Civil Measures
Data Protection Commission Case Studies
Dairygold – Failure to comply in full with an Access Request
In June 2006, I received a complaint from a firm of solicitors acting on behalf of a client regarding alleged non-compliance with a subject access request. The data subject had made an access request to her employer, Dairygold Co-Operative Society Limited/ REOX, in March 2006 but it had not been complied with within the statutory forty day period.
My Office wrote to the data controller and we subsequently received a reply to the effect that the material sought in the access request had now been supplied. However, following examination of the documents received, the solicitor for the data subject communicated further with my Office and identified certain documents omitted by the data controller. Particular reference was made to documents in relation to a workplace accident in which the data subject was involved in October 2004. My Office contacted Dairygold/Reox seeking an explanation for the missing documents. While it responded by providing observations on a number of the missing documents, it also stated that it was obtaining legal advice regarding the release of the documents relating to the workplace accident.
After the exchange of detailed correspondence between my Office, Dairygold/Reox and its legal representatives, an index of all of the personal information which had been released was provided to my Office. In relation to the documents concerning the workplace accident, the solicitors for the data controller confirmed that their client was in possession of both an Internal Accident Report and a Consulting Engineer’s Report. It stated that both documents were prepared in contemplation of a personal injury claim and were therefore privileged.
To satisfy ourselves that there was a sound basis for the legal privilege claim in relation to these documents, my Office sought information from the data controller regarding the dates on which the two reports were created. It was confirmed that the Internal Accident Report Form was created in the days immediately following the workplace accident and the Consulting Engineers Report was created some nineteen months later in May 2006. My Office pointed out to the data controller’s solicitor that the claim of legal privilege related only to communications between a client and his professional legal advisers or between those advisers and that this provision could not be applied to the internal accident report created shortly after the incident. In light of the information available to my Office, we accepted that the claim of legal privilege could be applied to the Consulting Engineer’s Report. The data controller continued, however, to claim legal privilege on both documents. In an attempt to bring closure to this matter, my Office requested a confidential sighting of the Internal Accident Report. Regrettably, the data controller refused to comply with this request and I had no option but to serve an Information Notice requiring that a copy of the Internal Accident Report be furnished to me. The Internal Accident Report was supplied to me in response to the Information Notice. On examining the Report I was satisfied that it contained personal data of the data subject and I was further satisfied that the limited exemptions to the right of access set down in the Acts did not apply to this document. The document also contained some limited personal data of third parties and non personal information which we advised the data controller to redact with the balance to be released voluntarily to the data subject. The Report was subsequently released in accordance with our advice.
There is a tendency for data controllers in some cases to claim non-relevant exemptions under Sections 4 or 5 of the Acts to restrict the right of access. With increased frequency, accident reports in relation to workplace incidents are being withheld with data controllers claiming legal privilege on such reports. I do not accept that legal privilege applies to such reports. It is standard procedure for an accident report to be compiled by an employer in the aftermath of a workplace accident and such reports clearly do not fall into the category of personal data in respect of which a claim of legal privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. Any data controller who is reported to me as having restricted a data subject’s right of access to reports of this nature will face an investigation by my Office involving a close scrutiny of the grounds for applying the restriction. I will have no hesitation in using my full enforcement powers to ensure the rights of the data subject are upheld in relation to such cases.
Opera Telecom: Forced to delete database
I received a complaint from an individual regarding the receipt of an unsolicited text message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service.
When my Office investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages.
In October 2005 Opera Telecom sent a direct marketing text message to the complainant. Regulation 13 of Statutory Instrument 535 of 2003 refers to unsolicited communications, making it an offence in certain circumstances to send direct marketing messages. The message the complainant received was contrary to this Regulation. It also contravened Section 2 of the Data Protection Acts as the personal data in question had not been obtained and processed fairly and was further processed in a manner which was incompatible with the purpose forwhich it was originally collected.
During our investigation, my Office discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. My Office recognised the potential risk of all of these people being subjected to direct marketing in the same way as the complainant had been. Conscious of this risk, I initially requested in a letter to Opera Telecom that they delete the related Database. When it did not comply with this request, I used my powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. An Enforcement Notice is a legal document and it is an offence not to comply with this. Opera Telecom complied with the Enforcement Notice and deleted the database.
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
By continuing to use this website, you consent to the use of cookies in accordance with our Cookie Policy.HIDE THIS NOTICE
Data Protection Commissioner Data Protection Commissioner
Ashbury Taverns: Failure to comply with an access request
My Office received a complaint regarding alleged non-compliance with an access request. This complaint was made by a legal representative on behalf of a data subject formerly employed by Ashbury Taverns of Wexford.
As the access request had not been complied with within the 40 day period, my Office wrote to the data controller. When no response was received, my Office also attempted to make contact on numerous occasions by telephone and by registered post.
As my Office had attempted to investigate this complaint and had been stymied by the failure of the data controller to respond, I decided to issue an Enforcement Notice to Ashbury Taverns. The Enforcement Notice required the data controller to comply with the access request within a period of twenty-one days. During that period, my Office received its first correspondence from Ashbury Taverns by way of a letter from its solicitors. My Office was informed that the access request had not been complied with by Ashbury Taverns because it had likely confused its obligations under the data protection legislation with claims made under employment legislation. The letter also stated that the access request had now been complied with. Upon follow-up communication with the legal representative of the data subject, it was confirmed to my Office that the personal data sought in the access request had been provided.
Political database and a charity request, “spamming” of constituents and non co-operation from a County Councillor
During the year, I received two complaints concerning matters relating to political activity which raised important Data Protection issues.
The first related to a political party. It was alleged by the complainant, a member of this party, that another local member of the party who was also a member of a charitable organisation had sent him a fund-raising letter on behalf of the charity which identified him as “an active member of our community within the party”. He maintained that his contact details were obtained from the party membership list held locally.
While the appeal for the charity was worthwhile nevertheless once a complaint was received I had to take the matter up with the party’s national headquarters. It responded promptly and acknowledged that the local member had used the local party database in sending out an appeal for funds for the charity. While the individual was well-intentioned, the headquarters accepted that the use of data in this way was a contravention of section 2 of the Data Protection Acts, 1988 and 2003 which provides that personal data
(i) ” shall have been obtained only for one or more specified , explicit and legitimate purposes”
and
(ii) “shall not be further processed in a manner incompatible with that purpose or those purposes.”
Data relating to membership of a political party is sensitive personal data within the meaning of the Acts and such data controllers are required to ensure that appropriate safeguards against disclosure are in place. This is especially important given the provision in section 2B(1)(ix) of the Acts which permits processing of sensitive data without individual consent “by political parties, or candidates for election to, or holders of, elective political office in the course of electoral activities for the purpose of compiling data on people’s political opinions?”. In the course of concluding this complaint, my Office advised the party on their obligations as a data controller, particularly in regard to informing members processing personal data of the requirements of Data Protection.
The second complaint which was received in late 2003 was about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had “harvested” email addresses from the address line of an email sent by a third party – who was also a County Councillor but of another party. (“Harvesting” refers to the addition to one’s own mailing list of any email address received on the “to” or “cc” line of the email). This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services (Data Protection) Regulations 2003) which provides for prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes.
I only name Mr. Rainey in my Report as he failed completely to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses “harvested” from another email had been deleted from his system and that no further details had been been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had “pestered” him.
It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law. In this case, I was concerned that a public representative failed to see the significance of a complaint that he was “spamming” his constituents and equally that a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially.
