High Court: Judicial review relating to HSE ransomware attack data breach dismissed

The High Court has dismissed judicial review proceedings in respect of a data breach which allegedly compromised personal data on the applicant’s work phone.

About this case:
- Citation: [2025] IEHC 191
- Court: High Court
- Judge: Mr Justice Barry O'Donnell

Delivering judgment for the High Court, Mr Justice Barry O’Donnell was satisfied that the clear import of the applicant’s complaint remained focused on his personal data and that it was not apparent that the applicant was concerned about whether other “work related personal data” had been accessed improperly.
Background
In December 2021, the applicant, a fire prevention officer employed by the Health Service Executive (HSE), complained to the Data Protection Commission (DPC) in respect of a data breach arising out of a 2021 ransomware attack on the HSE’s computers and technical devices.
The applicant alleged that his work phone provided to him by the HSE had been hacked, allowing his personal email accounts and personal cryptocurrency account to be breached.
On 23 May 2022, the DPC decided that the HSE was not a “data controller” for the purposes of Article 4.7 of the General Data Protection Regulation (EU) 2016/679 (GDPR) as the HSE had not authorised the applicant to use his work phone for personal use.
The applicant was subsequently granted leave to bring judicial review proceedings on grounds inter alia that the “work related personal data” was data that could identify the applicant as an individual and so comprised “personal data” as defined by Article 4.1 GDPR, that the HSE was the “data controller” of that personal data because it mandated the use of the phone for work related purposes, that the DPC departed from its own guidance in concluding that the HSE was not a data controller, and that the approach and decision of the DPC was “unreasonable” in the sense used in Meadows v. Minister for Justice, Equality and Law Reform [2010] 2 I.R. 701.
The applicant sought an order quashing the dismissal of his complaint against the HSE, an order compelling the DPC to investigate his complaint and a declaration that the process followed by the DPC with regard to its finding that the HSE was not a data controller and/or dismissing his complaint on foot of same was unlawful.
The DPC contended that the complaint related solely to non-work related data and that it had not been asked to address whether the HSE was a data controller in respect of the applicant's work-related data.
The DPC also argued that there was no error on its part in finding that the HSE was not the data controller of non-work personal data, in circumstances where the applicant had not been authorised by the HSE to use the phone for personal use.
The DPC further submitted that its decision was legally binding and so the applicant should have brought a statutory appeal pursuant to the Data Protection Act 2018 rather than seeking judicial review.
The High Court
The court first considered the issue of the availability of a statutory appeal to the applicant, finding that there was some vagueness in the manner in which the DPC characterised its decision such that it would not be fair to the applicant to determine his case other than on the substantive grounds of challenge.
Having regard to the parties’ submissions, Mr Justice O’Donnell considered that “the only fair way to analyse the DPC decision of the 23 May 2022 is by reference to the materials that were before it, and specifically by reference to the particular issues that the applicant sought to agitate”.
The court considered the complaint made to the DPC, noting that same was “specific, and the clear gravamen of the complaint was not that his work device contained work related personal data, but that it contained non work related personal data”.
In particular, the court noted inter alia that on 14 April 2022 the DPC had outlined its understanding of the complaint as relating to the applicant's non-work personal data, and that it had been open to the applicant at that time to correspond with the DPC to explain that the DPC and the HSE had misconstrued his complaint, if that was the case.
Mr Justice O'Donnell emphasised that instead, "the applicant did not clarify what he meant by personal data".
The court also had regard to an email of 10 January 2022 from the applicant's solicitor to the HSE, which complained that the HSE had failed to confirm whether the remit of its investigation included their client's specific complaint that his personal data held on his HSE phone had been accessed without his authority. The court considered that this email evidenced that the applicant was concerned with his Gmail, Yahoo, Fitbit and Binance data, and did not suggest that he was concerned about whether the HSE had looked into the question of whether other "work related personal data" had been accessed improperly.
Mr Justice O'Donnell found that the DPC had "clearly engaged" in an appropriate and proportionate investigation of the individual complaint, and had not adopted an unorthodox interpretation of the definition of data controller.
The judge was also satisfied that the DPC's decision rested not only on the proposition that, in the circumstances, the HSE was not the data controller, but also on the fact that it could not be determined whether the applicant's personal accounts had been accessed as a result of the cyberattack on the HSE rather than compromised by some other route.
In those circumstances, the court could not find that the decision was ultra vires the DPC or unreasonable or irrational in the manner set out in inter alia Meadows, and was made on the basis of and consistent with the evidence that was before the deciding officer.
Conclusion
Accordingly, the High Court refused the relief sought.
McShane v Data Protection Commission [2025] IEHC 191