Significant and important data retention issues arise in the Graham Dwyer case referred by the Supreme Court to the CJEU on 24 February 2020. Deirdre Crowley and Denise Moran address the potential implications of this referral on public and private sector employers.
On 24 February 2020, the seven judge Supreme Court delivered its highly anticipated judgment in the case of Graham Dwyer and the Commissioner of An Garda Síochána and others. Although this decision relates solely to the question of the validity of an Irish statute (the Communications (Retention of Data) Act 2011 (2011 Act)) having regard to EU law, the focus on the retention of data, albeit in the context of a criminal investigation, serves as an important reminder to all employers of their obligations regarding the retention of personal data.
Further, the Supreme Court’s commentary on the interplay between an individual’s right to privacy and the requirements for an investigation into, and potential prosecution of, a criminal offence also serves as an important reminder to employers of the balance to be struck between an employee’s right to privacy and the circumstances in which this may be trumped by an employer’s right to lawfully process personal data.
Retaining Personal Data
The 2011 Act governs the retention of data by service providers and access to such data by national authorities in Ireland including, in particular, to An Garda Síochána (the Gardaí). During the murder trial of Mr Dwyer, the DPP placed reliance on evidence which was said to link Mr Dwyer to certain phones, which linked him to data, which was said to identify where those phones were on certain relevant occasions and separately, to link him to certain communications which were found on those phones. A finding that the 2011 Act, which permits the retention and access of certain data, is inconsistent with EU law would likely be relied upon by Mr Dwyer in contending that such data should not have been admitted in evidence, and such raises a question of the safety of his conviction.
While no express provision is contained in the Data Protection Act (2018 Act) specifically dealing with a request for information by the Gardaí in an employment context, Part 5 of the 2018 Act deals with the processing of personal data for law enforcement purposes and the Gardaí are included in the definition of a “competent authority”.
Separately, section 41 of the 2018 Act deals with the processing of personal data for purposes other than for the purpose for which it was collected. This section expressly provides that personal data may be shared to the extent that such processing is necessary and proportionate for preventing, detecting, investigating or prosecuting criminal offences. This section may be relied upon to respond to a request by the Gardaí for personal data held by an employer in relation to an employee. Where an employer receives a written request for specific information from the Gardaí (not below the rank of chief superintendent) then section 41 comes into play for consideration by employers. As a data controller, where the personal data has not been purged, it is likely that the requested personal data will need to be shared with the Gardaí.
An ever-present challenge for any HR function is the balancing act of observing data minimisation, i.e. the obligation on employers to retain data for no longer than is necessary, and the obligation to comply with statutory retention periods. Employers should rely on their data retention policies to assist in this process and ensure that all personal data which has no lawful basis for its retention is permanently and irretrievably deleted.
Balancing The Right to Privacy
There is no disputing the fact that the right to privacy is a powerful and enabling personal right. It is a right that is recognised by the Irish Constitution, the European Convention on Human Rights and the Charter in Fundamental Rights of the European Union. Any statutory provision that seeks to trump this right in criminal proceedings, and indeed in the employment context, must have a significant justification.
The Supreme Court stated that the analysis of any measure provided by law to permit the retention of such data would require consideration as to whether the measure affects a protected right. If so, it is then necessary to determine whether any such interference pursues a legitimate objective. Next, and again if so, it must be determined whether the interference is no greater than is necessary to achieve the lawful object and is proportionate in doing so.
A very similar approach is required in balancing the rights of employees and those of the employer. We have seen instances where the Irish Data Protection Commissioner (DPC) has determined that the employer’s legitimate interest trumps the employee’s right to privacy in particular circumstances.
This is particularly evident from the DPC’s May 2019 guidance note on the use of CCTV which provides that there may be situations where it will be deemed legitimate for an employer to rely on CCTV footage for a purpose other than one identified at the outset to, for example, investigate an allegation of gross misconduct or other disciplinary matter and that such is justified on necessity and proportionality to achieve the given purpose. Where an employer can demonstrate that the use of CCTV is necessary to provide evidence and that their access to CCTV footage is proportionate and limited in scope to the specific investigation, the rights of the employee and their expectation of privacy will not be seen as overriding the interests of the employer in such circumstances, and the employee’s right to privacy will not present a barrier to the investigation.
It is likely that any balancing test undertaken which results in an employee’s right to privacy being overridden by an employer’s interests will remain the exception, and employers should exercise great care and caution where they seek to override this right.
Learnings for Employers
Employers are reminded that a commitment to robustly managing retention periods, to carefully considering applicable exemptions and to actively purging data that has no lawful basis for retention is crucial in ensuring compliance with the 2018 Act and GDPR. The effectiveness of a data retention policy relies solely on its adherence.
This decision also brings into sharp focus the occasions on which it may be deemed lawful to process employee data where an employer’s legitimate interest trumps the employee’s right to privacy.
Lastly, the ongoing criminal case giving rise to these proceedings also provides a reminder to employers that the burden of proof in the employment context is on the balance of probabilities which is a much lower threshold of determining culpability than in the context of criminal proceedings which is beyond reasonable doubt.
It remains to be seen how the CJEU will interpret EU law in relation to the data retention queries referred to it, how the Supreme Court will give effect to that ruling and how these decisions will impact upon Mr Dwyer’s ultimate quest for his conviction to be successfully appealed.