That said I am pleased to record that this was an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.
used the local political party database in sending out an appeal for funds for a charity. While the individual was well-intentioned it was accepted that the use of data in this way was a contravention of the Data Protection Acts.
a public representative failed to see the significance of a complaint that he was “spamming” his constituents and equally a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially – an isolated incident as any complaints I have received regarding political activities are responded to in a proper and prompt manner.
Legal firm – identification of source of personal data – lack of co-operation – issue of enforcement notice
This case study provides a useful example of a matter which could have been disposed of easily at the outset, but which was protracted due to lack of cooperation from a data controller – in this case a solicitor. The case also demonstrates that, where I consider that an important issue is at stake, I am prepared to have full recourse to my legal powers until I reach a satisfactory conclusion.
The complainant had been involved in a car collision. The complainant and the other party involved had exchanged phone numbers but not addresses. The complainant subsequently received a phone call from a solicitor, acting for the other party involved, seeking her car registration number and address. The complainant declined to provide these details, since she had understood the matter to have been informally resolved, and that no recourse to legal action had been contemplated. In any event, some weeks later the complainant received a letter at her home address from the solicitor. The complainant asked how the solicitor had obtained these details, but this information was not forthcoming. The complainant raised the matter with me, as she suspected that her personal details had not been ‘fairly obtained’ by the solicitor, as required under the Data Protection Act.
On raising the matter with the solicitor, she explained that her client had noted the registration number of the complainant’s car, and that the Motor Registration Bureau had used this information to supply the solicitor with the complainant’s address, in accordance with the provisions of the Road Traffic Acts. However, the complainant contested this assertion. , since the solicitor and the complainant had declined to supply this information. Why would the solicitor have requested the car registration number during their initial phone call, the complainant asked, if the solicitor’s client already had this information? The complainant argued forcefully that the solicitor must in fact have obtained the data from another source.
My Office put these points in writing to the solicitor, who declined to provide any further explanation, maintaining simply that the details had been obtained from the Motor Registration Bureau. I was not satisfied with the completeness or frankness of the solicitor’s response and so, after repeated refusals from the solicitor to furnish additional information, I decided to issue a formal Information Notice under section 12 of the Data Protection Act. An Information Notice obliges the recipient to “furnish such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions”. It is an offence not to comply fully with the information sought; and in general, I only resort to issuing such a Notice if I consider that necessary information will not be provided voluntarily.
In response to the Information Notice, the solicitor stated that the details were obtained from its client and the Motor Registration Bureau. My Office then wrote once more to the solicitor expressing dissatisfaction with her reply. My Office had established that the Motor Registration Bureau had not been contacted by the solicitor until five months after the incident, while the complainant’s home address was known to the solicitor within weeks of the incident. The solicitor was advised that, unless full particulars were forthcoming immediately, I would commence proceedings in accordance with section 30 of the Data Protection Act, 1988 for failure to comply with the Information Notice.
The solicitor responded with an explanation that the complainant’s address details had, in fact, been obtained from her client, and only subsequently confirmed by the Motor Registration Bureau. This belated explanation, had it been provided at the outset, would have obviated the need for the protracted and time-consuming investigation of this matter.
It concerns me that, in this case, a member of the legal profession was reluctant to provide the straightforward information which I considered necessary to bring the complaint to a conclusion. It took seventeen months and the full use of my statutory powers to get the information in question. I can ill afford the time my staff had to devote to ‘delaying tactics’ – but where I feel an important issue is at stake I am prepared to pursue matters fully to reach a satisfactory conclusion. From my general experiences with legal practitioners to date, I consider this to have been an isolated case and not representative of the legal profession in general. However, should a similar type case arise in future from any source, I will have no hesitation in publicly naming the party involved, and in vigorously pursuing proceedings for any offences under the Act.
Ex-directory phone number obtained by insurance broker – Information Notice used to establish circumstances
Two people complained to me, separately, that a particular firm of insurance brokers had obtained their ex-directory telephone numbers and used these to contact them to try to sell insurance products. They were surprised to be contacted at home, since they had taken the trouble to opt for ex-directory numbers, and they were indignant at what they saw as an aggressive invasion of their privacy. Both complainants speculated that the brokers had got their phone numbers in some illicit way, though neither offered any evidence for this.
I issued an Information Notice under section 12 of the Act to the brokers. In response to the Information Notice, the brokers stated that in the majority of cases they obtained the telephone numbers of prospective clients from the telephone directory, but in some cases they got them from referrals by existing clients (in other words, existing clients were encouraged to suggest other people who might be interested in the company’s products and services). However, the brokers indicated that they did not keep records as to who made such referrals and consequently they were unable to explain how they had come into possession of information relating to the complainants.
My decision was that in all the circumstances the investigation had not established that a contravention of the Act had taken place in these cases. In reaching this decision I took into account the fact that the data controller’s account of the events had been given to me by way of response to an Information Notice, and that section 12 provides that –
“A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice or who in purported compliance with such a requirement furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.”
However I told the brokers that they should in future retain a record of how details of prospective clients were obtained. They agreed to do so.
Cases
Collins -v- FBD Insurance Plc
[2013] IEHC 137 Judgment of Mr. Justice Feeney delivered on 14th day of March, 2013.
1.1 This is an appeal from a Circuit Court order of the 9th March, 2012 where the Court determined that Michael Collins, the plaintiff in the Circuit Court, was entitled to the sum of €15,000 damages and that he should recover that sum together with costs from the defendant. The defendant has appealed that order by notice of appeal dated the 15th March, 2012.
1.2 In the Circuit Court proceedings Michael Collins claimed a number of reliefs including damages for discrimination and harassment in breach of the Equal Status Acts 2000/2008, damages for negligence and breach of duty including statutory duty and damages for breach of contract. He also claimed damages pursuant to s. 7 of the Data Protection Acts 1988 and 2003 (“the Data Protection Acts”). The order of the Circuit Court did not identify the claim in respect of which the damages were awarded. However, both parties to the appeal proceeded on the basis that the only issues to be considered by the High Court was whether or not the plaintiff was entitled to damages pursuant to s. 7 of the Data Protection Acts and if so, the quantum of such damages. Both parties proceeded on the basis that the Circuit Court had determined that the defendant had breached the provisions of the Data Protection Acts and that the plaintiff in the Circuit Court action had been held entitled to general damages in the sum of €15,000 pursuant to the provisions of s. 7 of the Data Protection Acts and that no special damages or loss had been proved.
1.3 The case initially commenced before the High Court on the basis that the sole issue to be determined was whether as a matter of law the plaintiff respondent is entitled to compensation pursuant to s. 7 of the Data Protection Acts in the absence of evidence of actual loss or damage. When the case commenced it was envisaged by both parties that oral evidence would not be required and that the parties would seek the Court to rule on the issues of the entitlement to general damages under s. 7 of the Data Protection Actsand, if the plaintiff was so entitled, then to determine the quantum of damages. Following further consideration of the matter, the parties agreed and proceeded on the basis that oral evidence should be heard by the Court.
2.1 The factual matters which give rise to this claim commenced with the plaintiff insuring his van bearing registration number 08D 1065 with the defendant insurance company. The van which the plaintiff insured was for use by him in his business of painting and decorating. The insurance cover obtained extended to the loss of the vehicle or damage to it but the policy did not cover any other financial loss due to matters such as the temporary loss of the vehicle. The period of insurance provided for in the policy was for the twelve month period beginning the 31st May, 2008.
