A recent judgment of the High Court considered the issue of exactly who is the data controller under Irish law of personal data held by a company in liquidation. This issue arose, possibly for the first time in this jurisdiction in the recent judgment of Keane J In the Matter of Mount Carmel Medical Group (South Dublin) Limited (In Liquidation) [2015] IEHC 450.
This case concerned the liquidation of a private hospital where for cost reasons the liquidator had agreed to outsource the ongoing management of patient records to St James Hospital, an operating hospital. Under the contract the liquidator would have benefited from an indemnity in relation to amongst other things breaches of the Data Protection Acts. Under normal circumstances such a contract would be considered to be a controller-processor arrangement with the service provider (in this case St James Hospital) merely acting as a data processor on the instructions of the controller. However, in this case the liquidator sought declarations from the Court that the contract transferred full control over the personal data to St James thereby making it the data controller and absolving the company (and the liquidator) from any further obligations as data controller. In fact the liquidator made it clear to the court in its submissions that the purpose of the outsourcing contract was in large part to transfer data protection liabilities to St James Hospital.
The court considered the UK case of Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch) where a liquidator was held not to be a data controller since it merely acted as an agent for the insolvent company which had possession of the personal data at issue. Keane J pointed to several factual similarities between Mount Carmel and Southern Pacific but in the end did not find it necessary to make a finding based on Irish insolvency law as to whether a liquidator is a data controller in its own right over personal data contained in records that it has a statutory obligation to retain.
Having considered the matter in detail and having ordered the Data Protection Commissioner to make submissions, the Court declined to grant the declarations sought. Even though the Commissioner supported an amended declaration the court felt that to do so would transgress on the jurisdiction of the Data Protection Commissioner to make determinations concerning the rights of data subjects. The Court was of the view that such matters as the identity of the data controller and the question of each party’s compliance with the Data Protection Acts were properly matters for the Commissioner to decide and that the Court should not interfere with that jurisdiction.
106. In this case, faced with that authority, the DPC, through her Counsel, disavows any suggestion that the ‘enforcement of data protection’ functions allocated to her by the Oireachtas under s. 9 of the DPA – broadly comprising a power to investigate any alleged contravention of the DPA; a power to render decisions in writing in that regard (subject to a right of appeal to the Circuit Court, and a further right of appeal to this Court on a point of law); and a power to issue enforcement notices – should be viewed as conferring upon her an exclusive jurisdiction to make decisions concerning any alleged contravention of the DPA. In adopting that position, the DPC points to the provisions of s. 7 of the DPA whereby a duty of care owed by a data controller or data processor to a data subject is expressly recognised for the purpose of the law of torts, to the extent that it is not already provided for under the common law.
107. S. 7 removes any doubt that there might otherwise have been that there is a right to claim damages in proceedings before the courts for breach of a duty of care owed to a data subject by a data controller or data processor. To that extent, it is plain that the jurisdiction conferred upon the DPC by the Oireachtas to determine certain issues under the DPA is not an exclusive one.
108. However, the fact that this Court has jurisdiction to deal with actions in tort alleging the breach of a duty of care recognised under the DPA does not mean that it should not be alert to the potential problems that the exercise of its discretion to make declaratory orders might create in that context. There seems to me to be a clear danger of overlapping and unworkable jurisdictions, were I to consider making orders determining the future rights of data subjects in proceedings to which those persons are not party, thereby depriving them of any meaningful right to make a complaint to the DPC concerning the company’s processing of their personal data; to have that complaint investigated by the DPC; to have a decision made upon it, subject to a right of appeal to the Circuit Court and, on a point of law, to this Court; or to have any decision in their favour ultimately enforced by the DPC. Indeed, were I to make the declarations now sought, they would have the further obvious effect of adversely predetermining any claim in tort that might later be brought by any data subject against the company, as data controller, for breach of the duty of care recognised by s. 7.
This is a sensible judgment given the statutory obligations which data controllers should meet, it probably would not be in the interests of data subjects for the role of data controller to be decided in advance merely so that liability can be assigned as between parties to a contract concerning personal data.