This is Fred Logue’s presentation given on 28 June 2019 at UCC’s “Communicating Europe” event held in UCC
FP Logue received confirmation recently that the Department of Employment Affairs and Social Protection has agreed to pay social welfare benefits to a client who refused to register for the Public Services Card (PSC).
Our client had presented a passport and proof of address with an application for benefits and received a formal decision from the Deciding Officer that the payments would be available for collection in the local post office in due course.
Some days later our client was informed by a member of staff that the approval had been a mistake and that the payments would be suspended until such time as an application for the PSC was processed. Our client refused to make the application and asked for written reasons to be provided. The position was subsequently confirmed in writing that payments were suspended until a PSC application was processed.
We wrote to the relevant official on our client’s behalf pointing out that there was no requirement under social welfare law for an applicant to register for the PSC and that the payment had been unlawfully suspended and that our client had been grossly misinformed as to their rights by officials.
We have now received confirmation that payments have been released confirming our assertion that a PSC registration is neither mandatory nor compulsory for the purposes of accessing social welfare benefits.
It’s nearly a year since GDPR came into force and we are beginning to see what the world looks like post-GDPR. Just yesterday we saw the French regulator hand out a €50 million fine to Google and it seems there is more to come. We are seeing the rise of the non-profit complainant taking on cases for individuals. DPOs are beginning to find their feet and the first cohort is starting to experience what it is really like to hold this position in the public sector and large organisations.
There are still many questions on people’s minds:
- Will there be an avalanche of litigation?
- What is the DPO really supposed to do?
- Will the GDPR change the way the State and the public sector handle personal data?
- How are big organisations adapting?
#InfoLaw2019 you can find out the answer to these questions and more from some of Ireland’s leading lawyers, DPOs and industry professionals. We’ll give more details of speakers and topics in the next week or two, check our website for more details or you can order your discounted early-bird ticket below:
The biggest data protection myth out there is that third party personal data cannot be disclosed under a subject access request that covers “mixed” personal data, i.e. information that contains personal data of more than one individual.
If I had €10 every time a data controller made this claim I wouldn’t need to write this update because I’d have already retired a rich man and would be sitting in my vineyard in the South of France enjoying the good life.
The reality is that there is no presumption against disclosure of third party personal data in a mixed access request. Obviously third parties have privacy rights which cannot be adversely effected but that doesn’t mean they have to consent to disclosure. A data controller has to balance competing interests and make a decision in line with the GDPR, that’s what the law says.
While it may be a difficult to decision to make in some circumstances, generally there should be no real issue since the GDPR facilitates the processing of others people’s personal data as long as it is lawful, responding to a subject access request is no different.
Data controllers are risking legal proceedings or complaints to the Data Protection Commission if they wrongly assume that all third party data must be purged when responding to subject access requests.
In many situations the rationale for the subject access request is to access information about other people, for example family members or professionals and in those circumstances data subjects may have a very strong legitimate interest in accessing mixed data.
B v General Medical Council
The English Court of Appeal considered this issue in the case of B v General Medical Council  EWCA Civ 1497 which concerned a request by a patient to access a report prepared by the General Medical Council after the patient had complained about his treatment by a doctor. The doctor objected to the release of the report saying it contained both his and the patient’s personal data and therefore his right of privacy prevented the report being released to his former patient.
The General Medical Council nevertheless decided that on balance the rights of the patient favoured releasing the report to him. The doctor successfully appealed to the High Court but that appeal was overturned in the Court of Appeal on the basis that there is no presumption in favour of refusing access to mixed data and the data controller is best placed to make that evaluation and in this instance had done so correctly and lawfully.
Data controllers need to take heed
This case shows that data controllers have a wide margin of discretion but nevertheless have to weigh up the competing interests when handling a subject access request for access to mixed personal data. There is no presumption that mixed data must be refused or that the third party data subject must consent to release.
Any data controller that handles a subject access request based on these presumptions risks litigation or a complaint to the Data Protection Commission.
This article was also published on LinkedIn
We’ve added a new section to our site that tracks the key cases where we have acted, this includes several important cases in environmental law and information law where important environmental and information rights have been clarified by the courts and other bodies
Visit https://www.fplogue.com/key-cases/ to find out more
Image: Licensed under CC BY-SA 3.0 http://alphastockimages.com/
From our guest intern Patrick Barrett LLM:
Collins English Dictionary defines ‘expeditious’ as “quick and efficient”. In today’s fast paced society, where people bemoan their lack of free time and hectic schedules, the expectation of expeditious service has become customary.
European law provides a right of access requests to environmental information held by public bodies. If an applicant is unhappy with the outcome of their request, they may seek an expeditious review from an independent adjudicator called the Commissioner for Environmental Information.