2.2 On the 27th September, 2008 the plaintiff’s van was stolen from outside of his home in Finglas following a break-in to his house and the theft and break-in were investigated by An Garda Síochána. Following the theft of his van, the plaintiff made a claim under his policy of insurance on the 2nd October, 2008. The claim was investigated on behalf of the defendant by a claims management company who concluded in a report from its investigator that there was clear evidence that the insurer’s house had been broken into whilst it was unoccupied and that a number of items had been stolen along with the insured’s van and that the claims management company had no reason to suspect that there was anything untoward. The report expressed the view that it was a case for settlement. Following receipt of that report, the defendant insurance company determined to have the plaintiff investigated by a private investigator. The private investigator reported to the insurance company. In the report the investigator stated that his inquiries at the local Garda station had indicated that the Gardaí considered the claim to be a genuine incident but the report went on to state that from other inquiries and information, the private investigator had established that the plaintiff was involved in an incident in Blanchardstown Shopping Centre where a van had been broken into and a strongbox in the rear of the vehicle had been forced open and items stolen and that the investigator had established from court records that it appeared that at Swords District Court on the 26th June, 2004, the plaintiff had been convicted under the Theft Act and had been sentenced to two months in prison. It should be noted that the factually correct position is that the plaintiff pleaded guilty to receiving the stolen goods which were removed from the vehicle that was broken into and that on a plea of guilty, the plaintiff received a three month sentence.
2.3 On the 10th November, 2008 the defendant insurance company wrote to the plaintiff and stated:
“We understand that you may have been convicted of a criminal offence. Please let us have full details of same in writing, together with an explanation as to why this material fact was not disclosed to us. If we do not hear from you within ten days from the date of this letter, we will proceed to cancel the above policy and treat the same as null and void.”
That letter of the 10th November, 2008 was written at a time when the insurance company did not have available to it the plaintiff’s proposal form. On the 19th November, 2008 the plaintiff wrote to the defendant seeking the plaintiff’s proposal form. The proposal form was unavailable to the defendant insurance company as of that date. On the 27th November, 2008, solicitors acting for the plaintiff wrote to the defendant requesting the urgent attention of the insurance company and pointing out that the plaintiff was currently out of work due to the loss of his vehicle. No response was received to the plaintiff’s solicitors’ letter and further reminders were sent on the 11th December, 2008 and the 16th December, 2008.
2.4 In early January 2009, the plaintiff’s van was recovered and returned to him. As of the date that the van was returned, the defendant insurance company had neither paid out under the policy of insurance nor responded to the correspondence from the plaintiff’s solicitors nor had it provided the plaintiff with a copy of his proposal form. That form had been signed and completed at the inception of the policy. On the 12th January, 2008 the plaintiff’s solicitors wrote to the defendant pursuant to the Data Protection Acts formally calling upon the defendant pursuant to s. 4 to furnish a copy of the plaintiff’s file, including a copy of the original proposal form. The cheque enclosed with the request was for a sum greater than the required amount and correspondence was exchanged to achieve the payment of the actual required amount. A cheque for the correct sum was forwarded by the plaintiff’s solicitors to the defendant by letter dated the 19th February, 2009. On the 25th March, 2009, the defendant forwarded to the plaintiff’s solicitors a letter enclosing the documentation that the defendant held on its file in respect of Michael Collins. By that date, the plaintiff’s solicitors had already been in contact with the Data Protection Commissioner and had, by letter of the 9th March, 2009, requested the Commissioner to inquire into the insurance company’s delay in dealing with the request from the plaintiff. Following receipt of the insurance company’s letter of the 25th March, 2009, enclosing certain documentation, the solicitors for the plaintiff again wrote to the Data Protection Commissioner by letter of the 30th March, 2009 raising concerns as to how the insurance company had come upon certain information and whether or not, in obtaining such information, there had been a breach of the Data Protection Acts. Following further correspondence between the Data Protection Commissioner, the plaintiff’s solicitors and the defendant insurance company, the solicitors for the plaintiff, by letter of the 16th September, 2009 to the Data Protection Commissioner, formally requested a decision from the Commissioner under s. 10 of the Data Protection Acts in relation to the complaint brought on behalf of Michael Collins against FBD Insurance Company. That request was ultimately responded to by a decision of the Data Protection Commissioner dated the 1st August, 2010 concluding that the defendant insurance company had been in breach of s. 4(1)(a) of the Data Protection Acts “by not providing all the relevant personal data within the forty day time limit specified”, and, secondly, had been in breach of s. 4(7) “by not notifying Lawlor Partners Solicitors [the plaintiff’s solicitors] when it released certain personal data on the 25th March, 2010 of its reasons for refusal to supply other personal data in its possession and of the data’s subject right to complain to the Data Protection Commissioner about that refusal”.
2.5 As part of the correspondence which was exchanged prior to the first decision of the Data Protection Commissioner, the Data Protection Commissioner wrote to the plaintiff’s solicitors by letter of the 11th August, 2009 indicating that the Commissioner had been informed in a recent letter that the insurance company’s actions arose because “the reasons the claims handlers became suspicious on this case came down to the occupation of the insured. The claims handler in the case of Mr. Michael Collins asked the question on previous convictions because the client’s occupation is stated to be a painter and decorator”. During the hearing in this Court, it was accepted and acknowledged on behalf of the insurance company that that was a false explanation, based upon incorrect information and that by the date that the insurance company had written to the plaintiff on the 10th November, 2008 stating that they understood that Mr. Collins may have been convicted of a criminal offence, the insurance company were in fact of a possession of the claims management company’s report dated the 13th October, 2008 and the private investigator’s report which referred to a criminal conviction. The explanation provided by the defendant for raising the possibility of a criminal conviction was, on the face of it, concocted.
2.6 Following receipt of the first decision of the Data Protection Commissioner dated the 1st August, 2010, further correspondence was exchanged between the plaintiff’s solicitor and the office of the Data Protection Commissioner. On the 9th September, 2010 the plaintiff’s solicitors made a complaint against FBD Insurance Company on behalf of the plaintiff. Eventually, that complaint resulted in the second decision of the Data Protection Commissioner which was dated the 14th April, 2011 wherein it was identified that on the 9th September, 2010 a request had been made to investigate alleged breaches of the Data Protection Acts relating to the use by FBD of a private investigator and the production by him of a report on Mr. Collins which included information on an unrelated incident involving Mr. Collins which had resulted in a criminal conviction. The decision of the Data Protection Commissioner set out details of the investigation and an analysis of the data protection issues and concluded on the final page with the decision. The Commissioner was of the opinion that FBD Insurance had contravened the Acts and, in particular, s. 2(c)(3):
“. . . by failing to ensure that all the processing of your client’s [Mr. Collins’] personal data was carried out in pursuance of a contract in writing or in another equivalent form between the data protection controller (FBD) and the data processor (private investigator), that the contract provide that the data processor carry out the processing only on and subject to the instructions of the data controller and that the data processor comply with obligations equivalent to those imposed on the data controller by s. 2(1)(d) of the Act”.
The Commissioner also gave the opinion that the insurance company failed “to ensure that the data processor provide sufficient guarantees in respect of the technical security measures, and organisational measures governing the processing” and also failed to “take reasonable steps to ensure compliance with those measures”. The decision also found that FBD Insurance failed to comply with 2(c)(3) and s. 2(1):
“by (i) securing access to court records through the agency of the private investigator which recorded sensitive data – a criminal conviction – related to your client [Mr. Collins], other than in a manner prescribed by the District Court rules and (ii) in failing to take reasonable steps to ensure that the private investigator did not thus unfairly obtain personal data related to your client [Mr. Collins]”.
2.7 The second decision of the Data Protection Commissioner of the 14th April, 2011 concluded by stating in relation to damages that data controllers are liable under s. 7 of the Data Protection Acts to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession and that it was a matter for any individual who feels that he might have suffered damage from a contravention by a data controller of its data protection responsibilities to take legal advices appropriate but that the office of the Data Protection Commissioner has no function in relation to the taking of proceedings under s. 7 or in giving any such legal advice.
2.8 The decisions of the Data Protection Commissioner were not appealed.
2.9 By civil bill dated the 12th May, 2011, Michael Collins commenced Circuit Court proceedings against FBD Insurance Company Plc including claims for a number of reliefs including a claim for damages under s. 7 of the Data Protection Acts arising from the contraventions by FBD of its data protection responsibilities as detailed in the two decisions of the Data Protection Commissioner. The claim pursuant to s. 7 was the only clam proceeded with in the Circuit Court and it was in respect of that claim under s. 7 of the Data Protection Acts that damages were awarded to the plaintiff by the Circuit Court.
2.10 The second decision of the Data Protection Commissioner identified that the defendant insurance company in its disclosure of documents made on the 25th March, 2009 to the plaintiff’s solicitors had omitted therein to identify or reveal the existence of a report from the private investigator and the decision of the Data Protection Commissioner had identified that there was no written contract in place between the insurance company and the investigator as required by the Acts.
2.11 The proceedings before the High Court were a re-hearing of the case considered by the Circuit Court and during the course of the hearing counsel for the defendant acknowledged that the FBD Insurance Company had breached the Data Protection Acts and accepted the findings of the Commissioner in relation to such breaches and confirmed that no appeal had been taken against the findings made by the Commissioner. Whilst the civil bill had identified particulars of special damage in the form of loss of earnings and alternative transport, no figure was identified in respect of such special damage nor was any loss proved in Court. At the commencement of the hearing before the High Court, it was acknowledged on behalf of the plaintiff that there had been no out of pocket expenses or special damages incurred by the plaintiff arising from the breaches of the Acts. It was on that basis that the issue which was before the Court was whether or not the plaintiff was entitled under s. 7 of the Act to an award of general damages in the absence of any damage including special damage. During the course of the evidence certain limited evidence was led in relation to loss of earnings arising from the plaintiff being without his van for a number of months. That evidence was so imprecise and indefinite that I was unable to conclude that the plaintiff suffered any provable damage or to relate any claimed damage to the breaches of the Data Protection Acts committed by the defendant.
3.1 The plaintiff claims that he is entitled to damages pursuant to s. 7 of the Data Protection Acts for the breaches of the Acts committed by the defendant. In the two decisions of the Data Protection Commissioner, four breaches were identified. Those breaches were:
(a) the failure by the insurance company to furnish data within forty days;
(b) the failure by the insurance company to disclose that documentation; in its possession had been released;
(c) the failure by the insurance company to have the necessary and required contract in place with a private investigator before using such investigator; and
(d) the failure by the insurance company to access District Court conviction orders in the proper manner.
3.2 Section 7 of the Data Protection Act deals with the duty of care owed by data controllers and data processors. Section 7 provides:
“For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned.”
It is the extent of the civil liability for breach of statutory duty as identified in s. 7 which is central to the matters which I must consider. The plaintiff contends that he is entitled to damages pursuant to s. 7 of the Act as there has been a breach of the Act by the defendant. The plaintiff contends that s. 7 establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. The plaintiff also contends that to recover damages under s. 7 of the Act, a data subject does not have to show a loss and damages may be awarded by a Circuit Court Judge, or on appeal by a High Court Judge, so as to allow the data subject enforce his data protection rights. The defendant contends that a plaintiff is not entitled to any award of damages pursuant to s. 7 unless the plaintiff proves actual loss or damage. I must therefore determine what is the extent of damage recoverable under s. 7 of the Data Protection Acts. Section 7 of the Data Protection Acts establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. Section 7 is a statutory provision which expressly provides that a civil action may be taken. Section 7 imposes a statutory duty of care on data controllers and data processors to the extent that the law of torts does not already provide, as regards the collection of personal data and their dealing with the data; the duty is owed to the data subject concerned. The question comes down to whether or not the damages provided for by s. 7 requires that there be proof of damage suffered by a plaintiff as a necessary pre-condition to an award of damages.
3.3 The long title to the Data Protection Act 1988 reads in part as follows:
“An Act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically.”
The convention referred to is the Strasbourg Convention. Section 7 of the Data Protection Acts seeks to provide for remedies as envisaged under Directive 95/46/EC of the 24th October, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 23 of the Directive reads under the heading “Liability”;
“Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.”
What is envisaged by Article 23 is that a person who has suffered damage is entitled to be compensated. Paragraph (55) of the preamble to the same Directive reads:
“Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive.”
The Directive mandates that in the event of a breach that sanction shall apply and Article 24 of the Directive states in relation to sanctions:
“The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.”
3.4 What is obligated under the Directive is that a Member State is obliged to have in place a provision which provides that a person who has suffered damage as a result of an unlawful processing operation or an act incompatible with national provisions is entitled to receive compensation from the controller for the damage suffered. The obligation does not extend to an automatic payment of compensation. It is open to the Member State to provide that the compensation permissible in a Member country’s legislation extends beyond the Directive. That is a matter for each individual Member State. Article 23 provides that a wronged individual may be entitled to payment of compensation but subject to proof of the damage that they have suffered.
3.5 Section 7 of the Data Protection Acts transposes the Directive into Irish law. Section 7 imposes a statutory duty of care on data controllers to the data subject. It is stated in the legal submissions on behalf of the plaintiff that:
“The drafting of the section (s. 7) is perhaps not inspired and academic commentary is sparse. Almost all Irish authority on statutory duty relate to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury”.
I accept that the drafting of s. 7 is imperfect and, to some extent imprecise. However, what is clear is that s. 7 does not provide, within its terms, for strict liability or for the automatic payment of compensation. It limits compensation by a provision providing for the existence of a duty of care within the law of torts. The section does not in its express terms seek to go beyond the obligation for compensation contained in the Directive.
3.6 Insofar as it may be said that the terms of s. 7 are ambiguous or unclear, s. 7 must be interpreted in the light of Article 23 of the Directive. The interpretation of Directives requires not only the construction of the Community Directive or text but also of the national implementing legislation. It is accepted that national legislation ought to be interpreted so as to give effect to the intention identifiable from the text of the Directive itself. Directives are commands addressed to each Member State and each State has a duty to give effect to its obligations under the Directive. That duty does not extend to going beyond the obligation required in the Directive even though the possibility of doing so is permitted, provided the Member State does so clearly within the legislation implementing the Directive. It is submitted by the defendant that the Directive limits the obligation to provide for an entitlement to compensation for the data controller to damage suffered by a person who can prove that they have, in fact, suffered damage arising from a breach of their rights pursuant to the legislation. I accept that submission. It is also the case that s. 7 in the Irish legislation does not, on the face of it, provide for compensation for strict liability or for the automatic payment of compensation but limits compensation to the existence of a duty of care within the law of torts. It is consistent with the general principles of the Irish law of torts that a person seeking compensation arising from a breach of statutory duty must establish that the loss or damage which they have sustained flowed from that breach unless the statutory duty involved is one of strict liability. The Directive does not provide for strict liability or the automatic payment of compensation nor does s. 7 of the Irish legislation so provide, either by its express terms or by reference to a duty of care within the law of torts.
