Public Accounts Committee’s Request for Information and GDPR

Last year the Public Accounts Committee sent a request for information to the Dept. of Finance in relation to fees charged to that department by barristers.
In a previous blog, data protection consultants GDPRXpert discussed examples of how the GDPR was used as an excuse for not supplying information, in situations where supplying the information was perfectly legitimate. Some examples showed how ill-informed people were, while others belonged at the farcical and ludicrous end of the spectrum. What we are examining today lies at the more nuanced end. Legitimate positions can be taken by both sides but to repeat what we have stated previously, the GDPR does not exist in isolation. Rather, it is about balancing rights and proportionality. Remember the removal of the visitor books from the heritage sites? If you wish to refresh your memory on this go to this GDPRXpert blog.

BACKGROUND

The Public Accounts Committee

The Committee of Public Accounts (PAC) is a standing committee of Dáil Éireann which focuses on ensuring public services are run efficiently and achieve value for money. It acts as a public spending watchdog and by virtue of this role it has become one of the most powerful Oireachtas committees. It has a key role to play in ensuring that there is accountability and transparency in the way government agencies allocate, spend and manage their finances, and guaranteeing that the taxpayer receives value for money. PAC is a standing committee of the Dáil and is responsible for examining and reporting on reports of the Comptroller and Auditor General on departmental expenditure and certain other accounts. It also considers the Comptroller and Auditor General’s reports on his or her examinations of economy, efficiency, effectiveness evaluation systems, procedures, and practices.

Despite a recent adverse court decision relating to questioning of former Rehab Ireland CEO Patricia Kerins, the committee can rightly claim to do an excellent oversight job on behalf of the Irish taxpayer. Our view is clear. That particular episode was caused by some overzealous committee members and an overzealous chairman. ‘Over the top’ is the most appropriate colloquialism to describe the treatment of Ms Kerins. Giving the judgment of the entire court the Chief Justice stated, “the actions of the PAC as a whole were such they condoned the “significant departure” by at least three members of PAC from the terms of its invitation to Ms Kerins to appear before it”. (See Irish Times, 29 May 2019, “Supreme Court says PAC treated Angela Kerins in ‘unlawful’ manner”). The most consistent criticism stemmed from the manner in which PAC acted outside its remit and terms of reference.

Our view is that the PAC performs an excellent oversight job to ensure value for money for the taxpayer. Data protection consultants GDPRXpert.ie were impressed by the committee when it recently had Helen Dixon and some of her staff at a hearing in September of last year (2019). GDPRXpert.ie are making that link available here. At present, the committee has an excellent chairperson in Sean Fleming, and well-briefed committed members.


The Apple Money

There was much criticism from public representatives, the media and the general public when the Government decided to appeal the decision in the Apple case. Indeed, Fintan O’Toole described it as a disastrous miscalculation. The European Commission had found that Ireland had provided €13BN to Apple, which in the opinion of the Commission represented illegal state aid under EU Competition Law. The Commission said Apple’s tax arrangements in Ireland gave it ‘a significant advantage over other businesses that are subject to the same national taxation rules’, violating EU state aid laws. Although the government had indicated back in 2016 its intention to appeal the decision, it was still compelled to collect the money owed. Over €14BN (principal amount + interest) was placed in an escrow account by Apple, until the appeal process is concluded. At the end of last year, the government confirmed that over €7 million had been spent on legal fees, consultancy fees, and other related costs.


Bearing in mind the role of the PAC which we have described earlier, it was to be expected that the committee may have had questions about the use of public money in the context of this appeal. Legal fees formed the bulk of the costs associated with the appeal to date, and the appeal process is still not exhausted. There is a possibility that, depending upon the result from the lower General Court, the case could yet end up before the CJEU and drag on for a few more years. The knowledge that this possibility was real may have augmented the desire of the PAC for some further information on the value for money aspect of the legal fees. The Dept of Finance was responsible for the payment of the legal and other costs associated with the appeal.

