O'Brien v The Data Protection Commission and Ors

APPROVED THE HIGH COURT [2026] IEHC 250 Record No.:2022/309 MCA BETWEEN: DENIS O’BRIEN Appellant -and- THE DATA PROTECTION COMMISSION Respondent -and- RED FLAG CONSULTING LIMITED First named Notice Party -and- THE ATTTORNEY GENERAL Second named Notice Party JUDGMENT of Lankford J. delivered on 20th day of February 2026 1 1. This is an appeal pursuant to Section 150 of the Data Protection Act 2018 (“the 2018 Act”) from a decision of the Data Protection Commission (“the DPC”) dated 4 November 2022, in which the DPC dismissed a complaint made by the Appellant, Mr Denis O’Brien, concerning the handling of a data subject access request submitted to the first named Notice Party, Red Flag Consulting Limited (“Red Flag”). Section 150(5) provides that a data subject or other person affected by a legally binding decision of the DPC under Chapter 2 or 3 of the 2018 Act may, within 28 days from the date on which the notice of the decision is received by him or her, appeals against the decision. A legally binding decision includes a decision under Section 109(5)(b) of the Act, which this is. Section 150(6) provides that on hearing an appeal under Section 150(5) the Court can annul the decision, substitute its own determination for the decision or dismiss the appeal. 2. While the originating notice of motion and grounding affidavit did not identify grounds of appeal, same were subsequently set out in a Grounds of Appeal affidavit wherein the Appellant identified six grounds of appeal. These were refined/amended in submissions. In the course of oral hearing before the Court three issues were identified for determination namely: (i) Whether the DPC was correct in holding that Red Flag was entitled to rely upon Section 60(3)(a)(iv) of the 2018 Act in circumstances where the Appellant argued that the section was not consistent with Article 23 General Data Protection Regulation EU 2016/679 (“GDPR”), (ii) Whether the DPC correctly dealt with documents, claimed to be the subject of legal professional privilege, (iii) Whether the DPC was correct in holding that Red Flag had not applied a blanket refusal to the Appellant’s access request and that its refusal to provide a copy of personal data which might reveal the identity of its client was justified under Article 15(4) GDPR on the basis that it would adversely affect the right to confidentiality. 3. As the first issue amounted to an argument that Section 60 (3)(a)(iv) was incompatible with Article 23 GDPR, an order was made that the Attorney General be put on notice of the application, to allow him to defend the legislation should he wish to do so. In due course the Attorney General made submissions which are before the Court along with extensive submissions from the Appellant, Red Flag and the DPC. 2 Background: 4. The data subject access request, made on 13 June 2018, sought access to all personal data relating to the Appellant and information relating to recipients or categories of recipients under Article 15 GDPR. The request arose against the backdrop of long-running litigation between the Appellant and Red Flag, initiated in 2015, concerning a dossier prepared by Red Flag on behalf of an unidentified client (“the dossier”). 5. Red Flag responded to the request by letter dated 13 September 2018, furnishing a limited set of personal data and asserting an entitlement to rely on certain restrictions on the rights of data subjects in respect of other data. In refusing to furnish certain data, Red Flag relied upon: (i) the restriction under Section 60 of the 2018 Act in connection with the establishment, exercise or defence of a legal claim; (ii) the protection of legal privilege under Section 162 of the 2018 Act and, (iii) the protection of the rights and freedoms of third parties provided for in Article 15(4) of the GDPR. 6. In the course of an earlier discovery application in the aforementioned litigation the High Court had expressly held that Red Flag was entitled to withhold/redact certain data. In his initial application to the High Court, the Appellant, Mr. O’Brien, sought an order requiring Red Flag to reveal the name of one of their clients. This application was refused. MacEochaidh J. held that Mr. O’Brien had failed to establish a very strong case in respect of the alleged wrongdoing such as would justify the interference with Red Flag’s duty of confidentiality to their client. 7. An application for discovery was subsequently brought by Mr. O’Brien and MacEochaidh J. in a judgment on 13 December 2016, concluded that documents that would reveal the identity of or tend to identify, Red Flag’s client were not relevant to the issues in dispute between the parties in the proceedings. On this basis, he refused to order discovery of documents relating to the identity of Red Flag’s client. The matter was appealed and in due course the Court of Appeal delivered judgment on 13 October 2017, holding that the lack of relevance of the identity of Red Flag’s client was a reason for the refusal of discovery. In addition, the Court of Appeal said that identifying the said client might involve in the bandying about of his name, when he was not before 3 the court, in a manner which might be damaging in a variety of ways to persons and to the interests of justice. 8. The Appellant suggested in his written submissions that Red Flag’s response was “to all intents and purposes a blanket refusal”, but this argument was not advanced before this Court on appeal. In fact, it appears that the data withheld related solely to the identity of the Red Flag’s client, which had been the subject of applications at an earlier time in High Court and Court of Appeal proceedings as set out above. 