“It was like that when I got here” and other problems
An interesting data protection decision was published from the District Court recently. The decision of Quirke J. in Shuvo v McCauley concerns the relevance of some core data protection principles in the context of the performance of an administrative function by a member of An Garda Síochána, in this case the decision-making around the awarding of a taxi licence.
The upshot of the decision is that, because a member of An Garda Síochána involved in a decision-making process on the renewal of a taxi licence obtained personal data relating to the applicant without a clear lawful basis and without appropriate transparency as to the processing of personal data, the decision to refuse the renewal was overturned.
This case is interesting as it touches on many of the topics and key learning points that Castlebridge tries to hammer home with public sector clients regarding law enforcement processing of personal data and the interplay between the Data Protection Act 2018 and the Data Sharing and Governance Act 2019.
In paragraph 76 of the decision, the judge comments that “this is a decision on the exact facts of one case”. Therefore, it’s worth summarising the fact pattern in this case for reference:
- A decision maker in a body tasked with a statutory function used personal data obtained without a clear lawful basis from another public body to make a decision relating to a data subject.
- The obtaining of this data from the other public body was not disclosed to the data subject prior to the processing taking place.
- Reliance was initially placed on specific statutory provisions as the lawful basis for disclosure (specifically s8(1) and (2) of the Immigration Act 2003, Section 41(b) of the Data Protection Act 2018, and section 261(2) of the Social Welfare Act 2005 as amended).
- Section 38 and Section 49 of the Data Protection Act 2018 were also cited as basis for the request of disclosure of personal data from the other public body and as a lawful basis for processing.
Law Enforcement Function vs Function assigned to Law Enforcement
The first thing that crops up when looking at this case is the importance of distinguishing between a “law enforcement function” under Part 5 of the Data Protection Act 2018 (which transposes the Law Enforcement Directive, Directive 2016/680/EU, into Irish law) and what I will refer to here as a “function assigned to law enforcement”.
A ‘law enforcement function’ isn’t defined directly in either Section 69 of the DPA 2018 or the Directive. Rather, we need to look at the definition of “competent authority” in the legislation to glean that a ‘law enforcement function’ is one that relates to the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security”. So, if you have a piece of legislation that sets out categories of offences, a body that is tasked with the prevention, investigation, detection or prosecution of those offences, or with the execution of penalties for them, is a Competent Authority with a law enforcement function.
On that basis, An Garda Síochána is a competent authority tasked with law enforcement functions. As is the Military Police of the Irish Defence Forces, the Revenue Commissioners, and even the ISPCA, to name but a few.
But this case relates to a function that is delegated to the Gardaí under the Taxi Regulation Act 2013, specifically Section 8 of that Act. This is an administrative function that is assigned to the Gardaí, not a law enforcement function, as it is not one of the things enumerated in the definition of ‘Competent Authority’ in Section 69 of the Act. As such, Part 5 of the Data Protection Act 2018 doesn’t apply and we find ourselves in the general area of the GDPR and Part 3 of the Data Protection Act 2018 when considering what the scope of the duties of the Controller are when processing personal data for that purpose.
Teachable Moment #1: Law Enforcement bodies may have functions assigned to them or delegated to them under legislation which are not within the scope of a Part 5 ‘law enforcement function’. It’s important to pay attention so that the correct provisions of GDPR/DPA 2018 are applied!
The Importance of a clear legal basis and transparency for processing personal data
A key issue in this case is that the original request for data from the Department of Justice relating to the applicant had no legal basis. The process it was to be used in (a decision on suitability to have a taxi licence) was not a function under the Immigration Act 2003 or the Social Welfare Consolidation Act 2005. Nor was it for the purposes of the prevention, investigation, or detection of a criminal offence, which were the grounds cited in the initial request for data from the Department of Justice.
It was for an administrative purpose under Section 8 of the Taxi Regulation Act 2013, a function conferred on the Gardaí under an enactment. This could have brought Section 38 of the Data Protection Act into play, as that provided a general basis for processing where it was necessary for the performance of a function conferred under an enactment (s38(1)(a)). For special category data, Section 49 of the Data Protection Act 2018 might arguably have provided some basis for processing special category data or data relating to the data subject.
However, as the Court correctly finds, section 38 of the Data Protection Act 2018 has been set aside by Section 6(2) of the Data Sharing and Governance Act 2019 for any sharing of data between public bodies which is not necessitated by a specific legislative requirement. There is no longer a general power under the DPA 2018 that makes processing lawful simply because it is required for a function under an Act.
As the Gardaí didn’t cite Section 49, the Court could not determine if it provided a lawful basis, and the Court highlights in paragraph 68 that the lawfulness of processing relying on s49 has not been proven in this case. However, it’s important to note that s49 only applies to special category data, so it might not actually be of assistance in this case or in other more general cases. In any event, it isn’t possible to separate special category data from non-special category data, so the Section 38 DPA/Section 6(2) DSGA problem likely still remains.
