Grant Thornton v Scanlan - Breach of Confidence Case
Summary
The High Court of Ireland has issued a judgment in the case of Grant Thornton and Grant Thornton Corporate Finance Ltd v Gerardine Scanlan. The substantive action concerns a claim for permanent injunctions related to information that came into the defendant's possession, alongside a counterclaim for damages due to delays in a data access request.
What changed
This judgment from the High Court of Ireland addresses the substantive action in Grant Thornton and Grant Thornton Corporate Finance Ltd v Gerardine Scanlan, concerning a claim for permanent injunctions related to alleged breaches of confidence. The case, which has a complex procedural history dating back to 2015, also includes the defendant's counterclaim for damages resulting from significant delays by the plaintiffs in responding to a data access request made in 2013.
The court's decision will determine the final resolution of the injunctions sought by Grant Thornton and the damages claimed by Ms. Scanlan. Compliance officers should note the court's findings on breach of confidence, the handling of data access requests, and the potential consequences of delays in responding to such requests, which could lead to damages claims against the entities involved.
What to do next
- Review internal data access request procedures for compliance with Irish data protection laws.
- Assess current timelines for responding to data access requests and identify potential delays.
- Consult legal counsel regarding the implications of this judgment on ongoing or potential litigation.
Source document (simplified)
| | [Home ]
[Databases ]
[World Law ]
[Multidatabase Search ]
[Help ]
[Feedback ]
[DONATE ] | |
| # High Court of Ireland Decisions | | |
| You are here: BAILII >> Databases >> High Court of Ireland Decisions >>
Grant Thornton [A Firm] and Anor v Scanlan (Approved) [2026] IEHC 167 (19 March 2026)
URL: https://www.bailii.org/ie/cases/IEHC/2026/2026IEHC167.html
Cite as:
[2026] IEHC 167 | | |
[New search ]
[Help ]
THE HIGH COURT
Record No. 2015/9954P
[2026] IEHC 167
Between
GRANT THORNTON and GRANT THORNTON CORPORATE FINANCE LTD
Plaintiffs
and
GERARDINE SCANLAN
Defendant
Judgment of Mr. Justice Conor Dignam delivered on the 19 th day of March???? 2026
TABLE OF CONTENTS
Information must be confidential
Circumstances giving rise to duty of confidence
Examination of the Information
Failure/refusal to return information
CONCLUSION ON INJUNCTION APPLICATION
1. These proceedings have a long and procedurally complex history. They are also related to a number of other sets of proceedings. There have been a significant number of interlocutory applications and appeals since the proceedings were instituted in 2015, and a number of written judgments have been delivered. The procedural history is set out in some of those judgments, including a judgment which I delivered at an earlier stage (Grant Thornton (a firm) & anor v Scanlan [2022] IEHC 610), and it is not necessary for me to repeat that background at this stage (though I will refer to some aspects of it later). This judgment concerns the trial of the substantive action. The plaintiffs seek permanent injunctions against the defendant in respect of information that came into the defendant's possession. By way of Counterclaim, the defendants seeks damages from the plaintiffs for their delay in dealing with a data access request by the defendant.
2. The directly relevant facts can be stated in a few paragraphs. There is very little dispute between the parties as to the key facts.
3. By deed of appointment of the 26 th August 2013, Mr. Stephen Tennant of Grant Thornton was appointed as receiver over certain assets of the defendant.
4. The defendant made a data access request to the receiver/Grant Thornton in 2013. There was significant delay on the part of the receiver/Grant Thornton in dealing with this data access request and, in January 2015, the Data Protection Commissioner notified Grant Thornton of the data access request. On the 11 th September 2015, Grant Thornton, in response to the data access request, furnished to the defendant a CD containing information and documents. It transpired that this CD, through error, in addition to the defendant's personal data, also contained a very significant volume of information which did not relate to the defendant. I return to the nature of the information.
5. On the 3 rd October 2015, the defendant alerted Grant Thornton to the fact that the CD contained information which was unconnected with her. In reply, on the 13 th October 2015, Grant Thornton advised the defendant that a data breach had inadvertently occurred and requested that the defendant return the information. The defendant did not do so. There followed correspondence between the parties during which this request was repeated. It will be necessary to refer to this correspondence in greater detail later in the judgment. The plaintiffs sought certain undertakings from the defendant. These were not given. The plaintiffs applied for interim injunctions and these were granted by Gilligan J on the 27 th November 2015. When the application for interlocutory injunctions came before the court on the 4 th December 2015 (having been adjourned from the 1 st December), the defendant gave undertakings and consented to the grant of interlocutory injunctions in relation to, inter alia, dissemination, communication, use, and retrieval of the confidential information (as defined in the schedule to the Order).
