McShane v Data Protection Commission (Approved)

Factual and Procedural Background

The Applicant, employed as a fire prevention officer by the Notice Party, was provided a mobile phone for work use. On 15 December 2021, the Applicant lodged a complaint with the Respondent concerning a data breach involving personal data stored on that phone. The complaint arose following a significant ransomware attack on the Notice Party's systems in May 2021, after which the Applicant's personal email and cryptocurrency accounts were reportedly hacked, resulting in a loss of funds. The Applicant believed the work phone was the source of the breach.

The Respondent investigated and, on 23 May 2022, decided to dismiss the complaint on the basis that the Notice Party was not a "data controller" under the General Data Protection Regulation (EU) 2016/679 ("GDPR") because the Applicant had used the work phone for personal purposes without authorization, and thus the Notice Party did not determine the purposes and means of processing the personal data in question.

The Applicant sought to appeal this decision but was informed that a statutory appeal was not available. Subsequently, the Applicant applied for judicial review, and on 19 October 2023, the High Court granted leave to proceed with the judicial review on a "not very high standard" to assert entitlement to leave.

The judicial review focuses on the lawfulness of the Respondent's 23 May 2022 decision, specifically challenging the finding that the Notice Party was not a data controller in respect of the personal data stored on the work phone.

Legal Issues Presented

1. Whether the Respondent lawfully determined that the Notice Party was not a data controller under the GDPR in respect of the personal data stored on the Applicant's work phone.
2. Whether the Applicant was obliged to exhaust the statutory appeal mechanism before seeking judicial review, given the nature of the Respondent's decision.
3. Whether the Respondent failed to properly investigate the Applicant's complaint with due diligence as required under the GDPR and the Data Protection Act 2018.

Arguments of the Parties

Applicant's Arguments

• The Applicant contended that the Respondent erred in law by concluding the Notice Party was not a data controller, as work-related personal data stored on the phone should have been considered personal data for which the Notice Party was responsible.
• The Applicant argued the Respondent departed from its own guidance by failing to investigate whether the Notice Party complied with its obligations as a data controller concerning the work-related personal data.
• The Applicant asserted that the Respondent did not conduct a proper investigation with due diligence, dismissing the complaint prematurely ("in limine").
• The Applicant claimed a breach of the right to good administration, emphasizing that the Respondent's decision was vague and failed to inform him of the statutory appeal rights.
• The Applicant relied on relevant GDPR provisions, CJEU case law, and the Respondent's own guidance to support the obligation for a thorough investigation.

Respondent's Arguments

• The Respondent contended that the complaint related solely to non-work related personal data, which the Applicant had stored on the work phone without authorization, and therefore the Notice Party was not a data controller for that data.
• The Respondent argued that the Applicant should have pursued the statutory appeal mechanism following the 23 May 2022 decision, which was a legally binding rejection of the complaint.
• The Respondent maintained that it conducted an appropriate and proportionate investigation consistent with its statutory duties and the nature of the complaint.
• The Respondent emphasized that the Applicant accepted unauthorized personal use of the phone, undermining the claim that the Notice Party controlled the processing of the non-work related personal data.
• The Respondent relied on the Data Protection Act 2018 and GDPR provisions to justify its findings and procedural approach.

Table of Precedents Cited

Precedent	Rule or Principle Cited For	Application by the Court
Meadows v. Minister for Justice, Equality and Law Reform [2010] 2 I.R. 701	Test for unreasonableness in judicial review.	Applied to assess whether the Respondent's decision was irrational; court found no irrationality.
Petecel v Minister for Social Protection [2020] IESC 25	Requirement to exhaust statutory appeal remedies before judicial review.	Referenced in considering whether the Applicant should have pursued statutory appeal; court found some vagueness in Respondent's decision justified proceeding with judicial review.
Ryan v Data Protection Commissioner [2024] IECA 152	Discretion of supervisory authority in handling complaints; obligation to handle complaints with due diligence.	Used to confirm the scope of Respondent's discretion and that the investigation was appropriate and proportionate.
Hayes and Foley v. The Environmental Protection Agency and Others [2024] IECA 162	Scope of judicial review proceedings must align with pleaded case and granted leave.	Applied to restrict Applicant from expanding grounds beyond those for which leave was granted.
Hayes v. The Property Services Appeal Board [2023] IEHC 282	Importance of complainant fully setting out basis of complaint; decision based on original complaint material.	Guided court to assess Respondent's decision based on materials before it and the specific complaint made.
TR v Land Hessen (Case C-768/21)	Supervisory authorities must handle complaints with all due diligence appropriate to the case.	Applicant relied on this to argue for a more thorough investigation; court considered this in assessing Respondent's discretion and diligence.
Data Protection Commissioner v. Facebook Ireland Ltd (Case C-311/18) (Schrems II)	Margin of discretion afforded to supervisory authorities in complaint handling.	Referenced in opinion supporting the discretion of the Respondent in handling complaints.

Court's Reasoning and Analysis

The court carefully delineated the scope of the judicial review to the grounds on which leave was granted, rejecting attempts by the Applicant to broaden the issues beyond the original complaint regarding non-work related personal data. The court emphasized the necessity for complainants to clearly define the basis of their complaints, referencing precedent to underline that supervisory authorities are entitled to consider complaints as presented without speculating on broader unarticulated issues.

The court acknowledged some vagueness in the Respondent's decision and communication, particularly regarding the statutory appeal process, which justified allowing the judicial review to proceed despite the usual requirement to exhaust statutory remedies.

On the substantive issue, the court found that the Respondent’s decision was lawful and properly based on the evidence and the complaint as presented. The Respondent reasonably concluded that the Notice Party was not a data controller in respect of the non-work related personal data because the Applicant used the work phone for personal purposes without authorization, and the Notice Party did not determine the purposes and means of processing that data.

The court rejected the Applicant's contention that the Respondent failed to investigate with due diligence, finding that the Respondent’s investigation was appropriate and proportionate to the specific complaint. The court also rejected any ultra vires or irrationality claims, concluding that the Respondent acted within its statutory discretion and in accordance with legal principles.

Holding and Implications

The court REFUSED the application for judicial review, upholding the Respondent's decision of 23 May 2022 dismissing the Applicant's complaint.

The direct effect is that the Respondent's legal characterization of the Notice Party as not being a data controller for the personal data stored on the Applicant's work phone stands. No new precedent was established, and the court emphasized the importance of adhering to the scope of complaints and the procedural requirements for statutory appeals.