Last June, Tánaiste and Minister for Defence Micheál Martin announced the appointment of Peter Ward SC (pictured right) to examine the administration of cases involving Defence Forces personnel charged or convicted of criminal offences. The Report (pdf) was published this week. One of the headlines about it caught my eye:

Soldier jailed for sexual assault was able to remain in Army due to ‘data protection’ concerns

A soldier was able remain in the Defence Forces while in prison for sexual assault after the court authorities refused to hand over details of his offences to the military due to “data protection” concerns.
… The report, by senior counsel Peter Ward, found various instances of information on criminal convictions held by civilian authorities not being shared with the Defence Forces. In some cases, this significantly delayed the discharge process. …

In a post on Twitter (I still can’t call it X), Mark Hennessy (Ireland and Britain Editor of the Irish Times) commented that this was a

… scandalous misuse of the GDPR legislation, displaying a complete lack of common sense, amongst other failings. Court documents are public documents, unless there are legitimate grounds for them not being so, and this is clearly not the case her

On the basis simply of the above press report, I was inclined to agree. So I did a little more digging and thinking. I started with Ward’s Report (pdf) on The Management of Members of the Defence Forces Charged With, or Convicted of, Serious Criminal Offences (pp43, 49-50, 55, 69):

In 2022, Soldier 1 was charged with an allegation of a sexual nature. … A year after charging, Soldier 1 was convicted in the District Court of a charge related to sexual assault. The exact details of the charge were not disclosed to the Liaison Officer. … A month later, in order to initiate the discharge process, the Defence Forces requested a copy of the criminal conviction certificate from the relevant court office. This was refused “due to data protection”. … Seven months following conviction, Soldier 1 received a custodial sentence. The following month, the Defence Forces again wrote to the court offence requesting a copy of the certificate of conviction. This was again refused “due to data protection” the following month. The Defence Forces followed up with the court office on three occasions over the course of the following two months, following legal advice and referencing GDPR guidelines. Eleven months following the first request, correspondence was received from the DPO of the Courts Service. …

142. The Defence Forces stated that prior to 27 June 2024, there was no formal mechanism to obtain a certificate of conviction from the Courts Service. In many cases the courts were not in a position to provide such certificates and cited GDPR concerns for such a refusal. As a result, some Unit Commanders could not proceed with the proposed discharges in an expeditious manner. This delay was encountered in a number of cases. In one case analysed by the Defence Forces, officers contacted the relevant court office five times over a period of ten months following the conviction for a sexual assault seeking a certificate of conviction. This was refused “due to data protection”. Since June 2024, a process has been put in place whereby an application is made to court for an order releasing the certificate of conviction to the Defence Forces. This application is made on foot of an Affidavit sworn by the Officer in Command.

163. It is … important to record that … there is not any member of the Defence Forces who continues to serve despite having been convicted of rape or sexual assault in the criminal courts where that process has come to completion. …

Recommendation 34
It is recommended that consideration be given to enacting a legislative provision imposing an obligation on the Courts Service to furnish information concerning a conviction of a serious criminal offence of any member of the Defence Forces, upon request by the Defence Forces and in compliance with data protection
obligations.

As paragraph [163] makes clear (and see also p41), Soldier 1 was eventually discharged. Moreover, as paragraph [142] makes clear, the circumstances in that case are unlikely to be repeated, and Hennessy’s objections thankfully no longer apply. And, to remove all doubt, Ward recommends that that Courts Service should supply information such as certificates of conviction to the Defence Forces (Recommendation 34). Welcoming the Report (and as noted here) the Tánaiste said

While it is clear that the breadth of the … recommendations will require significant amendments to primary legislation, and this will take time, I am accepting them in their entirety, and they will be implemented.

Nevertheless, I’m not sure that the approach of the Courts Service before June 2024 was well founded. In the ordinary course of events, Article 34.1 of the Constitution requires that Justice “shall be administered in public”. So, in the ordinary course of events, any conviction will be a matter of public record, and there should be no reason why the Courts Service would not be able to supply a certificate of conviction to the Defence Forces. However, Article 34.1 provides that Justice may be administered otherwise than in public “in such special and limited cases as may be prescribed by law”; and the exclusion of the pubic from trials, reporting restrictions, and anonymity, have been provided for in a wide range of legislation. For example, when the Defence Forces sought the certification of conviction from the Courts Service in the case of Solider 1, section 8(1) of the Criminal Law (Rape) Act, 1981, as amended by section 6(2)(b) of the Criminal Law (Sexual Offences) Act 2006, provided

After a person is charged with a rape offence no matter likely to lead members of the public to identify him as the person against whom the charge is made shall be published in a written publication available to the public or be broadcast except –
…
(b) after he has been convicted of the offence.