The GDPR Perspective

Prior to the introduction of the GDPR there never seemed to be an impediment to the release of legal fees charged by legal teams involved in, for example, the various tribunals over the years. Legal firms were named and their charges were public knowledge (thanks to the terms of reference and/or the FOI Act). A PAC report from January 2011 details how legal fees can reach exorbitant levels and the vast amounts paid to individual legal professionals. Again, there is no surprise and nothing unexpected or unusual in the PAC requesting the information on barrister charges in relation to the Apple appeal.

What is surprising is the response of the Dept. of Finance to this request for information.
A response from the Dept. briefly outlined its reason for its non-compliance with the request for information. In essence, the Dept cited the GDPR as the justification for not acceding to the request. The rationale seems to be very simplistic and dogmatic:
The information is personal data under the GDPR;
We have a lawful basis to process personal data but in this case, our advice is not to share the data;
The individual right to privacy trumps any right the PAC may have to access the data; and
that’s our story and we’re sticking to it!

Individual’s right to privacy v Public Interest

Some possible solutions

Names of tax defaulters are published by the Revenue Commissioners. The commissioners have a clear legal basis for this under the Tax Consolidation Acts. Despite being underpinned by legislation it still represents an interference with privacy rights. Crucially, it is not disproportionate and is done in the public interest. It is arguable that this is much more invasive than a barrister’s fees being disclosed to the PAC. Any barrister doing legal work for govt. departments would expect that their fees could be reviewed by civil servants and others at some point in the future.
There are no confidentiality agreements regarding fees for legal work done for the State. Legal privilege is one thing. Legal confidentiality over fees charged is a whole other thing. Transparency and accountability are overriding factors when it comes to assessing taxpayer value for money spent.

Historically, the practice of disclosing the names of barristers, along with the fees paid to them by Government departments and public bodies, is a longstanding one, and the refusal to disclose similar information represents an unannounced change of practice. Citing the GDPR as the reason for this change of practice is unjustified. The GDPR does not preclude the information on any barrister’s fees being disclosed to the PAC.


The routes available to the PAC

Art. 6(1)(f) of the GDPR provides an appropriate legal basis for the PAC to process the personal data concerned, i.e. the names and fees charged by individual barristers. It states, “processing is necessary for the purposes of the legitimate interests pursued by a controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…” Here is a valid reason for the Dept. of Finance to furnish the details. PAC is not a “public authority” for the purposes of the GDPR or the DPA 2018, and so strict limitations on the use of the “legitimate interests” basis do not apply. (See Recital 47, GDPR.)
Under s.60 of the Data Protection Act 2018, restrictions are set on the obligations of data controllers and the rights of data subjects for “important objectives of general public interest”. The rights and obligations referred to are those under Arts 12-22 and Art 34 GDPR. S.60(3)(c) DPA 2018 continues with restrictions where the personal data are kept “by the C&AG for the performance of his or her official functions”.

Bearing in mind the role of the C&AG (The C&AG’s mission is to provide independent assurance that public funds and resources are used in accordance with the law, managed to good effect and properly accounted for and to contribute to improvement in public administration) it is proper that the information the PAC is seeking would be available without question to the C&AG from the Dept of Finance. It is certain that the C&AG would look favourably on any request from the PAC for the details of the legal charges they are seeking. There would be a clear understanding by the C&AG of the legitimacy of the request from the PAC. Unlike the action of the Dept of Finance, there would be no hiding behind the GDPR.

If complications and confrontations continue in relation to requests by the PAC for information that contains personal data, there is a longer-term measure that could be utilised. This would involve amending the Data Sharing and Governance Act of 2019. A most appropriate amendment is one that includes the PAC within the definition of “public body”. Personal data from other public bodies could then be shared with the PAC. Appropriate restrictions could be placed on the categories of data to be shared. Data sharing within the amended act would be such that is necessary and proportionate to facilitate the proper functioning of the PAC in “ensuring public services are run efficiently and achieve value for money”.
However, it should never have to come to this. It would not if departments such as the Dept. of Finance looked at the request in light of the public interest and in the light of the work the PAC does in the public interest. The PAC places transparency and accountability foremost in its quest to ensure public money spent achieves value for money.

