22/03/2021 Briefing

Does the Data Protection Act 2018 recognise legal privilege?

Yes, the Data Protection Act 2018 provides that controllers or processors under investigation by the DPC do not have to hand over privileged information. While the Act confirms the right to legal privilege, the right also exists outside of statute and is recognised as a fundamental right.

The DPC confirms in the 2020 Annual Report that the 2018 Act incorporates the common law principles relating to privilege. This is a welcome confirmation, particularly in light of the increased investigative powers the 2018 Act affords authorised officers of the DPC.

It also reflects the explanatory note to the General Scheme of the Data Protection Bill (published in May 2017) which proposed that specified rights of data subjects, and obligations of data controllers, under the GDPR would not apply to:

  • personal data processed for the purpose of seeking, receiving or giving legal advice (i.e. legal advice privilege); and
  • personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers (i.e. litigation privilege).

The explanatory note accompanying the General Scheme of the Bill stated that these exclusions were intended “to protect legal privilege to the extent necessary and proportionate in a democratic society”.

This also reflects recital 4 of the GDPR which flags that the right of protection of personal data is “not an absolute right” and must be balanced against other fundamental rights.

What categories of legal privilege are recognised by the DPC?

The 2020 Annual Report 2020 specifically refers to the two most common strands of legal professional privilege: (i) “legal advice privilege” and (ii) “litigation privilege”.

However, there is no reason why other less common forms of privilege such as regulatory privilege should not equally be protected from disclosure, when validly claimed. Regulatory privilege is broadly similar to litigation privilege, and protects communications and/or documentation generated in the course of, or in contemplation of, a regulatory investigation from disclosure.

Given the current direction of travel of the regulatory environment in Ireland and elsewhere, claims to regulatory privilege by controllers and processors under investigation by the DPC and/or any other regulator are likely to become much more prevalent.

How will the DPC challenge claims of privilege?

The 2020 Annual Report provides some interesting insights into how the DPC intends to interrogate and/or challenge a claim to privilege.

In particular, it states that in any examination of this nature, the DPC will require:

considerable information, including an explanation as to the basis upon which a Data Controller, is asserting privilege so that we can properly evaluate the validity of reliance on Section 162.  Essentially, the DPC will seek a narrative of each document containing personal data.

The DPC has not to date provided any guidance on the extent of the narrative it requires. In our experience, many regulators expect that regulated bodies claiming privilege should provide extensive detail to support their claim, much more detail in fact than would typically be required or ordered by a court in traditional litigation.

The extent to which regulators are interrogating claims to legal privilege and requesting detailed explanations as to why a document is said to be legally privileged is an emerging trend both in Ireland and abroad. It will be interesting to see how the Irish courts, if given the opportunity, interpret the scope of a regulator’s power in this regard. We are also watching with interest to see how the DPC approaches this issue in practice, and equally how controllers and processors react to potentially extensive information requests.

Can the DPC decide whether documents are privileged or not?

It is open to the DPC to challenge a claim to privilege and indeed to request sight of the disputed documents, on a voluntary basis, to assess whether the claim is valid. Case study 4 in the 2020 Annual Report is an example of a case where the DPC found, following a review of the documents in question, that a claim to litigation privilege was not, in its view, properly made.

Pursuant to its powers, the DPC can also apply to the High Court for a determination on the privileged status of documentation. To bring an application of this nature, the DPC must have reasonable grounds for believing the documentation in question does not contain privileged material and have reasonable grounds to suspect that it contains evidence relating to an infringement of the GDPR. We are not aware of the DPC exercising its power to seek a court determination on privilege to date.

However, absent a court determination on privilege, the DPC cannot force a controller to disclose documentation over which it claims privilege.

Controllers and processors should give careful consideration to voluntarily providing legally privileged information to the DPC and should seek appropriate written assurances in advance that any voluntary provision will not amount to a waiver of legal privilege and will be protected from disclosure in any future ancillary proceedings or investigations. Further, the Data Protection Act 2018 prohibits DPC personnel from disclosing confidential information obtained while performing functions under the 2018 Act or the GDPR unless required or permitted by law, or duly authorised by the Data Protection Commissioner, to do so, and as such may be part of additional comfort that can be provided.

Can the DPC consider non-disclosure of legally privileged documentation as evidence of non-cooperation?

No – a refusal to disclose privileged documentation in response to an access request cannot formally be used to penalise an entity and any attempt to do so would arguably amount to a breach of fair procedures.

See related articles also: