Data Protection and the exercise of the Judicial Function in Ireland

• Author: Giacomo Bonetto
• Position: LLM (UCD)
• Pages: 59-78

IRISH JUDICIAL STUDIES JOURNAL

59

[2020] Irish Judicial Studies Journal Vol 4(2)

59

DATA PROTECTION AND THE EXERCISE OF

THE JUDICIAL FUNCTION IN IRELAND

Abstract: This paper aims to clarify the applicable data protection law when courts are acting in their judicial

capacity. The provisions of the General Data Protection Regulation and of the Law Enforcement Data

Protection Directive apply to courts with some considerable exceptions to the rights of data subjects. This does

not exempt courts from fulfilling their obligations as data controllers, and the importance this might have for

their practice and procedures merits a thorough examination this paper hopes to be the basis for.

Author: Giacomo Bonetto, LLM (UCD), is a stagiaire in the cabinet of Advocate General Hogan at the

Court of Justice of the European Union and formerly a Judicial Assistant to the Hon Ms Justice Baker in

the Supreme Court.*

Introduction

The courts established under the Constitution are obliged to exercise their constitutional

function subject only to the law.

1

The right to data protection affects the courts as it does

every other fundamental right in the sense that the courts themselves, as other branches of

government, are obliged to respect it when fulfilling their function under the Constitution,

although courts enjoy immunity from suit in respect of that exercise. This paper is concerned

in particular with, and purports to outline in summary, the foundation of the obligations that

the Data Protection Act 2018 (the Data Protection Act) has imposed upon the judiciary to

ensure the data protection principles are guaranteed in the course of the administration of

justice, whilst restricting the rights of data subjects in order to safeguard judicial

independence and court proceedings.

The General Data Protection Regulation (the Regulation) finds its legal basis in article 16(2)

of the Treaty on the Functioning of the European Union (TFEU),

2

and provides a uniform

data protection regime for all EU Member States.

3

In Ireland, the aspects of the Regulation

which require implementation have been dealt with by the enactment of the Data Protection

Act.

4

Recital 20 of the Regulation explicitly states that its provisions apply to the ‘activities

of courts and other judicial authorities’. The Law Enforcement Data Protection Directive

* I want to express my profound gratitude for the helpful suggestions and advice of the Hon. Ms Justice Marie

Baker. The views expressed are entirely and solely my own.

1

Article 35 of the Constitution.

2

‘The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall

lay down the rules relating to the protection of individuals with regard to the processing of pe rsonal data […]

by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to

the free movement of such data.’ (Emphasis added).

3

European Parliament and C ouncil Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural

persons with regard to the processing of personal data and on the free moveme nt of such data, and repealing

Directive 95/46/EC OJ [2016] L 119/1.

4

For example, the age of consent to the processing of personal d ata was left to be decided to each Member

State (see s 29 of the Data Protection Act).

IRISH JUDICIAL STUDIES JOURNAL

60

[2020] Irish Judicial Studies Journal Vol 4(2)

60

(the Directive),

5

as transposed by national law,

6

outlines the data protection regime applicable

when personal data is processed for the specific purpose of the prevention, investigation etc.

of criminal offences, by specific controllers, ie the ‘competent authorities’. Courts qualify as

competent authorities for the purposes of the Directive when they process personal data

relating to criminal offences for criminal justice purposes.

7

The scope of the Regulation and of the Directive does not include the processing of personal

data when the processing activity falls outside the competence of EU law.

8

It would seem

therefore that, prima facie, the performance of the judicial function by the courts insofar as it

constitutes processing of personal data would be excluded from the scope of the Regulation

when national courts do not apply EU law.

9

However, the scope of the exceptions to the

data protection rights provided for by the Regulation itself, as implemented by the Data

Protection Act, has implicitly extended the applicability of the rest of the data protection

regime to the exercise of the judicial function in general, even when Courts do not apply EU

law. It might constitute a disproportionate restriction of the right to data protection if the

judiciary were exempted tout court from the data protection principles as well as from the data

protection rights when processing personal data in matters which do not require the

application of EU law.

The applicable principles and data subject rights related to the processing of personal data

governed by the Directive are similar to those outlined by the Regulation, as are the

restrictions to the data protection rights established by the Data Protection Act in respect of

both types of processing activities (those governed by the Regulation and those governed by

the Directive). This article will focus on the regime laid down by the Regulation and how it

affects courts acting in their judicial capacity, but it must be borne in mind that a detailed

analysis is also warranted as to when courts can be qualified as ‘competent authorities’ under

the Directive, which may raise specific and different issues from those discussed in general

herein.

10

Therefore, one must ask the usual questions: what is the personal data processed? Who is

the controller? Are there any processors? What are the statutory obligations they must each

fulfil? What are the rights of a data subject? What are the remedies available to a data subject?

In other words, what are the data protection obligations of the courts in the course of, and

in connection with, court proceedings? A brief answer to each of these questions will outline

the data protection regime in the courts. It must be stressed at the outset that the Data

Protection Act refers to ‘courts’ and does not consider the individual judicial office holder.

It may be of interest in the future to conduct a thorough analysis on the implications

stemming from that. First, however, we must examine the intricate interaction between the

5

European Parliament and Council Directive (EU) 2016/680 of 27 April 2016 on the protection of natural

persons with regard to the processing of personal data by competent authorities for the purposes of the

prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,

and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA O.J.

L/119, 4.5.2016.

6

For Ireland, see Part 5 of the Data Protection Act.

7

Recital 20 of the Directive.

8

See Article 2(2)(a) of the Regulation and Article 2(3)(a) of the Directive.

9

This differentiation i s necessary because the princi ple of effectivene ss of EU law mandates that there must

exist a sufficient remedy to guarantee rights under EU law.

10

According to its Recital 80, the Directive ‘applies also to the activities of national courts and other judicial

authorities’.