In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) [2015] IEHC 450 (07 July 2015)

Judgment

Title:	In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation)
Neutral Citation:	[2015] IEHC 450
High Court Record Number:	2014 48 COS
Date of Delivery:	07/07/2015
Court:	High Court
Judgment by:	Keane J.
Status:	Approved

___________________________________________________________________________

Neutral Citation [2015] IEHC 450

THE HIGH COURT

[2014 No. 48 COS]

IN THE MATTER OF MOUNT CARMEL MEDICAL GROUP (SOUTH DUBLIN) LIMITED (IN LIQUIDATION)

AND IN THE MATTER OF THE COMPANIES ACTS 1963 TO 2012

JUDGMENT of Mr. Justice Keane delivered on the 7th July 2015

Introduction
1. This is the Court’s ruling on part of an application brought by the official liquidators (“the liquidators”) of Mount Carmel Medical Group (South Dublin) Limited (“the company”).

2. In the material part of an Order made on the 15th December 2014, the Court:

(i) Granted liberty to the liquidators to enter into an identified Record Transfer and Management Agreement (“the proposed contract”) with St. James’s Hospital (“SJH”).

(ii) Granted liberty to the liquidators to pay out of the assets of the company the support and maintenance fees to certain identified service providers in connection with the operation of the contract.

(iii) Directed the liquidators, following the execution of the contract, to transfer the medical records (“the records”) currently held by or on behalf of the company to SJH.

3. The Court adjourned the application for further argument in respect of the following two other reliefs sought:

(iv) A declaration that SJH will become the data controller of the records with effect from the transfer of the records.

(v) A declaration that, in the event of the liquidators requiring access to the records for the purpose of the liquidation of the company, they will be entitled to such access and SJH shall be at liberty to disclose such Records to the liquidators.

4. On the 18th February 2015, the Court ordered that the Data Protection Commissioner (“the DPC”) be joined as a notice party to the application pursuant to the provisions of Order 15, rule 13 of the Rules of the Superior Court or the inherent jurisdiction of the Court.

The liquidation
5. By Order made on the 5th February 2014, the Court officially appointed the liquidators and directed that the company be wound up. Prior to being wound up, the company operated Mount Carmel Hospital in Churchtown, Dublin.

The data
6. As one would expect, the company routinely created and maintained medical records concerning the persons treated as patients in the hospital. The liquidators estimate that the company currently holds approximately 280,000 records relating to approximately 118,000 patients, dating back to circa 1946. The records include paper files, electronic files, x-rays, blood samples and tissue samples. In addition, there is an x-ray server machine that holds approximately 1.7 million digital images. The liquidators have been advised, and there can be no doubt, that these records fall within the definition of both “personal data” and “sensitive personal data” under the Data Protection Acts 1988 and 2003 (“the DPA”), and that the company is the “data controller” of the data contained in those records as it relates to patients of the hospital as “data subjects” under that legislation.

7. Nor is there any doubt that the special provisions of the Data Protection (Access Modification) (Health) Regulations 1989 (“the Regulations”) apply to the data contained in the records in so far as they constitute “health data” under those regulations; that is, data relating to physical or mental health. Regulation 5(1) prohibits a data controller, such as the company, who is not a health professional from supplying or withholding health data in response to a data access request from a data subject without first consulting with the appropriate health professional.

8. As of the 20th November 2014, the liquidators had received 1,202 data access requests.

9. The DPA do not stipulate any period for which data must be retained by a data controller. Quite the contrary, s. 2(1)(c)(iv) of the DPA requires that personal data shall not be kept for longer than is necessary for the specific, explicit and legitimate purpose or purposes for which it was obtained.

10. In identifying the necessary data retention period, the liquidators point to Health Service Executive (“HSE”) Guidelines which, they assert, while not legally binding, recommend that medical records be retained for various periods ranging up to thirty years in some instances and in perpetuity in the case of blood samples.

The obligations of the company and of the liquidators
11. There is an obvious cost associated both with the retention of records and with meeting the obligations imposed upon a data controller under the DPA in respect of the personal data contained in such records. Because the records contain health data, the liquidators have retained on a part-time basis the services of a senior nurse, who they believe has the necessary experience and qualifications to advise, as an “appropriate health professional”, on the extent to which health data may be supplied in response to any request by a data subject without causing harm to that person, in accordance with the requirements of the Regulations.

12. The cost of the storage and retrieval of the records; the employment of an appropriate health professional; and the provision of the relevant personal data in response to each request rank as continuing expenses in the liquidation. The liquidators acknowledge that such cost is unavoidable for as long as the relevant records are retained by the company and it remains the data controller of the personal data contained in them.

13. Conscious of those costs, the liquidators have considered, and have described to the Court, two specific options for addressing the company’s record storage and data protection obligations in future. The first, simply stated, is the maintenance of the status quo as just described. The second involves the transfer of the relevant records and - as the liquidators envisage - the transfer of the statutory role of data controller in relation to them to another entity, specifically, SJH, pursuant to the terms of the proposed contract.

14. The liquidators have costed each of the two options they describe for an indicative five year period. The total cost of the first option for that period is €636,500 and that of the second option is €430,100. The liquidators have prepared an “estimated outcome account” as at the 10th October 2014 by reference to the implementation of the second option, suggesting an anticipated distribution of approximately 4% of the value of the debts owed to the preferential creditors, but have confirmed that there are sufficient funds in the liquidation to meet the cost of either option (at least for that period). The preferential creditors are the Revenue Commissioners and the Department of Social Protection. They will be the beneficiaries of the relevant cost saving, if it can be properly effected. The liquidators are officers of the court and are under a duty to the creditors of the company not to incur any unnecessary or unreasonable expense in the conduct of the liquidation.

15. SJH has indicated that it is willing to enter into the proposed contract subject to the approval of the Court.

The proposed contract
16. The liquidators have exhibited a copy of the proposed contract. In general terms, it provides for the transfer of the records from the company to SJH and for the provision of certain defined services by SJH in respect of the records, in consideration for the payment of agreed charges by the company to SJH.

17. A number of specific provisions of the proposed contract are of particular relevance to the present application. Clause 4.1 provides:

“At any reasonable time following the date on which the transfer of the Records from [the company] to [SJH] has been completed in accordance with this clause 4 and Schedule 3, and on receipt of reasonable notice, [SJH] shall:

(a) give [the company] and/or [the liquidators] access to, and allow copies to be taken of, the Records as [the company] and/or [the liquidators] may reasonably require; and

(b) allow [the company] and/or the liquidator to take possession of any paper originals of the Records that are still in the possession of [SJH], to the extent reasonably required to take action in respect of any costs, claims, damages, losses, expenses and liabilities arising as a result of, or in connection with, the liquidation of [the company].”

18. Clause 11 states:

“11.1 Each party agrees that as and from the date on which the transfer of records from [the company] to [SJH] has been completed …[SJH] shall act as Data Controller in respect of the Records, in place of [the company].

11.2 In its capacity as the Data Controller in respect of the Records, [SJH] shall:

(a) implement and maintain such technical and organisational measures as are required to comply with the data security obligations under Sections 2(1)(d) and 2C of the [DPA], and as are otherwise required under the Data Protection Law;

(b) comply with the Data Protection Law when providing the Services, including without limitation, when dealing with data subject access requests relating to the Records that are made under Sections 3 and/or 4 of the Data Protection Law; and

(c) comply with the Freedom of Information Acts 2014 in connection with any access requests which fall to be considered under such legislation.”

