Circuit Court: Courts Service loses appeal against finding that it breached pre-GDPR data protection legislation
The Courts Service has lost an appeal against the Data Protection Commissioner’s finding that it breached pre-GDPR legislation by publishing the name of a notice party who had been granted anonymity.
Dismissing the appeal, Judge Francis Comerford said the Courts Service was obviously a data controller, and agreed with the Data Protection Commissioner that it was unnecessary to have “complete control” over all aspects of the process in order to fall within the definition of data controller.
The notice party in the present proceedings, PM, was a notice party in another case concerning sexual abuse. In January 2014, the High Court judge made an order that nothing that could identify PM should be published.
In May 2014, the same High Court judge delivered judgment in those proceedings – and, as delivered, the judgment contained PM’s name at various points. The Courts Service disseminated the judgment on its website with PM’s name included, and the judgment was also disseminated to various libraries which maintain databases of judgments.
Soon after, the Courts Service was notified by a solicitor involved in the case that the dissemination was in breach of the High Court order granting anonymity. Consequently, the Courts Service removed the judgment from its website and requested the various libraries to delete it; however, this did not prevent a report of the case including PM’s name from “appearing in at least one instance in the print media”.
Data Protection Commissioner’s decision
In July 2014, PM made a complaint to the Data Protection Commissioner, who did not initially indicate that there had been a breach of data protection law. In June 2016, PM “revitalised his complaint” and the Commissioner opened an investigation.
In June 2018, the Commissioner issued a decision on the matter, finding that the Courts Service was a data controller for the purposes of the legislation. In stating that “complete control over all aspects of data processing” was not necessary for satisfying the definition of a data controller, the Commissioner was “heavily influenced” by the CJEU’s ruling in C-210/16 Wirtschaftsakademie Schleswig-Holstein.
Considering the Data Protection Acts 1988 and 2003, the Commissioner found:
- There had been a breach of section 2(1)(d) in failing to have in place appropriate security measures to prevent unauthorised disclosure;
- There had been a breach of section 2A (disclosures of personal data);
- There had been a breach of section 2B (disclosure of sensitive personal data).
Appeal to the Circuit Court
The Courts Service appealed against the decision of the Commissioner, arguing that it has no control over the contents of a court judgment and that, once a judge has given a direction to publish a judgment, it has no control over whether that judgment is published.
The Courts Service contended that it was not exercising one of its own functions but was taking steps with regard to a function directly connected with the administration of justice which could only be a matter for the judiciary. Considering BPSG Ltd v Courts Service and ors  2 IR 343 and DPP v Nash, the Courts Service submitted that the publishing of a judgment is an act required to be performed by a judge as part of the administration of justice, so that the Courts Service must publish the judgment on its website in whatever form it is delivered to it by the judge.
Judge Comerford agreed with the Commissioner’s application of C-210/16 Wirtschaftsakademie Schleswig-Holstein and the finding that “complete control” over all aspects of the process was unnecessary. He said that the decisions followed by C-210/16 Wirtschaftsakademie Schleswig-Holstein had the effect that personal rights should be protected by affording a wide scope to the definition of data controller. Judge Comerford said it was not a requirement for a data controller to have sole control, and that “a very limited degree of control, perhaps even just the capacity to cease involvement in the facilitation of the processing, can suffice provided the data controller is acting for its own purposes and not solely as an agent of another”.
Furthermore, Judge Comerford said that C-210/16 Wirtschaftsakademie Schleswig-Holstein supported “the view that in interpreting the Irish statutory definition of data controller that where there is more than one person who has control, it is not necessary that each of these persons have control of both contents and use, but one person could have control of content and another control of use, and indeed the levels of the control can encompass what might be described as influence or to the negative control that comes from declining to participate”.
Judge Comerford said it was difficult to come to any view but that the Courts Service was obviously a data controller. He said that the website was set up as a convenient reference for the public – less directly for the purpose of the administration of justice.
In all the circumstances, Judge Comerford said he could see no basis for saying the Commissioner was in error in identifying the appellant as a data controller. He rejected the suggestion that each individual judge whose judgment is on the database is the sole data controller of that judgment.
Judge Comerford also considered that, although there had been significant breaches of fair procedures in the Commissioner reaching the June 2018 decisions, these breaches could not serve to unseat or condemn the decisions that there had been a breach under sections 2A and 2B.
Judge Comerford said that the requirements of fair procedures did require a clarification of the decision that there was a breach of section 2(1)(d), and, in condemning this decision, he said there must be an express statement that the extent of the breach was limited to the unauthorised disclosure between 12 and 15 May 2014.