6. Prior to this, the defendant had disclosed some of the contents of the CD to two third parties (this is not disputed), and possibly to another third party (this is disputed). She had also copied the contents of the CD onto a number of USB keys and had possibly made a hard copy of the information or some of the information. The plaintiffs claim that they were also contacted by other third parties who had in their possession documents comprising part of the information on the CD, and that documents had been made available to view by the public at large on social media.
?
7. It is claimed that in those circumstances the defendant acted in breach of confidence and breach of duty.
8. On the day of the interlocutory injunction hearing, the defendant gave the plaintiffs the CD and a USB key. It appears that the defendant could not find the remaining USB key(s) and she gave an undertaking to make every effort to locate it/them and, if found, to return it/them to the solicitors for the plaintiffs. The plaintiffs gave an undertaking to furnish to the defendant her personal data, within the meaning of the Data Protection Acts.
9. A Statement of Claim was delivered in February 2016. The plaintiffs' pleaded case included a claim in breach of confidence, a claim under the Data Protection Acts, and a claim for damages. At the same time, the plaintiffs invited the defendant to consent to some of the interlocutory injunctions being made permanent on the basis that there would be no further order as to costs and the plaintiffs would undertake not to enforce the costs order related to the interlocutory injunction. This was rejected by the defendant. This offer and rejection were repeated subsequently. The defendant delivered a Defence and Counterclaim in June 2016. The pleadings were amended on a number of occasions. These amendments included the withdrawal by the plaintiffs of any claim under the Data Protection Acts and of their claim for damages. This is part of the protracted history of the proceedings and, indeed, is a persistent cause of complaint by the defendant. Ultimately, the operative pleadings consist of a Re-Amended Statement of Claim dated the 22 nd April 2021, an Amended Revised Defence and Counterclaim, and an Amended Revised Reply and Defence to Counterclaim dated the 7 th April 2022. The operative Amended Revised Defence and Counterclaim was, unusually, prepared by the plaintiffs, sent to the defendant on the 22 nd November 2021, and accepted by the defendant as her Defence and Counterclaim. It was determined by Allen J on the 31 st March 2022 to be the defendant's Defence and Counterclaim. As just noted, the plaintiffs' claim has narrowed over the course of the amendments to the original pleadings. The operative Re-Amended Statement of Claim does not include any claim on foot of the Data Protection Acts or any claim for damages against the defendant. The defendant makes complaint about the removal of any claims based on the Data Protection Act after they had been part of the plaintiffs' claim for six years. I will have to refer to that later in this judgment.
10. In summary, the claim that is pleaded by the plaintiffs is as follows. The CD contained " personal data relating to the Defendant (within the meaning of the Data Protection Acts) ", and other information which was " confidential information and/or personal data relating to third parties and confidential proprietary information of Grant Thornton, including material which was legally privileged. " For the purpose of the plaintiffs' pleadings, all of this information other than the defendant's own personal data was referred to as " the Confidential Information. " The plaintiffs claim that when the defendant received the CD, she knew or ought to have known that it included information that was not her personal data, and that she knew or ought to have known that she had no entitlement to receive, retain, publish or use it. She was, in other words, obliged to maintain the confidentiality of the information. It is pleaded that she disclosed the information, or some of it, to a third party, Mr. Gerard Scriven, another third party who is unnamed in the Re-Amended Statement of Claim (but who was later identified as Mr. Kevin Brophy), and to a Mr. William McKeogh. It is also pleaded that the plaintiffs received correspondence from other third parties who had in their possession documents comprising part of the Confidential Information and that documents had been made available to view by the public at large on social media. It is claimed that in all of those circumstances the defendant "[W]rongfully, in breach of confidence and in breach of duty...refused to return the Confidential Information and instead, without the consent or authority of Grant Thornton, and without lawful justification or excuse, disseminated the Confidential Information to certain third parties. " The Re-Amended Statement of Claim acknowledges that the defendant returned the CD and a USB key on the 4 th December 2015, after institution of the proceedings. It is pleaded, however, that not all of the Confidential Information has been recovered.
11. In short, the plaintiffs seek relief on the basis of breach of confidence.
12. The defendant's pleaded case is as follows. The defendant admits that she received the CD and that it contained information and documents relating to? " thousands of other parties under the management of other data controllers. " She admits that the release of information outside her data access request was unintended.
