
High Court of Ireland Decisions


McShane v Data Protection Commission (Approved) [2025] IEHC 191 (03 April 2025)
URL: https://www.bailii.org/ie/cases/IEHC/2025/2025IEHC191.html
Cite as: [2025] IEHC 191



[2025] IEHC 191

THE HIGH COURT

JUDICIAL REVIEW

[2022/699JR]

BETWEEN:

EAMON MCSHANE

APPLICANT

AND

DATA PROTECTION COMMISSION

RESPONDENT

AND

HEALTH SERVICE EXECUTIVE

NOTICE PARTY

 

JUDGMENT of Mr. Justice Barry O'Donnell delivered on the 3rd day of April, 2025

INTRODUCTION

1. This is the judgment of the court in respect of a challenge by way of judicial review to a decision made by the respondent. The decision arose from a complaint by the applicant concerning the notice party. The complaint was processed and decided by reference to the powers of the respondent under the Data Protection Act 2018 (the 2018 Act) and the underlying legislation, the General Data Protection Regulation (EU) 2016/679 (GDPR).

 

2. The applicant in this case is a fire prevention officer employed by the Notice Party ("the HSE"). On the 15 December 2021, he made a complaint to the respondent ("the DPC") in respect of a data breach concerning personal data on a phone that had been provided to him by the HSE in connection with his work. The complaint gave rise to exchanges between the applicant, the DPC and the HSE. On the 23 May 2022, the DPC decided that the matter should be concluded on the basis that the HSE was not a "data controller" for the purposes of the relevant legislation. The reason for the decision was that the HSE had not authorised or permitted the applicant to use his work phone for personal use. The decision, which was in the form of an email to the applicant's solicitors, noted, inter alia: "Based on the information you have provided to this office, there is no basis for which the HSE could be considered the controller of your client's personal data that he himself stored on his HSE issued phone without their apparent knowledge or agreement."

 

PROCEDURAL HISTORY AND THE GRANT OF LEAVE

 

3.                  The initial ex parte application was opened on the 15 August 2022 and adjourned to the 23 January 2023. On the 23 January 2023, the High Court directed that the application for leave should be made on notice to the other parties. The consequent decision of the High Court is set out in a judgment of Bolger J. dated the 19 October 2023. It is clear from that judgment that one of the bases on which the DPC and HSE resisted the grant of leave was that the applicant had not pursued a statutory appeal remedy. However, the court determined that leave should be granted, and that the applicant had "satisfied the not very high standard ... to assert an entitlement to leave". Hence, on the 19 October 2023 the High Court granted leave to the applicant to bring these judicial review proceedings.

 

4.                  At the hearing of the action, the DPC and the HSE contended, among other arguments, that the applicant had sought to expand his case beyond the case in respect of which leave had been granted. Hence, it is important for an understanding of what follows to set out precisely what relief was sought and the grounds upon which leave was granted.

 

5.                  The focus of the challenge is on the 23 May 2022 decision, and in that regard, in addition to ancillary orders, the applicant sought the following substantive relief:

a.             An Order of certiorari quashing the dismissal of the applicant's complaint against the HSE dated the 15 December 2021 that was dismissed by the DPC on the 23 May 2022.

b.             An Order of mandamus compelling the DPC to investigate the applicant's complaint to the DPC on the 15 December 2021 that was dismissed on the 23 May 2022.

c.             A declaration that the process followed by the DPC in the applicant's case, with regard to the finding on the 23 May 2022 that the HSE was not a data controller under the General Data Protection Regulation (EU) 2016/679, and or dismissing the applicant's complaint on foot of same, was unlawful under the circumstances.

 

6.                  The factual grounds upon which relief is sought are set out in the applicant's statement of grounds and in an affidavit sworn by him on the 5 August 2022. The applicant's case before this court was predicated on a posited distinction between two categories of personal data that were stored on the work phone. First there was 'work related personal data', by which, as I understood the case, the applicant meant data that identified or related to him and which was collected and stored in the course of and for the purposes of his work related activities. Second, there was 'non-work related personal data', which referred to data that was collected and stored on the work phone when the applicant used his work phone for his personal business. I have summarised the factual grounds as follows:

a.             The applicant was a fire prevention officer employed by the HSE; he was provided a mobile phone to use in the course of his employment.

b.             The applicant's "work related" personal data was processed on the mobile phone. That data was described as including his name, phone number, work email address, email records, records and contents of work texts/messages, phone call logs, voicemails, location data on the phone to include the applicant's physical geographical location, and metadata on the phone.