19. Schedule 1 to the proposed contract comprises a list of the services that are to be provided to the company by SJH. That schedule states, in material part:

“The following services shall be provided by [SJH], together with such other services as may be agreed in writing between the parties from time to time:

…

• dealing with obligations as a data controller in accordance with the Data Protection Acts 1988 and 2003, including, but not limited to, dealing with data subject access requests relating to the Records, in accordance with the obligations of Data Protection Law, including without limitation, the obligation to consult with an appropriate health professional to determine whether the release of health information pursuant to a data subject access request would cause serious harm to the physical or mental health of the data subject;

…

• retaining the Records for such period of time as complies with all Applicable Laws and reflects best medical practice;

….”

20. Returning to the main body of the proposed contract, clause 8 provides:

“[SJH] shall indemnify [the company] and [the liquidators] from and against all damages, costs, charges and expenses arising from or incurred by [the company] or the [the liquidators] by reason of:

(a) any breach of this agreement by [SJH] or its directors, officers, employees, agents or sub-contractors; or

(b) any breach of Applicable Laws by the Hospital or its directors, officers, employees, agents or sub-contractors, which relates to or is connected with the obligations of [SJH] under this Agreement.”

21. The liquidators are expressed to be parties to the agreement in order to receive the benefit of the indemnity just described.

22. Under clause 1, “Applicable Laws” are defined to mean:

“[A]ny laws (including, for the avoidance of doubt, the Data Protection Law, the Freedom of Information Act 2014 and the Blood Bank Laws), that are applicable to a party and/or to the provision of the Services, and shall include, without limitation, common law, statute, statutory instrument, proclamation, bye-law, directive, decision, regulation, rule, order, notice, guidelines, code of practice, code of conduct, rule of court, instrument or delegated or sub-ordinated legislation.”

23. Under the same clause, “Data Protection Law” is defined to mean:

“[T]he Data Protection Acts 1988 and 2003, the Data Protection (Access Modification) (Health) Regulations 1989 and any other data protection or privacy regulation applicable in Ireland from time to time.”

24. A further particularly noteworthy aspect of the proposed contract is that, although SJH is obliged to retain the records “for such period of time as complies with all applicable laws and reflects best medical practice,” and although the agreement is to continue in full force and effect for an indefinite period after it commences, Schedule 2 makes it plain that the charges payable by the company are capped in the specific amounts specified in that schedule.

A third option
25. When the present application came before Barrett J. on the 1st December 2014, he directed that the liquidators consult with the DPC concerning the implications of the proposed contract, and he adjourned the matter for that purpose. The liquidators have exhibited a letter that their solicitors subsequently wrote to the DPC on the 5th December 2014. That letter includes the following passage:

“The [liquidators] considered the prospect of outsourcing the storage and management of the Records to [SJH] in circumstances where the Company would remain as data controller. This option was not, however, considered to be practicable as the Company will cease to exist (and will no longer constitute a data controller in respect of the Records) prior to the expiry of the retention periods under the HSE Guidelines for a number of different categories of the Records.”

26. The reasoning underpinning the passage just quoted is not easy to follow, in circumstances where the liquidators plainly envisage that, under the option they are currently pursuing, immediately upon the execution of the proposed contract SJH will assume the obligations of sole data controller in respect of the records (and the company will relinquish, or be absolved, of those obligations), which arrangement will continue after the dissolution of the company at the conclusion of the winding up process, should that event occur prior to the expiration of any of the relevant medical record retention periods under the HSE guidelines. If that situation is considered unproblematic, it is difficult to see why it would not be similarly unproblematic if the company were to remain sole or joint data controller of the records until the date of its dissolution and if an entity such as SJH were then to assume sole responsibility as data controller of those records pursuant to a prior contract or agreement otherwise broadly similar to the contract now proposed.

27. Presumably by reference to the liquidators’ view that it is impracticable, the option just described has not been costed or, at least, no costing in respect of it has been presented to the Court for the purpose of the present application. However, it does not seem unreasonable to suppose that, while such an arrangement would likely prove more expensive than the liquidators’ preferred option, since some additional cost must almost inevitably be involved in the company’s sharing the role of data controller with SJH, it should still be less expensive than the other option considered by the liquidators, whereby the company would remain sole data controller and would continue to shoulder exclusively the full financial and administative burden of discharging that role and of continuing to retain the records as required under the HSE guidelines.

The declaration sought
28. The principal declaration originally sought in the liquidators’ notice of motion is one that “[SJH] will become the data controller of the [personal data contained in the] records with effect from the transfer of the records.” In an affidavit sworn subsequently on the liquidators’ behalf, one of them confirms that it is their intention to transfer the original records to SJH but goes on quite properly to apprise the Court concerning the proposed retention by the company of certain categories of original or copy records and, by necessary implication, of the personal data contained in those records.

29. The first such category is the personal data contained in the medical records relevant to certain claims of medical negligence that have been made against the company. For ease of reference, I will refer to that data as “the existing claims personal data.” The company has furnished its insurers, at the latter’s request, with copies of those records, in order to comply with the terms of the relevant insurance cover.

30. The second category of personal data is that contained in the records relating to the two week period after the appointment of the liquidators, during which the company continued to trade for the purpose of its orderly wind down and its existing insurance arrangements were maintained. The liquidators have been advised that the medical records generated during that period form part of the liquidators’ books for the purposes of s. 57 of the Company Law Enforcement Act 2001, such that they must be retained to ensure compliance with that provision. By reference to the company’s obligations to its insurers, copies of the medical records of the patients treated during this period (and, by necessary implication, the personal data contained in those records) have been retained by the company. The same records and the same personal data are being retained by, or on behalf of, the liquidators, by reference to their obligations as they perceive them to be under the 2001 Act, quite separate from any obligation of the company. For ease of reference, I will refer to the personal data concerned as “the wind-down period personal data.”

31. The retention of copy records in the two categories just described (and of the personal data contained in them) has obvious implications for any declaration that the court might otherwise be disposed to make concerning the status of the company as a data controller in respect of the personal data contained in the records transferred to SJH. For clarity and correctness, any such declaration would have to be framed in such a way as to make clear to all persons having notice of the Order in which it is contained, what personal data contained in the records are being retained by the company, despite the proposed transfer of the original records to SJH. As I believe the liquidators now acknowledge, a bare declaration that “[SJH] will become the data controller of the [personal data contained in the] Records with effect from the transfer of the Records” or that “from the time of the transfer of the medical records to [SJH], the Company will no longer act as the data controller of the [personal data contained in the] medical records,” being the alternative modified forms of declaration put forward in the liquidators’ submissions, would, in those unqualified terms, be potentially misleading.

32. In that context, the supplemental affidavit sworn on behalf of the liquidators, to which reference has already been made, contains the following averment:

“[W]e draw the attention of this Honourable Court to Schedule 3 of the contract exhibited at [the relevant exhibit] to [the first affidavit], which sets out the medical records proposed to be transferred to [SJH], namely all original medical records. Subject to the directions of this Honourable Court, we do not propose to transfer the records referred to at paragraphs 5 [

those containing the existing claims personal data] and 9 [those containing the wind-down period personal data

] above and thereafter seek to immediately reaccess them. Instead, we propose to retain the said records subject to our obligations, and where relevant the obligations of the Company’s insurers, as data controllers.”