The Office of the Commissioner for Environmental Information (OCEI) is an independent statutory body, run by the Commissioner, Mr. Peter Tyndall. The OCEI is quick to point out what it is not on it’s website; it is not a court; it is not formal or adversarial; and it does not assist or advise the public in making Environmental Information requests.
Therefore, the appropriate question is; what does the OCEI do? More precisely, how has the Office performed over the previous four years? In comprehensively analysing the 77 decisions made between 2014 and 2017, the objective findings are as follows:
- How long are reviews taking on average?
There are 77 listed decisions in the four-year period 5 of which do not record the date of appeal. Therefore, it is only possible to ascertain the length of time in 72 cases.
Length of times vary, from 34 days in Francis Clauson and The Commission for Energy Regulation (CEI/16/0022) to a protracted 959-day review in Lar McKenna and EirGrid (CEI/13/0015). Overall the median time calculated stands at 381 days per decision.
- What type of information is being considered in appeals?
The breakdown of AIE Regulations considered by the Commissioner are as such:
Number of times considered:
Article 3 (Interpretation) 33
Article 7 (Action on request) 28
Article 9 (Discretionary grounds of refusal) 24
Article 10 (Incidental provisions related to refusal) 12
Article 8 (Grounds that, subject to Art.10, mandate a refusal) 11
Article 6 (Request for Environmental Information) 6
Article 11 (Internal review of refusal) 5
Article 4 (Scope) 4
Article 12 (Appeal to Commissioner) 1
Article 15 (Fees) 1
- What are the outcomes from appeals to the OCEI?
The outcome of decisions by the Commissioner are:
46 refusals to release information, 26 findings that information should be released, and 7 decisions stating the request be reprocessed.
The Commissioner has recorded 32 affirmations, 27 annulments and 18 variations.
- How many are threshold decisions?
With regard to the 77 decisions 28 concern the issue of whether the information requested is environmental information.
Almost 1 in 8, i.e. 9 decisions, question whether the entity is within the scope of public authority. There are 2 decisions that relate to both definition of public authority and environmental information.
From our analysis the time to make decisions is decreasing. However it is doubtful that the timeframe meets the legal requirements of EU law. The Aarhus Convention clearly states at Article 9(1):
In the circumstances where a Party provides for such a review by a court of law, it shall ensure that such a person also has access to an expeditious procedure established by law that is free of charge or inexpensive for reconsideration by a public authority or review by an independent and impartial body other than a court of law.
A cursory glance at the dictionary definition of expeditious may serve as a poignant reminder that applicants expect, and are entitled to, prompt and efficient recourse.
Since July 2017 it is now possible to get access to legal submissions in CJEU cases which are held by the European Commission. Since the Commission is a party or intervener in a wide range of cases, particularly the more important ones, this means that there is a now a high degree of transparency regarding the arguments of parties in CJEU cases.
We requested access to the pleadings in the well known case of Peter Nowak v. Data Protection Commissioner which concerned the issue of whether an exam script could be personal data.
You can follow the request below using the AsktheEU.org service
The case concerned a request by Mr Nowak for access to his exam script in a professional accountancy exam. The request was refused on the basis that his exam script was not personal data and therefore not accessible under the Data Protection Acts. The Data Protection Commissioner agreed and dismissed his claim as “frivolous or vexatious” i.e. the request was bound to fail.
Each of the Circuit Court, High Court and Court of Appeal agreed and dismissed his appeals. However the Supreme Court held that Mr Nowak was entitled to appeal and as a matter of EU law there was doubt as to whether Mr Nowak’s exam script was personal data. In that case the Supreme Court stayed proceedings and made a preliminary reference to the CJEU.
Both Ireland and the Data Protection Commissioner argued for a narrow definition of personal data. In particular the Data Protection Commissioner acknoweldged that the exam result itself was personal data but the answers to the exam questions in this particular case were not personal data since there were no special circumstances such as, for example, where the exam requires the candidate to expose factual personal information.
Ireland made similar arguments.
The Court ultimately rejected this narrow interpretation and found that information becomes personal data because of the content, purpose or effect which links it with an identifiable individual. In terms of each of these the CJEU found that the information contained in an exam script was linked to the candidate and was therefore personal data and, in principle, accessible under the subject access right.
FP Logue associate, Sandra Conway, was today appointed to the Board of Directors of the Transparency Legal Advice Centre (TLAC).
TLAC is Ireland’s only independent law centre specialising in providing free, independent legal advice and referral services to anyone making disclosures of wrongdoing. TLAC was established by Transparency International Ireland following the introduction of the 2014 Protected Disclosures Act which has lead to a substantial increase in the volume of people reporting concerns arising in the course of their work.