13. She describes the information as information comprising " third party information " and " what was identified (after the fact) as 'confidential information' of the Plaintiffs. " This is an important plea because it is the start of a distinction the defendant relies upon between third parties' information and " confidential information " (which she considers to be information that is private to the plaintiffs).
14. She denies that she could have known anything about the contents of the CD and the nature of the information when she received it and pleads that she only became aware of the nature of it when she started reading the information. She then alerted the plaintiffs to the issue.
15. The defendant denies being under any duty to maintain the confidentiality of the information because " the information was unknown to [her] and could not have been understood as confidential. " She in any event denies violating, publishing, disseminating or using any information from the CD.
16. She does, however, admit that she showed some of the information (which she describes as " a negligible amount of information ") to a trusted colleague of twenty years in confidence. This is Mr. Gerard Scriven. She pleads that she did so to attempt to ascertain what had been received and whether it should have been received at all. She also admits to providing some information to Mr. McKeogh and to possibly looking at information on one of the USB keys on Mr. McKeogh's laptops.
17. The defendant denies being under any duty in respect of the information. She also denies refusing to return the information.
18. She also denies communicating any information to Mr. William McKeogh or to Mr. Kevin Brophy, the other third party (who was unnamed in the Statement of Claim).
19. Finally, the defendant raises a Counterclaim for damages pursuant to section 7 of the Data Protection Act arising from the plaintiffs' delay in providing the defendant's personal data on foot of her data access request.
20. In the plaintiffs' Amended Reply and Defence to Counterclaim, they, inter alia, admit a failure to respond to the defendant's data access request within the time limits prescribed by the Data Protection Acts, but deny that she is entitled to any damages or that she suffered any loss or damage.
21. They are, in summary, the cases that are pleaded by the parties. I return to the specific issues that were argued at the hearing. However, as the pleaded case is founded in breach of confidence, and some of the arguments were centred on the circumstances in which such a breach might be said to arise and in which relief might be granted, it may be helpful to first set out the applicable principles.
22. It is well-established that relief for breach of confidence is not dependent on a contractual relationship between the parties, though that is often the context in which such a claim arises. The availability of relief has been variously described as being founded in equity, the duty to be of good faith, and in moral obligation. In House of Spring Gardens Limited & Ors v Point Blank Ltd [1984] IR 611, Costello J said (at page 658):
"I am concerned in this part of my judgment with the law relating to breach of confidence and at the outset I should make it clear that the plaintiffs' case is not based on contract but on certain equitable principles which, it is said, should be applied to the facts of this case...the courts in this country have not yet been called upon to enunciate what those equitable principles are. I will turn, then, to the decisions of the English courts for guidance as to how this court administering equitable principles should decide whether on the facts I have found an obligation in confidence existed and whether a breach of it occurred."
23. Costello J considered a number of English decisions. He noted the statement by Greene MR at page 211 of his judgment in Saltman Engineering Co. Ltd. v Campbell Engineering Co. Ltd. [1948] 65 RPC 203 that:
"The main part of the claim is based on breach of confidence, in respect of which a right may be infringed without the necessity of there being any contractual relationship. I will explain what I mean. If two parties make a contract, under which one of them obtains for the purpose of the contract or in connection with it some confidential matter, even though the contract is silent on the matter of confidence, the law will imply an obligation to treat that confidential matter in a confidential way, as one of the implied terms of the contract; but the obligation to respect confidence is not limited to cases where the parties are in contractual relationship...
24. Costello J also referred to the judgment in Fraser v Evans [1969] 1 QB 349 in which Denning MR said at page 361:
"... Those cases show that the court will in a proper case restrain the publication of confidential information. The jurisdiction is based not so much on property or on contract as on the duty to be of good faith. No person is permitted to divulge to the world information which he has received in confidence, unless he has just cause or excuse for doing so."
25. Costello J also noted that the cases show that there is no simple test for deciding what circumstances will give rise to an obligation of confidence and that there are no hard and fast rules for judging whether or not information can properly be regarded as confidential.
26. At page 663, Costello J went on to set out applicable principles when the court was being asked to exercise its equitable jurisdiction. This statement of principles must, of course, be understood in the context of the particular issues in that case, but nonetheless they are of general application:
"...The court, it should be borne in mind, is being asked to enforce what is essentially a moral obligation. It must firstly decide whether there exists from the relationship between the parties an obligation of confidence regarding the information which has been imparted and it must then decide whether the information which was communicated can properly be regarded as confidential information...Once it is established that an obligation in confidence exists and that the information is confidential, then the person to whom it is given has a duty to act in good faith, and this means that he must use the information for the purpose for which it has been imparted, and he cannot use it to the detriment of the informant..."