33. Unfortunately, neither Schedule 3 nor Schedule 4 of the proposed contract is included as part of the relevant exhibit in the papers that were provided to the court. However, nothing seems to turn on this omission in view of the assertion in the averment just quoted that the records identified in Schedule 3 are “all original medical records.” Insofar as the liquidators now propose to retain the original medical records containing either the “the existing claims personal data” or “the wind-down period personal data,” or both, rather than merely copies of those records, any declaration that might be granted would have to make clear the position of the company or that of SJH, depending on how the declaration may be framed, in relation to what data has been retained by the company and what data has been transferred to SJH.

34. Finally in this context, it is worth noting that the two alternative forms of declaration suggested by the liquidators are not necessarily correlative. That is to say, the proposition that SJH is data controller of the personal data contained in the transferred records does not strictly imply that the company is not, since the definition of data controller under the DPA expressly envisages that the contents and use of personal data may be controlled by a person “either alone or with others.”

Data protection
35. The DPA give effect to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95/46”). It has frequently been observed that there is an inevitable tension between the privacy rights of data subjects and the free movement of personal data. That tension, of course, is what data protection law attempts to balance or regulate.

36. Recital (10) of the Preamble to Directive 95/46 states:

“Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law, whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;”

37. Moreover, as recent decisions of the European Court of Justice confirm, the provisions of Directive 95/46, insofar as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in light of the fundamental rights set out in the Charter of Fundamental Rights of the European Union (“the Charter”): see, for example, Ryneš v. ฺ๘ad pro ochranu osobních ๚daj๙, Case C-212/13 (para. 29) ; and Google Spain Sl and Google Inc v Agencia Espa๑ola de Protección de Datos (AEPD) and González, Case C-131/12 (para. 68).

38. Article 7 of the Charter guarantees the right to respect for private life, whilst Article 8 of the Charter expressly proclaims the right to the protection of personal data. Article 8(2) and (3) specify that such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law, that everyone has the right of access to data which have been collected concerning him or her and the right to have the data rectified, and that compliance with these rules is to be subject to control by an independent authority. Those requirements are implemented, inter alia, by Articles 6, 7, 12, 14 and 28 of Directive 95/46.

39. Privacy rights in our law derive from the Constitution; from statute law, such as the DPA, which must be interpreted or applied, so far as is possible, in a manner compatible with the State’s obligations under the provisions of the European Convention on Human Rights (“ECHR”), pursuant to s. 2 of the European Convention on Human Rights Act 2003; from the common law; and from the applicable provisions of European Union law.

Declaratory judgments
40. As Walsh J. pointed out in Transport Salaried Staff’s Association & Ors. v. Córas Iompair Éireann [1965] I.R. 180, the modern law governing the grant of declaratory orders finds it origin in s. 155 of the Court of Chancery (Ireland) Act, 1867, the words of which were repeated in O. 25, r. 5 of the Rules of 1905, then in O. 19, r. 29 of the 1962 Rules. It finds its present expression in O. 19, r. 29 of the Rules of the Superior Courts 1986 (“the RSC”), which provides:

“No action or pleading shall be open to objection on the ground that a merely declaratory judgment or order is sought thereby, and the Court may, if it thinks fit, make binding declarations of right whether any consequential relief is or could be claimed or not.”

41. In O’Doherty v. Attorney General & Anor. [1941] IR 569, Gavan Duffy J. expressed the view that the jurisdiction concerned is reinforced, or underpinned, by Article 34 of the Constitution, whereby this Court is

“invested with full original jurisdiction in and power to determine all matters and questions whether of law or fact, civil or criminal.”

42. In the Transport Salaried Staff’s Association case, Walsh J. went on to describe the evolution of the jurisdiction to make declaratory orders in the following terms:

“In modern times the virtues of the declaratory action are more fully recognised than they formerly were and English decisions and dicta in recent years have indicated a departure from the conservative approach to the question of judicial discretion in awarding declarations. A discretion which was formerly exercised ‘sparingly’ and ‘with great care and jealousy’ and ‘with extreme caution’ can now, in the words of Lord Denning in the

Pyx Granite Co. Ltd. Case

[1958] 1 Q.B. 554 (at p. 571), be exercised ‘if there is good reason for so doing,’ provided, of course, that there is a substantial question which one person has a real interest to raise and the other to oppose. In

Vine v. The National Dock Labour Board

[1957] 2 W.L.R. 106, Viscount Kilmuir L.C., at p. 112, cites with approval the Scottish tests set out by Lord Dunedin in

Russian Commercial and Industrial Bank v. British Bank for Foreign Trade Ltd.

[1921] 2 A.C. 438, who said at p. 488: ‘The question must be a real and not a theoretical question; the person raising it must have a real interest to raise it;

he must be able to secure a proper contradictor, that is to say, some one presently existing who has a true interest to oppose the declaration sought.

’

It is also to be observed that the fact that the declaration is needed for a present interest has always been a consideration of great weight.”

(emphasis supplied)

43. There are two other decisions that, in the course of argument, I drew to the attention of both Counsel for the company and Counsel for the Data Protection Commissioner as appearing to me to contain principles of some relevance to the proper exercise of the Court’s discretion.

44. The first is that of Johnston J. in Blythe & Ors. v. Attorney General (No. 2) [1936] I.R. 549. The plaintiffs in that case were the members of the National Executive of Fine Gael, which had resolved to form a subordinate organisation to be known as ‘The League of Youth.’ They brought their action against the background of Article 2A of the Constitution of the Irish Free State, as inserted by the Constitution (Amendement No. 17) Act 1931, whereby associations that engaged in, or promoted, certain specified unlawful or subversive activities were deemed unlawful associations, and whereby an order made by the Executive Council declaring its opinion to that effect was to be conclusive evidence of that fact. Previous associations formed by the plaintiffs, most notably the Young Ireland Association, had been declared unlawful. The plaintiffs sought four separate, though related, declarations to the following effect: that they had the right to form and maintain the association at issue under the Free State Constitution; that the objects of the association, as set forth, were lawful; that the organisation of the association was lawful; and that the association itself was, therefore, lawful.

45. Having identified the reliefs claimed, Johnston J. continued (at pp. 553-5):

“The action is therefore based upon the jurisdiction which is to be found in Or. XXV, r. 6: ‘No action or proceeding shall be open to objection on the ground that a merely declaratory judgment or order is sought thereby, and the Court may make binding declarations of right whether any consequential relief is or could be claimed or not.’

The history of this very modern jurisdiction is interesting but it is sufficient now to say that it originated in sect. 155 of the Chancery (Ireland) Act, 1867, which provided that ‘no suit in the Court shall be open to objection on the ground that a merely declaratory decree or order is sought thereby; and it shall be lawful for the Court to make binding declarations of right without granting consequential relief.’

But the right of a person to come to the Court for a declaration of right is not by any means unlimited. As was pointed out by Lord Macmillan in his recent address, mankind lives in an atmosphere of juristic rights and corresponding duties. Every act that a human being performs in the course of an ordinary day is an exercise of some right or the submission to some duty. But it does not follow that the Rule of Court in question confers jursidiction upon the Court to make declarations of right in regard to every matter that a member of the community chooses to bring before it. No Court has attempted to lay down all the circumstances under which and all the occasions upon which a declaratory order will be made. It has, however, been laid down in many cases that the making of such orders is a matter of discretion - a discretion which, of course, must be exercised judicially - and that the jurisdiction must be exercised cautiously. It is only binding declarations that can be made. That must mean a declaration that is binding upon some one else who can, and who, in the opinion of the Court, ought to be bound.