c. The applicant also used the mobile phone for personal use. In doing so, the phone contained "non-work related" personal data, e.g. personal emails, etc. The applicant acknowledged at the hearing that this was not an acceptable use of the mobile phone.

d.             In May 2021, the HSE was subject to a significant data breach and ransomware attack that affected numerous computer and technical devices.

e.             In June/July 2021, the applicant discovered that his personal email accounts had been hacked as well as a personal cryptocurrency account, and some €1,400 of cryptocurrency had been stolen.

f.              The applicant believed his work mobile phone was the source or cause of the hack, and as such, believed his work mobile phone had been affected by the hack of May 2021. He made a complaint to the HSE in September 2021. The applicant was not satisfied with the HSE's response.

g.             On the 15 December 2021, the applicant made a complaint to the DPC. The DPC engaged with the applicant and the HSE, seeking further information.

h.             During the investigation, the HSE claimed the applicant had put unauthorised personal data on the phone or used the phone to access same. The DPC formed the view that, in the circumstances, the HSE was not a "data controller", within the meaning of that term in art. 4.7 of the GDPR. This was because they did not authorise the use of the personal data on the phone.

i.               Accordingly, on the 14 April 2022, the DPC wrote to the applicant asking why he considered that the HSE was a data controller under the GDPR.

j.               The applicant responded by email on the 20 April 2022 (this mistakenly is dated 24 April 2022 in the statement of grounds). In the statement of grounds, the applicant states that the email explained that the phone was provided to him by the HSE in the course of his employment. He goes on to suggest that the email set out that the applicant's "personal data was on the phone, and used on the phone in connection with work related purposes, regardless of any personal use of the phone by the Applicant". Hence, it was stated, "regardless of any other use to which the phone was put, there was still "work related" personal data on the phone, i.e. data personal to the applicant, such as his name, phone number, work email address and records thereof, records and contents of work texts/messages, phone call logs, voicemails, location data on the phone to include the applicant's physical geographical location, metadata on the phone, etc". With respect, this is not an accurate way to describe or characterise the contents of the 20 April 2022 email, and I will set out the contents of that email later in the judgment.

k.             On the 23 May 2022, the DPC dismissed the applicant's complaint against the HSE. This was on the basis of a finding that the HSE was not a "data controller" under the GDPR.

l.               The applicant attempted to appeal the DPC decision to dismiss the complaint and finding that the Notice Party was not a "data controller" by way of letter dated the 27 May 2022, and that was rejected by the DPC in a letter dated the 21 June 2022.

 

7.                  The legal grounds upon which leave was granted to apply for judicial review are set out in the statement of grounds, and can be summarised as follows:

a. The work related personal data (as that term was used by the applicant) was data that could identify the applicant as an individual. As such it comprised "personal data" as defined by art. 4.1 of the GDPR:

"any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, material, economic, cultural or social identity of that natural person."

b.             The HSE properly was the "data controller" in respect of that personal data because it mandated the use of the phone for work related purposes and determined that the applicant's "work related" personal data was processed on the mobile phone. In that regard, the statement of grounds refers to the definition of "data controller" in art. 4.7 of the GDPR: -

"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."

c.             The applicant asserted that his approach to work related personal data was consistent with the DPC's guidance note entitled "What are "personal data" and when are they "processed"?". Hence, it was argued that the DPC departed from its own guidance in concluding that the HSE was not a data controller in the circumstances that presented.

d. In addition to contending that the DPC acted ultra vires and erred in the manner described above, the applicant also contended that the approach adopted and the decision were unreasonable in the sense in which that term is used in Meadows v. Minister for Justice, Equality and Law Reform [2010] 2 IR 701.

e. Further grounds relied on Article 40.3 of the Constitution and article 8 of the European Convention on Human Rights, but these were not pursued at hearing.

THE RESPONSE FROM THE DPC AND HSE

 

8.                  The DPC filed its statement of opposition on the 29 November 2023. The DPC made preliminary objections that the applicant had failed to avail of the statutory appeal mechanism provided for in section 150(5) of the 2018 Act. Separate objections are made to the effect that the applicant was utilising the judicial review mechanism to challenge the merits of the decision. Finally, the DPC objects to the delay on the part of the applicant in bringing the proceedings.

 

9.                  In terms of its substantial grounds of opposition, in addition to denials, the DPC makes the following contentions:

 

10.              First, the DPC makes the point that by the time of the contested leave application the applicant accepted that he should not have used his work phone for personal use. If the applicant had not used the work phone in that way, the non-work data would not have been on the phone and hence not accessible through the phone.

