Court of Appeal - IECA 152: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Ireland |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Court of Appeal |Court_Original_Name=Court of Appeal |Court_English_Name=Court of Appeal |Court_With_Country=Court of Appeal (Ireland) |Case_Number_Name=IECA 152 |ECLI= |Original_Source_Name_1=The Courts Service of Ireland |Original_Source_Link_1=https://www.courts.ie/acc/alfresco/281d1bdd-97ef-4ec2-ba77-75a5e7780361/2024_IECA_152.pdf/pdf#view=fitH |Original_Source...") |
mNo edit summary |
||
| Line 69: | Line 69: | ||
=== Facts === | === Facts === | ||
On 12 September 2018, a data subject submitted a complaint to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. | On 12 September 2018, a data subject submitted a complaint to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. The data subject alleged violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted a massive data breach. | ||
The data subject alleged violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted a massive data breach. | |||
In January 2020, the DPC informed the data subject that it had initiated an Inquiry into substantially the same issues as the complaint. While the it confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an Inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the Inquiry. | In January 2020, the DPC informed the data subject that it had initiated an Inquiry into substantially the same issues as the complaint. While the it confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an Inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the Inquiry. | ||
As the Inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's Inquiry focused on legal basis and transparency issues rather than the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the Inquiry and that when it resumed its examination of the Complaint, it would against consider whether issues relating to data security should be the subject of scrutiny. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems. | As the Inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's Inquiry focused on legal basis and transparency issues rather than the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the Inquiry and that when it resumed its examination of the Complaint, it would against consider whether issues relating to data security should be the subject of scrutiny. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems. | ||
The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The Commission’s decision to defer consideration of one aspect of the complaint pending the completion of the Inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision. | On 14 March 2022, the data subject sought judicial review from the High Court. The data subject claimed that the DPC is obliged to carry out an investigation into each issue raised in a complaint. The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The Commission’s decision to defer consideration of one aspect of the complaint pending the completion of the Inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision. | ||
The data subject subsequently appealed the ruling to the Court of Appeal, arguing that the High Court erred in determining that the decision to defer the consideration of the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] breach claims pending completion of the Inquiry was lawful. | The data subject subsequently appealed the ruling to the Court of Appeal, arguing that the High Court erred in determining that the decision to defer the consideration of the [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] breach claims pending completion of the Inquiry was lawful. | ||
Revision as of 10:03, 9 July 2024
| Court of Appeal - IECA 152 | |
|---|---|
 | |
| Court: | Court of Appeal (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 77 GDPR |
| Decided: | 24.06.2024 |
| Published: | |
| Parties: | Johnny Ryan Irish Data Protection Commission |
| National Case Number/Name: | IECA 152 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | English |
| Original Source: | The Courts Service of Ireland (in English) |
| Initial Contributor: | lm |
The Court found that the DPC’s decision to prioritise an Inquiry and defer handling of a related complaint was appropriate and within the margin of discretion allowed to a DPA.
English Summary
Facts
On 12 September 2018, a data subject submitted a complaint to the DPC concerning Google Ireland Ltd’s (the controller) data processing for targeted advertising through its real time bidding (RTB) online advertising system. The data subject alleged violations of Articles 5(1)(a), (c) and (f) GDPR. In particular, the complaint emphasised the lack of adequate safeguards to ensure the integrity of personal data. The complaint claimed that the controller’s use of the RTB system on millions of websites and broadcasting of personal and sometimes sensitive data to other tracking companies with no controls constituted a massive data breach.
In January 2020, the DPC informed the data subject that it had initiated an Inquiry into substantially the same issues as the complaint. While the it confirmed that the data subject’s case was being treated as a complaint, the DPC also said that it was examining matters in the context of an Inquiry that could substantially overlap with and influence the outcome of the complaint. Thus, it stated that it would handle the complaint in line with and based upon the progress of the Inquiry.
As the Inquiry unfolded, it became clear that the data subject and DPC disagreed about how confidentiality and security concerns were implicated. The scope of the DPC's Inquiry focused on legal basis and transparency issues rather than the Article 5(1)(f) GDPR claims. In several communications, the DPC stressed that it would “continue[] to have an open mind in relation to the central matters” of the Inquiry and that when it resumed its examination of the Complaint, it would against consider whether issues relating to data security should be the subject of scrutiny. The data subject repeatedly stressed that the DPC had misunderstood his complaint and that the key concern was precisely the security vulnerability of RTB systems.
On 14 March 2022, the data subject sought judicial review from the High Court. The data subject claimed that the DPC is obliged to carry out an investigation into each issue raised in a complaint. The High Court rejected the data subject's arguments. It noted that the DPC has discretion in the sequencing and extent of its investigations and inquiries, and that it is thus “incorrect to say that a supervisory authority cannot defer consideration of a complaint pending the completion of related investigations or inquiries.” The Commission’s decision to defer consideration of one aspect of the complaint pending the completion of the Inquiry, the High Court said, does not amount to a refusal to investigate or handle the complaint; it is instead a permissible sequencing decision.
The data subject subsequently appealed the ruling to the Court of Appeal, arguing that the High Court erred in determining that the decision to defer the consideration of the Article 5(1)(f) GDPR breach claims pending completion of the Inquiry was lawful.
Holding
The Court of Appeals upheld the High Court’s judgment, finding no error in its conclusion that the DPC’s decision to prioritise the Inquiry and defer handling of complaint was appropriate and within the margin of appreciation allowed to a supervisory authority.
While the Court of Appeals acknowledged that DPAs are obliged to handle complaints with “all due diligence,” DPAs are also afforded a measure of discretion in their handling of complaints. In this case, the Court of Appeals considered that there was substantial overlap between the subject matter of the Complaint and the investigations undertaken in the course of the Inquiry with regard to legal basis, transparency and data minimisation. This amounted to a reasonable basis to defer the handling of the Complaint pending the Inquiry’s outcome.
The Court also considered that insofar as, by addressing other aspects of the complaint, the DPC might address the concerns of the appellant in relation to Article 5(1)(f), the DPC had not breached Article 77 GDPR or the DPA 2018.
Comment
The High Court and Court of Appeal cases are centrally concerned with sequencing issues. The judgments focus on the DPC's discretion to defer complete resolution of a data subject's complaint pending the outcome of a related Inquiry.
The High Court considered the case limited to the question of sequencing and did not engage with questions concerning the data subject's ability to challenge the Inquiry decision or the Inquiry's pace of progression. This leaves open a number of questions, including the data subject's right to obtain judicial review on the question of DPC inaction after the Inquiry is completed and whether it may bring an inactivity challenge based on timing given the 5 years and counting it has taken for the DPC to resolve the complaint.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