The limitation upon the exercise of the jurisdiction has been referred to in many cases; but I need mention only one or two of these. In the leading case of Dyson v. Attorney General [1911] 1 KB 410, Cozens Hardy M.R. said (at p. 417): ‘But I desire to guard myself against the supposition that I hold that a person who expects to be made defendant, and who prefers to be plaintiff, can, as a matter of right, attain his object by commencing an action to obtain a declaration that his opponent has no good cause of action against him. The Court may well say: “Wait until you are attacked and then raise your defence,” and may dismiss the action with costs.’ This observation was referred to with approval by Swinfen-Eady M.R. in the case of Clay v. Booth [1919] 1 Ch. 66. He said in that case (p. 78) that ‘The petitioners have not been attacked. No claim has been made against them; but they launched these proceedings to have it determined that some one who has not made a claim and who has not asserted any right, has no claim and no right. In my opinion they are not entitled to do that.’ Both Duke L.J. and Eve J. made observations to the same effect.

Now, in the present case I may express my own personal opinion that the purpose and objects of the League of Youth as set out in the statement of claim are admirable and no exception could be taken to them by any normal person. But the same can be said about the Ten Commandments or any other rule which regulates human conduct. The plaintiffs on the very day on which the League of Youth was constituted and its formulary framed, proceed to issue a writ to have it declared that the organisation was lawful and its principles unexceptionable. I do not think that under the circumstances I have jurisdiction to make any such declaration; if, however, I am wrong in that view and if I have jursidiction then I think that I ought to exercise the discretion that I undoubtedly have and that I ought to dismiss the action on that ground.”

46. The second relevant decision is the more recent one of the Supreme Court in Grianán an Aileach Interpretative Centre Company Limited v. Donegal County Council (No. 2) [2004] 2 IR 625. In that case, the High Court had been prevailed upon, in the context of a dispute between the plaintiff holder of a planning permission and the defendant planning authority concerning the uses of the relevant premises permitted thereby, to make a declaration concerning the proper scope of that planning permission on the basis that the said declaration clearly related “to the legal rights and entitlement of the parties,” despite the contention of the defendant that the Court was being asked to resolve issues that were more properly a matter for the planning authority or An Bord Pleanála under the planning code.

47. The defendant appealed to the Supreme Court, arguing that, while the jurisdiction of the High Court to grant declaratory relief is clear, as is the discretionary nature of that jurisdiction, there is no precedent for granting a declaration as to rights and obligations deriving from a planning permission since, by enacting s. 5 of the Planning and Development Act 2000, the Oireachtas plainly intended that such issues should be exclusively determined by the planning authorities or the Board. The defendant argued that this intention could be discerned from the terms of s. 5 of that Act, which allows a declaration to be sought from the relevant planning authority - subject to review by An Bord Pleanála - concerning what is, or is not, development or exempted development in a given case and from the abolition by the same statute of the previously existing right of appeal from An Bord Pleanála to the High Court.

48. In a judgment with which Murray and McGuinness JJ concurred, Keane C.J. addressed that argument in the following terms (at pp. 637-8):

“29. It has been argued in this case that, even if the defendant or An Bord Pleanála had jurisdiction to enterain such a reference, the High Court was not precluded from adjudicating on the proper construction of the planning permission where a dispute as to it had arisen between two parties with an interest in the matter, i.e., the plaintiff and the defendant. That submission, however, seems to me to be at odds with the approach which has been adopted in this court in recent years to legislation conferring jurisdiction in particular areas on courts and bodies other than the High Court.

30. Henchy J., delivering the judgment of this court in Tormey v. Ireland [1985] I.R. 289, said that where parliament committed certain matters or questions to the jurisdiction of the District Court or the Circuit Court, the function of hearing and determining those matters and questions might, expressly or by necessary implication, be given exclusively to those courts. In Criminal Assets Bureau v. Hunt [2003] 2 IR 168, I made the following observations at p. 183 as to how that principle might be applied to tribunals and bodies other than courts:-

‘There is today in existence a huge range of tribunals and other bodies, of which the appeal commissioners in revenue cases are just one example, which determine matters in controversy between parties and whose functions and powers are properly categorised as “limited functions and powers of a judicial nature” [within the meaning of Article 37.1 of the Constitution]. It is not uncommon for the legislation establishing such tribunals to provide for a limited form of appeal to the High Court from its decisions, usually confined to questions of law. However, in every case, the High Court retains its power under the Constitution to determine whether such bodies have acted in accordance with the Constitution and the law and such a jurisdiction cannot be removed from the High Court by statute. Subject to that qualification, it is clear, as was found in

Tormey v. Ireland

[1985] I.R. 289, that the Oireachtas may confer on such bodies, expressly or by implication, an exclusive jurisdiciton to determine certain issues.’

31. In considering whether the jurisdiction vested in the particular tribunal or body is an exclusive jurisdiction, the following observation of Henchy J. in Tormey v. Ireland [1985] I.R. 289 at p. 295 must be borne in mind:-

‘The jurisdiction to try thus vested by the Constitution in courts, tribunals, persons or bodies other than the High Court must be taken to be capable of being exercised, at least in certain instances, to the exclusion of the High Court, for the allocation of jurisdiction would be overlapping and unworkable.’ ”

Issues and argument
(i) Who is a data controller?

49. S. 1(3A) of the DPA provides that “[a] word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in [Directive 95/46].” This provision impels a teleological or schematic approach to the construction of the term “data controller” which is common to the DPA and the Directive.

50. Directive 95/46 defines “data controller” to mean:

“…the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data….”

51. S. 1 of the DPA defines a data controller to mean:

“…a person who, either alone or with others, controls the contents and use of personal data.”

(ii) Who will be the data controller of the records under the proposed contract?

52. On behalf of the company, the liquidators place strong reliance on the terms of clause 11.1 of the proposed contract between the company and SJH whereby those parties agree that, from the date of transfer, SJH is to act as data controller of the records in place of the company. The liquidators further rely on the terms of Recital B at the commencement of the proposed contract whereby the company and liquidators record their willingness to permit SJH to assume sole and exclusive responsibility for the provision of the services concerned, which services are defined in Schedule 1 to the proposed contract to include that of dealing with the obligations of data controller, subject to the terms of the contract. Of course, one of the terms of the proposed contract, set out in clause 4, is that the company reserves to itself the right to access and retrieve, on reasonable notice, the original or a copy of any record it may reasonably require, to the extent reasonably required to take action in respect of any costs, claims, damages, losses, expenses and liabilities arising as a result of, or in connection with, the liquidation of the company.

53. It seems to me that very limited weight can be given to the provisions of inter-company agreements concerning who is to be designated “data controller”, or to assume sole and exclusive responsibility as such, unless that designation and characterisation are each entirely consistent with the answer to the question whether the relevant entity does indeed exercise sole and exclusive control of the contents and use of the personal data concerned. In other words, it is the position in fact that must prevail over any such contractual designation or characterisation.

54. This point is well made in Kuner European Data Protection Law, Corporate Compliance and Regulation, 2nd ed., Oxford 2007 (at pp. 72-3, paras. 2.26-27):

“Parties to data processing transactions often engage in a legal ‘tug of war’ as to whether they are data controllers or data processors, with each one attempting to structure the transaction so that it is a data processor and its counterpart is a data controller with all of the attendant compliance obligations that controllers have. Companies should structure their data processing operations in order to ensure that, whenever possible, ambiguities with regard to the designation of data controllers are avoided, and that the data controllers are associated with establishments in Member States with data protection laws that are favourable to the companies operations. However, in practice this is easier said than done, and companies must be ready to live with a certain amount of ambiguity as to whether they are acting as a data controller, a data processor, or both. The best strategy is to determine early on in the transaction whether the balance of facts argues for the company being defined as a data controller or data processor, structure the transaction to fit this characterisation, and then stick to it as compliance questions arise.

