Ireland: Regulatory Dawn Raids: Data Protection and Privacy Issues

On 5 April 2016, the High Court (Barrett J) gave judgment in CRH plc and Seamus Lynch v The Competition and Consumer Protection Commission[1]. The decision is very significant for regulated entities – including those operating in the financial services sector. This is because it deals with issues which can arise where the regulator obtains information in the course of a regulatory inspection which is not necessary for its investigation. The decision also highlights the increasingly complex role of regulated entities as data controllers.

Background

The Competition and Consumer Protection Commission (the "Commission") carried out a "dawn raid" at the offices of Irish Cement Limited ("ICL") and CRH plc ("CRH") in connection with an investigation into alleged breaches of competition law. The Commission obtained the entire email account of a senior executive in the CRH group who also had held a position in ICL. The plaintiffs' complaint was that by taking the entire email account the Commission thereby gained access to information which was not relevant to the investigation. They claimed that this breached the competition legislation on foot of which the search was conducted, as well as data protection and human rights law.

The Court's Ruling

The court acknowledged that the search process was carefully planned and conducted. It also noted that in a process of this kind it was almost inevitable that the search would capture irrelevant information. The court observed that the competition acts specifically provide for a process whereby information alleged to be subject to legal professional privilege ("LPP") seized in the course of a raid could be kept confidential until its status was determined by the court. However there was no analogous process for dealing with information which was irrelevant and not subject to LPP.

The Commission contended that it had the right to examine all of the material to distil the relevant information from the irrelevant. The plaintiffs objected to this approach, contending that the Commission had no right in the first place to seize or inspect information which was not relevant to its investigation.

The court held that the irrelevant material was not covered by the search warrant and that the Commission had no right to access it. The court granted an injunction restraining the Commission from accessing, reviewing or making use of that material. The court also noted that it was open to the parties to agree a procedure analogous to provisions dealing with LPP – namely a process whereby the confidentiality of the information was preserved pending a ruling by the court as to its relevance.

As regards the plaintiff's claims based on data protection and human rights law, the court refused to grant any relief. The court noted that, in handing over personal data not relevant to the Commission's investigation, ICL itself could have breached data protection law (which requires personal data to be kept confidential). In effect, the court held that this was ICL's problem and it could not shift blame to the Commission.

Conclusions

The case presents significant difficulties for regulators carrying out a dawn raid where the legislation does not provide a procedure for sifting the wheat (relevant information) from the chaff (irrelevant information). A trawl through electronic and physical files is likely to capture some chaff and thereby put the regulator in breach of its statutory mandate.

The case also presents difficulties for the regulated entity. It will, of course, be anxious to comply with its statutory obligation not to obstruct an investigation but equally it must avoid breaching data protection laws where it discloses personal data to a regulator which has no statutory right to the information. The decision puts the regulated entity between a rock and a hard place.