3.7 Consideration of the legislation by which a number of Member States have incorporated the Directive into their national law demonstrates that those countries have proceeded on the basis that there is no need or requirement to go beyond providing for compensation on proof of damage (see the provisions of s. 69 of the Danish legislation on processing of personal data of 2000 and s.8 of the Federal Data Protection Act 2001 of Germany dealing with compensation by a private body which is limited to the harm caused and also s. 15 of the Italian Personal Data Protection Code of 2003 which deals with compensation for damage to another).
3.8 Insofar as it can be claimed that there is an ambiguity within the words of s. 7, that section is required to be interpreted in the light of Article 23 of the Directive and on that basis, and by reference to the terms of s. 7 itself, I am satisfied that s. 7 does not provide for either strict liability or the automatic payment of compensation but limits itself to providing for the existence of a duty of care within the law of torts. For that duty of care, in circumstances where it is a breach of statutory duty to extend to the payment of damages without proof of damage or loss, it would mean that strict liability applied. For that to arise, the section itself would have to have so provided.
4.1 As recognised by the plaintiff in the legal submissions submitted on his behalf, almost all Irish authority on statutory duty relates to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury. Occupational injury claims are often brought on the basis that there has been a breach of the Safety, Health and Welfare at Work Act of 2005 and the regulations made thereunder. That Act, like the Data Protection Acts, has its origin in obligations placed upon Ireland pursuant to a European Directive which provided for significant rights and protections to individual citizens. An individual claimant seeking to rely on a breach of the extensive statutory obligations pursuant to the Safety, Health and Welfare at Work Act 2005 and seeking compensation must establish that he or she has suffered damage flowing from the particular breach in respect of which complaint is made. In other words, the person seeking compensation arising from a breach of statutory duty under the Safety, Health and Welfare at Work Act 2005 must prove damage flowing from a breach and unless that is established, there is no entitlement to damages as the Act does not provide for a strict liability.
4.2 The provisions of s. 7 of the Data Protection Acts provides for an obligation on a data controller or a data processor to exercise a duty of care. A breach of that duty of care can result in the award of damages. However, the section does not provide for automatic damages for a breach of the Act and there is no reference or identification of any strict liability. The Act does deal with and expressly provides for sanctions or penalties for criminal liability (see s. 31). In addressing the requirement to implement the Directive and a need for liability under the Act, the legislature was addressing the requirement to provide for “any person who has suffered damage” and to provide for compensation “for the damage suffered”. The implementation by Ireland, in its legislation, could have gone further and Ireland as a Member State could have provided for greater protection than required under Directive 95/46 (see the case of Re Criminal Proceedings against Lindqvist [2004] QB at para. 49, which identifies that nothing prevents a Member State from extending the scope of the national legislation implementing Directives). In Ireland the legislature determined to implement the Directive into Irish law by reference to a statutory duty of care obligation and not by reference to strict liability.
4.3 As a matter of construction, the statutory obligation which provides for a private remedy for breach of statutory duty under the Data Protection Acts was imposed, not as a strict liability, but as a duty of care obligation. If the statute provides a express means of enforcing a duty, that normally indicates that the statutory right was intended to be enforceable by that means. The entitlement to damages and the scope of such damages is dependent upon a true interpretation of the relevant statutory provision. In this case, where it is clear that there is no strict liability and that liability and the entitlement to compensation is predicated upon and dependent upon a claimant establishing a breach of a statutory duty of care, it necessarily follows that a claimant must establish that the breach has caused the claimant damage if that claimant is to be entitled to damages. In this instance, the entitlement is not to damages for breach of duty, but compensation for breach of duty. Compensation is intended to place an individual in the position which that individual would have been apart from the wrong done. In general, an entitlement to damages for distress, damage to reputation or upset, are not recoverable save where extreme distress results in actual damage, such as a recognisable psychiatric injury.
4.4 Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage. Such requirement is demonstrated in the judgment of Clark J. in Larkin v. Dublin City Council [2008] 1 IR 391 where Clark J. held, in dismissing the plaintiff’s claim, that the defendant had breached its duty to ensure that the results of assessments for appointment to a post were not presented to the candidates until their accuracy had been checked, but that despite that breach by the defendant, the plaintiff had not established that he had suffered from any recognisable psychiatric illness and was therefore excluded from the recovery of damages for public policy reasons. A person seeking compensation arising from a breach of statutory duty under an Act must establish that the loss or damage that such person has suffered flowed from the breach, unless the statutory duty involved is one of strict liability. Here, the statute does not provide for strict liability and for me to interpret s. 7 of the Data Protection Acts as enabling a claimant to benefit from an award of damages for non-pecuniary loss, would be for me to expand the scope of s. 7 beyond that provided for in the Act or required by the Directive. The Directive in issue in this case requires for there to be compensation for damage suffered and s. 7 does not extend beyond that obligation. Section 7 provides an obligation of duty of care and allows for a remedy under the law of torts and the law of torts generally provides for compensation to be based upon certain criteria which includes the proof of damage.
5.1 The defendant sought to rely on various English decisions concerning the U.K.’s legislation implementing the Directive, namely, the Data Protection Act 1998. However, consideration of the provisions of that Act and, in particular, s. 13(2) dealing with compensation which allows for compensation to an individual “. . . who suffers distress by reason of any contravention”. The U.K. Act goes beyond the requirements in the Directive and expressly provides for compensation for distress. The Irish legislation does not. In those circumstances, I have decided this case without regard to the English authorities as the statutory approach to damages is different.
6.1 In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant. While certain limited evidence was led by the plaintiff in relation to the consequences of delay, no evidence was led to prove such damage or to establish that any damage flowed from the admitted breach of statutory duty on the part of the defendant. In those circumstances, the plaintiff in this case is not entitled to any damages as he has failed to establish that he has suffered any loss or damage within the scope of s. 7 of the Data Protection Acts. The statutory position in Ireland is that no matter how blatant the breach that the person the subject of the breach can only receive damages on proof of loss or damage caused by the breach.
7.1 Whilst I am satisfied that the plaintiff is not entitled to an award of damages, and that therefore the Circuit Court order should be vacated, the Court will have regard to both the manner in which the defendant company conducted itself in relation to the investigations carried out by the Data Protection Commissioner, and also to the fact that the issue as to the limitation of the nature of damages under s. 7, which has resulted in the defendant succeeding in this appeal, was not argued in the Circuit Court when addressing the question of costs.
Realm Communications Ltd -v- Data Protection Commissioner
[2009] IEHC 1
JUDGMENT delivered by Mr. Justice McCarthy on the 9th day of January 2009
1. Pursuant to the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003, made, pursuant to s. 3 of the European Communities Act 1972, by Statutory Instrument No. 535 of 2003 (“The Regulations”) and in particular Regulation 13(1)(b):-
“A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such communication”.
and by the provisions of Regulation 13(9)(a):-
“A person who fails to comply with paragraph (1) … shall be guilty of an offence”
and, in turn, by s. 31(1A) of the Data Protection Act 1988 (as amended by the Regulations):-
“A person guilty of an offence under the … regulations … shall be liable on summary conviction to a fine not exceeding €3,000 …”
2. There are pending before Dublin Metropolitan District Court some 60 summonses charging the applicant (“Realm”) with offences contrary to Regulation 13(9(a) although they are perhaps infelicitously worded, to put it no further, in as much as the offence is one contrary to Regulation 13(1)(b) of using or causing to be used an electronic communications service contrary to the prohibition in s. 13(1)(a) of the Regulations, the penalty provision being s. 31(1A) of the Act.