However, it is not recommended to attempt to ‘fine tune’ the designation of data controllers by the use of intra-company agreements and other mechanisms designed to demonstrate to the outside world that the controller is or is not a particular entity, if these designations do not really fit the facts. In a dispute, the [relevant national data protection authorities] tend to look behind any legal fictions which companies have constructed, and concentrate on the facts of how control is actually exercised. For example, concluding a contract in which one party is designated as data controller and the other as data processor will be an indication of their roles, but will not be determinative.”

55. It seems to me that the foregoing analysis in respect of intra-company agreements that purport to designate a party as data controller or data processor as the case may be, must apply, a fortiori, to an inter-company agreement in which one company purports to relinquish entirely any role as data controller or data processor in favour of the exclusive role of the other company in that regard, while at the same time reserving a contractual entitlement to retrieve any record (and the relevant personal data it contains) to the extent it considers reasonably necessary for a wide range of broadly defined purposes of its own, and to do so at any time (on reasonable notice).

56. The liquidators’ submissions are disarmingly candid on this point in observing that, in the absence of a declaration that the company is not a data controller in relation to the records, there is a risk under the proposed contract that the company could continue to be construed as the data controller of the records with SJH construed as a data processor on its behalf. But, of course, if the position in fact requires that the company should be so considered by reference to the proper definition of “data controller” in EU and Irish law, as applied to the arrangement actually operated between the company and SJH, then it would be entirely wrong (indeed, unlawful) to grant a declaration to the contrary merely to save the company from the consequences (primarily, the expense) that would otherwise follow. The Court has no discretion to disapply either Irish or EU law in pursuit of a more cost effective company liquidation process, desirable and all as that object may otherwise be.

57. On this fundamental question of fact, the liquidators went on, by necessary implication, to argue that, once the transfer of the records is complete, the company will no longer “determine the purposes and means of processing” or “control the contents and use” of the personal data contained in the records, despite the fact that, under clause 4 of the proposed contract, the company reserves to itself the right to access and retrieve, on reasonable notice, the original or a copy of any record it may reasonably require (and, by necessary implication, the personal data contained in every such record), to the extent reasonably required to take action in respect of any costs, claims, damages, losses, expenses and liabilities arising as a result of, or in connection with, the liquidation of the company.

58. The liquidators contend that this is so because, as they argue, on a proper construction of clause 4 of the proposed contract, SJH is to be to the sole and exclusive arbiter of the following questions: whether SJH is required to provide the company with access to, and allow it to take a copy of, a given record, as one that the company “may reasonably require”; whether SJH is required to allow the company to take possession of any given original record as one “reasonably required [by the company] to take action in respect of any costs, claims, damages, losses, expenses and liabilities arising as a result of or in connection with the liquidation; and whether SJH has been provided by the company with “reasonable notice” of any such requirement.

59. Despite the fact that the company is to have a contractual entitlement to retrieve the original, or take a copy, of any of the records transferred to SJH at any time, the liquidators submit that the requirement of reasonableness associated with that entitlement is so fundamental a qualification upon it that the company is left with only “a limited right of access” to the records. With commendable frankness, the liquidators then concede that the existence of even this - as they contend, ‘limited’ - right of access to the records on the part of the company, creates a risk, as they put it, that the company remains a data controller. Thus, they submit, a declaration should be made that the company is not a data controller in order to give precedence to the express wording of the contract and the clear intention of the parties to that effect, over the applicable statutory definition, which - the liquidators appear to acknowledge - might otherwise result in a finding that the company is, indeed, a data controller.

60. For reasons I hope will become clear, I do not propose to address in the present judgment of any the following questions: whether the relevant clause properly construed means that SJH - a public hospital - has agreed to determine what records are reasonably required by the company’s liquidators for the purposes of the company’s liquidation; whether, if SJH has so agreed, it is in any position to make that determination; and whether, if both of those things are so, that would make SJH, to the exclusion of the company, the sole entity determining the purpose and means of processing, or the sole entity controlling the contents and uses of, the relevant personal data contained in those records, thus rendering SJH sole data controller of that data.

61. The position adopted by the DPC on this issue is, in my view, a surprising one, in that it seems to entail an acceptance of the proposition that the effect of the proposed contract will be, in the first instance, to render SJH sole data controller of the personal data contained in the records, once the records are transferred. The DPC submits that this is so because “if the personal data has been transferred to SJH, and SJH is effectively controlling the use of the personal data, then so far as the [DPC] is concerned it de facto will be the data controller.” It seems to me that the qualification just quoted deprives the DPC’s support for the liquidators’ application of any real force, since the issue of “effective control” of the contents and use of personal data is at the core of the definition of data controller, both de facto and de jure. Again, for reasons that I will come to later, I do not believe it is appropriate to purport to determine that factual question in the context of the present application.

62. One possible explanation for the stance adopted by the DPC as just described is the suggestion contained in the written submissions furnished on her behalf that the present application presents the stark alternatives that either SJH is to become sole data controller of the personal data contained in the relevant records or that those records (and the personal data contained in them) are to be “simply destroyed as a consequence of the liquidation.” The DPC submits that, for this reason, the Court might consider exercising a jurisdiction to make the declaration sought derived from the protection of “the fundamental rights and freedoms of natural persons and, in particular, their right to privacy with respect to the processing of personal data” identified in Article 1(1) of Directive 95/46 as one of the objects of that directive.

63. There are a number of reasons, by reference to the evidence presently available to the Court, why the characterisation of the situation as presenting a stark choice of that kind appears to me to be incorrect.

64. First, although the proposed contract recites that SJH is to “act as data controller of the records in place of [the company],” there is nothing to suggest that the willingness of SJH to assume the relevant obligation as data controller of the relevant personal data for an indefinite term on receipt of an agreed payment is contingent upon the liquidators’ repudiaton of any role as joint data controller. Certainly, it has never been suggested to the Court that SJH would be unwilling or unable to enter into an agreement similar to that now proposed but which does not express the position of SJH as data controller to be exclusive.

65. Second, the liquidators have informed the Court, through Counsel, that they currently take the view that they will not be able to apply for the dissolution of the company for a period in the region of a further eighteen or twenty years in deference to advice they have received concerning the operation of the Statute of Limitations as it affects potential claims by persons who were born in the hospital but who have not yet attained their majority.

66. Third, the company has acknowledged that it will be a data controller in respect of “the existing claims personal data” and “the wind-down period personal data” contained in the original medical records that it now proposes to retain rather than transfer under the proposed agreement. Obviously, there is no suggestion of the imminent destruction of any of those records or of the personal data they contain. It is therefore difficult to see why the remainder of the records should be treated differently in the event that SJH is not declared to be the sole data controller in respect of them.

67. Fourth, the alternatives presented by the liquidators on behalf of the company are not those of the transfer of the records to SJH as sole data controller, on the one hand, or the destruction of the records, on the other. They are those of incurring the costs associated with the implementation of the proposed contract, on the one hand, or incurring the more significant cost associated with retaining possession of the records and continuing to act as sole data controller of the personal data they contain, on the other.

68. Accordingly, there is no reason to believe that the only alternative to an arrangment whereby SJH is deemed sole data controller of the records is the destruction of the records (and of the personal data they contain) by the company, thereby engaging the fundamental rights and freedoms of the former patients whose personal data is contained in those records and, in particular, the right of such persons to privacy with respect to the processing of personal data. On the contrary, as will be addressed at greater length below, there is, to put it no further, an argument to be made that the invocation of the relevant rights of those former patients as data subjects militates against the grant of a declaration that would, on one view, impermissibly limit those rights by wrongly restricting the range of persons, as data controllers, against whom they may be lawfully exercised.

