A recent Supreme Court judgment demonstrates the importance of protecting individuals’ rights to privacy when conducting regulatory investigations. These rights stem from the Irish Constitution and the European Convention on Human Rights (ECHR). The preservation of privacy rights in investigations will be reinforced by the introduction of the GDPR in May 2018 and the transposition of the Law Enforcement Directive (Directive) in Ireland.
Recent Supreme Court judgment
CRH Plc, Irish Cement Ltd (ICL) and Séamus Lynch v The Competition and Consumer Protection Commission (CCPC)
In May 2017, the Supreme Court delivered judgment in an appeal lodged by CCPC against an injunction granted in favour of the respondents to include ICL. The case related to a ‘dawn raid’ carried out by CCPC in accordance with its statutory powers to obtain information potentially required for an investigation into alleged breaches of competition law by ICL. CCPC obtained a search warrant and seized material from ICL's premises including the entire email account of a senior executive of ICL which contained more than 100,000 emails.
ICL argued that a significant proportion of the emails were outside the scope of the search warrant and were not related to the investigation. The High Court found in favour of ICL and granted an injunction restraining CCPC from examining the email account. The injunction was granted on the basis that the email account was not included within the terms of the search warrant, nor was its seizure permitted on a plain interpretation of CCPC's statutory powers. The court considered that to infer a right that was outside the scope of CCPC’s statutory permission could amount to a breach of an individual’s right to privacy under the Irish Constitution and Article 8 of the ECHR.
CCPC appealed the decision; however, the Supreme Court dismissed the appeal.
Key aspects of judgment
The Supreme Court held that CCPC should have sought to ensure that the privacy rights of ICL personnel were protected while carrying out its investigation. Any interference with these rights would need to be proportionate to the legitimate aim pursued i.e. in accordance with law and necessary in pursuing an investigation into a potential breach of competition law. The court held that ICL should write to CCPC to list any private material that was seized, setting out why this material required the protection of privacy rights. An initial electronic examination of the material could then be carried out by using word-specific searches, in order to identify any documents that are private and, therefore, not relevant to the investigation. Once identified, these materials should be destroyed. The court suggested that a representative of the senior executive be entitled to attend this initial examination.
The Supreme Court also suggested that CCPC consider preparing a code of practice, involving individual protocols, for future cases.
The Supreme Court judgment demonstrates that regulators must seek to acknowledge and protect individual rights to privacy under Irish and EU law when searching for and seizing material during an investigation. These privacy rights will be further enhanced by the introduction of the GDPR and the Directive. The Directive aims to protect the rights of persons with regard to the processing of personal data by competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences or the execution of criminal penalties and on the free movement of this data. Article 10 of the GDPR will also afford protection, by way of appropriate safeguards for the rights and freedoms of data subjects, in the processing of personal data relating to criminal convictions and offences. The Data Protection Bill 2017 will transpose the Directive into Irish law and will give effect to the GDPR.
Tips for regulators
- Regulators must act proportionately and should ensure that search warrants are clear in terms of material that can be seized.
- If the legislative power of a regulatory body is not clear in terms of material that can be taken, copied, retained and subsequently analysed, the regulator should consider preparing a code of practice to include an appropriate methodology for conducting an initial examination of the material.
- If private or sensitive material is at risk, the regulator should consider any submissions advanced by the raided company in this regard. It should engage with the company to agree an initial examination of the material by using appropriate search terms; potentially with a representative of the company present.