High Court - McShane v Data Protection Commission (2025) IEHC 191
| High Court - McShane v Data Protection Commission (2025) IEHC 191 | |
|---|---|
 | |
| Court: | High Court (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 4(1) GDPR Article 4(7) GDPR s. 150(12) Data Protection Act 2018 |
| Decided: | 03.04.2025 |
| Published: | 04.04.2025 |
| Parties: | Data Protection Commission |
| National Case Number/Name: | McShane v Data Protection Commission (2025) IEHC 191 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | English |
| Original Source: | Courts Service (in English) |
| Initial Contributor: | cwa |
A court refused to overturn a DPA's decision which had found that the data subject's employer was not the controller in respect of non-work data on their work phone.
English Summary
Facts
The data subject was a fire prevention officer working for the Irish Health Service Executive (HSE) and was provided with a work phone to be used for work purposes.
In May 2021, the HSE suffered a significant data breach and ransomware attack which compromised a large number of HSE computers and devices, including the data subject’s work phone.
In June 2021, the data subject noticed that his personal email account and personal cryptocurrency account, both of which he had accessed on his work phone, had been compromised. Cryptocurrency to the value of €1,400 had been stolen.
After being left unsatisfied with the HSE’s response to a complaint he had filed in relation to the incident, the data subject complained to the DPC on 15 December 2021.
In an email to the data subject about the issues he raised, the DPC noted that the HSE was not the data controller in respect of the data subject’s non-work-related personal data which was on the work phone as the device was only supposed to be used for work purposes. It was found that there was “no basis” upon which the HSE could be considered the data controller when the personal data (personal email and cryptocurrency account) was stored on the device without the HSE’s knowledge or agreement.
On 15 August 2022, the data subject sought a judicial review before the High Court of the DPC’s decision.
The data subject claimed that the work-related data comprised “personal data” under Article 4(1) GDPR, that the HSE was the data controller in respect of it in accordance with Article 4(7) GDPR, and that the DPC had erred in their findings in respect of their decision. This, according to the data subject, rendered their decision “unreasonable” in accordance with the test laid out in Meadows v Minister for Justice, Equality and Law Reform [2010] 2 I.R. 70. This decision established some criteria for which an administrative decision can be judicially reviewed in Ireland. The data subject also claimed that the DPC had failed in their obligation to investigate the breach of the GDPR which he complained about. The applicant thus sought an order annulling the DPC’s decision.
The DPC opposed the application for judicial review, submitting that the breach considered in the data subject’s complaint to the DPC related solely to the non-work-related personal data present on the device for which the DPC found that the HSE was not the data controller. The decision did not, according to the DPC, consider the work-related personal data on the device. The DPC also noted that the rejection of the complaint amounted to a legally binding decision in accordance with s. 150(12) of the Data Protection Act 2018, and as such, the data subject should have sought a statutory appeal in lieu of a judicial review.
Holding
In respect of the question as to whether the data subject should have pursued a statutory appeal in lieu of judicial review, the Court held that in this instance, this failure would not preclude his application for judicial review. The Court referenced the language adopted by the DPC in their communication to the data subject, noting that they used the term “concerns” rather than a complaint and that it was not expressly stated that they were “dismissing” or “rejecting” the matter. The Court found that in their email, the DPC should have used the language in the legislation and informed the data subject that he had a right of appeal. In the present circumstances, it would be unfair to deny the data subject judicial review on this ground.
In assessing the reasonableness of the DPC’s conduct and their obligation to investigate the alleged infringement, the Court referenced the data subject’s initial complaint. The Court noted that the data subject made their complaint entirely about the alleged breach of his non-work-related personal data on the work device. This, it was held, was addressed by the DPC in their response to him. The Court found that DPC’s decision did not err sufficiently so as to warrant the Court's intervention, and that there were no grounds for finding that the test set out in Meadows was satisfied.
Accordingly, the Court refused the data subject’s application for judicial review.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Judgment ByO'Donnell, Barry J. CourtHigh Court Date Delivered03 April 2025 StatusApproved Neutral Citation[2025] IEHC 191 Record Number2022 699 JR Date Uploaded04 April 2025