In a letter to the PAC, Deputy Commissioner Dara Walsh reiterated a view shared by many within the data protection community. This view is that the privacy interests of individual barristers do not trump or override the public interest in seeing how State money was being spent. “Barristers could have no expectation that the legal fees expended by the DPC as a public body would not be subject to parliamentary and public scrutiny,” he concluded. Furnishing the details of fees to the PAC may also serve to show there is or there is no impropriety involved. Simply put: barrister A is not getting all the work.

Somewhat ironically, Graham Doyle, deputy data protection commissioner, said the DPC was also recently before the PAC and asked about similar payments to third-party organisations and individual service providers, such as barristers. Not only did it provide the information on the companies, but also gave a detailed breakdown on individual barristers, and this was after the introduction of the GDPR (https://www.irishexaminer.com/breakingnews/ireland/state-can-fully-disclose-apple-legal-bill-961631.html). The commonsense answer suggested by the PAC, and supported by the DPC, is that people tendering for such work be made aware their payments will be publicly disclosed.
P.S. Considering that a general election has just been announced, we will repost a previous blog on the GDPR and elections. It is important that candidates and voters are aware of rights and responsibilities, at a time where personal data are being quickly processed.
Patrick Rowland, GDPRXpert.ie

We are GDPR and Data Protection Consultants, with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.

For more details visit www.gdprxpert.ie

Long Awaited Ruling on The Right to be Forgotten.

Expert data protection consultants, GDPRXpert, examine the recent Google Right to be Forgotten ruling (Case C-507/17).

The case stemmed from an initial request for a preliminary ruling by the French data protection regulator. (Request for a preliminary ruling from the Conseil d’État (France) lodged on 21 August 2017 — Google Inc v Commission nationale de l’informatique et des libertés (CNIL).)

The implications of the decision in the recent ‘Right To Be Forgotten’ case are likely to be far-reaching and controversial. Before any understanding of these implications can be grasped or a sober and objective assessment made, some knowledge of the context and background is necessary. What EU legislation, and in particular the GDPR, sets out about the right will act as an additional tool in assessing the rationality of the conclusions reached in the case. In the light of those conclusions, where does the Right To Be Forgotten (RTBF) now stand? A more insightful question is where should the right now stand? Not everyone will agree on this. Some views may mirror sentiments surrounding the GDPR itself that qualified data protection consultants, such as GDPRXpert, have commented on previously.

Background and Context to the Case.

It has long been recognised that the RTBF exists under EU law. This has been evident since the 1995 Data Protection Directive (‘The Directive’) and from previous case law. More recently, Art. 17 GDPR has set it out clearly. What is also established is that the right is a qualified right and not an absolute right. A normal consequence is the balancing of the right against other rights; against those rights that may be competing in the same sphere. The European Court of Justice (CJEU) in a seminal 2014 case, widely referenced as Google Spain, held that Google was a data controller in its processing of personal data relating to the operation of a search engine.

Google Spain Case C-131/12 (13 May 2014).

In Google Spain a lawyer (the applicant) was objecting to the fact that anyone who searched his name on the Google search engine would obtain links to an article in a newspaper. That article reported the details of a court attachment order against the applicant for the recovery of social security debts. What is noteworthy is that the case pre-dates the GDPR. It was a case that initially fell for consideration within the ambit of ‘The Directive’, and specifically Articles 12(b) and 14(a). Mr. Gonzalez, the lawyer applicant, was seeking to enforce his right of objection. He felt that the material reported in the newspaper article was creating negative publicity, and reflected badly on him in his professional capacity. Some events reported in the article concerning Mr. Gonzalez had taken place 16 years previously.

Google had no control over the material in the newspaper report, yet it was directing the purposes and means of indexing. Anything that showed up when the applicant’s name was entered in the search box was the result of Google indexing. Material on third party websites is not controlled by Google. In this case, the information on Mr. Gonzalez is still available in the newspaper publication and can be accessed without the help of Google. Nevertheless, Google was ordered by the Court to comply with the request for erasure.

Data protection rights v Freedom of expression and information

The Court held that where a person’s name was used in the search, the search engine is obliged to remove from the list of results any links to web pages published by 3rd parties, and containing information concerning that person. This stands even when the publication of the information on those pages is lawful. On the facts of the case, the Court held that individuals may request search engines to remove links to inadequate, irrelevant or excessive content relating to them online. In this particular case, the interference with a person’s right to data protection could not be justified merely by the economic interest of the search engine.

After Google Spain

Defining the exact parameters and contours of the judgment has stoked uncertainty and fostered controversy for years. As soon as the ruling was announced Google introduced new internal procedures. These procedures were to facilitate changes that the ruling demanded, and enable it to assess requests for erasure. Every request had to be assessed on its own merits to apply the criteria mentioned in EU law and the European Court’s judgment. These criteria relate to the accuracy, adequacy, relevance – including time passed – and proportionality of the links, in relation to the purposes of the data processing (paragraph 93 of the ruling).


Following a successful request, the principal new procedure known as ‘geo-blocking’ will come to the fore. Geo-blocking, as the word suggests, operates to block access to the information from a searcher’s domain (more on this later). After the Google Spain case and up to late 2018, Google had received over 700,000 requests for erasure. Over 40% of these were categorised as well-founded, and consequently, the related search results were de-listed. One pre-requisite is that the search is based on the person’s name. Other searches, not based on the person’s name, can still lead to the information in the third party link or the link can be accessed directly. A person would have to put in a request with the data controller for the third party website in order to secure erasure of personal data on that website. We emphasise again the nature of the right: qualified and limited.

Google and the French Regulator

Google commenced the process of de-listing results. However, the structure and methodology of the de-listing did not meet with the full approval of the French regulator. There was a reason for this. When Google initiated the new de-listing procedure they only de-listed in relation to EU domains such as google.es, google.fr, google.de, and so on. Domains outside the EU, such as google.com, were unaffected, resulting in the information remaining conveniently available. In 2016 Google had introduced the geo-blocking feature that prevented European users from viewing the de-listed results, but it resisted censoring results for people in other parts of the world. From the viewpoint of the French data protection regulator, Commission Nationale de l’Informatique et des Libertés (‘CNIL’), this was unsatisfactory.

What CNIL Wanted

CNIL argued that by only de-listing the EU domains, Google was not giving data subjects’ personal data the protection that the judgment in the case had envisaged. It followed from this, that to ensure full protection of the personal data of data subjects, erasure of the personal data should happen worldwide. If this was not to happen, the certain consequence was going to be access to the personal data via other domains. Other methods, such as circumvention through the use of a Virtual Private Network (VPN) could also be used.

For Google, de-listing worldwide was a disproportionate measure and placed an overly onerous burden on the operation of its search engine. (GDPRXpert recently looked at disproportionate measures in the context of the visitor books at OPW sites.) Applying the RTBF ruling in jurisdictions that had strong constitutional protection for freedom of expression and free speech, such as the U.S., was judged as problematic. Google appealed the decision. Principles of territorial jurisdiction and global data flows that seem incompatible with each other must now undergo more judicial scrutiny.

Article 17 GDPR

Google v CNIL was always going to be a complicated case as the array of issues involved was open to differing interpretations. To further complicate the issues, the introduction of the GDPR in May 2018 effectively repealed the old Directive. Google Spain considered Article 14 of Directive 95/46, but Article 17 GDPR now broadens out the circumstances where the right to erasure will apply. Consequently, there was an inevitable focus on interpreting its application and relevance to the facts in this particular case.

This ‘new right’ to erasure (‘right to be forgotten’) is set out under Art. 17 of the GDPR. The grounds for erasure (Art. 17(1)) are enumerated, and the controller is obliged to erase personal data without undue delay where those grounds apply. Primary grounds for erasure include (but are not limited to): the data are no longer needed for their original purpose; consent has been withdrawn and there are no other legal grounds for the processing; the processing was unlawful in the first place; and erasure is required under EU or Member State law. Grounds for refusing to erase the personal data (Art. 17(2)) are also set out, but these are very limited, and only will apply ‘where the processing is necessary’ under those stated grounds.

That word ‘necessary’ crops up again and is open to interpretation. Certified GDPR and data protection advisers, GDPRXpert, have explained in previous blogs how the word ‘necessary’, in the context of the GDPR, means more than ‘useful’ or ‘convenient’. We saw previously how much of the debate surrounding the Public Services Card shifted and began to examine specific aspects of the card. For example, when exactly was processing deemed ‘necessary’ in relation to a stated particular purpose?