In Independent Newspapers (Ireland) Ltd v IA [2020] IECA 19 (22 January 2020) Murray J (Birmingham P and Whelan J concurring) held the reporting restriction in that case had

60. … a very particular legal status, and very significant constitutional consequences. It ha[d] the effect of imposing an ongoing reporting restriction on proceedings which, in accordance with the mandate of Article 34.1 of the Constitution, must be heard in public. That provision exists not for the sole benefit of the media which enjoys its protection, but also for that of the public which has a right to both receive information regarding such proceedings and to the benefit of the check on judicial power it entails (see Gilchrist v Sunday Newspapers Ltd [2017] 2 IR 284, [2017] IESC 18 (23 March 2017) [3]). The balancing exercise arising where there has been a delay in seeking to setaside such an order is dominated by that constitutional imperative, not by the interests ofthe parties to the proceedings.

61. Article 34.1 requires any restriction on the public administration of justice to be in accordance with law. Where such a restriction assumes the form of a court order either implementing the terms of a statutory provision, or protecting a constitutional or other compelling entitlement of the kind envisaged by the decision in Gilchrist v Sunday Newspapers, the restrictions must be limited to those … in which the necessity for deviation from the administration of justice in public … [is] ‘truly compelling’ (Gilchrist [40]). …

The anonymity provision in section 8(1) of the 1981 Act cannot have prevented the Courts Service from supplying a certificate of conviction to the Defence Forces, because, as paragraph (b) makes clear, “once an accused has been convicted, his right to anonymity evaporates under the express terms of section 8(1) …” (IA [84] (Murray J), referring to Thomas O’Malley Sexual Offences (2nd ed, Round Hall, Dublin, 2013) [17-20]). Furthermore, it is not clear to me that supplying a certificate of conviction to the Defence Forces would, in any event, have amounted either to a publication “in a written publication available to the public” to a “broadcast”. Moreover, in light of the approach of Murray J IA (above), any anonymity provision must be narrowly construed against the constitutional imperative of open justice in Article 34.1 of the Constitution, one of the reasons for which is that the public has a right to receive information regarding criminal proceedings – and this right must be a fortiori for the Defence Forces in the case of one of their members. In addition, where reporting restrictions do not apply, then, as a consequence of the principle of the open administration of justice in Article 34.1, at least in civil cases, the public are entitled to have access to public court documents, and no specific application or court order is required (Allied Irish Bank plc v Treacy (No 2) [2013] IEHC 242 (21 March 2013) [21]-[23] (Hogan J) (noted here)). If this applies, mutatis mutandis, to criminal cases as well, then there may in fact be no need for the Defence Forces to make an application to the court for the release of a certificate of conviction even in case such at that of Soldier 1. (For the sake of completeness, it should be noted that section 8 of the 1981 Act has been further amended by section 11 of the Criminal Law (Sexual Offences and Human Trafficking) Act 2024). So (unless I am missing something*) for all of these reasons, the basic position seems to be that section 8 of the 1981 Act poses no obstacle to the Courts Service supplying a certificate of conviction to the Defence Forces.

