Challenging times for Ireland’s Data Protection Commissioner
For the second time in two years, the DPC’s critics are asking: who is policing Ireland’s privacy police?
Data privacy: Criticism of Ireland’s data protection regime is not new around Europe
Austrian privacy campaigner Max Schrems
Helen Dixon, Data Protection Commissioner
Gerard Rudden, partner with solicitors Ahern Rudden Quigley and a prize-winner at last week’s Irish Law Awards in relation to the Schrems case
Life is about to get less comfortable for Ireland’s Data Protection Commissioner (DPC). For the second time in two years, judges at Europe’s highest court are to adjudicate on a case passed to them by an Irish court. For the second time it involves a case the DPC declined to take on. For the second time in two years, the DPC’s critics are asking: who is policing Ireland’s privacy police?
Criticism of Ireland’s data protection regime is not new around Europe. As frontline regulator for 500 million EU citizens in the case of big companies based in Ireland, like Facebook, critics have raised concerns about the DPC’s commitment – and resources – to meet its mandate of securing citizens’ rights to privacy, and ensure they have access to data held on them.
Commissioner Helen Dixon, in the job since 2014, challenges these critics by pointing to a doubling of resources and a new Dublin office.
Her office operates under Ireland’s data protection acts, dating from 1988 and its 2003 amendment, obliging it to investigate all claims it receives (13,500 last year in total) unless they are deemed unlikely to succeed – in legal language “frivolous and vexatious”. Such contacts with the DPC fail to clear its first hurdle.
Among the cases discarded by the DPC in round one, however, were two cases with far-reaching consequences for privacy in Europe – and for the DPC’s own operations.
Both cases were taken by men who believed they had been denied access to personal data. Both asked the DPC to get involved. In both cases the DPC declined.
Mr Schrems, an Austrian privacy campaigner, took on Facebook’s global operation based in Ireland, concerned that the social network’s data collection policies breach European privacy laws.
As a law student, he filed a complaint with the DPC over Facebook in 2011, starting a multi-pronged legal battle that gathered momentum after revelations of mass US surveillance by whistleblower Edward Snowden.
He eventually withdrew one element of his case, but another went all the way to the European Court of Justice (ECJ), the EU’s highest legal forum. In a landmark ruling last year on foot of his case, the Luxembourg court toppled the 15-year Safe Harbour agreement, one of the major channels of data transfers between Europe and the US.
But this landmark ruling only came about because Mr Schrems refused to accept the Irish DPC’s view that his case had no legal merit.
He took a judicial review against this decision and, in the High Court, the Portarlington-based data protection office insisted that its hands were tied in the matter because of European Commission provisions, a point on which the High Court agreed.
But, tied hands or not, the High Court recognised the implications of the Schrems case, knocked it on to the ECJ, and eventually ordered the DPC to investigate Facebook.
Challenge to DPC
Another determined student who has now challenged the DPC is Peter Nowak. After four failed attempts to pass an exam set by the Institute of Chartered Accounts of Ireland (ICAI), the trainee accountant asked to see his exam scripts. The ICAI declined, saying that they were not obliged to do so.
The DPC agreed, advising Mr Nowak in June 2010 that “exam scripts do not generally fall to be considered . . . because this material would not generally constitute personal data”. In its reply to a formal complaint by Mr Nowak, the DPC took a similar approach as in the Schrems case, deciding the complaint was “frivolous and vexatious”.
But both students refused to go away.
Mr Nowak took a different route to Mr Schrems, pursuing his claim through the circuit court, the High Court and the Court of Appeal.
Only when he got to the Irish Supreme Court did that court say it was not at all sure of whether an exam script constitutes personal data – and decided to ask the ECJ for guidance.
Which raises two questions. First: if the Supreme Court is not sure whether an exam script constitutes personal data, why are the DPC’s lawyers so certain?
And second: is it just bad luck that, for the second time in two years, Irish courts have asked the EU’s highest legal instance to look closer at privacy cases where Ireland’s data watchdog said there was no case to answer?
Until now the DPC, founded in 1988, has argued that, under Irish law, its “frivolous and vexatious” dismissals are a preliminary step before opening a formal complaint and, as such, not subject to appeal.
Until the Nowak case, Irish courts have followed this line of thinking. But this may no longer be the case. In its Nowak judgement, the Supreme Court has queried why Ireland’s data protection acts offer appeals only after full investigations and not preliminary rulings.
“A decision that a complaint is misconceived as a matter of law, or is otherwise frivolous or vexatious, is just as likely to be wrong and in need of correction as any other decision made by the Commissioner on matters of fact or law or both,” it said.
The Supreme Court arrives at the “simple conclusion” that, contrary to the DPC claims, the Nowak case did have an appeal to the Circuit Court.
Does this mean the DPC, after years claiming otherwise, is now subject to the scrutiny of the courts over all the cases it refuses to take on?
“Yes, that is exactly what it means. The Supreme Court has dismissed this argument in its entirety,” said Gerard Rudden, partner with solicitors Ahern Rudden Quigley and a prize-winner at last week’s Irish Law Awards in relation to the Schrems case.
Seasoned DPC complainant Max Schrems says the Nowak ruling effectively pulls the plug on the DPC’s self-imposed immunity from judicial scrutiny.
Prior to this, he says, “it was unlikely that people would pursue the only real avenue open to them, the expensive, complicated and difficult judicial review”.
Mr Nowak has welcomed the judgement, hoping it will “teach the DPC to sensibly and diligently approach every complaint made to that office”.
Opening the door to the Nowak ruling was Luxembourg Schrems ruling. While the headlines focused on its shredding of the “Safe Harbour” data transfer rules, the court also took issue with the lack of an appeal mechanism in data protection cases in Ireland.
After passing that baton to the Supreme Court, it ruled the Nowak case a “significant” data protection case. The DPC refusal, it argued, was “precisely the sort of issue that should be capable of appeal to a court of law”.
‘Not reasonably forseeable’
Responding to written questions from The Irish Times, the DPC said “the path these very specific Schrems and Nowak matters took was not reasonably foreseeable”. The Portarlington agency said it deals with thousands of individuals each year who receive a satisfactory outcome to matters they raise.
“The vast majority of issues are amicably resolved by the office and we are not aware of cases other than those to which you refer which concern ‘frivolous and vexatious’,” it added.
However, DPC officials concede they have no system in place for classifying cases they dismiss as “frivolous and vexatious”, and thus cannot put a number on the number of cases over the years the DPC has declined to investigate for this reason.
For DPC critics around Europe, the Nowak case raises further questions about Ireland’s data protection regime which already faced scrutiny after the Schrems verdict.