9. The Appellant lodged a complaint to the DPC on 2 July 2020. After an extensive written process, the DPC upheld Red Flag’s refusal, finding at paragraphs 83 to 85 of its decision: (i) that Red Flag was entitled to refuse the Appellant’s request under Article 15 insofar as it related to the recipients or categories of recipient to whom the personal data contained in the dossier had been or was to be disclosed on the basis of Section 60 (3)(a)(iv) of the Act. Section 60 must be read in conjunction with Article 23 GDPR and in the light of the history of the proceedings and the extent to which the identity of the Red Flag’s client formed a central issue in the said proceedings; (ii) insofar as Red Flag held personal data relating to the Appellant that was the subject of legal professional privilege, it was not obliged to furnish the Appellant with a copy of such data under Article 15 GDPR by virtue of Section 162 of the Act, and this did not give rise to any contravention of the GDPR and/or the Act; (iii) that Red Flag had not applied a blanket refusal to the Appellant’s access request and, that its refusal to provide a copy of personal data that might reveal the identity of its client was justified under Article 15(4) GDPR on the basis that if a copy of such data were furnished it would adversely affect the right to confidentiality. 10. This decision is the subject of the Section 150 appeal. The test to be applied: 4 11. The test to be applied in a statutory appeal was considered by the Supreme Court in Orange Limited v Director of Telecommunications (No.2) [2000] 4 IR 159. This case involved an appeal under the Postal and Telecommunications Services Act 1983. Keane CJ. held that an appeal of this nature was not intended to take the form of a re- examination from the beginning of the merits of the decision appealed. It is not a question of the High Court substituting its adjudication for that of the Respondent. The High Court, however, is not solely confined to the issues which might arise if the decision was being challenged by way of Judicial Review. The Appellant must establish that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. At page 184 of the judgment Keane CJ. said; “in arriving at a conclusion on that issue the High Court will necessarily have regard to the degree of expertise and specialised knowledge available to the first Defendant”. This test has been approved by the Supreme Court in Nowak v Data Protection Commissioner [2016] 2 IR 585 as being applicable to appeals under the Data Protection Act 1988. 12. As highlighted by Keane CJ., when determining a statutory appeal, the Court is required to give deference to the DPC's determination of mixed questions of fact and law. However, as set out by Finlay Geoghegan J. in Miller v Financial Services Ombudsman [2015] IECA 126 at paragraph 15; “the Court should not adopt a deferential stance to the decision or determination on the question of law”. 13. In EMI Records (Ireland) Ltd and Ors v Data Protection Commissioner [2012] IEHC 264 Charlton J. dealt with the nature of curial deference in an appeal from a decision of the DPC. He said at paragraph 20; “curial deference does not aid such a specialist tribunal beyond according due respect for its expert factual assessment or decision on the balance of competing interests. Curial deference cannot extend to sanctioning breaches of the rules as to jurisdiction or the bypassing of the tribunal of the obligation to incorporate fair procedures”. 14. The issues presented in this appeal are mixed questions of fact and law. The DPC having applied the statutory framework to the complaint, made certain inquiries and thereafter reached its conclusion. The Court is not permitted or required to determine all the issues afresh. Deference must be paid to the DPC’s findings on all but pure questions of law. Legislative background to the issue: 5 15. The GDPR was enacted to harmonise privacy laws across Europe. Article 15 of the Regulation, which is in issue in this case, sets out data access rights as follows: “(1). The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. (2). Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. (3). The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 6 (4). The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.” 16. Article 15 GDPR therefore, amongst other things, gives a data subject an entitlement to access his or her own personal data, information in relation to the recipients or categories of the recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, and to information in relation to the processing of same. It also gives the data subject the right to obtain a copy of the personal data held by the controller but the right to obtain a copy shall not adversely affect the rights and freedoms of others. 17. Article 23(1) GDPR provides that Member States are permitted to introduce legislative measures to restrict data access rights where that restriction is designed to achieve certain public policy goals. The Article which is headed ‘Restrictions’, provides as follows: “Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard: (a) national security; (b) defence; (c) public security; (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; (f) the protection of judicial independence and judicial proceedings; 7 (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims.” 18. Article 23(2) GDPR sets out what must be contained in legislative measures being introduced under Article 23(1) GDPR. It provides as follows: “In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to: (a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restrictions introduced; (d) the safeguards to prevent abuse or unlawful access or transfer; (e) the specification of the controller or categories of controllers; (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.” 19. The Data Protection Act 2018 gives effect to the GDPR and in particular Section 60 of the Act provides for certain restrictions on the right of access to data mandated by Article 15 GDPR, as permitted by Article 23(1) GDPR. Section 60 provides as follows: “(1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22— (a) are restricted to the extent specified in subsection (3), and (b) may be restricted in regulations made under subsections (5) or (6). 