Circuit Court jurisdiction
Two recent High Court decisions make it clear that the Circuit Court does not have jurisdiction to hear an appeal against the Data Protection Commissioner’s refusal to investigate a complaint. The jurisdiction of the Circuit Court in such matters is limited to appeals against a decision of the Commissioner taken after an investigation.
The first of these High Court decisions is that of Birmingham J. in Nowak v the Data Protection Commissioner  IEHC 449, delivered on 7 March, 2012.
Nowak concerned a personal access request to the Chartered Accountants of Ireland (“the CAI”), with which he was registered as a student, including a request to access a copy of his exam scripts. The CAI did provide certain data but refused access to the exam scripts.
Mr. Nowak made a complaint to the Commissioner. However, the Commissioner found no substantive breach of the DPA, as exam scripts do constitute “personal data” as defined in s. 2, and declined to investigate the complaint. Mr. Nowak appealed the Commissioner’s “decision” not to investigate to the Circuit Court under s.26 of the DPA.
S. 10(1)(a) provides that the “Commissioner may investigate, or cause to be investigated, whether any of the provisions of [the Acts] have been, are being or are likely to be contravened in relation to an individual either where the individual complains to him of a contravention of any of those provisions or he is otherwise of the opinion that there may be such contravention.”
S. 10(1)(b)(i) further provides that, where a complaint is made, the Commissioner shall investigate the complaint or cause it to be investigated, unless he is of the opinion that it is frivolous or vexatious.
Before the Circuit Court, the Commissioner submitted that he was not obliged to investigate the complaint where there was no substantive breach of the DPA.
The Circuit Court held that it did not have jurisdiction to hear the appeal where the Commissioner had declined to investigate Mr. Nowak’s complaint. The Court concluded that the Commissioner had declined under s. 10(1) having formed the view that the complaint was frivolous or vexatious.
On appeal to it, on a point of law, the High Court held that the entitlement of the aggrieved party to appeal to the Circuit Court, and then of the Circuit Court to hear and determine an appeal, arises only where the Commissioner makes a decision under s. 10(1)(a).
The Court reasoned that the Commissioner makes such a decision only if, having decided that the matter is not frivolous and vexatious, he proceeds to investigate the complaint and makes a decision in relation thereto.
In this case, once the Commissioner determined that the exam script was not Mr Nowak’s “personal data”, and that, therefore, there was no substantive breach of the Acts, he was entitled to conclude that the complaint was “futile, misconceived or hopeless” and so to rely on s. 10(1)(b)(i) to decline to investigate the complaint on the grounds that it was frivolous or vexatious.
The High Court’s decision in Nowak was recently followed, on 5 February 2013, by Peart J. in the High Court in Fox v The Office of the Data Protection Commissioner  IEHC 49.
Peart J., who dealt only with the net issue of the statutory interpretation of s. 10(1)(b)(ii), held that the reference in that section to “the decision” related to a decision made following an investigation by the Commissioner, and this did not include an opinion of the Commissioner that the complaint is frivolous or vexatious under s. 10(1)(b)(i).
Standard of Review in appeals under the DPA
In Nowak, Birmingham J. observed that, had the Court had jurisdiction to hear the appeal, the correct standard of review would have been the deferential standard as outlined in Ulster Bank v Financial Services Ombudsman  IEHC 323. In other words, to establish whether a decision was vitiated by a serious and significant error or series of errors, the Court would have regard to the degree of expertise and specialist knowledge of the decision-maker. In Nowak, Birmingham J.emphasised the experience and expertise of the Commissioner in this regard.
These non-binding comments were subsequently acknowledged by Hedigan J. in Dublin Bus v The Data Protection Commissioner  IEHC 339.
Impact of ongoing legal proceedings on the right of access
The point of law before the High Court in Dublin Bus was whether the existence of legal proceedings between a data subject and a data controller precluded that data subject from making an access request under section 4 of the DPA.
In this case, the Commissioner had issued an enforcement notice to Dublin Bus requiring it to provide the data subject with access to CCTV footage relating to her on foot of her access request. The footage recorded the data subject’s fall on a bus, which was the subject of personal injury proceedings. Dublin Bus had initially refused to provide the CCTV footage on the basis that it had been prepared in anticipation of potential litigation and was thus legally privileged.
In his decision, delivered on 8 August, 2012, Hedigan J. upheld the decisions of the Commissioner and the Circuit Court and found that the existence of legal proceedings between a data subject and a data controller was not an exception to the right of access under the DPA. The data subject was therefore entitled to access the CCTV footage.
Damages for breaches of the DPA
Finally, and most recently, in Michael Collins v FBD Insurance Plc  IEHC 137, the High Court considered the scope of tortious liability of data controllers for breaches of their statutory duty of care towards data subjects under section 7 of the DPA. In his judgment, delivered on 14 March, 2013, Feeney J. vacated the Circuit Court’s award of €15,000 in general damages to Mr Collins. Feeney J. held that there was no automatic entitlement to compensation for a breach of the duty of care. Data subjects will only be entitled to compensation on proving that loss or damage was suffered as a result of the breach. Further commentary on this judgment can be found here.