Last year the Public Accounts Committee sent a request for information to the Dept.of Finance in relation to fees charged to that department by barristers.
In a previous blog, data protection consultants GDPRXpert discussed examples of how the GDPR was used as an excuse for not supplying information, in situations where supplying the information was perfectly legitimate. Some examples showed how ill-informed people were, while others belonged at the farcical and ludicrous end of the spectrum. What we are examining today lies at the more nuanced end. Legitimate positions can be taken by both sides but to repeat what we have stated previously, the GDPR does not exist in isolation. Rather, it is about balancing rights and proportionality. Remember the removal of the visitor books from the heritage sites? If you wish to refresh your memory on this go to this GDPRXpert blog.
BACKGROUND
The Public Accounts Committee
The Committee of Public Accounts (PAC) is) is a standing committee of Dáil Éireann which focuses on ensuring public services are run efficiently and achieve value for money. It acts as a public spending watchdog and by virtue of this role it has become one of the most powerful Oireachtas committees. It has a key role to play in ensuring that there is accountability and transparency in the way government agencies allocate, spend and manage their finances, and guaranteeing that the taxpayer receives value for money. PAC is a standing committee of the Dáil and is responsible for examining and reporting on reports of the Comptroller and Auditor General on departmental expenditure and certain other accounts. It also considers the Comptroller and Auditor General’s reports on his or her examinations of economy, efficiency, effectiveness evaluation systems, procedures, and practices.
Despite a recent adverse court decision relating to questioning of former Rehab Ireland CEO Patricia Kerins, the committee can rightly claim to do an excellent oversight job on behalf of the Irish taxpayer. Our view is clear. That particular episode was caused by some overzealous committee members and an overzealous chairman. ‘Over the top’ is the most appropriate colloquialism to describe the treatment of Ms Kerins. Giving the judgment of the entire court the Chief Justice stated, “the actions of the PAC as a whole were such they condoned the “significant departure” by at least three members of PAC from the terms of its invitation to Ms Kerins to appear before it”. (See Irish Times, 29 May 2019, “Supreme Court says PAC treated Angela Kerins in ‘unlawful’ manner”). The most consistent criticism stemmed from the manner in which PAC acted outside its remit and terms of reference.
Our view is that the PAC performs an excellent oversight job to ensure value for money for the taxpayer. Data protection consultants GDPRXpert.ie were impressed by the committee when it recently had Helen Dixon and some of her staff at a hearing in September of last year (2019). GDPRXpert.ie are making that link available here. At present, the committee has an excellent chairperson in Sean Fleming, and well-briefed committed members.
The Apple Money
There was much criticism from public representatives, the media and the general public when the Government decided to appeal the decision in the Apple case. Indeed, Fintan O’Toole described it as a disastrous miscalculation. The European Commission had found that Ireland had provided €13BN to Apple, which in the opinion of the Commission represented illegal state aid under EU Competition Law. The Commission said Apple’s tax arrangements in Ireland gave it ‘a significant advantage over other businesses that are subject to the same national taxation rules’, violating EU state aid laws. Although the government had indicated back in 2016 its intention to appeal the decision it was still compelled to collect the money owed. Over €14BN (principal amount + interest) was placed in an escrow account by Apple, until the appeal process is concluded. At the end of last year, the government confirmed that over €7Million had been spent on legal fees, consultancy fees, and other related costs.
Bearing in mind the role of the PAC which we have described earlier, it was to be expected that the committee may have had questions about the use of public money in the context of this appeal. Legal fees formed the bulk of the costs associated with the appeal to date, and the appeal process is still not exhausted. There is a possibility that, depending upon the result from the lower General Court, the case could yet end up before the CJEU and drag on for a few more years. The knowledge that this possibility was real may have augmented the desire of the PAC for some further information on the value for money aspect of the legal fees. The Dept of Finance was responsible for the payment of the legal and other costs associated with the appeal.
The GDPR Perspective
Prior to the introduction of the GDPR there never seemed to be an impediment to the release of legal fees charged by legal teams involved in, for example, the various tribunals over the years. Legal firms were named and their charges were public knowledge (thanks to the terms of reference and /or the FOI Act). A PAC report from January 2011 details how legal fees can reach exorbitant levels and the vast amounts paid to individual legal professionals. Again, there is no surprise and nothing unexpected or unusual in the PAC requesting the information on barrister charges in relation to the Apple appeal.
What is surprising is the response of the Dept. of Finance to this request for information.
A response from the Dept. briefly outlined its reason for its non-compliance with the request for information. In essence, the Dept cited the GDPR as the justification for not acceding to the request. The rationale seems to be very simplistic and dogmatic:
The information is personal data under the GDPR;
We have a lawful basis to process personal data but in this case, our advice is not to share the data;
The individual right to privacy trumps any right the PAC may have to access the data; and
that’s our story and we’re sticking to it!
