Data Protection and the exercise of the Judicial Function in Ireland

AuthorGiacomo Bonetto
PositionLLM (UCD)
[2020] Irish Judicial Studies Journal Vol 4(2)
Abstract: This paper aims to clarify the applicable data protection law when courts are acting in their judicial
capacity. The provisions of the General Data Protection Regulation and of the Law Enforcement Data
Protection Directive apply to courts with some considerable exceptions to the rights of data subjects. This does
not exempt courts from fulfilling their obligations as data controllers, and the importance this might have for
their practice and procedures merits a thorough examination this paper hopes to be the basis for.
Author: Giacomo Bonetto, LLM (UCD), is a stagiaire in the cabinet of Advocate General Hogan at the
Court of Justice of the European Union and formerly a Judicial Assistant to the Hon Ms Justice Baker in
the Supreme Court.*
The courts established under the Constitution are obliged to exercise their constitutional
function subject only to the law.
The right to data protection affects the courts as it does
every other fundamental right in the sense that the courts themselves, as other branches of
government, are obliged to respect it when fulfilling their function under the Constitution,
although courts enjoy immunity from suit in respect of that exercise. This paper is concerned
in particular with, and purports to outline in summary, the foundation of the obligations that
the Data Protection Act 2018 (the Data Protection Act) has imposed upon the judiciary to
ensure the data protection principles are guaranteed in the course of the administration of
justice, whilst restricting the rights of data subjects in order to safeguard judicial
independence and court proceedings.
The General Data Protection Regulation (the Regulation) finds its legal basis in article 16(2)
of the Treaty on the Functioning of the European Union (TFEU),
and provides a uniform
data protection regime for all EU Member States.
In Ireland, the aspects of the Regulation
which require implementation have been dealt with by the enactment of the Data Protection
Recital 20 of the Regulation explicitly states that its provisions apply to the activities
of courts and other judicial authorities. The Law Enforcement Data Protection Directive
* I want to express my profound gratitude for the helpful suggestions and advice of the Hon. Ms Justice Marie
Baker. The views expressed are entirely and solely my own.
Article 35 of the Constitution.
‘The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall
lay down the rules relating to the protection of individuals with regard to the processing of pe rsonal data […]
by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to
the free movement of such data.’ (Emphasis added).
European Parliament and C ouncil Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free moveme nt of such data, and repealing
Directive 95/46/EC OJ [2016] L 119/1.
For example, the age of consent to the processing of personal d ata was left to be decided to each Member
State (see s 29 of the Data Protection Act).
[2020] Irish Judicial Studies Journal Vol 4(2)
(the Directive),
as transposed by national law,
outlines the data protection regime applicable
when personal data is processed for the specific purpose of the prevention, investigation etc.
of criminal offences, by specific controllers, ie the competent authorities. Courts qualify as
competent authorities for the purposes of the Directive when they process personal data
relating to criminal offences for criminal justice purposes.
The scope of the Regulation and of the Directive does not include the processing of personal
data when the processing activity falls outside the competence of EU law.
It would seem
therefore that, prima facie, the performance of the judicial function by the courts insofar as it
constitutes processing of personal data would be excluded from the scope of the Regulation
when national courts do not apply EU law.
However, the scope of the exceptions to the
data protection rights provided for by the Regulation itself, as implemented by the Data
Protection Act, has implicitly extended the applicability of the rest of the data protection
regime to the exercise of the judicial function in general, even when Courts do not apply EU
law. It might constitute a disproportionate restriction of the right to data protection if the
judiciary were exempted tout court from the data protection principles as well as from the data
protection rights when processing personal data in matters which do not require the
application of EU law.
The applicable principles and data subject rights related to the processing of personal data
governed by the Directive are similar to those outlined by the Regulation, as are the
restrictions to the data protection rights established by the Data Protection Act in respect of
both types of processing activities (those governed by the Regulation and those governed by
the Directive). This article will focus on the regime laid down by the Regulation and how it
affects courts acting in their judicial capacity, but it must be borne in mind that a detailed
analysis is also warranted as to when courts can be qualified as competent authorities’ under
the Directive, which may raise specific and different issues from those discussed in general
Therefore, one must ask the usual questions: what is the personal data processed? Who is
the controller? Are there any processors? What are the statutory obligations they must each
fulfil? What are the rights of a data subject? What are the remedies available to a data subject?
In other words, what are the data protection obligations of the courts in the course of, and
in connection with, court proceedings? A brief answer to each of these questions will outline
the data protection regime in the courts. It must be stressed at the outset that the Data
Protection Act refers to courts and does not consider the individual judicial office holder.
It may be of interest in the future to conduct a thorough analysis on the implications
stemming from that. First, however, we must examine the intricate interaction between the
European Parliament and Council Directive (EU) 2016/680 of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data by competent authorities for the purposes of the
prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,
and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA O.J.
L/119, 4.5.2016.
For Ireland, see Part 5 of the Data Protection Act.
Recital 20 of the Directive.
See Article 2(2)(a) of the Regulation and Article 2(3)(a) of the Directive.
This differentiation i s necessary because the princi ple of effectivene ss of EU law mandates that there must
exist a sufficient remedy to guarantee rights under EU law.
According to its Recital 80, the Directive ‘applies also to the activities of national courts and other judicial

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT