Insolvent companies often hold a large volume of personal data, such as customer lists or user data. Who is responsible for this information? Recently, the Irish High Court decided a case concerning the transfer of patient records from a private hospital in liquidation. The Court was asked to declare that upon transfer of patient records, the recipient, rather than the insolvent company or its liquidator, would be the “data controller” of the personal data in those records meaning that the recipient, not the insolvent entity or liquidator, would be responsible for future compliance with data protection law.
The case is a useful reminder that the identity of a data controller is a matter of fact and not contractual drafting.
The case relates to the liquidation of the Mount Carmel Medical Group (the “Company”), which had operated a private maternity hospital in Dublin. As a result of its operations, the Company held a wide number of hospital records. These records needed to be maintained for medical reasons. The liquidator proposed to transfer these records to St James’s Hospital (“SJH”), a large public hospital, which would provide patient data management services. The liquidator asked the Court to clarify the impact of data protection law on this proposal.
In particular, the liquidator asked whether SJH:
- Would be the data controller of the data upon transfer of the records; and
- Could disclose the records to the liquidator, if the liquidator needed access to the records after the transfer.
The transfer concerned patient records, relating to approximately 118,000 patients and dating back to about 1946. In light of the potential for serious impact on data protection rights – given that much of the data is “sensitive personal data” – the Court notified the Data Protection Commissioner (“DPC”). However, the Court pointed out (as the DPC had acknowledged) that the DPC has no power to pre-authorise or approve such a transfer arrangement.
A rather unique factor to the liquidation was the fact that the Company was not likely to be fully wound down for 18-20 years. This was aimed at taking account of potential legal actions against the Company by persons born at the hospital who had not yet passed the age of 18.
Transfers of Data & Transfers of Obligations
The proposed contract between the parties stated that after transfer, the recipient, SJH, would become the data controller in respect of the records. Notably, there was no transfer of a business under the contract but merely a transfer of personal data and the associated data protection law responsibilities.
The judge made clear that one shouldn’t give undue weight to the person who the contract designates as the data controller. Instead, the identity of the data controller is a question of fact. The emphasis must centre on who will, in reality, exercise control over the data.
Ultimately, the Court considered it was inappropriate to exercise its discretion to make a declaration. The Court weighed a number of factors, including:
- that there was no precedent for making such a declaration;
- that it had concerns of overlapping jurisdiction with the DPC; and
- the danger of limiting data subjects from taking future legal actions against the appropriate person.
Implications of the Case
The case is an important reminder that, in general, it is the facts and circumstances, rather than the contract itself, which identify the data controller. This case also provides clarity on the scope of the court’s role in making declarations regarding personal data. It is interesting to note that even where the DPC supported the Court in making the declaration requested, the Court declined to exercise its power.
Unfortunately, the case has failed to clarify where the legal obligations lie. The Court’s reluctance to exercise its power means that neither the DPC nor the Courts appear to be able to grant any sort of advance pre-approval for similar transactions.
Interestingly, it also appears to mark the first time that the far-reaching Google Spain decision has been cited by the Irish Courts, as the Court emphasised that the fundamental right to privacy must be weighed in such decisions. This reflects a growing trend across Europe to take account of such rights in the context of data protection. For more on Google Spain, see our analysis here.