employer’s seizure upon the Internet abuse as an opportunistic justification for removal of an unwanted employee whom the company was unable to dismiss by lawful means.
23. Convention rights and freedoms have a horizontal effect, insofar as they are not only directly binding on public entities in the Contracting Parties to the Convention, but also indirectly binding on private persons or entities, the Contracting State being responsible for preventing and remedying Convention violations by private persons or entities. This is an obligation of result, not merely an obligation of means. The domestic courts did not meet this obligation in the present case when assessing the legality of the employer’s dismissal decision, adopted in the disciplinary proceedings against the employee. Although they could have remedied the violation of the applicant’s right to respect for private life, they opted to confirm that violation. This Court did not provide the necessary relief either. For that reason, I dissent.
[1] This case-law is still limited (see Copland v. the United Kingdom, no. 62617/00, ECHR 2007-I, and Peev v. Bulgaria, no. 64209/01, 26 July 2007).
[2] Delfi AS v. Estonia [GC], no. 64569/09, §§ 110 and 118, 16 June 2015, following Ahmet Yıldırım v. Turkey, no. 3111/10, § 48, ECHR 2012, and Times Newspapers Ltd (nos. 1 and 2) v. the United Kingdom, nos. 3002/03 and 23676/03, § 27, ECHR 2009.
[3] Ahmet Yıldırım, cited above, § 48, and Times Newspapers Ltd, cited above, § 27.
[4] Constitutional Council decision no. 2009/580DC, 10 June 2009, paragraph 12.
[5] See, at the regional level, Recommendation CM/Rec(2007)16 of the Committee of Ministers to member States on measures to promote the public service value of the Internet, 7 November 2007, and, most importantly, Recommendation CM/Rec(2011)8 of the Committee of Ministers to member States on the protection and promotion of the universality, integrity and openness of the Internet, 21 September 2011, and the other Council of Europe Resolutions, Recommendations and Declarations, in addition to the Convention on Cybercrime and its Additional Protocol mentioned in my separate opinion joined to Ahmet Yildirim, cited above; and at the global level, the UN Millennium Declaration approved by GA Resolution 55/2, 18 September 2000, A/RES/55/2; International Telecommunications Union, Geneva Declaration of Principles, World Summit on the Information Society, 10 December 2003 (“commitment to build a people-centred, inclusive and development-oriented Information society, where everyone can create, access, utilise and share information and knowledge”); the Joint Declaration on Freedom of expression and the Internet by the UN Special rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the media, the OAS Special rapporteur on Freedom of Expression and the ACHPR Special Rapporteur on Expression and Access to Information, 1 June 2011, paragraph 6; and, in the UN committees’ work, for example, the Human Rights Committee General Comment no. 34, Freedoms of expression and opinion (art. 19), 12 September 2011, CCPR/C/GC/34, paragraph 12; and the International Committee on Economic, Social and Cultural Rights, Concluding Observations on China, 25 April-13 May 2005, E/2006/22, paragraphs 168 and 197.
[6] Delfi AS, cited above, § 133, and Editorial Board of Pravoye Delo and Shtekel v. Ukraine, no. 33014/05, §§ 63-64, ECHR 2011.
[7] Delfi AS, cited above, §§ 136 and 162; Committee on the Elimination of Racial Discrimination General Recommendation XXX, Discrimination against Non-citizens, 20 August 2004, A/59/18, paragraph 12, page 95; and Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Frank La Rue, 7 September 2012 (A/67/357), paragraph 87.
[8] Thus, I find it hard to agree with the majority’s very broad statement in paragraph 58 of the judgment.
[9] In Niemietz v. Germany, 16 December 1992, Series A no. 251-B, § 28, Halford v. the United Kingdom, 25 June 1997, Reports 1997-III, § 44, and Amann v. Switzerland [GC], no. 27798/95, § 43, ECHR 2000-II, the Court considered interferences with communications and correspondence in a work or business environment in the light of the concept of private life and correspondence for the purposes of Article 8, no distinction being made between private or professional communication and correspondence. The Court has already stated that privacy rights may not be asserted in the context of conduct away from the workplace, relied upon by an employer as grounds for dismissal (Pay v. the United Kingdom (dec.), no. 32792/05, 16 September 2008).
[10] Inspired by Malone v. the United Kingdom, 2 August 1984, § 84, Series A no. 82, the Court affirmed in Copland, cited above, § 43, that, even if the monitoring is limited to “information relating to the date and length of telephone conversations and in particular the numbers dialled”, as well as to e-mail and Internet usage, and without access to the content of the communications, it still violates Article 8 of the Convention. The same point was made by the Court of Justice of the European Union, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, Judgment of 8 April 2014, paragraphs 26-27, and 37, and the Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, 30 June 2014, paragraph 19 (A/HRC/27/37).
[11] Halford, cited above, §§ 44 and 45; Copland, cited above, §§ 41 and 42; and Peev, cited above, § 39. It is not clear what the Court meant by this, since the Court refers to various factors such as lack of warning, provision of private space and assurance of private use of the employer’s communication devices, but does not clarify their relative importance and whether these factors are essential or case-sensitive. Thus, the Court neglects the normative value of the “reasonability” criterion, leaving the impression that the employee’s privacy at work is always deferential to pure management interests, as if the employer had the ultimate word on what kind of activity is not regarded as private in the workplace. Worse still, the Court does not provide any guidance on the interests that the employer may invoke under Article 8 § 2 to justify interferences with the employee’s privacy. The problem with this concept lies in the way it was fashioned at birth. The employee’s expectation of privacy in the context of the “operational realities of the workplace” was affirmed by the United States Supreme Court in O’Connor v. Ortega, 480 US 709 (1983), which addressed the issue on a weak case-by-case basis, leading to the absence of generally applicable principles, as the critical concurring opinion of Justice Scalia also noted. In my view, the “reasonable expectation” test is a mixed objective-subjective test, since the person must actually have held the belief (subjectively), but it must have also been reasonable for him or her to have done so (objectively). This objective, normative limb of the test cannot be forgotten.
[12] Amann, cited above, § 65, and Copland, cited above, § 43. In a broader context, see also my separate opinion joined to Yildirim v. Turkey, no. 3111/10, 18 December 2012.
[13] The pursuance of the interests of national security, public safety or the economic well-being of the country, prevention of disorder or crime, the protection of health or morals is not in the purview of the employer, and therefore do not justify the interference with the Convention right. Hence, for example, it would be inappropriate for a private employer to perform surveillance tasks with regard to his or her employees on the basis of public security concerns. Here, I assume that different rules must apply in any case to State surveillance operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law. A similar assumption is made in paragraph 1.5 of Council of Europe Recommendation No. R (89)2 and Article 3 (2) of EU Directive 95/46/EC.
[14] The pursuit of the interests of national security, territorial integrity or public safety, prevention of disorder or crime, protection of health or morals, and maintenance of the authority and impartiality of the judiciary are not in the purview of the employer and therefore do not justify interference with the Convention right.
[15] For example, in an Article 10 case, Palomo Sánchez and Others v. Spain, nos. 28955/06, 28957/06, 28959/06 and 28964/06, 12 September 2011.
[16] ETS no. 108.
[17] 5062/01/EN/Final.
[18] 5401/01/EN/Final.
[19] 2093/05/EN.
[20] 00451/06/EN.
[21] Important decisions have been delivered in this area by the Luxembourg Court of Justice, such as Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado, Joined cases C-468/10 and C-469/10, 24 November 2011, on the implementation of Article 7 (f) of the Data Protection Directive in national law; Deutsche Telekom AG v. Bundesrepublik Deutschland, C-543/09, 5 May 2011, on the necessity of renewed consent; College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer, C-553/07, 7 May 2009, on the right of access of the data subject; Dimitrios Pachtitis v. European Commission, F-35/08, 15 June 2010, and V v. European Parliament, F-46/09, 5 July 2011, both on the usage of personal data in the context of employment in EU institutions.
[22] These Guidelines were updated in 2013, but I will refer to both versions, taking into account the date of the facts in the present case.