69. In the circumstances just described, a question arises concerning the whole basis upon which the DPC has concluded that the present application, in the context of the transfer envisaged, represents “a reasonable, practical, proportionate and well thought out solution to a difficult problem,” particularly since, in neither her correspondence nor the written submissions furnished on her behalf does the DPC describe the nature of the problem as she perceives it.

70. In their written submissions, the liquidators identify the primary purpose for which they may require to access or retrieve any record transferred under clause 4 of the proposed contract as that of enabling them (or their insurers) to deal with any claim against the company that may be notified to them in future. The liquidator’s point out in those submissions that, as one might expect, they have an obligation to co-operate with the company’s insurers in the defence of any such claim. They continue by noting that access to the personal data in the transferred records may be required as part of the process of debt collection, before acknowledging that there may also be other circumstances of which they are presently unaware that may require access to those data.

71. Were the liquidators to obtain a declaration to the effect that SJH is the sole data controller of the personal data contained in the records or that the company is not the data controller of those data, then, as both the company and the DPC acknowledge, that would create obvious difficulties under ss. 2, 2A, 2B and 2D of the DPA in respect of the release of that personal data by SJH to the company in that, having escaped all of the obligations of a data controller, the company would also have lost all of the entitlements of one.

72. It is for this reason that the liquidators seek a further declaration in the following terms:

“In the event of the [liquidators] requiring access to the Records for the purposes of the liquidation of the Company, they will be entitled to such access and SJH will be at liberty to disclose such records to the [liquidators].”

73. The liquidators submit that the incorporation of a declaration in those terms in an Order of the Court would bring the release or transfer by SJH of the relevant data to the liquidators within the terms of s. 8(e) of the DPA, whereby:

“8.-Any restrictions in this Act on the processing of personal data do not apply if the processing is-

…

(e) required …by order of a court.”

74. While they contend that a declaration in the terms just described would bring the actual release or transfer of the relevant personal data within the exemption from restriction provided under s. 8(e) of the DPA, the liquidators acknowledge that the company would immediately assume, or resume, the role and obligations of data controller in respect of the processing by it of that personal data thereafter. Indeed, presumably for the avoidance of any doubt in that regard, in the supplemental written submission delivered on their behalf, the liquidators invite the Court to make a third declaration in the following terms:

“That the company shall be the data controller of any records (including copies of records) disclosed to the liquidators pursuant to [the preceding declaration].”

75. The DPC concurs, submitting that an Order of the Court requiring SJH to disclose to the company any personal data contained in a record required by the company would ‘legitimise’ the release or transfer of that data back to the company (presumably, under s. 8(e) of the DPA), and that the company and SJH would thereafter be subject to regulation by the DPC in respect of their “data control/data processing activities, and the [DPC] reserves the full extent of her rights and duties to regulate in that regard.”

76. Before leaving the issue of the identification of the data controller of the personal data contained in the records, consideration must be given to a recent decision of the Chancery Division of the High Court of England and Wales that was helpfully drawn to the Court’s attention by the DPC. In Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch), Richards J. was asked to consider whether the liquidators of a company should be viewed as data controllers of certain data either jointly or in common with the company in liquidation.

77. Three separate aspects of that case strike me as noteworthy. The first is that the High Court invited the Information Commissioner (the equivalent in that jurisdiction of the DPC) to appear and make representations on the liquidators’ application for the determination by the court of certain questions under s. 112(1) of the Insolvency Act 1986, a procedural step very similar to that which I took in this application by directing that the DPC be joined as a party to it.

78. In order to consider properly the second noteworthy aspect of that case, it is necessary to briefly consider the facts. The company was a member of the Lehman Brothers group of companies and entered creditors’ voluntary liquidation in 2012, resulting in the appointment of the applicants as liquidators. The company’s business comprised the provision of personal loans to individuals resident in Great Britain, although it ceased making loans in 2007. The position concerning the borrower personal data processed by the company was summarised by Richards J. as follows:

“6. From the start of its business, the company collected and retained data relating to its borrowers. The data included names and addresses, the amount of loans, the borrowers’ repayment records and details of proceedings brought against them by third parties. The data clearly comprises or includes ‘personal data’ for the purposes of the Data Protection Act 1998 (the DPA). The company was a ‘data controller’ within the meaning of the DPA and was and remains registered as such.

7. From 2006 the data in question was stored with a loan servicing company called Acenden Limited (Acenden), which is also a member of the Lehman group. Acenden performed various servicing activities in respect of loans made by the company. They included dealing with customer enquiries, monitoring and collecting loan repayments, initiating legal actions for loans in default, handling complaints, producing annual statements and quarterly arrears statements, retaining records of mortgage files and correspondence and processing data subject acccess requests (DSARs) made under the DPA. It was a ‘data processor’ for the purposes of the DPA and was and remains registered as such.”

79. It seems to me that it might well be instructive to compare the respective roles of the two companies just described with the respective roles in this case of the company and SJH under the proposed contract, in particular having regard to the significant factual similarities between the two arrangements and, yet, the completely different self-designation of the legal roles of the participants in each for the purpose of the applicable legislation, which in both jurisdictions derives directly from the requirements of Directive 95/46. Differently expressed, it is interesting to note that, in Re Southern Pacific Personal Loans Limited, it does not appear to have occurred to either the court or the parties that the existing agreement between the company in liquidation and the service company could possibly have had the affect of rendering the latter the data controller of the relevant personal data to the exclusion of any such role on the part of the former.

80. The third noteworthy aspect of that case relates to the conclusion of Richards J. that the liquidators of the company concerned were not data controllers for the purposes of the relevant legislation in that jurisdiction. While, of course, no such issue arises as between the liquidators and the company in this case, it is interesting to consider that, in reaching that conclusion, Richards J. placed significant emphasis on the company’s ownership of the intellectual property rights in the relevant data, so that, in exercising any such rights in the course of the liquidation, the liquidators would be acting as the agents of the company, rather than exercising control of the data on their own behalf. Whether the position is different where, as in this case, the liquidators have been advised that the medical records containing the ‘wind-down period personal data’ form part of the liquidators’ books for the purposes of s. 57 of the Company Law Enforcement Act 2001 and that, accordingly, they must retain those records to comply with that provision, is another question that need not be addressed, much less resolved, in the context of the present application.

(iii) Is there a proper contradictor?

81. As already noted, in the Transport Salaried Staff’s Association case, having qualified the dictum of Lord Denning in Pyx Granite Co. Ltd to the effect that the discretion to make a declaration may be exercised if there is good reason for so doing with the words “provided, of course, that there is a substantial question which one person has a real interest to raise and the other to oppose,” Walsh J. went on to cite, with evident approval, the comment of Viscount Kilmuir L.C. in Vine v. The National Dock Labour Board that an applicant “must be able to secure a proper contradictor, that is to say, some one presently existing who has a true interest to oppose the declaration sought.”

82. The present application has been brought on notice to the company’s preferential creditors, who are the Revenue Commissioners and the Department of Social Protection. It need hardly be pointed out that they have no true interest in opposing it, since any significant limitation of the company’s obligations as data controller holds out the prospect of a significant potential saving in the expense of the liquidation and, in consequence, creates the expectation of a larger distribution to each of those creditors at its conclusion. Neither of those preferential creditors is an affected data subject.