The RTBF is simultaneously more ambiguous and ambitious than other rights and is likely to be the subject of more legal challenges. Different competing rights, ones that require balancing against one another, will lead to most of the confrontations. What is most likely to be the battleground will be the intersection of the RTBF with the right to freedom of expression and information. Strategists of the opposing factions may be forced to look to the degree of erasure or whether any item of data can ever be truly and permanently erased. One thing is certain: nowhere in Art 17 GDPR does it mention de-listing information on a worldwide basis. None of us need to be a courtroom advocate, but the foregoing should provide us with sharper interpretive tools to assist in our own analysis of the final decision in Google v CNIL.

Google v CNIL

At the core of the case, there are two differing perspectives. Google is focused on broader economic and societal implications. CNIL is looking through the prism of individual data protection rights. Four questions were submitted to the Court for a preliminary ruling by the French Conseil d’État:

First, whether the de-referencing following a successful request for erasure must be deployed in relation to all domain names irrespective of the location from where the search based on the requester’s name is initiated, even if that occurs outside of the EU;

Second, if the first question is answered negatively, whether the RTBF must only be implemented in relation to the domain name of the Member State from which the search is deemed to have been operated or, third, whether this must be done in relation to the domain names corresponding to all Member States;

Fourth, whether the RTBF implies an obligation for search engine operators to use geo-blocking where a user based in (i) the Member State from which the request for erasure emanated or (ii) the territory of the EU searches non-EU domains.

Expert data protection consultants GDPRXpert have accessed some quality articles on the RTBF for this blog, such as, ‘Google v CNIL: Defining the Territorial Scope of European Data Protection Law’.

The Opinion in Google v CNIL

A hint of where the case was going became clearer with the preliminary opinion of the Advocate General of the Court (CJEU) on 10 January 2019. With the opinion there came a re-statement of the order of rights. What was emphasised once more was that the RTBF involved a balancing exercise against other rights, and most especially against the right to freedom of expression. The Advocate General concluded that where a claim for de-referencing has been successful, the search engine operator should only be required to effect de-referencing within the EU. This was a non-binding ruling. In most cases, the full court at the Grand Chamber follows the opinion of the Advocate General.

The Grand Chamber Decision in Case C-507/17

The Court held that “The operator of a search engine is not required to carry out a de-referencing on all versions of its search engine. It is, however, required to carry out that de-referencing on the versions corresponding to all the Member States and to put in place measures discouraging internet users from gaining access, from one of the Member States, to the links in question which appear on versions of that search engine outside the EU.”

It went on to cite Google Spain and stated that the Court had already held, “that the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful”.

Under the old Directive, and more recently under the GDPR, Google Inc’s operations fell within the scope of EU legislation on data protection. Global de-referencing would meet the objective of protection of EU law in full, but there were other considerations. Numerous third States do not recognise the right to dereferencing or have a different approach to that right. The Court added that the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

Any balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world. There was no evidence, in legal texts or anywhere else, that the EU legislature had struck such a balance. Neither was there any evidence that it had chosen to confer a scope on the rights of individuals going beyond the territory of the Member States. In addition, there was no evidence it would have intended to place a de-listing burden on an operator, such as Google, which concerns the national versions of its search engine, as distinct from those of Member States.

EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU. “Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” Nevertheless, EU law does require a search engine operator to carry out such a de-referencing on the versions of its search engine corresponding to all the Member States.

A search engine must take sufficiently effective measures to ensure the effective protection of the data subject’s fundamental rights. What this means in practice is that any de-listing or de-referencing, “must, if necessary, be accompanied by measures which effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, through a version of that search engine outside the EU, to the links which are the subject of the request for de-referencing”.

It will be for the national court to ascertain whether the measures put in place by Google Inc. meet those requirements. Lastly, the Court points out that, while EU law does not currently require a de-referencing to be carried out on all versions of the search engine, it also does not prohibit such a practice. Just as in Google Spain, it was acknowledged that removing irrelevant and outdated links is not tantamount to deleting content. The data will still be accessible, but no longer ubiquitous.

Patrick Rowland, GDPRXpert.