8 (2) Subsection (1) is without prejudice to any other enactment or rule of law which restricts the rights and obligations referred to in that subsection. (3) Subject to subsection (4), the rights and obligations referred to in subsection (1) are restricted to the extent that— (a) the restrictions are necessary and proportionate— (i) to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State, (ii) for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, (iii) for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration, (iv) in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure, (v) for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim, or (vi) for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim, (b) the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information, or (c) the restrictions are, having regard to the matters specified in subsection (3A), necessary and proportionate to safeguard the performance— (i) by the Commission of its functions, 9 (ii) by the Information Commissioner of his or her functions, or (iii) by the Comptroller and Auditor General of his or her functions. (3A) In determining, for the purposes of subsection (3)(c), whether the restriction of a right or an obligation is necessary and proportionate to safeguard the performance of a function, the Commission, Information Commissioner or Comptroller and Auditor General, as the case may be, shall have regard to— (i) the extent to which the exercise of the right or compliance with the obligation concerned would prejudice the performance of the function, including by— (I) disclosing that a particular function is being performed, in a case in which such disclosure may prejudice the performance of the function concerned, or (II) preventing the processing of personal data for a period of time where any delay to the processing may prejudice the performance of that function, (ii) the need to respect the essence of the right to data protection of a data subject, and (iii) the risks to the rights and freedoms of a data subject which may result from such a restriction. (4) The Minister may prescribe requirements to be complied with when the rights and obligations referred to in subsection (1) are restricted in accordance with subsection (3). (5) Subject to subsection (9), regulations may be made by a Minister of the Government where he or she considers it necessary for the protection of a data subject or the rights and freedoms of others restricting the rights and obligations referred to in subsection (1)— (a) (i) if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject, and 10 (ii) to the extent to which, and for as long as, such application would be likely to cause such serious harm, and (b) in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organisation or other body. (6) Subject to subsection (9), regulations may be made restricting the rights and obligations referred to in subsection (1) where such restrictions are necessary for the purposes of safeguarding important objectives of general public interest and such regulations shall include, where appropriate, specific provisions required by Article 23(2).” 20. Section 162 of the 2018 Act contains a specific exception relating to legal professional privilege (as mandated in Article 23, and in particular, sub-paragraphs (i) and (j) GDPR). Where a claim for privilege is made, Section 151(1) of the Act provides that the DPC may seek the assistance of the High Court to determine whether the information or any part of the information is privileged legal material. The power to seek a determination from the High Court arises where the Commission, or authorised officer, has reasonable grounds for believing that the information is not privileged legal material or, where, due to the manner or extent to which such information is presented, it is impossible or impractical to extract only such information and the Commissioner or authorised officer has reasonable grounds to suspect that the information contains evidence relating to an infringement of a relevant enactment or relevant provision. It is clear that the section requires the Commission or authorised officer to make a determination in the first instance to establish reasonable grounds for suspicion. First Ground of Appeal – Section 60 Argument Appellant’s Argument: 21. The Appellant argues firstly that Red Flag was not entitled to refuse the Appellant’s request under Article 15 GDPR, insofar as it related to the recipients or categories of recipient to whom the personal data contained in the dossier have been or will be disclosed, on the basis that Section 60 (3)(a)(iv) of the Act is incompatible with Article 11 23 GDPR. The Appellant contends that if the Court has any doubt on the issue, then the question of compatibility should be referred to the Court of Justice of the European Union (“the CJEU”) for a Preliminary Ruling in accordance with Article 267 of the Treaty on the Function of the European Union. The Appellant argues: (i) that the policy objective under Article 23 GDPR is unclear, its suitability for achieving that policy objective cannot be tested and that because the objective could be addressed in a manner less restrictive of rights, the restrictions are therefore disproportionate. (ii) that Section 60 is incompatible with Article 23(2) GDPR in particular as the subsection requires specific provision as to the category of personal data concerned, the purpose of the restriction and the scope of the restriction and no such provisions are set out in Section 60. 22. The Appellant argues secondly that Section 60 of the Act has no coherent meaning and that it does no more than enshrine the principle of legal privilege. The Appellant argues that the subsection is vague and confusing and that it fails to identify the specific purpose or subject matter in respect of which necessary and proportionate restrictions are permitted. Given the existence of Section 162 which deals with legal privilege, the Appellant argues that Section 60 provides for a restriction which applies to any document which has ever been litigation privileged. It is described by the Appellant as providing for a form of “extended litigation privilege”. The Appellant suggests that the only permissible interpretation of Section 60 is that it applies to personal data “access to which must make it impossible to conduct or defend litigation proceedings” (emphasis added) and says that this condition is not satisfied in this case. DPC’s