[23] While the template is to some extent parochial, the lens offered by the Court should be universal, in the sense that the Court should seek a principled approach to Internet communications. This top-down international regulation, imposed by the Court in certain fundamental aspects, does not call into question the free, multi-stakeholder governance of the Internet. On the contrary, it guarantees it. In my view, the Court should not forget the highly political nature of the Internet as a social equaliser and an instrument for furthering human rights, which engages private interests in public decisions. Such an omission would prove particularly regrettable in the context of employment law, whose primarily purpose is to redress the imbalance between vulnerable employees and more powerful employers in their contractual relationships.
[24] Paragraph 14.1 of Council of Europe Recommendation Rec (2015)5: “The content, sending and receiving of private electronic communications at work should not be monitored under any circumstances”, and paragraph 15.1: “The introduction and use of information systems and technologies for the direct and principal purpose of monitoring employee’s activity and behaviour should not be permitted.”.
[25] However, the mere existence of a labour code or a general employment law which regulates the relationship between employers and employees does not suffice if they do not provide for a specific set of rules on employees’ personal data protection, including Internet usage policy in the workplace.
[26] In its updated General Comment on Article 19, the Human Rights Committee pointed out the need to take greater account of free speech on the Internet and digital media (CCPR/C/GC/34, 12 September 2011, paragraph 12).
[27] Paragraph 6.14.1 of the 1997 ILO Code of Practice and paragraph 15 of the revised 2013 OECD Guidelines, which introduces a concept of a privacy management programme and articulates its essential elements.
[28] Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, pages 4 and 24. As the Handbook on European data protection law, 2014, puts it, “Such a general prohibition could, however, be disproportionate and unrealistic.”
[29] Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, page 17, and, previously, the Office of the Australian Federal Privacy Commissioner, Guidelines on Workplace E-mail, Web Browsing and Privacy, 30 March 2000.
[30] See Article 6 of the 1981 Council of Europe Convention, paragraph 10.1 of Council of Europe Recommendation No. R (89)2, paragraph 6.5 of the 1997 ILO Code of practice, and paragraph 9.1 of Council of Europe Recommendation Rec (2015)5.
[31] Rules on the transparency of any processing of an employee’s personal data can be found in paragraph 12 of the 1980 OECD Guidelines; paragraph 3.1 of Council of Europe Recommendation No. R (89)2; paragraph 5.8 of the 1997 ILO Code of practice; Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, pages 4 and 5; Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, pages 13, 14, 22 and 25; and paragraphs 10.1-10.4 and especially paragraph 14.1 and 21 (a) of Council of Europe Recommendation Rec (2015)5.
[32] The principle of informed and explicit consent has been affirmed in paragraph 7 of the 1980 OECD Guidelines, paragraph 3.2 of Council of Europe Recommendation No. R (89)2, paragraphs 6.1-6.4 of the 1997 ILO Code of Practice, Article 29 Working Party Opinion no. 8/2001, pages 3 and 23, Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, page 21, and paragraphs 14.3, 20.2 and 21 (b) and (c) of Council of Europe Recommendation Rec (2015)5. According to the Council of Europe Employment Recommendation, employers should inform their employees in advance about the introduction or adaptation of automated systems for the processing of personal data of employees or for monitoring the movements or the productivity of employees. In the EU framework, the Data Protection Working Party analysed the significance of consent as a legal basis for processing employment data and found that the economic imbalance between the employer asking for consent and the employee giving consent will often raise doubts about whether consent was given freely or not. Hence, the circumstances under which consent is requested should be carefully considered when assessing the validity of consent in the employment context.
[33] Commentary to paragraph 6.14 of the 1997 ILO Code of practice, and Article 29 Working Party Opinion no. 8/2001, page 25.
[34] Paragraph 13 of the 1980 OECD Guidelines, Article 8 of the 1981 Council of Europe Convention, paragraphs 11 and 12 of Council of Europe Recommendation No. R (89)2, paragraphs 11.1-11.3, and 11.9 of the 1997 ILO Code of Practice and paragraphs 11.1-11.9 of Council of Europe Recommendation Rec (2015)5.