 

11.              Second, the DPC contends that the complaint made by the applicant - which was in the form of a letter from his solicitors - related entirely to non-work related personal data. As such, the DPC had not been asked to address whether the HSE was a data controller in respect of the applicant's "work related personal data". That initial engagement was reflected in the process that was engaged following receipt of the complaint from the applicant. The process involved the following:

a.             A consideration of the response by the HSE which was set out in a letter dated the 17 December 2021 to the applicant's solicitors. That letter asserted that the breach that the applicant complained of concerned his personal non work data. The HSE ICT Acceptable Use Policy provided that, absent express agreement, non-work use of the phone was not permitted.

b.             On the 14 April 2022 the DPC wrote to the applicant's solicitors requesting evidence that the HSE was responsible for the personal data breach and how the HSE could be treated as a data controller when the personal data was processed in contravention of the HSE ICT Acceptable Use Policy.

c.             On the 20 April 2022, the applicant's solicitors responded setting out that the personal data was accessed by a cyber-criminal during what was described as the "well documented HSE data breach last year", but that despite requests the HSE had not confirmed that the applicant's personal data was breached. The response also noted that the ICT policy was an "employment matter" and "any alleged breach of that HSE Policy does not allow the HSE to escape its obligations under data protection law as data controller".

 

12.              Third, the DPC contends that the decision of the 23 May 2022 amounted to a rejection of the complaint within the meaning of section 109(5)(a) of the 2018 Act, and was a "legally binding decision" for the purposes of section 150(12) of the 2018 Act. It followed, according to the DPC, that at that point the applicant ought to have pursued a statutory appeal. In the premises where the decision of the 23 May 2022 was a legally binding decision, the attempt by the applicant to appeal that decision in the form of a letter dated the 27 May 2022 was misconceived.

13.              Fourth, the significance of the 27 May 2022 letter was that it was only at that stage that the applicant raised the issue of the presence of work related personal data on his work phone.

 

14.              In those premises, the DPC argues that there was no error in the finding that the HSE was not the data controller of the non-work personal data. This was on the basis that the applicant had not been instructed or authorised to use the work phone for non-work related purposes. As such, the HSE did not determine the purposes and means of processing of the non-work data, and, thus properly understood, did not fall into the legal definition of a data controller for that purpose. Insofar as the work related personal data may or may not constitute "personal data" for the purposes of the GDPR, this was not the subject of the complaint.

 

15.              The DPC's opposition was supported by an affidavit sworn by Ian Chambers on the 20 November 2023. Mr. Chambers is a Deputy Commissioner with the DPC. The affidavit sets out the history and progress of the applicant's complaint and exhibits the relevant documents, which mirror largely the documents exhibited by the applicant. The affidavit contained some commentary on the correspondence and the decision, which were the subject of objections at the hearing by the applicant. In that regard, I agree with the applicant that because Mr. Chambers was not the officer who dealt with the complaint it was not open to him to give evidence that expanded on the reasons underpinning the decision. The decision will stand or fall on its own terms having regard to the statutory context, applicable legal principles, and the history of the complaint. However, I am satisfied that Mr. Chambers was in a position to comment on the general practices of the office and on the overall context of the proceedings.

 

16.              The court also was provided with an affidavit sworn on behalf of the HSE by Mary Deasy on the 14 December 2023. Ms. Deasy is the HSE Data Protection Officer.

17.              Ms. Deasy set out her understanding of the history of the applicant's complaint from the perspective of the HSE. In that regard, it was asserted that the first communication from the applicant to the HSE was in the form of a letter from his solicitors dated the 24 September 2021. That letter asserted that certain of the applicant's accounts had been accessed without his consent. The accounts included his Gmail, Yahoo and Fitbit accounts. The applicant also complained that a Binance cryptocurrency account was accessed and that €1,400 in value had been taken. The letter went on to request that the HSE admit liability and provide compensation. The basis of the complaint was that the applicant's personal data had been held by the HSE and there had been a breach.

 

18.              Before the HSE provided a substantive response on the 17 December 2021, the applicant had made the complaint to the DPC on the 15 December 2021. The HSE letter of the 17 December 2021 recorded that an investigation had been carried out. That investigation reached a view that the applicant had breached the HSE's ICT Acceptable Use Policy, which, at the relevant parts, provided for three specific matters. First, that work related IT devices including phones were for business related use. Personal use of work related devices was discretionary and required prior line manager permission. Second, confidential information could only be stored on work related IT Devices with prior permission. Third, the policy emphasises that the HSE will not be responsible for fraud or theft that results from a user's personal use of a HSE IT device. The letter asserted that in this case there was no permission from the line manager for the applicant's personal use of the work phone. In those premises, the HSE refused to accept responsibility for any loss suffered by the applicant.

 

19.              Ms. Deasy also noted that the HSE Electronics Policy imposes similar requirements on the use of work devices, including a prohibition on the use of the device to access third party internet facilities, such as Gmail, Yahoo, Fitbit or Binance. In those premises Ms. Deasy contended that the HSE had responded to the specific issues raised by the applicant.

 

20.              Ms. Deasy took issue with the applicant's email dated the 20 April 2022 which responded to a query from the DPC. As will be recalled, in that email the applicant's solicitor asserted that the applicant had asked the HSE to confirm whether his personal data had been breached or accessed during the HSE data breach by cyber criminals. Ms. Deasy asserted that this was not what was sought by the applicant. Instead, the applicant made a complaint about unauthorised access to his personal accounts on the work phone, and Ms. Deasy stated that this had been investigated. In addition, Ms. Deasy rejected the contention that compliance with the ICT Policy was an employment matter. She stated that the unauthorised personal use of the work phone meant that the HSE was not the data controller for the personal data that was the subject of the complaints.

 

21. Ms. Deasy also comments on the underlying contention that the applicant's personal data was accessed because his work phone was compromised during the cyber-attack. While this really is not relevant to the matters directly engaged in these proceedings, Ms. Deasy asserts that there is no evidence that HSE mobile phone devices were compromised in the cyberattack and that the applicant has never presented any evidence to suggest a link between the cyberattack and any alleged accessing of his personal accounts.

SUBSEQUENT AFFIDAVITS AND ISSUES

 

22.              The applicant swore a replying affidavit on the 31 January 2024. I have no doubt that much of the material in the replying affidavit is irrelevant to issues in respect of which leave was granted. The applicant seeks to adduce evidence of broader alleged failings by the HSE in connection with the provision of ICT devices and the procedures that were followed when the applicant made his initial complaint. Whether or not there is any merit to those complaints - and I am not going to comment on that - they were not matters that were raised in the complaint to the DPC or that formed the basis of the decision that is impugned in these proceedings.

 

23.              The court is not conducting any form of inquiry into HSE IT policy or practice, nor is it conducting an inquiry into the origins of the cyberattack or whether any underlying vulnerabilities contributed to the effects of that attack. The court is concerned solely with determining the issues on which leave was granted. The process before this court should not be utilised to attempt to impugn the actions of the DPC by reference to matters that were not the subject of the complaint that the applicant asked the DPC to consider.

 

24.              The applicant also seeks to make the argument that, even if it was operated in accordance with the HSE ICT Policy, the work phone contained or processed various forms of personal data. Again, whether or not that is so, that is not the issue that prompted the complaint to the DPC or the issue that the applicant, through his solicitors, sought to agitate in that complaint. In that regard, I do not consider it appropriate for the applicant to seek to utilise a replying affidavit effectively to argue that the DPC ought to have conducted a form of own motion investigation into the broader issues around the use of work phones by the HSE when this is not what was requested.

25.              The applicant's affidavit prompted a further exchange of affidavits which essentially addressed the issues and canvassed objections to the approach that had been adopted by the applicant. For the reasons summarised above, I do not consider it necessary to set out the arguments and counter arguments that were made, as I am of the firm view that they very clearly fall outside the scope of the issues in respect of which leave was granted and which were agitated in the first instance in the complaints to the HSE and the DPC.

 

THE ARGUMENTS AND DISCUSSION

 

The alternative remedy

26.              The applicant first addressed the issue of whether he ought to have pursued a statutory appeal. He asserted that there was some lack of clarity on the part of the DPC around the process in which it was engaged. In that regard, the applicant highlighted that the language used by the DPC in the course of the process variously referred to "concerns" rather than "complaints", and that the decision on the 23 May 2022 was not expressly described as a "dismissal" or "rejection". Further, the applicant asserts that if the decision of the 23 May 2022 was a legally binding decision for the purposes of section 150 of the 2018 Act, it ought to have described itself as such, and also informed the applicant of the right to an appeal under the relevant provisions. All of these issues, in the view of the applicant, amounted to a breach of his right to good administration. In addition, there was an argument that the process undertaken by the DPC did not amount to a proper investigation, and that the complaint or concern was dismissed in limine.

 

 

27.              For its part the DPC contended that one of the tasks of the DPC as a supervisory authority is that provided for by art. 57(1)(f) of the GDPR, which is to:

"handle complaints lodged by a data subject ... and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period..."

