Dublin Metropolitan District Court - 2023/000119
Dublin Metropolitan District Court - 2023/000119 | |
---|---|
Court: | Dublin Metropolitan District Court (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | EU Charter of Fundamental Rights |
Decided: | 26.07.2024 |
Published: | |
Parties: | Superintendent Stephen McCauley |
National Case Number/Name: | 2023/000119 |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | |
Original Language(s): | English |
Original Source: | The Courts Service of Ireland (in English) |
Initial Contributor: | lm |
A court found that a government licensing office breached a data subject’s EU Charter Right to protection of personal data when it obtained immigration data from a ministry without a legal basis.
English Summary
Facts
A data subject applied for a renewal of a Small Public Service Vehicle (SPSV) license to drive taxis. The application included a new question inquiring about his immigration status. The data subject stated that he was a legal immigrant. The Superintendent verified whether the data subject had a criminal record from the local Garda station and requested immigration status information from the Minister for Justice.
The Minister for Justice sent the Superintendent documents pertaining to the data subject, including a refusal to retain the data subject’s residence card because the Minister considered the data subject’s marriage contract to be one of convenience for the purpose of obtaining an immigration permission. The Minister for Justice had thus revoked the data subject’s permission to reside in Ireland. Based on this data indicating ‘fraudulent’ conduct, the Superintendent denied the data subject’s application to renew his SPSV license. It cited section 10(1) of the Taxi Regulation Act 2013, “[t]he licensing authority shall not grant a license . . .unless it is satisfied that he or she is a suitable person to hold a license.”
The data subject appealed the controller’s decision to the District Court on 11 January 2023. The data subject claimed that the Superintendent infringed his data protection and EU Charter rights in obtaining the immigration data, and requested an order directing the Superintendent to renew the license.
The Superintendent argued that it was merely carrying out its function under the Taxi Regulation Act 2023 in assessing whether the applicant for a taxi license is a “suitable person.” It cited three provisions as a legal basis in its request to the Minister for Justice:
- Sections 8(1) and (2) of the Immigration Act 2003: “. . .whenever so requested, an information holder shall give to another information holder such information, including personal information, in his or her possession, control or procurement regarding non-nationals . . . for the Purposes of the administration of the law relating to the entry into and the removal from the State of non-nationals.”
- Section 41(B) of the Data Protection Act 2018: the processing of personal data and special categories of personal data “shall be lawful to the extent that such processing is necessary and proportionate for the purposes – (a) of preventing a threat to national security, defence or public security; (b) of preventing, detecting, investigating or prosecuting criminal offenses,” or under Section 47 of the law, where “(a) is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims . . . or (b) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
- Section 261(2) of the Social Welfare Act 2005: “Information held by the Minister for the purposes of this Act . . . may be transferred by the Minister to another Minister of the Government or a specified body . . .”
Holding
The District Court found that a breach of the data subject’s rights under the EU Charter had occurred. It concluded that there was no legal basis for the exchange of information between the controller and the Ministry of Justice.
The Court noted that none of the cited national laws created a legal obligation for the transfer of data. Because the Superintendent was not the controller of the information requested and received, section 38 of the Data Protection Act 2018 could not apply to him. As a result, the Superintendent’s request and receipt of information constituted a deliberate and conscious breach of the data subject’s EU Charter rights.
In effect, the Court could not confirm the Superintendent’s decision and the Superintendent was thus obligated to grant the license. The Court noted that the controller enjoys a wide discretion under the Taxi Regulation Act 2023 to impose terms and conditions to the license.
Comment
Although the court focused its discussion on a breach of the data subject's data protection rights under Article 8 of the EU Charter of Fundamental Rights, its discussion of 'legal basis' seems to be grounded on Article 6(1)(d) GDPR, which contemplates a legal basis stemming from legal obligations.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.