Helen Dixon, Data Protection Commissioner. Photograph: Cyril Byrne
People who believe they have suffered a breach of their data privacy rights have no entitlement to an oral hearing when they complain to the Data Protection Commissioner, the High Court has ruled.
Judgment in proceedings taken by garda alleging privacy breach by credit union
Monday 15th August – The Irish Times : Elaine Edwards
The judgment was handed down by Mr Justice Robert Haughton last week in a case involving a garda who claimed his credit union showed his confidential financial statements to his father and indicated his loans were in trouble.
Garda Kevin Martin, a member of St Raphael’s Garda Credit Union, claimed his data protection rights were breached when a representative of the credit union turned up at his father’s home in November 2012 and showed him the documents.
The credit union denied that the person who called to the house had discussed or disclosed any sensitive or personal information. Dublin-based Mr Martin, through his solicitors Lawlor Partners, had sought an order that the commissioner conduct an oral hearing into his complaint in circumstances where there was a dispute over what had happened in an alleged oral breach of the Acts.
Mr Justice Haughton ruled that neither the EU data protection directive of 1995, nor the Data Protection Acts of 1988 and 2003 gave the commissioner the power to hold such a hearing.
During a lengthy investigation and exchange of communications with Mr Martin, the commissioner Helen Dixon argued the law did not give her the power to administer an oath, compel the production of documents or compel the attendance of witnesses. She did not provide for, nor did she have the facilities to conduct, an oral hearing, and there was no established practice to conduct oral hearings among the data protection authorities of EU member states.
Dismissing the judicial review proceedings, Mr Justice Haughton said the garda’s claim for reliefs were “rendered moot” by the issuing of a formal statutory decision by the commissioner on March 23rd, 2015. Ms Dixon was not empowered under the Data Protection Acts, 1988 and 2003 to hold an oral hearing in relation to disputed facts arising on investigation of a complaint, nor did she have any inherent power to hold an oral hearing.
The judge also noted in his ruling that the Oireachtas had made very detailed provisions for oral hearings in other legislative frameworks, such as in the Central Bank Act, the Medical Practitioners Act and the Pharmacy Act.
“These are all examples of the kind of legislative provisions that may reasonably be expected to feature in modern legislation if the Oireachtas intends that an administrative body is to have the power to hold effective oral hearings – and which are absent in the present case,” he wrote in his judgment.
Mr Justice Haughton also said Mr Martin could have appealed the commissioner’s decision of March 23rd, 2015 to the Circuit Court, and that court could have joined the Credit Union as a notice party and determined the dispute after hearing oral evidence.
Number of appeals
The commissioner received more than 15,000 queries by email and online, and a further 16,000 helpdesk calls in 2015. A total of 932 complaints were opened for formal investigation.
In a speech to a conference hosted by the Irish Centre for European Law in Dublin last month, Ms Dixon noted the “most resource-intensive” element of her regulatory role was hearing individual complaints. She said she believed there was a “huge divergence” between the strategic and systemic issues that data protection regulators spend a lot of time talking about and what they spend their time investigating in terms of what individuals complained about.