3. On the 28th April, 2008, my colleague Peart J. afforded leave to Realm to seek certain relief to restrain the continuance of those proceedings by the Data Protection Commissioner (“the Commissioner”) (and of course they are stayed pending the outcome hereof). That relief (so far as it is substantive and relevant at this juncture) is set out in the statement grounding application for leave to apply for judicial review (“Realm’s Statement”) at paragraphs 1 to 5 inclusive, as follows:-
“(1)A declaration that the respondent acted unlawfully in issuing summonses for alleged contraventions of Regulations 13(1)(b) and Regulation 13(9)(a) of the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 (S.I. No. 535/2003) (“the 2003 Regulations”) and section 31(A) of the Data Protection Acts, 1988 and 2003 (“the Acts”) (as inserted by Regulation 17(1) of the 2003 Regulations) in circumstances where the respondent has failed in his statutory obligation to arrange within a reasonable time for the amicable resolution between the Applicants and the complainants of complaints in relation to the alleged contraventions the subject of summonses.
(2) A declaration that the Respondent can only lawfully exercise his power under the Acts to summarily prosecute on foot of complaints of contraventions of the 2003 Regulations if section 10(1) of the Acts has been complied with.
(3) A declaration that the Respondent has failed to satisfy the statutory precondition to the exercise of his power to prosecute a contravention of the said Acts and/or the 2003 Regulations, that section 10(1) of the Acts be complied with.
(4) An Order by way of Certiorari quashing the Respondent’s decisions to institute the summary prosecutions instituted by the respondent against the Applicant, as set out in the Schedule to this Statement of Grounds.
(5) An Order by way of prohibition preventing the Respondent from further prosecuting the said summonses.”
4. The grounds upon which leave was granted are those set out at paragraphs 1 to 7 inclusive of para. E of Realm’s Statement, as follows:-
“(1) The Respondent is a statutory officer who is appointed by the provisions of the Data Protection Act 1988, as amended to be the supervisory authority in the State for the purposes of enforcing the State’s obligations to its citizens in respect of data protection matters.
(2) Under the terms of the Data Protection Act 1988, as amended the Respondent is given a range of civil and criminal enforcement powers, including the powers to issue enforcement notices and prohibition notices and to institute summary prosecutions, in respect of contraventions of the Acts and the 2003 regulations.
(3) Regulation 17(1) of the 2003 Regulations (which give effect to Directive 2002/58/EC) (“the Directive”) provides, inter alia, that section 10 of the 1988 Act as amended (including the provisions of section 10(1) in relation to complaints) shall apply to the 2003 Regulations. The provisions of section 10(1) of the 1988 Act as amended accordingly apply to a complaint made to the Respondent that there has been a contravention of, inter alia, Regulations 13 of the 2003 Regulations.
(4) The Respondent asserts that he has received a number of complaints from consumers that they have received unsolicited communications from the Applicant in contravention of Regulations 13(1)(b) and 13(9)(a) of the 2003 Regulations.
(5) Despite the clear obligation on the Respondent, pursuant to section 10(1) of the 1988 Act as amended, to arrange within a reasonable time for the amicable resolution by the parties concerned of the matter a subject of the complaint before deciding to take any enforcement steps (including summary prosecution) the Respondent unlawfully and/or irrationally and/or in excess of jurisdiction failed to make any attempt at all for the amicable resolution by the parties of the complaints concerning alleged contraventions of the 2003 Regulations, before deciding to prosecute same.
(6) The Respondent has acted unlawfully and/or irrationally and/or in excess of jurisdiction in deciding to prosecute the Applicant for alleged contraventions of Regulation 13 of the 2003 Regulations without complying with a necessary statutory precondition of the commencement of such proceedings and/or in failing to arrange for amicable resolution for the said complaints before instituting the summary prosecutions.
(7) The Respondent has acted in breach of the Applicants’ rights to fair procedures and natural justice, including its rights pursuant to Article 40 of the Constitution and Article 8 of the European Convention on Human Rights and its rights under the Acts and 2003 Regulations.
5. Reference is made, both in the grounding affidavit sworn on behalf of Realm and at para. 37 of Realm’s outline (legal) submissions to certain guidelines published on the Commissioner’s website under the heading “Complaint Outcome” and to a subsequent “Guidance Document”, apparently also published on such website, the tenor of the first of which is that all complaints do not necessarily result in prosecutions but that in the first instance the Commissioner attempts to resolve matters amicably. The second is, apparently, a bald statement to the effect that the Commissioner is obliged to seek an amicable resolution of complaints. It is not contended on behalf of the applicant that anything in the nature of an estoppel or legitimate expectation could give rise to an inhibition of prosecution here, and in my view, rightly. The core basis, accordingly, for seeking to inhibit prosecution is that summarised in para. 1 under the heading of “the Relief Sought” in Realm’s statement and, accordingly, amounts to the proposition that it is a condition precedent to a prosecution in respect of the offences now pending that an attempt be made to seek amicable resolution of the complaints giving rise to the charges. This arises because of the provisions of s. 10(1) of the Acts which is as follows:-
“10.(1)(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.
(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall
(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and
(ii) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him of the notification.”
6. I have herein referred to the Data Protection Acts 1988 – 2003 and the Regulations for convenience sake as “the Acts” unless otherwise appears: this is so notwithstanding the fact that they were amended by the Regulations. These, transposed into Irish law the Directive.
7. The Statement of Opposition of the 3rd June, 2008 (“the Commissioner’s Statement”) is extensive and I accordingly do not propose to set the grounds therein out in full but merely to summarise the substantive elements, as follows:-
“(a) That (of course) the power of the Commissioner to investigate compliance with, or a possible contravention of, the provisions of the Acts provides the “necessary underpinning” for the exercise of his powers of enforcement and he asserts that there are three separate bases for investigation, firstly, being that arising under s. 10(1) aforesaid, secondly s. 10(1A), which provides that:
‘The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the … Regulations … and to identify any contravention thereof”
and, thirdly, pursuant to s. 10(1B) which provides that:-
“The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with (inter alia Regulation 13) and to identify any contravention thereof”
(b) That an unsuccessful attempt by the Commissioner to arrange for amicable resolution is “solely and exclusively a condition precedent” to a decision (and the notification to a complainant of a decision) under s. 10(1)(b) of the Act and not a condition precedent to the exercise of any of his investigation powers or to the exercise of any of his enforcement powers or, most importantly in the present context, his capacity to prosecute.
(c) That the requirements of s. 10(1)(b) in respect of complaints by natural persons do not displace the Commissioner’s entitlement to conduct a separate investigation (whether related or distinct) pursuant to other investigatory powers even if such investigation is the subject of an individual complaint.
(d) That the term “reasonable time”, referred to in s. 10(1)(b)(ii) is to be construed by reference to all of the surrounding circumstances (including the fact that the Commissioner might have conducted an extensive investigation into the complaints with all due expedition).
(e) That in as much as the Regulations transpose the Directive, and such Directive does not contemplate a “prior requirement to mediate” (whereby any such requirement would be outside the terms of the Directive) no such construction of the power of prosecution is permissible and, in addition, “would not be required or necessitated by the terms of the Directive”.
(f) That the Commission has not acted in breach of the applicant’s right to fair procedure and natural justice or of its rights under the Acts or the Regulations or, in the, any breach of its rights under the Constitution or Article 8 of the European Convention on Human Rights and Fundamental Freedoms.”
The allegation of breach of rights under Article 40 or Article 8 aforesaid has not been pursued, nor has an assertion of a breach of natural justice or fair procedures. I think that this was the correct course in as much as if there is, as a matter of law, a capacity to prosecute without a condition precedent, I know of no rule of law which imposes any obligation on the prosecutor to hear the putative accused before deciding upon, and commencing, a prosecution.
8. The relevant affidavits for the purpose of this judgment are those of Mr. Higgins (Realm’s Managing Director) of the 25th April, 2008, and of Mr. Davis (Deputy Data Protection Commissioner) dated the 3rd June, 2008. I have, of course, to a degree, referred to the facts of the matter above. So far as material, as to further relevant facts deposed to therein, Mr. Higgins says that disclosure of documents took place at Realm’s request, by the Commissioner qua prosecutor (as ordinarily occurs in the case of prosecutions on indictment but, exceptionally, only, in the case of summary prosecution) (and rightly disclosed in the present case if only because it avoided the necessity for discovery herein) and that the prosecutions were based on the complaints of fourteen complainants. This term is not used in this context as a term of art and there is no such term in the Acts. He says that there was a good working relationship between Realm and the Commissioner, that there was co-operation in respect of a number of individual instances of alleged contraventions of the Acts or Regulations and that Realm welcomed the introduction of the regulatory procedure. He refers to a so called “dawn raid” and to the fact that during such raid a journalist contacted him and that subsequently, before service of summonses, a journalist also communicated with him in relation thereto. I am not required to address whether or not these enquiries resulted from “leaks”, or, if they did, what the legal consequences (if any) thereof might happen to be. I accordingly ignore this aspect of the matter.
9. It would appear from Mr. Davis’s affidavit that the Commissioner seeks to deal with enforcement issues without recourse to prosecution whilst remaining “fully entitled to adopt the latter course”, that so called mediation in respect of individual complaints would not be effective so far as repeated offenders are concerned, that a small portion of recipients of unsolicited texts make complaints and that the proportion of those who do so is in the order of one in ten thousand whereby, he asserts, if the condition precedent alleged exists the remedy (presumably of prosecution) would be ineffective. He further asserts that any obligation to mediate successive complaints would mean that the respondent, whilst engaged in mediation in respect of some complaints, might be in receipt of further complaints against the same person to the point of a course of conduct and that the Commissioner treats the handling of complaints that might or might not result in a decision by him (under s. 10(1)) as an entirely separate activity to the function of prosecuting breaches: apparently, these are dealt with by separate units in the Commissioner’s office. Mr. Davis refers to the so called dawn raids and to the fact that they occurred against a background of “significant concern” regarding the sending of so called SMS messages (being unsolicited mobile telephone text messages) for marketing purposes without the consent of the recipient.
10. The applicant has set out a conspectus of the Directives giving rise to the present law in the State and it is submitted that the proper construction of s. 10 of the Acts “in light of the scheme of the Communications Data Protection Directive, the 2003 Regulations and the Acts as a whole” gives rise to the condition precedent to the taking of enforcement actions, including prosecutions. The proposition advanced, based upon Bell and Ray in EU Electronic Communications Law, that the Directive aims to harmonise the law in this field and to thereby encourage free movement of data, electronic communications equipment and services seems uncontroversial as do the recitals (6, 40, 41 and 47) in the Directive, which are quoted.
11. The first of these recitals, inter alia, is to the effect that the “Internet is overturning traditional market structures” and that “publicly available electronic communications services over the Internet opened up new possibilities for users and also new risks for their personal data and privacy”, that, (as set out in recital 40) “safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes, in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages” and that “where the electronic contract details are obtained, customers should be informed about their further use for direct marketing and be given the opportunity to refuse such usage…” (as appears from recital 41). As appears from recital 47, penalties must be imposed for failure to comply with national measures taken under the Directive. There is nothing in these recitals or in any other part of the Directive, either quoted by Realm or otherwise which supports a contention that attempted amicable resolution is a condition precedent to enforcement, whether by prosecution or otherwise (in the case of complaints by natural persons). There seems to me to be no difference between the scheme of the domestic law implementing the Directive or any sufficient distinction between the Directive and the Acts or Regulations to assist in respect of the proposition advanced and therefore it suffices to have regard only to the national provisions.
12. Reference is made to a schematic or teleological approach to the interpretation of the Directives’ provisions but even if it was necessary to have regard to the Directive for the purpose of gaining a true understanding, or properly interpreting or construing our legislation (which it is not) it might, firstly, be arguable that such schematic or teleological interpretation is unnecessary but if it was, it seems to me that there is nothing in the application of that principle of interpretation (as summarised in the passage from Dodd on Statutory Interpretation in Ireland, quoted in the applicant’s submissions), which adds anything to Irish law since the Directive is fully and properly transposed into it (and no proposition is advanced here to the effect that it is not), or having regard to Irish law only.
13. Further in the European context reference is made by Realm to Article 13 of the Directive (“unsolicited communications”) and it is suggested that having regard to its provisions “out of court resolution of complaints” is “entirely consistent with this scheme”. I do not doubt that this is so but that is not the point. What is in issue is not whether or not it is consistent with but whether or not it is a condition precedent to prosecution, involving, as it does, in the event of conviction, the imposition of penal sanctions as required by the Directive. I do not understand on what basis it is submitted that, by reference to that Article of the Directive, (as at paragraph 32 of the applicant’s submissions) that “in the event that there is a complaint as to the manner in which such texts are received or whether they comply with the Regulations, an attempt to amicably resolve is a sensible precondition to any more serious enforcement measures” – it may be but, again, it tells us nothing as to whether or not such a condition precedent arises; such a proposition does not follow directly or indirectly from Article 13, in any event: it is simply a bald assertion, unsupported by a chain of reasoning.
14. It is undoubtedly the position, as pointed out by the parties, that the Directive imposes no explicit obligation on the State, in implementing it, to provide for an attempted amicable resolution as a condition precedent to enforcement. Realm points out that the Directive as implemented in Irish law seeks to strike a balance between the legitimate interests of businesses in using electronic communications networks, on the one hand, and privacy and data protection rights of persons in respect of information confidential to them. There is no reason to suppose that it must follow therefrom that Irish law, in implementing the Directive, must include the inhibition on prosecution for which Realm contends. One cannot but say that it would be permissible to do so (unless of course it was to undermine the scheme of protection or other desiderata, such as the free movement of services) but that is a far cry from saying that on any view of the Directive it is essential in order to strike an appropriate balance between those competing interests.
15. It is further submitted that the existence of a provision pertaining to amicable resolution as a condition precedent to prosecution is consistent with the wording of s. 10 of the Acts; one can understand, of course, why the statutory scheme might direct the Regulator, in certain instances, to attempt to amicably resolve complaints, but, again, one can understand why it might not, for example, because of the difficulty of addressing egregious and repeated breaches by the same party with respect to the same complainant, thus giving rise to a situation where an amicable resolution had to be attempted in respect of each or any complaint received no matter how ineffective or time consuming that might be as a matter of practice. I cannot see why the Oireachtas should be taken to have intended this, when it does not say it.
16. At the end of the day one only tool of interpretation is required, namely, consideration of the Statute, as amended, in accordance with the natural and ordinary meaning of the words used therein. This form of interpretation is itself relied upon by Realm. Realm make the point that its interpretation is consistent with the Commissioner’s published material. This may be so but the Commissioner’s published material may or may not, in a given case, correctly express his legal powers or duties. I do not think that it is an aid to interpretation by a court that a party has, on some previous occasion, taken a given view of the interpretation of a Statue, but now takes a different view. Any prior erroneous view as to, say, the powers or duties of an entity such as the Commissioner are of no assistance to a court in deciding the correct view in law. There may, of course, from time to time, be other consequences of error and they are not relevant in this action. I need hardly say that one considers the provisions of s. 10 only in their statutory context as a whole. Such an approach could give no different a result by reference to the Directive itself as I have said above.