Response: 23. The DPC argues that the right of access to one’s personal data is not an absolute right and that the GDPR requires a balancing exercise to be carried out in accordance with the principle of proportionality. The policy objective of Article 23 GDPR is the protection of inter alia the public interest in the enforcement of civil law claims (Article 23(1)(j)) and this is reflected in Section 60. The DPC argues that this objective is addressed in a manner which is proportionately restrictive given the very broad category to which it applies. The DPC argues that Section 60(3)(a)(iv) is readily capable 12 of interpretation in a manner compatible with Article 23. The provisions set out in subparagraphs (a) to (h) of Article 23(2) GDPR are to be adopted in any legislative measure which imposes restrictions under Article 23(1) GDPR but this obligation is subject to a qualification of relevance which is met in the case of Section 60(3)(a)(iv). 24. The DPC says that the privilege exception is independently addressed as a ground of restriction in Section 162 of the Act. Section 60 is intended to cater for the wide array of other contexts in which the exercise of data protection rights against the background of intended or ongoing litigation could undermine or adversely affect such litigation. It argues that Section 60 (3)(iv) of the Act was enacted to ensure specific compliance with the requirements of Article 23(1) GDPR. Discussion on the compatibility of Section 60 with Article 23 GDPR: 25. In addressing the issue of the compatibility of Section 60 and Article 23(2) GDPR regard must be had to the Marleasing principle of interpretation, also known as the doctrine of indirect effect. This principle was recently applied by Charlton J. in DPP v Quirke [2023] IESC 5 wherein he cited the decision of the European Court of Justice in Marleasing SA v La Commercial Internacional de Alimentacion SA Case C-106/89. In that case the European Court of Justice Considered the issue of how a national court ought to interpret domestic legislation giving effect to EU law. The Court said: “the member states obligation arising from a directive to achieve the result envisaged by the directive and their duty under Article 5 of the treaty to take all appropriate measures whether general or particular to ensure the fulfillment of that obligation, is binding on all the authorities of member states including, for matters within their jurisdiction, the courts. It follows that, in applying national law whether the provisions in question were adopted before or after the directive, the national court called upon to interpret it is required to do so, as far as possible, in the light of the wording and the purpose of the directive in order to achieve the result pursued by the latter and thereby comply with the third paragraph of Article 189 of the Treaty.” 26. A national court is not required to interpret domestic law contra legem, but it is clear that the Courts’ starting point must be to consider whether a provision can be interpreted in a manner that gives full effect to the rules of EU law subject to that. Section 60 of the Act benefits not only from a presumption of constitutionality, but also a 13 presumption of compatibility with EU law. The Court must strive to interpret that section insofar as possible in a manner which gives full effect to the rules of EU law. 27. Ordinary principles of statutory interpretation apply. As set out by Murray J. in A, B & C v Minister for Foreign Affairs and Trade [2023] IESC 10: “Language, context and purpose are potentially in play in every exercise in statutory interpretation, none ever operating to the complete exclusion of the other. The starting point in the construction of a statute is the language used in the provision under consideration, but the words used in that section must still be construed having regard to the relationship of the provision in question to the statute as a whole, the location of the statute in the legal context in which it was enacted, and the connection between those words, the whole act, that context, and the discernible objective of the statute”. 28. In the interpretation of legislation by the European Courts, three broad approaches can be identified namely; the literal or textual approach, the schematic approach and the teleological approach. These were considered recently by Barr J. in Friends of the Irish Environment Clg v The Minister for Agriculture Food and the Marine, Ireland and the Attorney General [2022] IEHC 64. As set out by Barr J. at paragraphs 90 to 93, the literal or textual approach is well known in the common law world where words are given their natural and ordinary meaning. The schematic approach requires the consideration of words and expressions in the context of the provision in which they appear and also by reference to how that provision exists in the scheme as a whole. Interpretations that are consistent with the identified scheme are preferred over interpretations that are not. The teleological approach requires the Court to seek the interpretation which best serves the purpose for which a provision was enacted. 29. Article 23(2) GDPR imposes an obligation on Member States when adopting a legislative measure imposing restrictions under Article 23(1) GDPR, to adopt provisions addressing the matters in subparagraphs (a) to (h) of Article 23(2) GDPR. It is clear however, from the language used that this obligation is subject to qualification. A broad reading of the GDPR, as is mandated by the schematic approach, reflects the balancing act which is required in dealing with data protection. By way of example Recital 4 of the GDPR expressly confirms that the right to protection of personal data “must be considered in relation to its function in society and to be balanced against other fundamental rights, in accordance with the principle of proportionality”. 