Transparency International Ireland continues to support public bodies to create a supportive work environment for employees, including sign-posting the facilities offered by TLAC to public sector employees and continues to operate the Speak Up helpline providing support to witnesses, whistleblowers and victims of corruption and other wrongdoing. Since 2011 it has provided information and referral services to over 900 people.
Sandra volunteered with the Speak Up helpline in 2011 as it launched before joining the business integrity initiative at Transparency International Ireland until Jan 2014. She is delighted by the developments within the organisation and proud to support TLAC as a member of the Board.
FP Logue welcomes Sandra’s appointment to TLAC since it fits with the firm’s commitment to transparency and the protection of people who expose corruption and wrongdoing.
The 2014 CJEU judgment in Google Spain represented an historic victory for privacy campaigners when it held that the individual right to privacy and data protection generally took precedence over freedom of expression, and the rights of users to access information published on the internet.
In its judgment the CJEU said that the Google search engine is subject to EU data protection law and that Google has a duty to uphold the rights of individuals to have personal data erased from its search results unless there is a legitimate interest in having public access to that information.
In an age where you are who Google says you are, the judgment was decisive in setting boundaries for the tech giants.
We were curious about the other arguments that had been raised before the CJEU and how they had been dealt with, so we requested the submissions made in the case from the European Commission Legal Service under Regulation (EC) 1049/2001, on public access to European Parliament, Council and Commission documents.
Before July 2017, the European Commission maintained that the written submissions of the parties did not come within the scope of Regulation 1049/2001. The CJEU decision in Commission v Patrick Breyer (Case C-213/15 P) changed this and allowed for access to documents submitted to the court by third parties to be released after a case had been decided. This increased transparency allows for greater understanding of the ECJ’s reasoning and the consideration it gives to the arguments made before it.
The Legal Service shared the written observations to the Court of :
- The European Commission,
- Google Spain SL and Google Inc. (the Appellants),
- the Greek Government,
- the Spanish Government,
- the Italian Government,
- the Austrian Government and
- the Polish Government.
The Commission’s response is set out in its letter:
Of interest was the summary treatment by the Court of arguments of proportionality and the right to operate a business; the “mere economic interest” of the search engine was dismissed despite the protection offered to the ‘freedom to run a business’ under article 16 of the Charter of Fundamental Rights. The concerns raised by Google that in singling it out, it would be unduly prejudiced, quickly dissipated when other search engines, such as Yahoo and Bing (operated by Microsoft) recognised the implications of the judgment for them and adapted.
The submissions are in French, as this is the working language of the European Court of Justice, but if there is something among the documents you’d like to examine in more detail, we’re happy to help – language is no barrier here!
Update: The text of the judgment is available at this link.
In a ground-breaking judgment the High Court has recognised in the Irish constitution a right to environmental protection consistent with the human dignity and well-being of citizens.
The proceedings, brought by the Cork-based environmental NGO Friends of the Irish Environment, concerned a challenge to a decision of Fingal County Council granting the Dublin Airport Authority a five-year extension to a 2007 planning permission for the construction of a third runway at Dublin Airport.
FIE argued various points of European and Irish law including that the Irish constitution granted implicit environmental protections.
While the challenge was ultimately unsuccessful on the technical ground that FIE didn’t have legal standing to bring a challenge under the relevant legislation Mr Justice Barrett nevertheless dealt at some length with the issue of whether there was a personal right to environmental protection in the Constitution.
In summarising its conclusions, the court noted that until recently the exploitation of natural resources had few legal restrictions but lately awareness has grown of the limits to environmental exploitation and of the toll that industrial and technological progress had taken on the environment. Such a historical, exploitative approach, the court said, has been tempered in recent years through European law and through greater public concern about environmental protection and its connection with our quality of life.
It was in this context that the court went on to state:
A right to an environment that is consistent with the human dignity and well-being of citizens at large is an essential condition for the fulfilment of all human rights. It is an indispensable existential right that is enjoyed universally, yet which is vested personally as a right that presents and can be seen always to have presented, and to enjoy protection, under A1t. 40.3.1° of the Constitution. It is not so utopian a right that it can never be enforced.
Concrete duties and responsibilities will fall in time to be defined and demarcated. But to start down that path of definition and demarcation, one first has to recognise that there is a personal constitutional right to an environment that is consistent with the human dignity and well-being of citizens at large and upon which those duties and responsibilities will be constructed.
While the decision of the High Court is open to appeal it nevertheless represents a historic judicial recognition of environmental rights in the Irish Constitution.
FP Logue acts for Friends of the Irish Environment