Clarifying Data Controller Status under GDPR for Unauthorized Personal Use of Work Devices

Introduction

McShane v Data Protection Commission ([2025] IEHC 191) concerns a judicial review challenge by Eamon McShane, a Fire Prevention Officer employed by the Health Service Executive (“HSE”), to the decision of the Data Protection Commission (“DPC”) dismissing his complaint that his personal data on an HSE-issued mobile phone had been breached. McShane alleged that both “work-related” and “non-work-related” personal data on the device were subject to unauthorized access following a broader HSE ransomware attack in May 2021. The DPC concluded, on 23 May 2022, that the HSE was not a “data controller” for the applicant’s personal data because it had not authorized personal use of the phone. McShane obtained leave to challenge that finding. The High Court was asked to quash the dismissal (certiorari), mandate a proper investigation (mandamus), and declare the DPC’s process unlawful.

Summary of the Judgment

Delivered by Mr. Justice Barry O’Donnell on 3 April 2025, the judgment:

  1. Dismissed the DPC’s preliminary contention that McShane should have pursued a statutory appeal rather than judicial review, finding the DPC’s decision language too vague to trigger an obvious appeal route.
  2. Held that the DPC investigated McShane’s complaint “with all due diligence,” focusing appropriately on the non-work personal data McShane himself had stored in contravention of HSE policy.
  3. Found that the HSE was not a “data controller” in respect of non-work-related personal data because it neither determined its purposes nor authorized its processing, as required by Article 4(7) GDPR.
  4. Refused all substantive relief, concluding the DPC’s decision was lawful, rational, and within its statutory powers under the Data Protection Act 2018 (“2018 Act”) and the GDPR.

Analysis

Precedents Cited

  • Meadows v Minister for Justice ([2010] 2 I.R. 701) – Established the Wednesbury standard of irrationality for administrative decisions.
  • Petecel v Minister for Social Protection ([2020] IESC 25) – Confirmed that statutory appeal mechanisms ordinarily must be exhausted before judicial review.
  • Ryan v Data Protection Commissioner ([2024] IECA 152) – Held supervisory authorities handle complaints “with all due diligence” but enjoy discretion in appropriate investigations under Article 57(1)(f) GDPR.
  • TR v Land Hessen (C-768/21) – Emphasized GDPR supervisory authorities must inform complainants of progress and outcome within a reasonable period, handling complaints diligently.
  • Schrems II (Data Protection Commissioner v Facebook Ireland Ltd) (C-311/18) – Advocate General underscored supervisory authority latitude in complaint handling.
  • Hayes & Foley v Environmental Protection Agency ([2024] IECA 162) – Reaffirmed that judicial review grounds must mirror those on which leave was granted.

Legal Reasoning

The Court’s reasoning unfolded in two main strands:

  1. Alternative Remedy: Although statutory appeal under Section 150(5) of the 2018 Act was available, the DPC’s dismissal/rejection email of 23 May 2022 failed to specify which statutory power it invoked or to inform McShane of appeal rights. The Court found the decision sufficiently vague that equity favored allowing judicial review rather than dismissing the claim for failure to exhaust remedies.
  2. Substantive Merits: The Court analyzed the materials before the DPC when it decided McShane’s complaint:
    • The original complaint and correspondence focused exclusively on personal (non-work) accounts (Gmail, Yahoo, Binance, Fitbit) accessed via the phone in breach of HSE IT policy.
    • When asked by the DPC how HSE could be controller of data processed without authorization, McShane’s reply reinforced that argument in terms of improper access, not elaborating any grievance about “work-related” personal data.
    • Under Article 4(7) GDPR, a “controller” is the entity that determines purposes and means of processing personal data. The unauthorized storage by McShane himself precluded HSE’s controller status.
    • The DPC applied its discretion “to the extent appropriate” and reached a lawful, rational conclusion fully supported by the factual matrix and legal definitions.

Impact on Future Cases

This decision clarifies several points:

  • Employers (or other entities) cannot be deemed GDPR “data controllers” over personal data that employees store or process on work devices without authorization.
  • DPC decisions must clearly identify the statutory basis of complaint handling (e.g., dismissal under Section 109(5)(a) or rejection under Section 109(5)(b)) and expressly inform data subjects of appeal rights under Section 150.
  • Judicial review of DPC actions remains available where decision letters are vague as to remedy routes, reinforcing principles of good administration and fair notice.
  • Complaint handling by supervisory authorities must be “appropriate” to the case: focus is guided by the complaint’s precise scope and supporting materials, without imposing open-ended investigations.

Complex Concepts Simplified

  • Data Controller (Article 4(7) GDPR): The person or body that decides why and how personal data are processed. Unauthorized user data does not make the device-provider a controller.
  • Section 109(5)–(6), 2018 Act: Provides for rejection or dismissal of complaints by the DPC, which must be communicated in writing with appeal information.
  • Ultra Vires: A decision beyond the decision-maker’s legal power.
  • Irrationality (Wednesbury): A decision so unreasonable that no reasonable authority could have reached it.
  • Leave to Apply for Judicial Review: Preliminary permission granted when an applicant demonstrates arguable grounds; the grounds on which leave is granted delimit the case, so new issues cannot be introduced without further leave.

Conclusion

McShane v Data Protection Commission establishes that personal data placed on a work-issued device without authorization remains beyond the scope of an employer’s GDPR controller obligations. It underscores the necessity for supervisory authorities to:

  • Frame decisions with statutory precision and clear appeal pathways,
  • Investigate within the explicit parameters of the complaint, and
  • Apply definitions of key GDPR roles (controller, processor) in line with Article 4.

For employers, DPC officers, and legal practitioners, this judgment provides a structured roadmap for complaint handling, delineates controller boundaries, and respects procedural fairness in data protection enforcement.

Case Details

Year: 2025
Court: High Court of Ireland