[35] See my separate opinion in Yildirim, cited above, on the minimum criteria for Convention-compatible legislation on Internet blocking measures; and also paragraph 8 of the 1980 OECD Guidelines; Article 5 (c), (d) of the 1981 Council of Europe Convention; paragraph 4.2 of Council of Europe Recommendation No. R (89)2; paragraph 5.1-5.4 of the 1997 ILO Code of Practice; Article 29 Working Party Opinion no. 8/2001, page 25; Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, pages 17 and 18; and paragraphs 4.1, 5.2 and 5.5 of Council of Europe Recommendation (2015)5.
[36] Article 29 Working Party Working document on the surveillance of electronic communications in the workplace, page 13, and paragraph 20.1 of Council of Europe Recommendation Rec (2015)5.
[37] Paragraph 6.14.2 of the 1997 ILO Code of practice.
[38] Article 29 Working Party Opinion no. 8/2001, pages 4 and 25, and paragraph 14.3 of Council of Europe Recommendation Rec (2015)5.
[39] See my separate opinion in Yildirim, cited above, on the minimum criteria for Convention-compatible legislation on Internet blocking measures.
[40] Paragraph 14.2 of Council of Europe Recommendation Rec (2015)5. As the Article 29 Data Protection Working Party document on surveillance and monitoring of electronic communications in the workplace, page 24, put it, “the interest of the employer is better served in preventing Internet misuse rather than in detecting such misuse.”
[41] Paragraph 13 of Council of Europe Recommendation No. R (89)2, and paragraph 12.1 of Council of Europe Recommendation Rec (2015)5.
[42] Paragraph 14 of Council of Europe Recommendation No. R (89)2, and paragraph 13.1 of Council of Europe Recommendation Rec (2015)5.
[43] At this juncture it is worth noting the Court’s demanding threshold for accepting dismissal in Vogt v. Germany, no. 17851/91, 26 September 1995, where the penalty of dismissal was found excessive for the employee’s participation in political activities outside work with no impact on her professional role, and Fuentes Bobo v. Spain, no. 39293/98, 29 February 2000, where the penalty of dismissal for offensive remarks broadcast about the employer was also found to be too severe, taking into account the employee’s length of service.
[44] See also my separate opinion joined to Yildirim, cited above; ILO, Conditions of Work Digest, volume 12, Part I, Monitoring and Surveillance in the Workplace (1993), p. 77; the Joint Declaration by the UN Special Rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the Media and the OAS Special Rapporteur on Freedom of Expression, adopted on 21 December 2005; and Reports by the UN Human Rights Council’s Special Rapporteur on the promotion and protection of the right to Freedom of Opinion and Expression, Frank La Rue (A/HRC/17/27), 16 May 2011, and (A/66/290), 10 August 2011, especially the latter text, on access to online content (section III) and access to Internet connection (section IV).
[45] Page 2 of the Government’s observations.
[46] Paragraph 41 of the judgment.
[47] Paragraph 27 of the judgment.
[48] Paragraphs 33 and 43 of the judgment. I find it odd, to say the least, that the County Court referred to notice 2316 as having been signed (paragraph 10 of the judgment), but the Government was not in a position to present a copy of the contested item of evidence to the Court.
[49] The employer used IMFirewall Software – Wfilter to intercept the applicant’s communications, which is characterised by real time recording and the possibility to block messages (see paragraph 13 of the applicant’s observations, not disputed by the Government).
[50] Paragraph 10 of the judgment, referring to the County Court’s description of the notice.
[51] This was exactly the same point made by the Article 29 Working Party Working document on the surveillance of electronic communications in the workplace: “Some interpreters point out that this seems to also imply as (although it was not specified in the judgement) that if a worker is warned in advance by an employer about the possibility of their communications being intercepted, then he may lose his expectation of privacy and interception will not constitute a violation of Article 8 of the Convention. The Working Party would not be of the opinion that advance warning to the worker is sufficient to justify any infringement of their data protection rights” (page 8).
[52] Paragraph 45 of the judgment.
[53] Paragraph 5.3 of Council of Europe Recommendation (2015)5 states clearly that “Employers should refrain from requiring or asking an employee or a job applicant access to information that he or she shares with others online, notably through social networking.” As the English High Court stated in Smith v. Trafford Housing Trust (2013) IRLR 86, the employer’s obligation not to promote religious beliefs does not extend to the employee’s Facebook postings, and thus a Christian employee may express his views on gay marriage on social networks without committing professional misconduct. But employee termination may be related to his or her “after hours” commercial activities on eBay, which included videos objectionable to the employer, as decided by the US Supreme Court in San Diego v. Roe, 543 US 77 (2004).