27. O'Higgins CJ expressly agreed with this statement of the applicable principles when the matter came before the Supreme Court (page 696).
28. In Attorney General v Guardian Newspapers (No. 2) [1990] 1 AC 109 (the "Spycatcher" case), the House of Lords had to consider the law relating to breach of confidence. It is, of course, important to note that this case concerned attempts by the UK government to restrain publication of materials from a former MI5 officer which would be in breach of his duty of confidence arising from his employment. Thus, specific considerations applied. However, the House of Lords (and the lower courts) did set out principles of more general application.
29. Bingham LJ considered the principles when the matter was in the Court of Appeal. He referred to some of the same English cases as Costello J in House of Spring Gardens. He said at page 215:
"The cases show that the duty of confidence does not depend on any contract, express or implied, between the parties. If it did, it would follow on ordinary principles that strangers to the contract would not be bound. But the duty "depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it:" Seager v. Copydex Ltd. [1967] 1 W.L.R. 923, 931, per Lord Denning M.R. "The jurisdiction is based not so much on property or on contract as on the duty to be of good faith": Fraser v. Evans [1969] 1 Q.B. 349, 361, per Lord Denning M.R. It accordingly "affects the conscience of the person who receives the information with knowledge that it has originally been communicated in confidence": per Sir Nicolas Browne-Wilkinson V.-C. at the interlocutory stage of this case [1987] 1 W.L.R. 1248, 1265. So it is appropriate that the enforceability of rights of confidence against third parties should be analysed in the traditional terms of equitable rights over property, as Sir Nicolas Browne-Wilkinson V.-C. did [1987] 1 W.L.R. 1248, 1264D, and Nourse L.J. did at an even earlier stage of this case Attorney-General v. Observer Ltd., The Times, 26 July 1986; Court of Appeal (Civil Division) Transcript No. 696 of 1986.
The English law on this subject could not, I think, be more clearly or accurately stated than it was by the High Court of Australia in Moorgate Tobacco Co. Ltd. v. Philip Morris Ltd. (No. 2) (1984) 156 C.L.R. 414, 437-438:
"It is unnecessary, for the purposes of the present appeal, to attempt to define the precise scope of the equitable jurisdiction to grant relief against an actual or threatened abuse of confidential information not involving any tort or any breach of some express or implied contractual provision, some wider fiduciary duty or some copyright or trade mark right. A general equitable jurisdiction to grant such relief has long been asserted and should, in my view, now be accepted: see Commonwealth of Australia v. John Fairfax & Sons Ltd. (1980) 147 C.L.R. 39, 50-52. Like most heads of exclusive equitable jurisdiction, its rational basis does not lie in proprietary right. It lies in the notion of any obligation of conscience arising from the circumstances in or through which the information was communicated or obtained."
A third party coming into possession of confidential information is accordingly liable to be restrained from publishing it if he knows the information to be confidential and the circumstances are such as to impose upon him an obligation in good conscience not to publish. No such obligation would in my view ordinarily arise where the third party comes into possession of information which, although once confidential, has ceased to be so otherwise than through the agency of the third party."
30. In the House of Lords, Lord Griffiths, having noted that the particular case concerned an attempt by the Government to seek the protection of the law of confidence, went on to consider the general principles in that area of the law. He said at page 268:
"Although the terms of a contract may impose a duty of confidence the remedy is not dependent on contract and exists as an equitable remedy. Megarry J. identified the three essentials to found the duty in Coco v. A.N. Clark (Engineers) Ltd. [1969] R.P.C. 41,47:
"three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene M.R. in the Saltman case [(1948) 65 R.P.C. 203, 215] must 'have the necessary quality of confidence about it.' Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it."
...
The duty of confidence is, as a general rule, also imposed on a third party who is in possession of information which he knows is subject to an obligation of confidence: see Prince Albert v. Strange (1849) 1 Mac. & G.25 and Duchess of Argyll v. Duke of Argyll [1967] Ch. 302. If this was not the law the right would be of little practical value..."
31. Lord Goff said in the same case (page 281):
"I start with the broad general principle (which I do not intend in any way to be definitive) that a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others. I have used the word "notice" advisedly, in order to avoid the (here unnecessary) question of the extent to which actual knowledge is necessary; though I of course understand knowledge to include circumstances where the confidant has deliberately closed his eyes to the obvious. The existence of this broad general principle reflects the fact that there is such a public interest in the maintenance of confidences, that the law will provide remedies for their protection.
