Does the existence of legal proceedings between a data requestor and a data controller preclude a data requestor making an access request under the Act?

In the case of Bus Atha Claith/Dublin Bus (the Appellant) .v. The Data Protection Commissioner (the Respondent) the High Court considered an Appeal from the decision of the Circuit Court which had upheld a decision of The Data Protection Commissioners to issue an Enforcement Notice requiring the Appellant to prevent a copy of CCTV footage to a personal injury claimant.

The claimant had allegedly fell on a bus. She made an application to the Injuries Board. She also made an access request pursuant to Section 4 of The Data Protection Act 1988 (as Amended) for release of CCTV footage of the incident. Her solicitors had previously attended at the Office of the Appellant and viewed the CCTV footage. The Appellant rejected the Application on the grounds that any such information was prepared in anticipation of potential litigation and was as such privileged. The personal injury claimant notified the Data Protection Commissioner who instigated an investigation into the matter. Shortly after a Personal Injury Summons was issued in The High Court by the personal injury claimant.

The Data Protection Commissioner subsequently issued an Enforcement Notice requiring the Appellant to provide a copy of the CCTV footage to the alleged injured party. The Appellant appealed the decision to The Circuit Court which upheld the decision of The Data Protection Commissioner.

Bus Atha Claith/Dublin Bus Appealed that decision to The High Court on a point of law.

The Appellant submitted that once proceedings (personal injury) had been issued in The High Court it was the forum of sole competence to deal with the adjudication upon such matters. It contended that pursuant to Section 10 (1) (a) of the Act that the Commissioner should have taken account of the claimants motive for seeking the CCTV footage. (It was not contested that the claimant sought the material solely as a means of furthering her litigation). The Data Protection Commissioner was aware of the proceedings between the parties. It was contended by the Appellant that in the circumstances it would have been appropriate to proceed in seeking material by way of an Application for Discovery in The High Court pursuant to the personal injury litigation. The Appellant submitted that any attempt to seek disclosure outside The High Court is mistaken and inappropriate and an attempt to abuse the function of The High Court.

The Judgment by Hedigan J acknowledged that there was very little jurisprudence on Data Protection Law in the State. It referred to the developments in the UK and in particular the case of Durant .v. Financial Services Authority [2003] EWCA Civ 1746.

The Court in Durant accepted that the purpose of the act in entitling an individual to have access to information in the form of personal data is to enable him to check whether the data control processing of it unlawfully impinges his privacy and that it is not to assist him, for example to obtain Discovery of documents that may assist him in litigation or complaints against third parties.

The Respondent Data Commissioner noted that The Circuit Court Judge in the instant case had referred to the case law in England and held that it was not relevant as the English legislation conferred discretion as to whether or not to grant an order for access.

The Respondent noted that Section 26(3) (b) of the Data Protection Act 1988 (as amended) provide that where the Circuit Court has determined an Appeal from a decision made by the Data Protection Commissioner an Appeal may be brought to the High Court on a point of law against such a decision. The Respondent noted that no indication is given in the Act as to what test is to be applied in the Appeal.

The Respondent referred to Ulster Bank .v. Financial Services Ombudsman [2006] IEHC 323 which stated

“To succeed on this appeal the plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors”.

The Respondent argued that that test had been subsequently followed by the Circuit Court in a number of Data Protection Appeals and by the High Court in Appeals from the Financial Services Ombudsman.

The Respondent noted that the Ulster Bank test was held by Birmingham J to be the test to apply in a Data Protection Appeal (see Nowak .v. Data Protection Commissioner (unreported 7th March 2012)) (please note that case is currently under Appeal to the Supreme Court).

It was submitted by the Respondent that the decision of the Data Commissioner did not contain a serious and significant error or a series of such errors and that the Circuit Court did not make an error of law in rejecting the Appeal.

It was asserted that the question for the Circuit Court and indeed for the High Court was not what it would have done if it had been faced with the complaint but whether the Commissioner exercised his own discretion in such an arbitrary manner as to render it a decision that no Commissioner could have reached. It was submitted that the answer to that question was inevitably “no”.

It was further submitted by the Respondent that if the drafters of the legislation wished to impose limitations for personal data in circumstances where litigation had been instituted they would have done so expressly.

The Respondent strongly refuted the Appellants submission of any attempt to subvert the jurisdiction of the Court.

Further and in addition the Respondent argued that a person’s right to access to personal data is a fundamental right which is expressly provided for by Article 16 of the Lisbon Treaty and thus, the Respondent argued it is submitted that any exemption to Data Protection law should be narrowly construed since it would be an exemption from a fundamental right.

The High Court in addressing the arguments on behalf of the parties noted that the Appellant had made no attempt in the Notice of Appeal to identify any points of law and stated “From the Courts perspective this is completely unsatisfactory. Simply saying that you are appealing the whole of a Judgment does not amount to a valid appeal on a point of law. An appeal on a point of law is just that. The point of law should be identified and the submissions should be directed to that point”.

The Court acknowledged that when pressed on the matter the Appellant did identify the point of law as follows

“Whether the existence of legal proceedings between a data requestor and a data controller precludes a data requestor making an access request under the Act”.

The Court therefore dealt with the issue on the very narrow point of law as identified by the Appellant above.

It held that the English case law relied on by the Appellant was not relevant on a number of grounds. The Court noted that in effect the Appellant was seeking to carve out a new exception in the Acts to the effect that whenever a data requestor has institute litigation against a data controller he or she is precluded from the data access request under the Acts.

The Court accepted the Respondents submission that if the drafter of the legislation wished to place such limitations on the right to access to personal data then they would have done so expressly.

The Appeal was dismissed.

The text of the Judgment can be found here :