Court of Appeal - IECA 152: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 64: Line 64:
}}
}}


The Court found that the DPC’s decision to prioritise an Inquiry and defer handling of a related complaint was appropriate and within the margin of discretion allowed to a DPA.
The Court of Appeal found that the DPA’s decision to prioritise an ex officio inquiry and defer handling of a related complaint was appropriate and within the margin of discretion allowed to a DPA.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 12 September 2018, a data subject submitted a complaint to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. The data subject alleged violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted a massive data breach.  
On 12 September 2018, a data subject submitted a petition to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. A petition is an informal request which does not give a petitioner party rights in a GDPR procedure. Thus, in 2019, the data subject followed up his petition with a complaint alleging violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted the biggest data breach ever seen.  


In January 2020, the DPC informed the data subject that it had initiated an Inquiry into substantially the same issues as the complaint. While the it confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an Inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the Inquiry.  
In January 2020, the DPC informed the data subject that it had initiated an ex officio inquiry into substantially the same issues as the complaint. While the DPC confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the inquiry.  


As the Inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's Inquiry focused on legal basis and transparency issues rather than the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the Inquiry and that when it resumed its examination of the Complaint, it would against consider whether issues relating to data security should be the subject of scrutiny. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems.   
As the inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's inquiry focused on legal basis and transparency issues rather than the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the inquiry and that when it resumed its examination of the Complaint, it would again consider whether issues relating to data security should be the subject of scrutiny. It also noted that the result of its investigation may end up being functionally the same, with the effect that the processing would be prohibited. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems.   


On 14 March 2022, the data subject sought judicial review from the High Court. The data subject claimed that the DPC is obliged to carry out an investigation into each issue raised in a complaint. The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The Commission’s decision to defer consideration of one aspect of the complaint pending the completion of the Inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision.
On 14 March 2022, the data subject sought judicial review from the High Court. The data subject claimed that the DPC is obliged to carry out an investigation into each issue raised in a complaint.


The data subject subsequently appealed the ruling to the Court of Appeal, arguing that the High Court erred in determining that the decision to defer the consideration of the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] breach claims pending completion of the Inquiry was lawful.
The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The DPC’s decision to defer consideration of one aspect of the complaint pending the completion of the inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision.
 
The data subject subsequently appealed the ruling to the Court of Appeal.


=== Holding ===
=== Holding ===
The Court of Appeals upheld the High Court’s judgment, finding no error in its conclusion that the DPC’s decision to prioritise the Inquiry and defer handling of complaint was appropriate and within the margin of appreciation allowed to a supervisory authority.
The Court of Appeal upheld the High Court’s judgment, finding no error in its conclusion that the DPC’s decision to prioritise the inquiry and defer handling of complaint was appropriate and within the margin of appreciation allowed to a supervisory authority.


While the Court of Appeals acknowledged that DPAs are obliged to handle complaints with “all due diligence,” DPAs are also afforded a measure of discretion in their handling of complaints. In this case, the Court of Appeals considered that there was substantial overlap between the subject matter of the Complaint and the investigations undertaken in the course of the Inquiry with regard to legal basis, transparency and data minimisation. This amounted to a reasonable basis to defer the handling of the Complaint pending the Inquiry’s outcome.  
The Court of Appeal for the first time formally acknowledged that DPAs are obliged to handle complaints with “all due diligence,” citing to landmark CJEU cases [https://curia.europa.eu/juris/liste.jsf?num=C-311/18 C-311/18 ''Schrems II''] and [https://curia.europa.eu/juris/document/document.jsf;jsessionid=C8FBE306DB7FB15283DE75A319E17A07?text=&docid=280428&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=1060950 C-26/22 and C-64/22 ''UF and AB v. Land Hessen and Schufa Holding AG'']. At the same time, it acknowledged that DPAs are also afforded a measure of discretion in their handling of complaints. In this case, the Court of Appeals considered that there was substantial overlap between the subject matter of the Complaint and the investigations undertaken in the course of the inquiry with regard to legal basis, transparency and data minimisation. This amounted to a reasonable basis to defer the handling of the Complaint pending the inquiry’s outcome.  


The Court also considered that insofar as, by addressing other aspects of the complaint, the DPC might address the concerns of the appellant in relation to Article 5(1)(f), the DPC had not breached [[Article 77 GDPR|Article 77 GDPR]] or the DPA 2018.
The Court also considered that insofar as, by addressing other aspects of the complaint, the DPC might address the concerns of the appellant in relation to Article 5(1)(f), the DPC had not breached [[Article 77 GDPR|Article 77 GDPR]] or the DPA 2018.


== Comment ==
== Comment ==
The High Court and Court of Appeal cases are centrally concerned with sequencing issues. The judgments focus on the DPC's discretion to defer complete resolution of a data subject's complaint pending the outcome of a related Inquiry.  
The High Court and Court of Appeal cases are centrally concerned with sequencing issues. The judgments focus on the DPC's discretion to defer complete resolution of a data subject's complaint pending the outcome of a related inquiry.  


The High Court considered the case limited to the question of sequencing and did not engage with questions concerning the data subject's ability to challenge the Inquiry decision or the Inquiry's pace of progression. This leaves open a number of questions, including the data subject's right to obtain judicial review on the question of DPC inaction after the Inquiry is completed and whether it may bring an inactivity challenge based on timing given the 5 years and counting it has taken for the DPC to resolve the complaint.
The High Court considered the case limited to the question of sequencing and did not substantively engage with questions concerning the data subject's ability to challenge the inquiry decision or the inquiry's pace of progression. This leaves open a number of questions. For example, it is unclear whether the data subject would be able to obtain judicial review in this case on the question of DPC inaction after the inquiry is completed. Another question is whether the data subject would have a viable inactivity challenge based on timing (given the 5 years and counting it has taken for the DPC to resolve the complaint). Though it did not substantively rule on this question, the Court of Appeal noted that the data subject was 'wise' not to bring it into the complaint because "[t]he time that the inquiry is taking must be seen against the background of its undisputed complexity and the appellant's own description of RTB as involving "''the world's biggest data breach''."


== Further Resources ==
== Further Resources ==
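Review bot: In the revised Holding paragraph, the sentence beginning "In this case, the Court of Appeals considered" still says "Court of Appeals", although this revision corrects the name to "Court of Appeal" in the sentences around it. Change it there as well. In the last sentence of the revised Comment, the quotation that opens at "[t]he time that the inquiry is taking" is never closed after the inner quotation; nest the inner quotation in single quotes and close the outer one.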

Latest revision as of 13:40, 10 July 2024

Court of Appeal - IECA 152
Court: Court of Appeal (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 77 GDPR
Decided: 24.06.2024
Published:
Parties: Johnny Ryan; Irish Data Protection Commission
National Case Number/Name: IECA 152
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): English
Original Source: The Courts Service of Ireland (in English)
Initial Contributor: lm

The Court of Appeal found that the DPA’s decision to prioritise an ex officio inquiry and defer handling of a related complaint was appropriate and within the margin of discretion allowed to a DPA.

English Summary

Facts

On 12 September 2018, a data subject submitted a petition to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. A petition is an informal request which does not give a petitioner party rights in a GDPR procedure. Thus, in 2019, the data subject followed up his petition with a complaint alleging violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted the biggest data breach ever seen.

In January 2020, the DPC informed the data subject that it had initiated an ex officio inquiry into substantially the same issues as the complaint. While the DPC confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the inquiry.

As the inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's inquiry focused on legal basis and transparency issues rather than the Article 5(1)(f) GDPR claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the inquiry and that when it resumed its examination of the Complaint, it would again consider whether issues relating to data security should be the subject of scrutiny. It also noted that the result of its investigation may end up being functionally the same, with the effect that the processing would be prohibited. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems.

On 14 March 2022, the data subject sought judicial review from the High Court. The data subject claimed that the DPC is obliged to carry out an investigation into each issue raised in a complaint.

The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The DPC’s decision to defer consideration of one aspect of the complaint pending the completion of the inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision.

The data subject subsequently appealed the ruling to the Court of Appeal.

Holding

The Court of Appeal upheld the High Court’s judgment, finding no error in its conclusion that the DPC’s decision to prioritise the inquiry and defer handling of the complaint was appropriate and within the margin of appreciation allowed to a supervisory authority.

The Court of Appeal for the first time formally acknowledged that DPAs are obliged to handle complaints with “all due diligence,” citing the landmark CJEU cases C-311/18 Schrems II and C-26/22 and C-64/22 UF and AB v. Land Hessen and Schufa Holding AG. At the same time, it acknowledged that DPAs are also afforded a measure of discretion in their handling of complaints. In this case, the Court of Appeal considered that there was substantial overlap between the subject matter of the Complaint and the investigations undertaken in the course of the inquiry with regard to legal basis, transparency and data minimisation. This amounted to a reasonable basis to defer the handling of the Complaint pending the inquiry’s outcome.

The Court also considered that insofar as, by addressing other aspects of the complaint, the DPC might address the concerns of the appellant in relation to Article 5(1)(f), the DPC had not breached Article 77 GDPR or the DPA 2018.

Comment

The High Court and Court of Appeal cases are centrally concerned with sequencing issues. The judgments focus on the DPC's discretion to defer complete resolution of a data subject's complaint pending the outcome of a related inquiry.

The High Court considered the case limited to the question of sequencing and did not substantively engage with questions concerning the data subject's ability to challenge the inquiry decision or the inquiry's pace of progression. This leaves open a number of questions. For example, it is unclear whether the data subject would be able to obtain judicial review in this case on the question of DPC inaction after the inquiry is completed. Another question is whether the data subject would have a viable inactivity challenge based on timing (given the 5 years and counting it has taken for the DPC to resolve the complaint). Though it did not substantively rule on this question, the Court of Appeal noted that the data subject was 'wise' not to bring it into the complaint because "[t]he time that the inquiry is taking must be seen against the background of its undisputed complexity and the appellant's own description of RTB as involving 'the world's biggest data breach'."

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.