17. The natural and ordinary meaning of the words of the Statute seem to me to give rise to investigatory powers under the three heads pleaded in the Statement of Opposition, i.e. pursuant to s. 10(1), pursuant to s. 10 (1)(a) and s. 10(1)(b). These powers are undoubtedly overlapping: all three afford a general power of investigation but the difference between s. 10(1) and the others is an obligation in certain circumstances to attempt to arrange an amicable resolution concerning the matter in complaint. There is no suggestion here but that such complaints have been made: it is said at para. 21 of Mr. Higgins’s affidavit that “it seems clear” that these prosecutions were commenced “on the basis of complaints received by (the Commissioner)” from (presumably) the persons named in the summonses. One would have thought, however, that the process of investigation would extend beyond the mere mechanical receipt of a complaint. The very use of the term poses difficulties because presumably a complaint will be of greater or lesser substance (in terms of the detail afforded and the capacity to address such complaint without further or more extensive investigation). One would have thought that in every case investigation beyond mere receipt of the complaint would be required if the investigation was to be competent, if only by verification of some technical detail (e.g. a telephone number) furnished by a complainant.
18. In any event, under s. 10(1)(a) the Commissioner is afforded power to investigate, inter alia, in the case of an individual complaint and if one proceeds to s. 10(1)(b)(i) one sees that there is an obligation to investigate (i.e. to exercise that power) where such individual complaint is received, unless it is frivolous or vexatious. Thereafter, in default of an amicable resolution “by the parties concerned” the Commissioner must make a decision and notify the same to the complainant, informing him that if he is aggrieved he may appeal to the Circuit Court pursuant to s. 26 of the 1988 Act. It seems reasonable to conclude, that the term “may” in s. 10(1)(a) affords authority or power to investigate with mandatory investigation only of a complaint by a natural person which it is neither frivolous or vexatious. Of course, as pointed out by Kelleher “the Commissioner, by undertaking the level of investigation necessary to determine whether a complaint is frivolous or vexatious will thereby have discharged any duty to investigate (see 16/08 “Privacy and Data Protection Law in Ireland”). There is nothing in the provision, or elsewhere in the Acts, of course, which in any way inhibits the capacity to prosecute whether on foot of an individual’s complaint or otherwise, and whether the provisions of s. 10(1) are invoked or applicable or not. The proposition must accordingly be that notwithstanding the absence of any explicit inhibition in s. 10 or elsewhere the fact of an obligation to attempt to arrange, within a reasonable time, an amicable resolution in the case of complaints made by natural persons, must be interpreted as importing a limitation on the power of prosecution or a prohibition thereon unless resolution has been attempted and failed.
19. I cannot see any warrant for a court to add to the section or otherwise to the Acts. Accordingly it may well be that in tandem with the preparation of, and the ultimate commencement of, criminal proceedings an attempt at amicable resolution might take place and prima facie there is nothing to inhibit such a course. It would, however, if adopted, be an outcome potentially beneficial to the complainant who of course would have no role in the criminal proceedings except perhaps as a witness and the outcome whereof might not satisfy him in terms of the complaint beyond, perhaps, a moral vindication of his position. I see no absurdity, ambiguity, obscurity or capacity for advancing the proposition that a literal interpretation would fail to reflect the plain intention of the Oireachtas. Hence, I do not think that s. 5 of the Interpretation Act 2005, permits anything other than the normal rule of interpretation. In this regard reliance has been placed by the Commissioner on the judgment of Denham J. in D.B. v. The Minister for Health and Children and the Hepatitis C Compensation Tribunal (Unreported, Supreme Court, 26th March, 2003). Denham J. repeated the approach she took in M. O’C. v. Minister for Health (Unreported, Supreme Court, 31st July, 2001) when she held that:-
“It was well established that in construing statutes effect should be given to clear and unambiguous words, for the words of the statute best declare the purpose of the Act …”.
It seems to me that little more need be said in respect of the manner in which one must approach the interpretation of the statutes or of s. 10.
20. Further, let us suppose an amicable resolution took place. The breach would still exist. There is nothing in the Act which in some sense would “expunge” or render inadmissible evidence of the breach, such that a prosecution could not be maintained. The facts would remain as they always had been whether the complainant was satisfied with his lot or not. The Commissioner has strongly emphasised the nature of the criminal prosecution in the common law which is, as we know, an issue between the State (or the community) and an alleged wrongdoer and that the private interest of any party injured or aggrieved by that wrongdoing constituting the offence (which might, of course, be a civil wrong as well) is irrelevant in point of law. Thus, I accept the proposition that the erection of the condition precedent here would uniquely fetter the prosecutor in the exercise of his discretion and would thus thereby introduce, in point of law, a question of private interest into the community’s right to enforce the law. Of course in the event of an amicable resolution a complainant might prove to be indifferent to the prosecution but that is of no moment. Nor do I think that it could have been in the contemplation of the Oireachtas to place in the hands of a criminal (I speak generally, of course) the capacity to delay and perhaps undermine a prosecution by merely ostensibly engaging in an attempt at amicable resolution whilst, to a greater or lesser extent, placing obstacles in the way of a prospective prosecution for any number of commercial or other reasons. Such things are not unknown in the enforcement of the criminal law! Such a provision would introduce an entirely new phenomenon at variance with the nature of criminal prosecutions. I cannot believe that the Oireachtas would have intended to introduce such drastic change into the administration of criminal justice without explicitly saying so.
21. Of course, in truth, Realm fails to answer the question which must arise, ipso facto, if its assertion about the existence of a condition precedent is correct. This is the issue of what might occur if the attempt was successful. One would have thought that on any view of the Acts nobody could contend that there is a prohibition or bar on prosecution in the event of successful mediation. Presumably it might be the hope of a party such as Realm that no prosecution would be commenced but I cannot see how the Oireachtas would have merely imposed an obligation to attempt to mediate, when such attempt, even if successful, had no bearing on whether or not a prosecution could be initiated. I think that this is explicable only on the basis that the statutory obligation to seek an amicable resolution is unrelated to prosecution. One might see some logic, perhaps, to the proposition that a prosecution was barred in the event of a resolution. Again I do not propose to rewrite the Acts in this respect.
22. We know, also, that pursuant to the Acts a summary prosecution must be commenced within twelve months of the date of the offence and it is presumably possible that the fact of an offence could be brought to the attention of the Commissioner by a complaint within perhaps days of the expiry of the relevant period. The relevant provision is s.30(2) of the Act and the period is an extended period to that ordinarily contemplated pursuant to s. 10(4) of the Petty Sessions (Ireland) Act 1851. Whilst I accept that the term “reasonable time” could only, by definition, be reasonable in relation to the surrounding circumstances (including the time limit applicable for the commencement of a prosecution) there would be cases where there was no reality to attempted amicable resolution within days only and the Oireachtas cannot have intended that some form of charade or merely nominal attempted resolution should be attempted. The position might be different if, of course, the Oireachtas had, say, provided for a suspension of the running of the time during a period of attempted mediation (something which in the event that the unprecedented concept of a condition precedent were to be introduced, might not be irrational).
23. Further, I cannot see how the Oireachtas might have conceived that there could be an effective enforcement of the provisions of the Acts by the criminal law if, in every case where a natural person had complained, whether or not the Commissioner had other sufficient evidence prior to such complaint or garnered it directly or indirectly as a result thereof, the Commissioner might be required not merely to prove the fact of the crime but also the fact that there had been an attempt at amicable resolution being, of course, a real or meaningful attempt rather than something that could be stigmatised as a mere colourable device.
I therefore refuse the reliefs sought.