The Data Protection Commission has ruled that Dropbox, the online data storage and sharing company, unlawfully shared private data held by two employees of Red Flag Consulting with lawyers for businessman Denis O'Brien.
The data was given "without a lawful basis", according to the commission, to Eames Solicitors acting for businessman Denis O'Brien who is suing the public relations company.
The commission's judgment is contained in a ruling issued last week on a complaint against Dropbox made in January 2017 by Red Flag employees, Bríd Murphy and Kevin Hiney.
In a 21-page judgment, the commission notes that, after a motion for discovery was withdrawn by Mr O’Brien’s lawyers, Dropbox faced “continuing pressure” from Eames which “culminated in the unauthorised disclosures” to them.
The data commissioner's investigation is linked to a long-running legal action by Mr O'Brien against Red Flag and five named defendants, including Gavin O'Reilly, the company's chairman, and Karl Brophy, its chief executive.
The others on the list are Red Flag employees, Séamus Conboy, Kevin Hiney and Bríd Murphy, and the Galway-based businessman, Declan Ganley, who was added later.
The action began in October 2015 when Mr O’Brien claimed he was the victim of a conspiracy to damage him and his businesses, in the process of which he was defamed. Red Flag et al denied this.
Mr O’Brien’s case revolves around a USB memory stick containing a dossier of 339 files, mainly cuttings of published articles and unflattering assessments of the businessman.
The dossier, but not the USB, originated in Red Flag and Mr O’Brien’s case quickly became a tussle over the businessman’s efforts to get access to Red Flag computers and any digital records relating to the dossier.
Mr O’Brien sought access to the Dropbox accounts of Bríd Murphy and Kevin Hiney. Lawyers for Red Flag opposed this, while Dropbox said it would comply with any court order made.
After legal arguments, the motion for discovery was withdrawn, and no order was made but costs were awarded to Red Flag. However, Eames Solicitors continued to seek the information.
“Dropbox faced continuing pressure from the plaintiff’s solicitors [Eames] to provide further information in relation to the complainants’ [ie Murphy and Hiney’s] Dropbox accounts and usage.
“[T]he prudent course of action for Dropbox would have been to maintain its initial position by refusing to provide any further information sought by the plaintiff in the absence of a court order,” the ruling says in paragraph 68.
The personal data disclosed by Dropbox "may have been limited in nature and some or all of the information may have already been known to the parties to the High Court proceedings", it went on.
“It appears that, by furnishing this further information . . . Dropbox disclosed personal data in respect of matters of some sensitivity and controversy in the High Court proceedings . . .”
During exchanges with solicitors for Dropbox, Gallenalliance, Red Flag's solicitors, Eugene F Collins had charged that "unauthorised" contacts had been "concealed".
Responding, Gallenalliance rejected the complaints made by Eugene F Collins, adding that “a complaint submitted to the Data Protection Commissioner would be entirely meritless”.
However, in its ruling, the commission ruled that Dropbox had “breached Section 2A of the [Data Protection] Acts by processing the personal data [of both] without a lawful basis for doing so”.
Asked to comment, Ms Murphy and Mr Hiney issued a statement saying: “We welcome the very comprehensive and damning ruling of what was a very serious breach of our personal data and are considering our next move.”
Questions submitted to Eames Solicitors, to Denis O'Brien's spokesman, to Gallenalliance, and separately to its managing director John Gallen, did not elicit any response.
In a statement to The Irish Times on May 11th, Dropbox said: "The privacy and security of our users is our top priority. We want to be clear that we do not give access to the contents of a user’s account without proper legal process, and did not do so in this case. As always, we thank the Data Protection Commission for its guidance and engagement with us.”