I realise that, in the vast majority of cases, in particular those concerned with trade secrets, the duty of confidence will arise from a transaction or relationship between the parties - often a contract, in which event the duty may arise by reason of either an express or an implied term of that contract. It is in such cases as these that the expressions "confider" and "confidant" are perhaps most aptly employed. But it is well settled that a duty of confidence may arise in equity independently of such cases..."
32. Mahon v Post Publications Limited [2007] 3 IR 338 is a relatively recent restatement by the Supreme Court of the general principles. Again, the context of this case is very different to the current case. In relation to the applicable general principles, Fennelly J said at paragraph 114:
"114. The law with regard to confidential information is of comparatively modern origin. It was above all developed to regulate the behaviour of private parties and was based on the doctrine of trust. It is independent of contract. A recipient of a confidence must not breach it by communicating the confidential information to third parties. It is, of course, capable of application both to purely personal and to non-commercial information..."
33. In order for relief to be granted the information must be confidential, the circumstances in which it was imparted must import an obligation of confidence, and the recipient of the information must be guilty of improperly using that information. Costello J appeared to suggest at paragraph 663 of his judgment in House of Spring Gardens that the first step is to determine whether there exists from the relationship between the parties an obligation of confidence. However, that should be seen in the context of there being an existing relationship in that case. Later authorities suggest that the first consideration is whether the information is confidential. That seems to me to make sense as relief is only available in respect of confidential information. Furthermore, in cases where there is not a pre-existing relationship, the question of whether there is an obligation of confidence turns on whether the information is confidential. It therefore makes sense to consider this first.
Information must be confidential
34. Thus, the starting point in the consideration of whether the court should grant relief in respect of an alleged breach of confidence is that the information in question must be confidential, or, as it was put by Greene MR in the Saltman case (referred to by Griffiths LJ in the Spycatcher case), it must " have the necessary quality of confidence about it ". Greene MR said: "...I think that I shall not be stating the principle wrongly, if I say this with regard to the use of confidential information. The information, to be confidential, must, I apprehend, apart from contract, have the necessary quality of confidence about it, namely, it must not be something which is public property and public knowledge."? This has been considered in many of the aforementioned authorities. Costello J pointed out in House of Spring Gardens that there are no hard and fast rules for judging whether or not information can properly be regarded as confidential.
35. In the Spycatcher case, Griffiths LJ, having identified the three necessary elements for the imposition of a duty of confidence; the first one being that the information is confidential, said:
"The first of these elements will not normally be present if the information is in the public domain - "it must not be something that is public property and public knowledge" per Lord Greene M.R. in Saltman Engineering Co. V. Campbell Engineering Co. Ltd. (1948) 65 R.P.C 203, 215. Furthermore, information may lose its original confidential character if it subsequently enters the public domain. If the confider publishes the information this releases the confidant from his duty of confidence: see O.Mustard and Son v. Dosen (Note) [1964] 1 W.L.R. 109..."
36. Bingham LJ had said in the Court of Appeal (at page 214):
"The essence of the confidant's duty is to preserve the confidentiality of the confider's information (in which expression I include information learned not from but during a period of service with the confider). It is thus an essential ingredient of the duty, and of any cause of action arising on breach or threatened breach, that the information should when imparted have been and should remain confidential. This requirement has been put in a number of different ways, but has always been insisted upon.
In Saltman Engineering Co. Ltd. v. Campbell Engineering Co. Ltd. (1948) 65 R.P.C 203, 215 Lord Greene M.R. said:
"The information, to be confidential, must, I apprehend, apart from contract, have the necessary quality of confidence about it, namely, it must not be something which is public property and public knowledge."[emphasis added]
The information must not be "public knowledge" (Seager v. Copydex Ltd. [1967] 1 W.L.R. 923, 931G per Lord Denning M.R.), nor in the public domain Woodward v. Hutchins [1977] 1 W.L.R. 760, 764D per Lord Denning M.R. To be confidential information must have what Francis Gurry recently called the basic attribute of inaccessibility: see Gurry, Breach of Confidence (1984), p. 70. The information must have been acquired in circumstances importing a duty of confidence (Coco v. A. N. Clark (Engineers) Ltd. [1969] R.P.C. 41, 47, per Megarry J) but "However confidential the circumstances of communication, there can be no breach of confidence in revealing to others something which is already common knowledge:" [1969] R.P.C. 41, 47.