It is noteworthy that the Court remarks in two paragraphs (paragraph 42 and paragraph 44) that no reference was made by the Gardaí to either Section 38 of the Data Protection Act 2018 or Section 49 as a basis for processing.
It is also noteworthy that the Court highlights that the lack of transparency in processing is an issue that might affect the lawfulness of processing (hint: it will. Bara and Schrems II are very clear on the need for transparency of processing even where there is a lawful basis), and the judgement strongly hints that a Data Sharing Agreement under the DSGA 2019 is needed.
This echoes the DPC’s decision re the Department of Health where they considered the application of Section 38 of the Data Protection Act 2018 and the application of the Data Sharing and Governance Act 2019 to the sharing of data by the HSE and other Public Bodies with the Department. Readers are pointed to paragraphs 9.15 and 9.16 of the DPC’s decision where they are clear that:
- Section 38 of the Data Protection Act 2018 has been disapplied by Section 6(2) of the DSGA 2019 and cannot be relied on as a basis for sharing of personal data as there is, in effect, a statutory prohibition on sharing outside the scope of the Data Sharing and Governance Act 2019, unless a specific statutory basis for a specific instance of sharing exists under other legislation.
- Data Controllers should have been putting Data Sharing agreements in place by July 2021.
Teachable Moment #2: It’s really important to be clear on the actual legal basis for processing, particularly when data is being shared between organisations. This is a fundamental data protection requirement and is just good Data Governance. I personally think the non-citing of s49 here in the first instance has allowed a bullet to be dodged, but it’s only a matter of time before the question of whether special category data (the data that reveals a protected class of data) can be processed separately from non-personal data comes before the Courts in Ireland.
The need to apply EU Law when interpreting Irish Law
At paragraph 64 of the judgement the Court references the submission from the Garda Superintendent that, as the matter relates to domestic law, there is no need to consider EU law. Quite rightly, short shrift is given to this in the subsequent paragraph. Domestic law has recognised the subsidiarity principle and, specifically, the need to consider the application of the EU Charter of Fundamental Rights (which, as an aside, is incorporated into Irish law via the Lisbon Treaty).
This is, however, a recurring theme in cases involving the application of EU law to administrative functions of public bodies. As it is not just limited to data protection matters, arguably the State needs to invest in some training on EU law fundamentals for decision makers.
This highlights an important data governance principle: it’s important for people who are making decisions in relation to data and data processing to be aware of and understand all relevant legal and regulatory obligations and core principles relevant to the processing at hand. As the DAMA DMBOK puts it: “Data governance is about how people and processes behave in relation to data”.
Teachable Moment #3: EU law is Irish law because we have to apply EU law, in particular the Charter, when interpreting domestic law. This is such a well-established principle that I have a concussion from beating my head off the desk trying to get that point across. From a Data Governance perspective, it means that people making decisions about or with data need to be aware of the holistic regulatory environment, at least at a principles level.
The “It was like that when I got here” defence
In paragraph 46 the Court references the Superintendent’s description of the process he believed to be necessary and which was “the system he inherited from his predecessor”. This case is a good illustration of the inherent weakness in the “it was like that when I got here” defence and highlights the need for ongoing and constant review of processes and procedures against current legislative and regulatory requirements as part of the general Data Governance framework of the organisation.
Teachable Moment #4: The concept of “appropriate organisational and technical controls” in GDPR brings with it the idea of continuous improvement. This is a fundamental governance principle. On a practical basis, if you inherit a process, look at it, and find it is deficient, you can blame your predecessor for any failures. If you blindly follow the same process without checking it is still ‘fit for purpose’, then the fallout falls to you to manage.
The Direct Approach is sometimes the best
Interestingly, the Court raises the question in paragraph 75 of whether the outcome would have been different if Mr Shuvo had been asked directly to provide the information or clarification that had been sought from the Department of Justice. A similar question was raised in the DPC’s decision regarding the Department of Health, where the DPC made the point that direct engagement with the affected families might have better served the public interest being pursued.
Conclusion
Quirke J. is at pains in her judgement to make clear that the case hinges on a specific fact pattern and should not be automatically considered directly applicable to other contexts. However, notwithstanding that:
- The fact pattern is one which occurs all too often in data sharing, particularly in the Irish Public Sector.
- The assessment of the application of the various legal grounds for processing is what is fundamentally required under GDPR.
- The finding and outcome are in line with established DPC decisions and precedent on similar fact patterns.
Therefore, it is important that Public Bodies get their house in order in respect of the governance of data sharing!