If this is the basic position, the question arises as to whether the GDPR makes any change to it. The GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1–88) (General Data Protection Regulation)) came into full application on 25 May 2018. Article 5(1)(a) requires that “personal data shall be processed lawfully”, and Article provides six bases of lawful processing; in particular, Article 6(1)(e) provides that processing shall be lawful where it is necessary “necessary for the performance of a task carried out in the public interest”. The processing at issue here is the supply by the Courts Service of a certificate of conviction to the Defence Forces, so that the latter can determine whether to discharge one of their members convicted of a serious criminal offence. And that is plainly a task carried out in the public interest. In Case C?439/19 B v Latvijas Republikas Saeima (CLI:EU:C:2021:504; CJEU, Grand Chamber; 22 June 2021) [B] and Case C-200/23 Agentsia po vpisvaniyata v OL; Varhovna administrativna prokuratura (intervening) (ECLI:EU:C:2024:827; CJEU, First Chamber; 4 October 2024) [Apv] the CJEU held that, “in order to satisfy the conditions imposed by that provision, it is necessary that that processing genuinely meets the objectives of general interest pursued” (B [109], Apv [110]). Again, the processing here genuinely meets the interests of the Defence Forces. The CJEU went on to hold that this interest must be met “without going beyond what is necessary in order to achieve those objectives” (B [109], Apv [110]). Given that the processing here occurs pursuant to an application to the Courts Service on a case-by-case basis, this requirement of necessity is plainly met. Finally, here, the CJEU added that the “requirement of necessity is not met where the objective of general interest pursued can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects” (Apv [111]). There are no less restrictive means than a case-by-case application by the Defence Forces to the Courts Service for the relevant personal data. Consequently, all of the requirements for processing on the basis of the public interest pursuant to Article 6(1)(e) are met here.

However, even where there is such a lawful basis for processing, Article 10 GDPR goes on to provide:

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. …

Article 10 is given further effect by section 55 of the Data Protection Act 2018; in particular, section 55(2)(c) provides that processing under the control of official authority includes processing required for

(c) protection of the public against harm arising from dishonesty, malpractice, breaches of ethics or other improper conduct by, or the unfitness or incompetence of, persons who are or were authorised to carry on a profession or other activity;

The processing at issue here is plainly for the protection of the public against harm arising from the dishonesty and improper conduct of convicted members of the Defence Forces, and is thus permitted by section 55.

The enhanced protection provided by Article 10 GDPR and section 55 of the 2018 Act is justified by the particular sensitivity of the data at issue; in particular, since such data can give rise to social disapproval, the grant of access to it is liable to stigmatise the data subject (see B v Latvijas Republikas Saeima (above) [74]-[75]). These are general reasons for caution in the disclosure of personal data relating to criminal convictions, but they by no means preclude it where it is warranted in a particular case. The supply by the Courts Service of a certificate of conviction to the Defence Forces is plainly carried out under the control of official authority; and general considerations of caution relating to social disapproval or stigmatisation should not preclude it where members of the Defence Forces have been charged with, or convicted of, serious criminal offences.

So (unless I am missing something*) for all of these reasons, the GDPR provides no obstacle to the Courts Service supplying a certificate of conviction to the Defence Forces.

The processing of personal data in the criminal context might also engage the Law Enforcement Directive (the LED) (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89–131)). This deals with the processing of personal data by data controllers for “law enforcement purposes”; this processing falls outside of the scope of the GDPR; and Article 10 GDPR extends the protection of the GDPR to the processing of certain criminal data that is not included in the scope of the LED.

Part 5 of the 2018 Act transposes the Directive into Irish law. Section 70(1)(a) defines the law enforcement purposes to which Part 5 applies:

(i) the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security, or

(ii) the execution of criminal penalties …

I don’t think that the supply of a certificate of conviction by the Courts Service to the Defence Forces comes within this definition, so I don’t think that the LED, as transposed by Part 5 of the 2018 Act, applies. However, if it did apply, then section 71(2)(a) provides that the processing is lawful where it is “is necessary for the performance of a function of a controller for a purpose specified in section 70 (1)(a) and the function has a legal basis in the law of the European Union or the law of the State”. Assuming that there is a purpose specified in section 70(1)(a), the question is whether there is a legal basis in Irish law for the processing in question here. None is mentioned in the Report. It may therefore be that the data protection concerns that motivated the Courts Service are based in the LED rather than the GDPR. Even so, I don’t think they are well founded here either.

Of course, many hoops had to be considered here. A legislative provision enabling the supply of a certificate of conviction by the Courts Service to the Defence Forces would make things a lot simpler. I therefore look forward to the implementation of the Report in due course. In the meantime, the process that has been put in place since June 2024 providing for an application to court for an order releasing the certificate of conviction to the Defence Forces will fill the gap. But (unless I am missing something*) the Courts Service’s caution before that does not seem to be well-founded. Nonsense about the GDPR, or officious reliance on it, have earned the hashtag GDPRubbish. This may very well provide another example.

*And, if I am missing something, then please let me know – and we can this analysis to the hashtag too. Thanks.