 

28.              The DPC contends that section 109 of the 2018 Act provides a range of possible outcomes that arise from the handling of complaints, which can include a "dismissal" of a complaint per s.109(5)(a) or a "rejection" of a complaint per s.109(5)(b). The DPC contend that properly construed what happened in this instance was that the applicant's complaint was rejected.

 

29.              It is well established that ordinarily the statutory appeal in a situation such as this should be a disappointed complainant's first option, see for instance Petecel v Minister for Social Protection [2020] IESC 25. This is not a case where leave to apply for judicial review was granted to pursue an argument that the applicant was deprived of a proper investigation by some unfairness. Instead, the case is a simple one that the decision that the HSE was not the "data controller" in respect of the "personal data" concerned in the complaint was ultra vires and / or irrational having regard to the legal definition of those terms in the legislation. On its face, those arguments seem to be ones suitable for a statutory appeal. However, I am satisfied that there was some vagueness in the manner in which the DPC characterised its decision such that, on balance, it would be unfair on the applicant to determine his case other than on the substantive grounds of challenge.

 

30.              Turning to the actual decision of the 23 May 2022, it is clear why the decision was made: (a) the DPC considered that the HSE was not acting as a data controller in this instance because the complaint concerned the accessing of non-work related personal data on the work phone which had been stored or processed on the phone by the applicant himself in contravention of the HSE policy; and (b) the decision notes that it was not possible to determine whether the applicant's personal online accounts were accessed as a result of the cyber-attack or because they were compromised in another manner or on another platform or device.

 

31.               However, the decision does not identify whether the complaint was "rejected" or "dismissed". Instead, the conclusion is stated to be "I am unable to identify a contravention of data protection legislation by the HSE. This office will now conclude our file on this matter.".

 

32.              I am not willing to hold that this is a case in which the applicant's proceedings should be dismissed on the discretionary basis that he failed to exhaust the available statutory remedy. Notwithstanding the fact that the applicant here was agitating his complaint through solicitors, and hence to some extent it should be presumed that they understood precisely what process had been engaged, there is some force in the applicant's contention that there was an element of vagueness in the way that the DPC characterised or framed their response to the complaint.

 

33.              I want to be careful in making clear that this portion of the judgment simply is addressing the question of whether the applicant was obliged to exhaust the statutory remedy rather than seeking judicial review. The applicant was not granted leave to challenge the decision on the basis that the process or decision was impermissibly vague, or that the DPC misdirected itself on whether the matter should have been rejected or dismissed. The court is not making any finding that impugns the decision on those bases. Instead, the court is noting that if a public body seeks to argue that an applicant has failed to exhaust alternative remedies it should be expected that the body equips the applicant to exercise that alternative by identifying precisely what power is being relied upon in determining the matter in issue and identifying the appeal options that flow from that determination. In this case that was not done.

 

34.              I fully accept that the DPC enjoys a measure of discretion in respect of the manner in which it chooses to handle complaints; that is made clear in the Court of Appeal decision in Ryan v Data Protection Commissioner [2024] IECA 152. However, I do not read that decision as suggesting that the DPC simply is at large in relation to the manner in which the complaints - once properly handled - are disposed of. That is a separate matter. The Oireachtas in section 109(5) of the 2018 Act provides the DPC with the ability inter alia to reject or dismiss the complaint, but that does not end the matter. Section 109(6) of the 2018 Act requires the DPC to provide the complainant with a notice in writing informing the complainant of the action that the DPC has decided to take on foot of the complaint.

 

35.              Given that mandatory statutory obligation it seems to me that it follows - although this would have to be subject of argument in an appropriately framed case - that, as a matter of good administration, when describing the action taken there should be specificity as to the statutory characterisation of the action taken, clarity as to whether that outcome is characterised by the DPC as a legally binding action, and clarity that there is a statutory appeal available. None of that occurred in this case.

 

Whether the DPC acted lawfully

36.              On this issue, in written and oral submissions the applicant argued that it was clear that the applicant's complaint related to work related personal data, whether or not he used the device for personal purposes. This meant, according to the applicant, that it ought to have been clear to the DPC that the investigation should have encompassed a consideration as to whether the HSE complied with its obligations as a data controller in respect of that data.

 

37.              The applicant referred to the DPC document, "Guidance Note: Data Protection in the Workplace: Employer Guidance", which contemplated the potential for work devices to store personal data, for instance in the context of work emails.