[54] The ownership argument is not lacking in logical appeal, but it should be approached with caution. It can be questioned whether it is appropriate to approach the matter in black-or-white reasoning, arguing that the employee no longer has any expectation of privacy whenever he or she uses IT facilities belonging to the employer, and, conversely, the employer has such an expectation whenever he or she uses his or her own IT facilities. A more nuanced approach is necessary, as emerges from the Article 29 Working Party Working document on surveillance and monitoring of electronic communications in the workplace, page 20: “In any case, the location and ownership of the electronic means used do not rule out secrecy of communications and correspondence as laid down in fundamental legal principles and constitutions.” Recently, the Canadian Supreme Court underscored the same idea, asserting the employee’s reasonable expectation of privacy over his personal information stored in company-owned equipment (R. v. Cole, (2012) SCC 53). By the same token, the working time argument, which claims that an individual at work is not on “private time” and that therefore no right to privacy applies in the workplace, is also misleading. To borrow the words of Justice Blackmun writing for the minority in O’Connor v. Ortega, cited above, “the reality of work in modern time, whether done by public or private employees, reveals why a public employee’s expectation of privacy in the workplace should be carefully safeguarded and not lightly set aside. It is, unfortunately, all too true that the workplace has become another home for most working Americans. Many employees spend the better part of their days and much of their evenings at work … As a result, the tidy distinctions (to which the plurality alludes) between the workplace and professional affairs, on the one hand, and personal possessions and private activities, on the other, do not exist in reality.”
[55] Thus, the explanation provided by the employer, which the majority accept in paragraph 57, that the employer accessed the applicant’s account “in the belief that it contained professional messages”, is not convincing. Moreover, the majority contradict themselves when they argue in paragraph 58 that “the Court takes the view that the content of the communications was not a decisive element in the domestic courts’ findings”. On the one hand, the majority consider that the interference with the employee’s right to respect for private life was “legitimate”, because, “as the domestic courts found”, the employee acted on the “assumption that the information in question had been related to professional activities”, but, on the other hand, the majority state that the private nature of the communication was not decisive for the domestic courts’ confirmation of the dismissal. This makes no sense. In the domestic courts’ view, it was precisely the private, non-professional nature of the communications that was the decisive element for their finding the employee’s disciplinary breach as established.
[56] In fact, the employer also accessed communications between the applicant and his brother’s Yahoo messenger account, entitled “meistermixyo”, which included, for example, information on a car accident sustained by the latter (see paragraph 11 of the applicant’s observations, not contested by the Government).
[57] Paragraph 4 of the applicant’s observations, which was not disputed by the Government, and paragraph 31 of the judgment.
[58] This was explicitly in breach of the applicable rules on internal use of personal data set out in paragraph 10 of the 1980 OECD Guidelines, paragraph 6.1 of Council of Europe Recommendation No. R (89)2, paragraph 10.6 of the 1997 ILO Code of Practice, and paragraph 6.1 of Council of Europe Recommendation (2015)5.
[59] In other words, the interference with the employee’s right to privacy, especially with regard to the sensitive data collected, was so intolerable that it tainted the evidence collected and hence the Schenk standard does not apply here (Schenk v. Switzerland, no. 10862/84, 12 July 1988). A similar approach was taken by the Portuguese Constitutional Court, in its judgment no. 241/2002, on the nullity of evidence collected in a dismissal case on the basis of the labour court’s request to Telepac and Portugal Telecom for traffic data and billing information concerning the employee’s home phone line.
[60] It should be recalled that if a worker is asked questions that are inconsistent with the prohibition of collection of data on the worker’s sex life by the employee, and the worker gives an inaccurate or incomplete answer, the worker should not be subject to termination of the employment relationship or any other disciplinary measure (paragraph 6.8 of the 1997 ILO Code of Practice).
[61] Article 29 Working Party Working document on surveillance and monitoring of electronic communications in the workplace, page 4.