When the office of the DPC was set up in 1988, Tim Berners- Lee was two years away from devising the worldwide web. Today, it is estimated that 1.4 billion individuals access Facebook on a daily basis.
The potential for catastrophic consequences from the misuse of this wealth of information has been highlighted by the recent Cambridge Analytica fiasco, which saw the data of 50 million users harvested for the purposes of micro-targeting US voters for the benefit of political actors.
This, according to Cambridge Analytica, and as seen in Channel 4 News’ recently released undercover footage, is being cited as one of the reasons why Donald Trump won the US presidential election.
The DPC is a specialist body with particular expertise in the area of data protection.
While the courts have a role in the supervision of the performance of its duty, as a result of this particular expertise, the courts have afforded curial deference to the DPC in the exercise of her function.
It is only in circumstances of ‘unreasonableness’ that the courts will interfere with determinations of the DPC.
Deference
In Orange Communications Limited v Director of Telecommunications Regulations ([2000] 4 IR 159), Keane CJ cited the following from an Australian decision with approval: “an appeal from a decision of an expert tribunal is not exactly like an appeal from a decision of a trial court.
Presumably, if parliament entrusts a certain matter to a tribunal and not (initially at least) to the courts, it is because the tribunal enjoys some advantage the judges do not.
For that reason alone, review of the decision of a tribunal should often be of a standard more deferential than correctness … I conclude that the … standard should be whether the decision of the tribunal is unreasonable … An unreasonable decision is one that, in the main, is not supported by any reasons that can stand up to a somewhat probing examination.
Accordingly, a court reviewing a conclusion on the reasonableness standard must look to see whether any reasons support it.”
A mere defect in reasoning is not, therefore, sufficient to warrant interference in a decision of the DPC.
This deferential approach was recently reiterated in Savage v Data Protection Commissioner ([2018] IEHC 122). In that case, Mr Savage complained to the DPC about the results of a search operated by Google Ireland Limited.
When users searched for him, they were offered a Reddit.com page where he had been referred to as ‘North County Dublin’s homophobic candidate’.
Mr Savage complained to Google, who robustly defended its role in the search on the basis of the decision of the CJEU in Google Spain v AEPD & Maria Costeja (case C‑131/12). Mr Savage then lodged a complaint with the DPC.
That complaint was rejected on the basis of the criteria devised by the work of the Article 29 Data Protection Working Party, which was set up following the Costeja case. Mr Savage appealed that rejection to the Circuit Court.
The Circuit Court allowed his appeal on the basis that the comments alleging him to be a homophobe constituted inaccurate data, rather than the opinion of a user of the Reddit.com forum.
The facts of this case are not of particular import; it is the criticism of the standard applied by the Circuit Court that is of real consequence. The High Court allowed Mr Savage’s appeal on the basis that it came to a ‘contrary’ conclusion to the DPC.
White J concluded that this was the wrong standard to apply to an appeal of a decision of the DPC, stating that an appellant must show that there was a “serious error either in law or in fact” and that the Circuit Court failed to afford the decision of the DPC “appropriate curial deference”.
It is clear that the courts will afford the DPC a wide margin of appreciation in the performance of her dispute resolution function. This will be the case whether it is merely a single complaint made by one individual about the use of their personal data or a situation akin to that of the Cambridge Analytica scandal.
Time to lose it?
The exposure of the work of Cambridge Analytica has revealed that the role of a data supervisory authority could have potentially far-reaching consequences, greatly in excess of those previously contemplated.
The determinations of such a body could have ramifications for the legitimacy of the democratic system.
Although there is no suggestion of Cambridge Analytica operating in this jurisdiction, given the large number of multinational technology companies located here, it is not inconceivable that there is a similar operation within the State.
Were the DPC to determine that use of data by such an entity was not in breach of the data protection legislation if that issue arose for her consideration, its determination might materially affect an election, as it was claimed occurred in the US.
The courts are the ultimate guardians of the democratic process. While the expertise of the DPC in data protection is unquestionable, it has no role in the wider issue of the maintenance of a transparent system of democracy.
The proliferation of widely available and highly detailed information on voters through the use and, in the case of Cambridge Analytica, misuse of online platforms such as Facebook, requires the courts to exercise closer scrutiny over the use of data, particularly data used for political ends.
To allow the courts to continue to ignore their responsibility to protect the democratic process through the application of curial deference and a standard of ‘unreasonableness’ is to allow bodies like Cambridge Analytica operate in the shadows of democracy to ensure certain political outcomes.
Now, with the introduction of the GDPR on 25 May 2018, the courts will be armed with an additional method of bringing rogue actors to heel: the award of compensation.
The legislature of 1988 can scarcely be criticised for failing to anticipate the course that the internet has taken. History will, however, judge us harshly if we fail to react to it appropriately.
The recently revealed political subterfuge engaged in by Cambridge Analytica is a shot across the bow of democracy; the courts should not allow it to reverberate without response.