 

38.              The applicant argued that the DPC was obliged to investigate breaches of GDPR, and relied on observations by the CJEU in cases such as TR v Land Hessen (Case C-768/21) where inter alia the Court stated:

"32. In particular, under Article 57(1)(f) of the GDPR, each supervisory authority is required on its territory to handle complaints which, in accordance with Article 77(1) of that regulation, any data subject is entitled to lodge where that data subject considers that the processing of personal data relating to him or her infringes that regulation, to investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period. The supervisory authority must deal with such a complaint with all due diligence (see, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958, paragraph 56 and the case law cited)."

 

39.              The applicant says that the DPC did not respond to his complaint by acting with all due diligence, which ought to have involved inquiries as to whether there was any personal data processed on his work phone. The fact that the applicant believed that the phone had been hacked ought to have been sufficient to trigger those necessary inquiries.

 

40.              The nature of the arguments pursued at hearing is illustrated by the conclusions that the applicant sets out in his written submissions, which were as follows:

"The Respondent:

a. did not make any enquiries to the Notice Party as to what work-related personal data was on the phone thereby failing to make any proper enquiries as to whether the Notice Party was a data controller.

b.             did not apply their own Guidance Note: Data Protection in the Workplace: Employer Guidance by not enquiring and or investigating as to what data was on the phone for the purposes of establishing whether said data constituted personal data (and then by extension whether the Notice Party was a data controller).

c.              did not make any "assessment in a concrete manner" as per VB and failed to investigate the Applicant's complaint with "due diligence" as per TR.

d.             dismissed the Applicant's claim in limine.

e.              denied the Applicant a statutory entitlement to an investigation as per I.B. v HSE.

f.               breached s.101(1)(f) of the Data Protection Act 2018 by failing to properly or adequately "handle" the Applicant's complaint.

g.             breached s.101(1)(g) of the Data Protection Act 2018 by failing to properly or adequately "examine the lawfulness of processing" of the subject matter of the Applicant's complaint and the employer/employee relationship and data controller/data subject relationship between the Applicant and the Notice Party."

 

41.              It is quite apparent that with the exception of points (a) and (b) above, the grounds set out above on which the applicant contends that the decision of the DPC should be quashed go considerably and materially beyond the grounds in respect of which he sought and was granted leave to apply for judicial review. Furthermore, at no point did the applicant seek to exercise his entitlement to apply to have his grounds extended.

 

42.              Understandably the DPC objected to any attempt on the part of the applicant to extend the grounds of the challenge without first seeking permission. In that regard, the legal principles are very well established and recently were re-iterated by the Court of Appeal in Hayes and Foley v. The Environmental Protection Agency and Others [2024] IECA 162, where Butler J. stated at para. 61:

"Any High Court proceedings are likely to entail significant costs and it is and remains a concern if additional costs are unnecessarily incurred because the case an applicant seeks to run does not conform with the case that they have pleaded. That concern is heightened in the case of proceedings by way of judicial review because the scope of the case is defined not just by the pleadings themselves but also by the fact that in order to bring such proceedings an applicant has to be granted leave to do so on foot of a preliminary application brought for that purpose."

 

43.              In the first instance therefore, the court in this case will only determine the issues that were pleaded and in respect of which leave to apply for judicial review was granted. I do not consider that it is open to the court or appropriate for the applicant to convert a relatively net issue into a broader survey of the obligations of the DPC concerning the proper handling of enquiries or broader investigatory issues. Still less is it appropriate, as appears to have been suggested in the second and later affidavits sworn by the applicant, to conduct a form of inquiry into whether the DPC should have used the applicant's complaint to launch an investigation into the HSE's broader approach to the processing of personal data that may be stored on devices provided to employees.

 

44.              That then leads to a consideration of what the DPC submitted in response to the issues that properly could be said to form the legitimate content of these proceedings. Here the DPC's starting point is a further uncontroversial proposition that the decision it made should be considered by reference to what the applicant put before it when the complaint was made.

 

45.              The DPC illustrated that general proposition by reference to the observations of Phelan J. in Hayes v. The Property Services Appeal Board [2023] IEHC 282.

 

46.              In that case, which dealt with an appeal on a point of law arising from a different statutory code, the appellant was concerned with an admissibility decision where the authority declined to carry out an investigation. At first instance, the authority declined to investigate, relying on a particular statutory provision. That decision was appealed to the respondent board, in which the appellant set out his grounds of appeal. The licensee and the authority provided a response, and the respondent board affirmed the decision not to carry out an investigation.

 

47.              The judgment of Phelan J. sets out that when the appeal was argued the appellant elaborated significantly on certain matters that had not been canvassed as part of the underlying process. The court noted:

"41. It is imperative that a complainant sets out fully the basis for his or her concern when presenting the complaint which is then relied upon in making an admissibility decision. As no right of reply is provided for under the scheme of the 2011 Act in response to submissions filed by the other party and the Authority on an appeal against a decision of the Authority, the complainant's case may well stand or fall on the contents of the original complaint."

 

48.              The Court went on to make clear that in the circumstances she considered that she had to determine the question of law on the basis of the material before the Authority and the Board on appeal.

 

49.              While clearly there are differences between the process with which the Hayes case was concerned and the process involved in the current case, I consider that the comments made by Phelan J. are apposite. In my view, the court is required to gauge the lawfulness of the DPC decision from the 23 May 2022 on the basis of the materials that were before it at the time, albeit that in this case there had been some further exchange of information after the initial complaint on 15 December 2021.

 

50.              In the circumstances I consider that the only fair way to analyse the DPC decision of the 23 May 2022 is by reference to the materials that were before it, and specifically by reference to the particular issues that the applicant sought to agitate. It would be entirely oppressive for a body such as the DPC to be required not only to handle a complaint that was made on its own terms but also, for that body to have to speculate as to whether there might be additional matters worthy of investigation hidden, as it were, in the shadows of the actual complaint.  

 

51.              As noted above, I do not consider that this approach is controversial. The DPC was asked to handle a complaint that had been expressed in a letter from a firm of solicitors acting for the applicant. That complaint was specific, and the clear gravamen of the complaint was not that his work device contained work related personal data, but that it contained non work related personal data. The complaint as presented in the online form attached a copy of the letter dated the 24 September 2021 that the applicant's solicitors had sent to the HSE. In turn, that letter made clear that the applicant was concerned that there had been a data breach and that his Gmail, Yahoo, Binance and Fitbit accounts had been compromised.

 

52.              On the 10 January 2022, the applicant's solicitor emailed a copy of the HSE response letter of the 17 December 2021 to the DPC. The email also attached a response from the applicant's solicitor to the HSE by email dated the 10 January 2022 which stated that the HSE had failed to confirm the following:

 

"1. Whether the remit of your investigation included our client's specific complaint that his personal data held on his HSE-issued mobile phone was accessed without his authority; and

2. If so, the findings made in that regard." [emphasis added]

 

53.              I am satisfied that the clear import of that response - particularly having regard to the words emphasised by me above - was that the applicant remained focused on the Gmail, Yahoo, Fitbit and Binance data. The response did not suggest that the applicant was concerned about whether the HSE had looked into the question of whether other "work related personal data" had been accessed improperly.

 

54.              The DPC sent a query to the applicant by email on the 14 April 2022. That email noted that the essence of the complaint was that the "HSE was responsible for a breach of his personal data". The email then referred to the HSE letter from the 17 December 2021 and asked (a) for evidence that the HSE was responsible for the data breach, and (b) how the HSE could be a data controller for "personal data processed in apparent contravention of the HSE ICT Acceptable Use Policy".

 

55.              At that point it was perfectly open to the applicant to correspond with the DPC with a view, if that was the case at the time, to explain that the DPC and HSE had misconstrued his complaint by focusing on the non-work related personal data (despite the fact that these were the only types of data referred to in the initial letter to the HSE) and that the applicant was concerned about the broader issue of legitimately stored personal data on his work phone.

 

56.              Instead, as explained above, the applicant did not clarify what he meant by personal data. Given its importance and the way it has been characterised in the statement of grounds, it is worth setting out the material parts of the applicant's email of the 20 April 2022 in full. Having referred to the email from the DPC of the 14 April 2022 the applicant's solicitor states:

"In short, the position is as follows: -

1.      The HSE issued a mobile phone to our client in the course of his employment;

2.      The said HSE-issued phone, and in turn our client's personal data on that phone, was accessed without authority or consent by a cyber-criminal during the course of the well-documented HSE data preach (sic) last year;

3.      Though we have asked the HSE on a number of occasions for confirmation that our client's personal data was breached, this has not been forthcoming from the HSE contrary to its obligations under the GDPR and Data Protection Acts as data controller;

4.      Instead, the HSE has ignored the issues at the core of this complaint and raised an allegation that its internal ICT Acceptable Use Policy was breached by our client. Respectfully, that would be an employment matter and our position is that any alleged breach of that HSE Policy does not allow the HSE to escape its obligations under data protection law as data controller."

 

57.              On my reading of that email when viewed in the context of the correspondence that went before it, it is very difficult to see how that can be seen as some form of clarification that the complaint was intended to concern work related personal data. The applicant complained that there had not been a proper investigation by the HSE into the question of how his data was accessed, and contended that the HSE ICT Acceptable Use Policy was an employment matter that did not affect the HSE obligations. The implication of the last point, as I understand it, was to contend that even if the applicant had used his device without permission to process non-work related personal data, that fact did not prevent the HSE being treated as a controller of that data.

 

58.              Following receipt of the 20 April 2022 email, the DPC made its decision and communicated that to the applicant's solicitors in an email dated the 23 May 2022.

59.              In those premises, what were the obligations of the DPC faced with the specific complaint and information before it?

 

60.              In Ryan v. Data Protection Commissioner [2024] IECA 152 the Court of Appeal addressed a refusal by the High Court of an application for a declaration that the DPC had failed to carry out an investigation. The general approach to be adopted by the DPC was described by Binchy J. in the following way starting at para. 79:

"79. The obligation of supervisory authorities such as the respondent to handle complaints with "all due diligence" is well established. It is obvious from the phrase itself that it affords supervisory authorities with a measure of discretion in their handling of complaints, but this is in any event made clear by several provisions of the GDPR, such as recital 141 and article 57, each of which speak of the handling and investigation of a complaint "to the extent appropriate", and also recital 129 which states that measures adopted by supervisory authorities in the exercise of their powers "should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before an individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for persons concerned".

80. In his opinion in the Land Hesse, Advocate General Pikamäe, having emphasised the binding obligation of supervisory authorities to handle complaints lodged by data subjects with the due diligence that "is appropriate to the specific case" (my  emphasis), also stated that "several factors militate in favour of an interpretation to the effect that [supervisory authorities] enjoy a margin of assessment in examining those complaints and a degree of latitude and the choice of appropriate means to carry out its tasks". In expressing this opinion, he relied on the opinion of Advocate General Saugmandsgaard Øe in Data Protection Commissioner v. Facebook Ireland Ltd (Case C-311/18)(Schrems II)."

 

61.              Bearing those observations in mind and also bearing in mind that the margin of discretion afforded to the DPC does not extend to its interpretation of legislation, can it be said that the decision is wrong as a matter of law in finding that the HSE was not a data controller when it came to the processing of the non-work related personal data of the applicant? To a large extent there is no apparent dispute on this specific point, otherwise the applicant likely would not have attempted to turn the focus of the case to the work related personal data arguments.

 

62.              In my view, the DPC clearly engaged in an appropriate and proportionate investigation of the individual complaint that had been made. As made clear in Ryan, the point of the handling exercise is to address complaints in a way that is appropriate to the specific case. Here, as I have found, the specific case made to the DPC related to the applicant's complaint that his Gmail, Yahoo, Fitbit and Binance accounts had been compromised, and, albeit without any evidential basis, that this was attributable to the cyberattack conducted on the broader HSE ICT infrastructure. The applicant did not in reality dispute that the use of the work phone to conduct his personal business was not permitted, and in fact at a later stage in the proceedings before this court that was accepted by the applicant. The DPC did not purport to adopt an unorthodox interpretation of the definition of data controller. Instead, against the backdrop of the factual matrix before it, it found that the HSE had not "determined the purposes and means of the processing" of the data relating to the Gmail, Yahoo, Fitbit and Binance accounts accessed by the applicant on his work phone. That finding appears to me to be self-evident, where that use of the phone clearly was not authorised by the HSE.

 

63.              I should also say that the DPC decision was not only based on the proposition that in the circumstances the HSE was not the data controller, but also referred to the fact that it could not be determined whether the applicant's personal accounts were accessed as a result of the cyberattack on the HSE, rather than being compromised by a different route.

 

64.              Hence, I cannot find that the decision was ultra vires the DPC. Likewise, I can find nothing irrational in the decision, whether that is gauged by the Meadows or O'Keeffe type tests. This was a decision that was open to the DPC in light of the nature of the complaint and the definition of "data controller"; I am satisfied that the decision was made on the basis of and consistent with the evidence that was before the deciding officer.

 

CONCLUSION

 

65.              In all the circumstances, I have not been persuaded that the applicant is entitled to the relief sought. I am satisfied that the applicant made a specific complaint about specific issues and, within the parameters of that complaint and those issues, the DPC decision was lawful and clearly open to it. Accordingly, the application for judicial review will be refused.

 

66.              As this judgment is being delivered electronically, I will invite the parties to seek to reach agreement on the appropriate final orders including orders in respect of costs. In case it is not possible to reach an agreement I will list the matter before me for argument on final orders at 10.30am on Thursday, the 1 May 2025. However, if there is any argument on costs, I direct that the parties exchange written submissions of no more than 1,500 words no later than the 24 April 2025.

 

