On 6 October 2014, Bray District Court convicted a firm of private investigators, M.C.K. Rentals Limited (“MCK Rentals”), of unlawfully obtaining access to personal data and disclosing it to another person in contravention of the Data Protection Acts 1988 and 2003 (the “DPA”). The court also convicted the two directors in their personal capacity for their part in the offences committed by MCK Rentals.
More recently on 24 November 2014, Dublin Metropolitan District Court convicted Michael J. Gaynor, a private investigator trading as MJG Investigations, of unlawfully obtaining access to personal data and disclosing it to another person in contravention of the DPA. Mr Gaynor was also prosecuted for processing personal data without having registered as a data processor with the Office of the Data Protection Commissioner (the “DPC”).
These prosecutions arose out of investigations undertaken by the DPC. The DPC discovered that MCK Rentals was retained by a number of credit unions to ascertain the current addresses of a number of credit union customers in arrears. The credit unions provided certain of the customers’ personal data (e.g. PPS numbers and dates of birth) to MCK Rentals, which then was alleged to have used this data, together with a technique known as ‘blagging’, to deceptively obtain information from the Department of Social Protection and the Health Service Executive.
Mr Gaynor was also retained by a number of credit unions for similar purposes. Mr Gaynor had previously been a long serving member of An Garda Síochána and was alleged to have unlawfully obtained access to information held by the Electricity Supply Board and on the Garda PULSE and National Immigration Bureau databases by using contacts that were known to him from his previous career in An Garda Síochána.
The DPC initiated a prosecution against MCK Rentals for breaches of Section 22 of the DPA and also prosecuted its two directors for breaches of Section 29 of the DPA. Section 22 provides that it is an offence to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose the data to another person. Section 29 provides for the prosecution of company directors where an offence under the DPA by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, the company directors.
Bray District Court convicted MCK Rentals of five counts of breaching Section 22 of the DPA and imposed a fine totalling €7,500 (€1,500 for each count) against MCK Rentals. The court also convicted the two directors of one count each of breaching Section 29 of the DPA and imposed a fine of €1,500 on each of the directors.
The DPC initiated a prosecution against Mr Gaynor for breaches of Section 22 of the DPA and Sections 19(4) and (6) of the DPA. Under Sections 19(4) and (6) it is an offence to process personal data without having registered with the DPC in circumstances where there is a requirement to so register under Section 16 of the DPA.
Dublin Metropolitan District Court convicted Mr Gaynor of two counts of breaching Section 22 of the DPA and imposed a fine totalling €5,000 (€2,500 for each count) against Mr Gaynor. Mr Gaynor also pleaded guilty to nine other offences contrary to Section 22 and 60 offences contrary to Sections 19(4) and (6), which were taken into account by Dublin Metropolitan District Court in the sentence it imposed.
Significance of Prosecutions
These cases represent a significant development in the prosecution of offences under the DPA. The MCK Rentals case is the first time that the DPC has prosecuted private investigators for breaches of the DPA. It is also the first occasion on which company directors have been prosecuted in a personal capacity by the DPC for their part in the commission of offences under the DPA by their company.
The subsequent prosecution and conviction of Mr Gaynor for offences under the DPA demonstrates the DPC’s resolve to continue to pursue and prosecute private investigators who fail to conduct their business in compliance with the DPA. This case also represents the first prosecution to be completed by the DPC for the processing of personal data without having registered as a data processor with the DPC.
These cases illustrate the importance to large organisations of implementing and maintaining robust security measures to protect the personal data that they hold from any attempts to unlawfully solicit access to such data. They also demonstrate to private investigators that there is a real risk of prosecution if they fail to conduct their activities in accordance with the DPA. Clients of private investigators should also pay heed to this decision as the critical comments directed towards the credit unions in the press releases issued by the DPC in respect of these cases indicate that the DPC may also be willing to investigate the private investigator’s client where the private investigator has breached the DPA whilst acting on the client’s behalf.
Perhaps the most significant development arising from these cases is, however, the successful prosecution of the MCK Rental’s directors in their personal capacity. This should make clear to company directors the importance of ensuring that the company complies with its obligations under the DPA and the potential consequences for the directors if the company fails to do so with their knowledge or neglect.