83. SJH has not been made a notice party to the application. That is perfectly understandable because, although one of the alternative forms of declaration sought by the liquidators is that SJH will become the sole data controller of the personal data contained in the records with effect from the date of transfer, SJH has already confirmed its willingness to enter into the proposed contract with that object. It may well have been felt that to make SJH a party to the application in those circumstances would simply have entailed an unnecessary expense in the liquidation. Certainly, SJH would have no true interest in opposing the liquidators’ application in light of the commercial benefits accruing to it under the proposed contract and the fact that it is not an affected data subject.

84. It was in these circumstances that I directed that the DPC be joined as a notice party to the application, in order that there might be a legitimus contradictor in respect of an application plainly capable of impinging upon the data protection rights of any and each person who is a member of that large class whose patient medical records are held by the company. Since the liquidators estimate that the records held by the company relate to approximately 118,000 patients and date back to circa 1946, it is plainly unrealistic to put each of the persons concerned on notice individually.

85. While I am grateful for the assistance provided by the DPC, it must be acknowledged that, as has been pointed out in correspondence sent to the liquidators on her behalf, she has no statutory power to pre-authorise or approve an arrangement such as that represented by the proposed contract that forms the basis for the present application. Nor does she have the level of knowledge of the underlying facts possessed by the liquidators or, indeed, available to the Court, as I believe the preceding paragraphs of this judgment demonstrate. To that extent, I fear that I may have placed the DPC in an invidious position in attempting to assign to her the role of legitimus contradictor in respect of an application concerning a question that, in the words of the submission furnished on her behalf, “is one of fact, i.e. does [the company] control the contents and/or use of the relevant personal data.”

(iv) Jurisdiction to make a declaration

86. Having now had an opportunity to consider the relevant law, I do not doubt that I have jurisdiction in principle to make a binding declaration of right in an appropriate case. That jurisdiction is expressly conferred by O. 19, r. 29 of the RSC and is underpinned by Article 34 of the Constitution.

87. Quite separately (and, in view of the breadth of the jurisdiction already identified, perhaps superfluously), the liquidators rely upon the provisions of s. 280 of the Companies Act 1963 whereby:

“(1) The liquidator or any contributory or creditor may apply to the court to determine any question arising in the winding up of a company or to exercise in relation to the enforcing of calls or any other matter, all or any of the powers which the court might exercise if the company were being wound up by the court.

(2) The court, if satisified that the determination of the question or the required exercise of power will be just and beneficial, may accede wholly or partly to the application on such terms and conditions as it thinks fit or may make such other order on the application as it thinks just.”

(v) A binding declaration of right

88. As the passage from the judgment of Johnston J. in Blythe & Ors. v. Attorney General (No. 2) quoted earlier in this judgment confirms, it is only a binding declaration that can be made, and that means a declaration that is binding upon some one else who can, and who, in the opinion of the Court, ought to be bound.

89. Now, in this case I am quite satisfied that the rights most obviously capable of being affected by the declarations sought are the data protection rights conferred upon data subjects by the DPA. In very general terms, the rights concerned comprise the right of a person to access his or her own personal data held by a data controller, the right to require the rectification of any error in that data, and the right to object to the processing of that data in certain defined circumstances.

90. To declare that a person is not a data controller, as that term is defined under s. 1 of the DPA, in respect of the personal data relating to any data subject, is to make a binding determination that the data subject concerned has no data protection rights as against that person. Both s. 1 of the DPA and Article 2 of Directive 95/46 make it clear that the role of data controller in respect of any given personal data is not a singular one; it is perfectly possible for different persons to control the same personal data jointly.

91. The question of whether a person is a data controller is primarily a question of fact, conditioned by the application of the definition contained in the DPA. There is no scope to substitute a rights balancing test for the application of that definition, such as that whereby necessary processing for the purposes of the legitimate interests of a company is permitted under s. 2A(1)(d) of the DPA, except where it “is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.”

92. For those reasons, I must reject the argument, implicit in the liquidators’ submissions, that the relevant data subjects’ rights will be “fully protected” if the Court makes the various declarations sought, “as at no point will the patients’ medical records be in the hands of an entity which is not a data controller and which has not registered as a data controller with the [DPC] and is regulated as such.” While it is true that, under the terms of the proposed contract, it should be possible to determine which of the parties to it considers itself sole data controller of any given personal data at any given point in time, that does not necessarily amount to full protection of the data protection rights of each of the data subjects concerned. To accept the company’s submission in that regard would be to confuse what it evidently considers either “adequate protection” or “sufficient protection” for data subjects with the full statutory protection to which every data subject is entitled. The rights concerned are statutory in nature and derive from European Union Law. Under the DPA, a data subject can assert data protection rights against any or all data controllers of the same personal data. The Court has no discretion either to artificially delimit the number of persons against whom those rights can be asserted or to nominate only certain persons within that definition for that purpose.

93. On behalf of the DPC it was submitted that the Court might consider making the first declaration sought in the following amended form (with the suggested amendments shown in italics):

“A Declaration

as between the company and SJH

that SJH will

be the

controller of the records transferred by the company to it

as of the date of

the transfer of the records and the company shall thereupon cease to be the data controller of the records so transferred.”

As I understand the argument advanced on behalf of the DPC in that regard, it is that the addition of the language proposed would assist data subjects to identify the data controller of personal data (assuming they were aware of what records have been transferred to SJH and what records have been retained by the company), and that it would make clear that the Court is merely making a declaration as between the two parties to the proposed contract and not one that would affect (or bind) a data subject.

94. It seems to me that there are two principal problems with that submission. The first is that the whole conceptual framework of the DPA appears to me to be entirely inconsistent with the proposition that a person can be a data controller of the same personal data relating to the same data subject as against some persons but not as against others. Differently put, the whole legal significance of the term data controller derives from the legal relationship it connotes between such persons and those persons whose personal data they control. The term has no meaningful application to the relationship between a data controller and a third party.

95. The second problem is that it seems to me unlikely that the company would be content with a declaration in the terms sought, i.e. one that is effective against SJH but not against any of the affected data subjects, in circumstances where any such declaration would be devoid of any practical benefit or advantage for the company. After all, were it possible to make such an order binding solely as between the company and SJH (but not as between the company and any data subject), it would merely replicate the enforceable private law obligations between the company and SJH that the proposed contract is designed to establish.

96. For those reasons, I do not think it would be either right or proper to make a declaration in those terms.

(vi) Principles governing the discretion to make a declaratory order

97. In Blythe, Johnston J. also acknowledged that the making of a declaratory order is a matter of discretion - albeit one which, of course, must be exercised judicially - and that no court has attempted to lay down all the circumstances under which and all the occasions upon which a declaratory order will, or will not, be made.

98. Even so, it appears to me that some principles relevant to the exercise of the Court’s discretion in the present case do emerge from the jurisprudence.

99. First, as the Transport Salaried Staff’s Association case establishes, the person raising the question upon which the Court is invited to make a binding declaration of right must be able to secure a proper contradictor, being a presently existing person with a true interest in opposing the declaration sought. Despite the participation of the DPC at the Court’s direction, no such proper contradictor has been secured in this case

100. In arguing that the Court should nevertheless be prepared to make a binding declaration, the liquidators point to a particular form of order that has been made by this Court in cases involving the transfer of personal data in the broader context of the transfer of insurance business or credit institution business, which they submit establishes a precedent - in practice, if not in principle - for the orders they now seek. However, while, in relevant part, two such orders produced to me direct the transfer of personal data between legal persons or declare the recipient of such data as “the data controller” of such data for the purposes of the DPA, I could not find in either of them a declaration comparable to that now sought whereby an entity is declared not to be the data controller of particular personal data or another entity is declared to be the sole and exclusive data controller (as opposed to merely “the data controller”) of it.