Some possible solutions
Names of tax defaulters are published by the Revenue Commissioners. The commissioners have a clear legal basis for this under the Tax Consolidation Acts. Despite being underpinned by legislation it still represents an interference with privacy rights. Crucially, it is not disproportionate and is done in the public interest. It is arguable that this is much more invasive than a barrister’s fees being disclosed to the PAC. Any barrister doing legal work for govt. departments would expect that their fees could be reviewed by civil servants and others at some point in the future.
There are no confidentiality agreements regarding fees for legal work done for the State. Legal privilege is one thing. Legal confidentiality over fees charged is a whole other thing. Transparency and accountability are overriding factors when it comes to assessing taxpayer value for money spent.
Historically, the practice of disclosing the names of barristers, along with the fees paid to them by Government departments and public bodies, is a longstanding one, and the refusal to disclose similar information represents an unannounced change of practice. Citing the GDPR as the reason for this change of practice is unjustified. The GDPR does not preclude the information on any barrister’s fees being disclosed to the PAC.
The routes available to the PAC
Art.6 (1) (f) of GDPR provides an appropriate legal basis exists for the PAC to process the personal data concerned, i.e the names and fees charged by individual barristers. It states, “processing is necessary for the purposes of the legitimate interests pursued by a controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…” Here is a valid reason for the Dept. of Finance to furnish the details. PAC is not a “public authority” for the purposes of the GDPR or the DPA 2018, and so strict limitations on the use of the “legitimate interests” basis do not apply. (See Recital 47, GDPR)
Under s.60 of the Data Protection Act 2018 restrictions are set on the obligations of data controllers and the rights of data subjects for “important objectives of general public interest”. The rights and obligations referred to are those under Arts 12-22 and Art 34 GDPR. S.60 (3) (c) DPA 2018 continues with restrictions where the personal data are kept “by the C&AG for the performance of his or her official functions”.
Bearing in mind the role of the C&AG (The C&AG’s mission is to provide independent assurance that public funds and resources are used in accordance with the law, managed to good effect and properly accounted for and to contribute to improvement in public administration) it is proper that the information the PAC is seeking would be available without question to the C&AG from the Dept of Finance. It is certain that the C&AG would look favourably on any request from the PAC for the details of the legal charges they are seeking. There would be a clear understanding by the C&AG of the legitimacy of the request from the PAC. Unlike the action of the Dept of Finance, there would be no hiding behind the GDPR.
If complications and confrontations continue in relation to requests by the PAC for information that contains personal data, there is a longer-term measure that could be utilised. This would involve amending the Data Sharing and Governance Act of 2019. A most appropriate amendment is one that includes the PAC within the definition of “public body”. Personal data from other public bodies could then be shared with the PAC. Appropriate restrictions could be placed on the categories of data to be shared. Data sharing within the amended act would be such that is necessary and proportionate to facilitate the proper functioning of the PAC in “ensuring public services are run efficiently and achieve value for money”.
However, it never should have to come to this. It would not if departments such as the dept. of finance looked at the request in light of the public interest and in the light of the work the PAC does in the public interest. The PAC places transparency and accountability foremost in its quest to ensure public money spent achieves value for money.
In a letter to the PAC, Deputy Commissioner Dara Walsh reiterated a view shared by many within the data protection community. This view is that the privacy interests of individual barristers do not trump or override the public interest in seeing how State money was being spent. “Barristers could have no expectation that the legal fees expended by the DPC as a public body would not be subject to parliamentary and public scrutiny,” he concluded. Furnishing the details of fees to the PAC may also serve to show there is or there is no impropriety involved. Simply put: barrister A is not getting all the work.
Somewhat ironically, Graham Doyle, deputy data protection commissioner, said the DPC was also recently before the PAC and asked about similar payments to third-party organisations and individual service providers, such as barristers. Not only did it provide the information on the companies, but also gave a detailed breakdown on individual barristers, and this was after the introduction of the GDPR (https://www.irishexaminer.com/breakingnews/ireland/state-can-fully-disclose-apple-legal-bill-961631.html ) The commonsense answer suggested by the PAC, and supported by the DPC, is that people tendering for such work be made aware their payments will be publicly disclosed.
P.S. Considering that a general election has just been announced, we will repost a previous blog on the GDPR and elections. It is important that candidates and voters are aware of rights and responsibilities, at a time where personal data are being quickly processed.
Patrick Rowland, GDPRXpert.ie
We are GDPR and Data Protection Consultants, with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie