The High Court (Court) has rejected a judicial review challenge against the Data Protection Commission's (DPC) refusal to investigate a personal data breach complaint allegedly arising out of a cyberattack on the Health Service Executive's (HSE) information and communication technology (ICT) systems in May 2021.
McShane v Data Protection Commission [2025] IEHC 191
The HSE employed the applicant as a fire prevention officer. In December 2021, he complained to the DPC that personal data stored on a work mobile phone provided to him by the HSE had been unlawfully accessed. He alleged that, as a result of the compromise, he lost €1,400 from his cryptocurrency account. The applicant used the work phone for personal purposes, and it contained non-work-related personal data, including personal email accounts and a cryptocurrency exchange account. Non-work use of the phone was contrary to the HSE's ICT Acceptable Use Policy, and the HSE's Electronics Policy separately prohibited the use of work devices to access third-party internet facilities.
The DPC dismissed the complaint on the basis that the HSE was not a data controller (within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR)) of the applicant's personal data stored on the phone, because the HSE had not authorised the storage or use of non-work personal data on the device. In addition, the DPC could not determine whether the applicant's accounts had been accessed as a result of the cyberattack or by some other route.
The applicant was granted permission to issue judicial review proceedings in relation to the DPC's decision. Those proceedings focused on whether the HSE was the data controller of the personal data concerned.
Procedural objections
The DPC argued that the applicant had failed to exhaust the alternative remedy of a statutory appeal and was using judicial review to challenge the merits of the DPC's decision, and it invited the Court to exercise its discretion and dismiss the application on that ground. The Court declined to do so because the DPC's characterisation of its decision in its communications with the applicant was vague. The DPC had not identified whether the complaint was rejected or dismissed; it had simply stated that, as it could not identify a contravention of the data protection legislation by the HSE, it was closing its file on the matter. Having regard to the DPC's role as a public body, the Court commented that a body wishing to rely on a failure to exhaust alternative remedies must first have informed the applicant of the decision, the legal basis for it and the available appeal options, so as to equip the applicant to pursue that alternative remedy.
Was the decision that the HSE was not a data controller ultra vires?
The Court analysed the correspondence between the applicant and the DPC to identify the specific complaint that had been put before the DPC. It found that the gravamen of the complaint was that the applicant's work phone contained non-work-related personal data, not that it contained work-related personal data. It rejected the applicant's attempts to recharacterise his complaint as relating to personal data legitimately stored on his work phone. Whether work-related personal data on the phone would constitute "personal data" for the purposes of the GDPR was not the subject of the complaint to the DPC and so did not arise in the proceedings.
The Court held that the DPC decision that the HSE was not the data controller of the personal data because its use was unauthorised by the HSE was soundly based on the evidence before it, was rational and within the DPC's lawful authority. The application for judicial review was, therefore, refused.
Takeaways
The decision is notable in upholding the DPC's finding that the HSE, as an employer, was not the data controller of non-work-related personal data on the employee's work mobile phone. Key to that finding was that the HSE did not determine the purposes and means of processing that data and, significantly, had not authorised the use of the phone for personal purposes. The decision, however, hinged on the specific complaint made to the DPC, namely that the applicant's non-work-related personal data had been accessed improperly.
While the decision is specific to its facts, it is likely to be of wider significance for organisations. It underlines the importance for employers of clear policies on the use of work devices for personal purposes, since the absence of authorisation, reflected in the HSE's policies, was central to the finding on controllership. It also has implications for the assessment of controllership (and therefore legal responsibility) when responding to personal data breaches and data subject rights requests where the relevant personal data is non-work-related and stored on employee devices contrary to company policy. It does not, however, decide the position for work-related personal data held on the same device, which the Court treated as outside the scope of the complaint.
Finally, the decision is a helpful reminder to supervisory authorities such as the DPC to describe their decisions clearly and to state the statutory basis for the decision and the appeal options available. Here, the Court regarded the DPC's decision as vague and therefore held that it would be unfair to dismiss the applicant's case on procedural grounds.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.