101. Moreover, without having been apprised in any detail of the underlying facts or circumstances of the cases in which those orders were made, it seems clear to me that each involved a genuine transfer of the control of certain insurance or financial business (and of the personal data relevant to that business) between entities. In this case, no business is being transferred, although it is hoped to transfer the statutory role and administrative responsibility of data controller in respect of certain personal data held by a business in liquidation to another entity through the mechanism of a declaratory order to that effect.

102. A second relevant principle, acknowledged by the Court in Blythe, is what the authors of Hogan and Morgan, Administrative Law in Ireland (4th edn., Dublin, 2010) (at 911) identify as the requirement of ripeness. Although the records containing the personal data at issue here have not yet been transferred because the proposed contract has not yet been executed (pending the outcome of the present application), as in Blythe, in this case the applicants seek a binding declaration that persons who have not yet attempted to exercise a particular right or power can have no entitlement to do so in the future.

103. After the Court drew its concerns in that regard to the attention of the parties, it was submitted on behalf of the DPC that the decision in Blythe was not so much based on lack of ripeness as it was on the principle that the Court should not act in vain. While, as a matter of legal and constitutional history, decisions such as the contemporaneous one of the Supreme Court in State (Ryan) v. Lennon [1935] I.R. 170 serve to illustrate the far reaching ‘special powers’ that were conferred on the Executive Council under Art. 2A of the Free State Constitution, as inserted by the Constitution (Amendment No. 17) Act, 1931, and while one might speculate counterfactually about the legal effect of the declaration sought in that case, had it been made, if met by a conflicting order of the Executive Council, had one subsequently issued, no such analysis or speculation is to be found in the decision of Johnston J. It seems to me that that the kernel of the decision is more correctly formulated, as it is by Hogan and Morgan, in the following terms: “The present case was premature and Johnston J. considered that the case was not a proper one for the exercise of his discretion.”

104. A third relevant principle is one that I distill from the decision of the Supreme Court in Grianán an Aileach Interpretative Centre Company Limited v. Donegal County Council (No. 2) [2004] 2 IR 625. As I have already noted, in that case the Court identified an approach adopted by the courts in recent years to legislation conferring jurisdiction in particular areas on courts and bodies other than the High Court. That approach acknowledges that, in light of the modern proliferation of tribunals and other bodies exercising powers and functions properly categorised as “limited functions and powers of a judicial nature” [within the meaning of Article 37.1 of the Constitution], it is clear that the Oireachtas may confer on such bodies, expressly or by implication, an exclusive jurisdiciton to determine certain issues.

105. Having pointed out that it is not uncommon for the legislation establishing such tribunals to provide for a limited form of appeal to the High Court from its decisions, usually confined to questions of law, Keane C.J. reiterated that, in every case, the High Court retains its power under the Constitution to determine whether such bodies have acted in accordance with the Constitution and the law and such a jurisdiction cannot be removed from the High Court by statute. Subject to that qualification, it is clear that the Oireachtas may confer on such bodies, expressly or by implication, an exclusive jurisdiction to determine certain issues, to the exclusion of the High Court, at least where the allocation of jurisdiction otherwise would be overlapping and unworkable (per Henchy J. in Tormey v. Ireland [1985] I.R. 289 at p. 295.

106. In this case, faced with that authority, the DPC, through her Counsel, disavows any suggestion that the ‘enforcement of data protection’ functions allocated to her by the Oireachtas under s. 9 of the DPA - broadly comprising a power to investigate any alleged contravention of the DPA; a power to render decisions in writing in that regard (subject to a right of appeal to the Circuit Court, and a further right of appeal to this Court on a point of law); and a power to issue enforcement notices - should be viewed as conferring upon her an exclusive jurisdiction to make decisions concerning any alleged contravention of the DPA. In adopting that position, the DPC points to the provisions of s. 7 of the DPA whereby a duty of care owed by a data controller or data processor to a data subject is expressly recognised for the purpose of the law of torts, to the extent that it is not already provided for under the common law.

107. S. 7 removes any doubt that there might otherwise have been that there is a right to claim damages in proceedings before the courts for breach of a duty of care owed to a data subject by a data controller or data processor. To that extent, it is plain that the jurisdiction conferred upon the DPC by the Oireachtas to determine certain issues under the DPA is not an exclusive one.

108. However, the fact that this Court has jurisdiction to deal with actions in tort alleging the breach of a duty of care recognised under the DPA does not mean that it should not be alert to the potential problems that the exercise of its discretion to make declaratory orders might create in that context. There seems to me to be a clear danger of overlapping and unworkable jurisdictions, were I to consider making orders determining the future rights of data subjects in proceedings to which those persons are not party, thereby depriving them of any meaningful right to make a complaint to the DPC concerning the company’s processing of their personal data; to have that complaint investigated by the DPC; to have a decision made upon it, subject to a right of appeal to the Circuit Court and, on a point of law, to this Court; or to have any decision in their favour ultimately enforced by the DPC. Indeed, were I to make the declarations now sought, they would have the further obvious effect of adversely predetermining any claim in tort that might later be brought by any data subject against the company, as data controller, for breach of the duty of care recognised by s. 7.

109. One final authority that was drawn to my attention by Counsel for the DPC is the decision of this Court (per Charleton J.) in the case of EMI Records (Ireland) Ltd & Ors v. Eircom Ltd [2010] 4 IR 349. At first glance, that case appears to offer some support for the stance adopted by both the liquidators and the DPC on the present application, in that the Court there was prepared to rule on a number of questions which, on one view, were capable of determining the future data protection rights of data subjects who were not a party to those proceedings. But there are a number of significant distinctions between that case and the present one.

110. The first distinction is that one of the primary conclusions reached by Charleton J. was that the data at issue in that case was not personal data at all for the purposes of the DPA, such that the relevant provisions of the DPA were simply not engaged. In that context, the issues in that case seem to me to be conceptually closer to those that arose in Pyx Granite Company Ltd.,, which Keane C.J. was careful to distinguish in Grianán an Aileach Interpretative Centre Company Limited v. Donegal County Council (No. 2) [2004] 2 IR 625. The second distinction is that the proceedings did not involve the invocation of the jursidiction to make declaratory orders but, rather, the resolution of a number of questions that arose in respect of the implementation of a settlement agreement in civil proceedings between certain copyright holders and a particular internet service provider in respect of the unauthorised copying and sharing of copyright material. Third, none of the central issues that I have been obliged to consider in the course of the present application appear to have been presented to Charleton J. in the context of those proceedings. As O’Neill J. observed in Coffey v. Tara Mines [2008] 1 IR 436, ‘[i]t is a well settled principle of our system of jurisprudence that what is not argued is not decided.”

Conclusion
111. For the reasons set out in the preceding paragraphs, I am satisfied that I ought to exercise the discretion I have in relation to the grant or refusal of declaratory orders to refuse to make the orders sought in the particular circumstances of this case.

BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ie/cases/IEHC/2015/H450.html

	[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]
	High Court of Ireland Decisions
You are here: BAILII >> Databases >> High Court of Ireland Decisions >> In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) [2015] IEHC 450 (07 July 2015) URL: http://www.bailii.org/ie/cases/IEHC/2015/H450.html Cite as: [2015] IEHC 450

High Court of Ireland Decisions