30. It is well established that the right of access to one's personal data, dealt with in Article 15(4) GDPR is an important element of the fundamental right to data protection but that 14 it is not an absolute right. The case law of the Court of Justice of the European Union is well settled in this regard as set out in Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen Joined Cases C-92/09 and C-93/09. At paragraph 18 of that judgment the court said: “The right to the protection of personal data is not, however, an absolute right, but must be considered in relation to its function in society”. 31. In the context of Article 15(1)(c) GDPR the CJEU has held that a data subject will generally be entitled to information on the actual recipients of personal data but that this right is not absolute and may be qualified where it is not possible to identify the recipients or where the requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) GDPR. In UI v Österreichische Post AG Case C-154/21 the Court considered the effect of Article 15(1)(c). No provision of national law applied and therefore Article 23 was not considered by the Court. The Court said at paragraph 47 of that judgment that it must be emphasised that; “as is apparent from Recital 4 of the GDPR the right to the protection of personal data is not an absolute right. That right must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality as the Court reaffirmed, in essence, in paragraph 172 of the judgment of 16 July 2020, Facebook Ireland and Schrems Case C-311/18”. 32. In this case, while the data subject is entitled to information or access to data under Article 15 GDPR this is subject to restrictions contained in Section 60 (a)(iv) as mandated under Article 23(1) GDPR. Article 23(1) GDPR requires such a restriction to respect “the essence of the fundamental rights and freedoms” and “it must be a necessary and proportionate measure in a democratic society to safeguard” one of a number of interests including specifically at subparagraph (i) the protection of the data subject or the rights and freedoms of others and at subparagraph (j) the enforcement of civil law claims. 33. Article 23(2) GDPR sets out a number of specific provisions that any legislative measure referred to in Article 23(1) GDPR shall contain. This requirement that certain specific provisions be contained in restrictive legislation is qualified by the words “at least where relevant”. Applying well established principles of statutory interpretation and utilising a literal reading of Article 23(2) GDPR, the Article must be understood as meaning that it is only the provisions within the Article that are relevant to the specific derogation in question that are required to be adopted in the legislative measure dealing with that derogation. 15 34. Section 60 (3)(a)(iv) of the 2018 Act on a plain reading requires the restriction to be “necessary and proportionate”. This is a threshold expressly identified in Article 23 (1) GDPR. It is a test or threshold well known in Irish and EU law and one which necessitates a case-by-case analysis of the risks to the rights and freedoms of the data subject and a case-by-case application of CJEU case law. In any proportionality inquiry the relevant interests of the parties must be identified, and weight must be ascribed to those interests in order to carry out a balancing operation. 35. The scope of the restriction imposed is identified in Section 60 as it specifies that the particular data subject rights and obligations that may be restricted are those contained in subsection (1) of the section, being “Articles 12 to 22 and Article 34 and Article 5 insofar as any of its provisions correspond to the rights and obligations in Articles 12 to 22”. 36. In addition, Section 60 (3)(a)(iv) of the Act defines the purposes of the processing or categories of processing, setting out that the restriction is expressly concerned with “processing in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings, whether before a court, statutory body or an administrative or out of court procedure.” 37. Section 60 (4) of the 2018 Act states that “The minister may prescribe requirements to be complied with when the rights and obligations referred to in section (1) are restricted in accordance with subsection (3)”. Section 60 (5) and Section 60 (6) deal with the making of such regulations. The powers granted to the Minister pursuant to these two subsections have been exercised in the form of detailed regulations in respect of certain areas of law including the making of regulations in respect of Health, the Central Bank and the Corporate Enforcement Authority. It is clear that Section 60 (3)(a)(iv) is distinct from other restrictions under Section 60 (3) which have been the subject of regulations made under Section 60 (5) and 60(6). 38. Section 60 (3)(a)(iv) is to be applied on a free-standing basis subject to the criteria of necessity and proportionality. Section 60 (3)(a)(iv) allows for the restriction of access to data in the context of legal claims subject to the requirement that such restrictions are necessary and proportionate. This is to further a legitimate objective identified in Article 23(1)(j) GDPR “namely the enforcement of civil law claims”. This is an area in which there is a need for operational flexibility. It is difficult to envisage a legislative measure which could be implemented which would include provisions specific to this particular category to reflect all the matters listed in Article 23(2)(a) to (h). 16 39. The Minister has implemented legislative measures in the form of detailed regulations in areas where public bodies retain data. These regulations address the requirements set out in Article 23(2) GDPR because such requirements are relevant and it is possible and necessary to do so. The same cannot be said in relation to data held “in contemplation of or for the establishment, exercise, or defence of a legal claim, prospective legal claim, legal proceedings, or prospective legal proceedings whether before a court, statutory body, or an administrative or out of court procedure” – the s60(3)(a)(iv) exemption. This category of data is hugely broad, covering an extraordinarily varied number of data controllers and it would not be possible to identify in advance, at the level of abstraction required, specific provisions relevant to all persons falling within this category. 40. The Appellant has placed reliance on the UK Court of Appeal decision in R v (The Open Rights Group and Another) v The Secretary of State for the Home Department and Another [2021] EWCA Civ 800. The Open Rights decision is the only reported decision dealing specifically with the meaning and scope of Article 23(2) GDPR. It is a decision of the Court of Appeal of England and Wales and as such it is not binding in this jurisdiction but is of assistance in a consideration of the Article. This case concerned the lawfulness of statutory restrictions on data protection rights in the context of immigration (the “Immigration Exemption”) as provided for in the UK Data Protection Act 2018. The terms of the original Immigration Exemption were as follows: “The GDPR provisions listed in subparagraph (2) do not apply to personal data processed for any of the following purposes –the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control, the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b)”. 41. The matter initially came before the Court by way of Judicial Review. The Appellants sought a declaration that the Immigration Exemption was unlawful, arguing that it was incompatible with the GDPR and/or with the charter of fundamental rights of the European Union. The claim was dismissed at first instance but on appeal the Court of Appeal concluded that the Immigration Exemption was in fact non-compliant with Article 23 GDPR. Warby LJ. At paragraph 29 of that judgment: “There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. In the absence of any such measure, the Immigration Exemption is an unauthorised derogation from the 17 fundamental rights conferred by the GDPR, and therefore incompatible with the regulation.” 42. The Court of Appeal did not accept that Article 23(2) GDPR amounted to a high-level aide-memoire to the State about matters which it should have in mind when deciding whether to derogate from fundamental rights. The Court determined that Article 23(2) GDPR was effectively a checklist, cast in mandatory terms, which called for “specific provisions”. The Court did not accept the argument that such “specific provisions” could be found in general principles of Human Rights or Administrative law, or in existing Articles of the GDPR. At paragraph 49 of the judgment the Court indicated that Article 23(2) required “any derogation to be affected by a “legislative measure” that is tailored to the derogation, legally enforceable, and contains provisions that are specific to the listed topic - to the extent that these are relevant to the derogation in question- precise, and produce a reasonably foreseeable outcome”. 43. The Court, however, did not suggest that the obligation was absolute or unqualified. At paragraph 54 the Court said; “It may be open to the legislature to conclude that one or more of the matters listed in Article 23(2) is not relevant to this particular exemption. It may even be entitled to conclude that although a particular matter is relevant it is unnecessary to set limits any narrower than those contained in the GDPR itself. But that is not the way the respondents had put their case at this stage. The reason there are no specific provisions is not that the legislature has gone through any reasoning process of this kind. On the contrary, the respondents’ stance has been consistent throughout: that as a matter of principle no such process is required, as it is enough for individual decisions to comply with the general requirements of the GDPR itself, extraneous legislation such as the Human Rights Act 1998, and other measures of legal control. That stance in my judgment, is legally wrong.” 44. The Immigration Exemption contained a restriction on the obtaining of data, by a data subject, which was of huge scope and breadth. It applied in general terms to the entire function of maintaining effective immigration control subject only to a prejudice test. It covered a very significant body of decision making and it is clear from the judgment that there were serious concerns about the accuracy and reliability of the decision makers. It operated as a highly significant brake on access to personal data, applying to over 10,000 cases in 2018 alone. The Court held that the importance of the rights at stake and the sensitivity of the context in the area in which it applied were an important 18 additional factor. An amended Immigration Exemption was subsequently introduced and was also found to be incompatible with Article 23 GDPR. 45. No real assistance is to be found in the decisions of the CJEU which has not addressed Article 23(2) GDPR in any detailed way. The CJEU’s judgment in La Quadrature du Net and Others v Premier Ministre and Ministère de la Culture Case C-470-21 was referred to in Warby LJ. in Open Rights. In that case the CJEU noted that any legislative measure adopted on foot of Article 23(1) GDPR must comply with the specific requirements set out in Article 23(2) of the Regulation. At paragraph 210 of that judgment the Court said that the power to impose restrictions under Article 23(1) GDPR must be exercised “only in accordance with the requirement of proportionality, according to which derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. The CJEU did not specifically address the scope and extent of the obligation, and in particular, did not address the phrase “where relevant”. 46. There is a clear distinction between the decision in Open Rights and the matter before the Court. The Immigration Exemption contained nothing specific or otherwise about any of the matters listed in Article 23(2) GDPR. Section 60 (3)(a)(iv) on the other hand provides that any restriction is to be “necessary and proportionate”, it identifies and limits the particular data subject rights and obligations that may be restricted, and it defines the purposes of the processing or categories of processing. The Immigration Exemption was subject only to a prejudice test to be applied by case workers making it an extremely broad test applied generally to a wide range of situations. Furthermore, the Immigration Exemption did not reference the requirement of proportionality which is an important consideration in the context of Article 23(1) GDPR. Section 60 (3)(a)(iv), although it does not deal exhaustively with all matters set out in the Article 23(2) “checklist”, does contain a requirement that the restrictions be necessary and proportionate and it seems to me that this is sufficient to render it compatible with Article 23(2) GDPR. 47. As to the policy objective argument, the policy considerations in Article 23 GDPR are clearly set out. A Member State is permitted to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in certain Articles to include Article 15 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard certain matters. These matters include the protection of the data subject or the rights 19 and freedoms of others (subparagraph (i)) and the enforcement of civil law claims (subparagraph (j)). This policy objective is reflected in Section 60(3) and allows for necessary and proportionate restrictions in the context of inter alia the contemplation of, or for the establishment, exercise, or defence of a legal claim, or prospective legal claim. 48. With reference to the argument that the restrictions are disproportionate to the policy objective it must be noted that the concepts which are to be applied to the restrictions are necessity and proportionality. These are familiar concepts in Irish law and derive their clarity from regular application in Irish Data Protection law and in EU law. These are not disproportionate restrictions and do not require further explanation in the 2018 Act. Discussion on the overlap between Section 162 and Section 60 of the Act: 49. Section 162 of the Act specifically provides for an exception in relation to legal professional privilege stating that; “The rights and obligations provided for in— (a) Articles 12 to 22 and 34 of the Data Protection Regulation (as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22), and (b) sections 87, 90, 91, 92 and 93 and section 71, insofar as it relates to those sections, do not apply— (i) to personal data processed for the purpose of seeking, receiving or giving legal advice, (ii) (ii) to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers, or (iii) where the exercise of such rights or performance of such obligations would constitute a contempt of court”. 50. The language of Section 162 amounts to a familiar description of legal professional privilege. This is a concept clearly understood in common law. In contrast the language of Article 23(1) GDPR refers to restrictions which are necessary and proportionate to 20 safeguard “the enforcement of civil law claims”. Section 60(3)(a)(iv) is designed to give effect to this. It recognises the important public interest in the enforcement and defence of civil law claims. Such claims and the defence thereof may often involve the “protection of the data subject or the rights and freedoms of others” which is an objective enshrined by Article 23(1) GDPR. The freedoms of others would include another’s right to privacy (Article 8 ECHR) and the right to a fair trial (Article 6 ECHR). To this extent the restriction permitted by Section 60(3)(a)(iv) is necessarily broader than that permitted by Section 162. In the context of Section 162 a litigant might not be able to refuse to furnish the identity of a client on the grounds of legal professional privilege but such an argument could be made under Section 60(3)(a)(iv) where it was necessary and proportionate to do so bearing in mind the balancing of competing rights, to include perhaps, the rights and freedoms of others, fair trial rights and data subject rights. 51. It seems to me that there is no basis for asserting that Section 60 has no coherent meaning or that it does no more than enshrine the principle of legal privilege. Section 162 and Section 60 offer separate and distinct grounds upon which a data subject’s request may be refused or limited. DPC’s Decision: 52. The DPC had regard to extensive written submissions of the parties and the history of High Court litigation in arriving at its conclusion that Red Flag was entitled to rely on Section 60(3)(a)(iv) to refuse access to information sought by the Appellant relating to the identity of Red Flag’s client. Red Flag submitted that the protection of its client’s identity formed an important part of its defence in High Court proceedings and asserted that it was necessary to avoid undermining or interfering with same. 53. The Appellant emphasised that the rights of a data requester are entirely separate and distinct from those of a litigant in proceedings and are unaffected by the existence of proceedings, relying on the judgment of Hedigan J. in Dublin Bus v Data Protection Commissioner [2012] IEHC 339. This is undoubtedly correct. DPC in its decision accepted that this was so but said that while the complaint was, as a matter of form entirely separate from the proceedings between the parties, those proceedings formed a significant part of the backdrop to the complaint. The DPC emphasised that the sole question for determination was whether red flag had complied with its obligations under 21 the GDPR and the 2018 Act as appropriate in processing the personal data of the Appellant. 54. Red Flag had determined that the restrictions were “necessary and proportionate” as required by Section 60(3)(a)(iv) in the context of the defence of the claim and the DPC upheld this view. It would be unrealistic to view the request made by the Appellant in isolation. It is a request that was made in the context of litigation. It therefore falls to be considered within the ambit of Section 60(3)(a)(iv). Restrictions on the furnishing of the data are permissible if necessary and proportionate. A decision on what is necessary and proportionate can only be made against the full factual backdrop of the request and involves a balancing of rights in the interests of the enforcement of civil law claims and the public protection of the right of access to justice. 55. It appears to me that on this ground the Appellant has not identified any errors in the DPC's decision such as would warrant this Court interfering in same. Second Ground of Appeal – Section 162 Argument: Appellant’s Arguments: 56. In the Appellant’s submissions it was argued that the DPC was premature in deciding not to engage Section 151 of the Act. The DPC in response asserted that it would be neither appropriate nor proportionate for the DPC to embark on a detailed inquiry or investigation of the entire set of documentation to establish whether a claim of privilege was properly asserted and verified where there was agreement between the parties that access was not sought to material that was privileged and no specific issues regarding such privilege were identified for determination by the Appellant. In such circumstances the DPC did not have reasonable grounds for either believing that material over which privilege was asserted was not privileged or to suspect that the information contained evidence relating to an infringement of a relevant enactment whether Article 15 GDPR or not. DPC’s Response: 57. The DPC determined that insofar as Red Flag held personal data relating to the Appellant that was the subject of legal professional privilege, it was not obliged to furnish the Appellant with a copy of same. It was noted in the decision that the 22 Appellant had made it clear from the outset that he was not seeking access to any personal data that was covered by legal professional privilege. The DPC had written to the Red Flag and had received confirmation that Red Flag was claiming legal professional privilege over certain documents. The DPC noted in its decision that in certain cases the procedure under Section 151 might be invoked, but the DPC was satisfied it was not necessary to do so in this case. Discussion: 58. The DPC’s argument on this issue is in my view correct and in any event this ground of appeal was not pursued by the Appellant ultimately in argument before the Court. Third Ground of Appeal: Appellant’s Argument: 59. The third ground of appeal relied upon by the Appellant was that the DPC should not have found that Red Flag was justified in refusing to provide a copy of personal data on the basis that this might reveal the identity of its client under Article 15(4) GDPR. The Appellant’s argument was essentially twofold: i) The Appellant argued that neither the 2018 Act nor the GDPR permits the Red Flag and subsequently the DPC to consider purported confidentiality obligations to third parties as an operative factor in determining whether the access data rights can be restricted. The Appellant argued that allowing a restriction on the provision of a copy of personal data by reference to confidentiality would completely undercut the policy objective behind Article 15 GDPR. In particular Article 15(1) GDPR entitles the data subject to know the identity of the recipients of his personal data. ii) The Appellant argued that the DPC was wrong in determining that the Red Flag proceedings were relevant or that the request amounted to a collateral attack on previous court orders. Under this heading the Appellant also argued that there had been a blanket refusal (this appears to be a factually incorrect assertion). 23 DPC’s Response: 60. That the text of Article 15(4) GDPR provides that the right to obtain a copy of personal data pursuant to Article 15(3) GDPR “shall not adversely affect the rights and freedoms of others” which is designed to allow a balance to be struck between competing interests within the framework of the statutory right of access. 61. The finding of the DPC on this ground related solely to the furnishing of a copy of personal data to the Appellant which is covered by Article 15(3) and Article 15(4) GDPR. The DPC noted that even under Article 15(1) GDPR, the right to information is not absolute, being subject to any restrictions which may be imposed under Article 23 GDPR. 62. Red Flag’s client’s right to confidentiality fell within the scope of the phrase “the rights and freedoms of others” as found in Article 15(4) GDPR. Discussion: 63. In the course of the appeal, it was apparent that there had not been a blanket refusal on the part of the Red Flag to furnish personal data to the Appellant. The sole issue in dispute was in respect of data which would identify or tend to identify Red Flag’s client. Red Flag consistently maintained that it was subject to a duty of confidentiality in respect of the personal data in question. Having considered the arguments before it the DPC concluded that the right to confidentiality in principle fell within the scope of the “rights and freedoms of others” as set out in Article 15(4) GDPR. The DPC in its decision, referred to Article 8 ECHR and Article 7 ECHR and cited caselaw of the ECHR including the judgment in Fernandez Martinez v Spain application no. 56030/07. In contrast the Appellant offered no authority in support of his submission that the DPC was not entitled to consider the duty of confidentiality. 64. It is recognised that confidentiality or the right to privacy in certain situations is entitled to protection at law. Article 8 of the ECHR enshrines the right to privacy and Red Flag’s assertion of its client’s right to confidentiality was viewed by the DPC in this light. It was one of the balancing interests to be taken into account as part of an assessment of the rights and freedoms of others. 65. No argument was made by the Appellant in relation to the facts found by the DPC and no error of law has been identified in the DPC's finding under Article 15(4) GDPR other 24 than a bald assertion that an error was made. In the circumstances the Appellant must fail on this ground. Provisional Order as to Costs: 66. As the Appellant has not succeeded on any of the grounds argued before the Court, I direct that he is to bear the costs of both the Respondent and Red Flag. The Attorney General was joined at the Court’s request and in the circumstances, given that the argument was novel and involved a point of some public importance, I direct that the Attorney General bear his own costs. 67. There will be a stay on this order for one month. If any party wishes to argue the issues of costs before me, the Registrar can be notified within that period, and I will sit to hear argument. The purpose of making an order at this stage is to ensure that no further unnecessary costs are incurred. 25