It is, I think, clear that the duty of confidence ceases to apply to information which, although originally confidential, has ceased to be so otherwise than through the agency of the confidant..."
37. Goff LJ said at page 282 of the Spycatcher case:
"...the principle of confidentiality only applies to information to the extent that it is confidential. In particular, once it has entered what is usually called the public domain (which means no more than that the information in question is so generally accessible that, in all the circumstances, it cannot be regarded as confidential) then, as a general rule, the principle of confidentiality can have no application to it. I shall revert to this limiting principle at a later stage..."
38. In Mahon v Post Publications Limited, Fennelly J said:
"116. Megarry J. gave further thought to the test for establishing the confidential character of information:-
"First, the information must be of a confidential nature. As Lord Greene said in [Saltman Engineering Co. v. Campbell Engineering Co. [1948] R.P.C. 203] at p. 215, 'something which is public property and public knowledge', cannot per se provide any foundation for proceedings for breach of confidence. However confidential the circumstances of communication, there can be no breach of confidence in revealing to others something which is already common knowledge."
39. One particular issue which the authorities have considered is where the information comprises both public information and private information. In the passage from Coco v A.N. Clark (Engineers) Ltd. referred to by Fennelly J (in paragraph 38 above) Megarry J said that "... there can be no breach of confidence in revealing to? others something which is already common knowledge", but he went on to say "...this must not be taken too far. Something that has been constructed solely from materials in the public domain may possess the necessary quality of confidentiality: for something new and confidential may have been brought into being by the application of the skill and ingenuity of the human brain. Novelty depends on the thing itself, and not upon the quality of its constituent parts."
40. Costello J went on to say at page 661:
"The application of the law of confidence in cases where it is suggested that no obligation arose because the information was public appeared again in Seager v. Copydex Ltd ... The Court of Appeal held that the plaintiff was entitled to damages. In the course of his judgment Lord Denning, M.R. referred to the judgment of Lord Greene in Saltman with approval and that of Roxborough J. in Terrapin which I have just quoted, and went on at pp. 931-2:-
"The law on this subject does not depend on any implied contract. It depends on the broad principle ** of equity that he who has received information in confidence shall not take unfair advantage of it. He must not make use of it to the prejudice of him who gave it without obtaining his consent. The principle is clear enough when the whole information is private. The difficulty arises when the information is in part public and in part private. As, for instance, in this case. A good deal of the information which Mr. Seager gave to Copydex was available to the public, such as the patent specification in the Patent Office, or the "Klent" grip, which he sold to anyone who asked. If that was the only information he gave them, he could not complain. It was public knowledge. But there was a good deal of other information he gave them which was private...When the information is mixed, being partly public and partly private, then the recipient must take special care to use only the material which is in the public domain. He should go to the public source and get it or, at any rate, not be in a better position than if he had gone to the public source. He should not get a start over others by using the information which he received in confidence. At any rate, he should not get a start without paying for it."
Circumstances giving rise to duty of confidence
41. The courts have also had to consider the circumstances which might import a duty of confidence. It is well-established that where information is given in the context of a pre-contractual, contractual, or employment relationship it will readily be found that there is a duty of confidence in the recipient. Similarly, if a person takes information without consent, a duty will readily be said to arise. It is now also clear that a duty will arise even where the information has come into the person's possession through an error or accident provided it is clear that the information is confidential. Goff LJ said in the Spycatcher case (page 181):
"I realise that, in the vast majority of cases, in particular those concerned with trade secrets, the duty of confidence will arise from a transaction or relationship between the parties - often a contract, in which event the duty may arise by reason of either an express or an implied term of that contract. It is in such cases as these that the expressions "confider" and "confidant" are perhaps most aptly employed. But it is well settled that a duty of confidence may arise in equity independently of such cases; and I have expressed the circumstances in which the duty arises in broad terms, not merely to embrace those cases where a third party receives information from a person who is under a duty of confidence in respect of it, knowing that it has been disclosed by that person to him in breach of his duty of confidence, but also to include certain situations, beloved of law teachers - where an obviously confidential document is wafted by an electric fan out of a window into a crowded street, or where an obviously confidential document, such as a private diary, is dropped in a public place, and is then picked up by a passer-by..."
42. The UK Court of Appeal had to consider the law of confidence in the very different context of matrimonial proceedings in Imerman v Tchenquiz & Ors [2011] 2 WLR 592. On this particular issue of the circumstances in which the disclosure of material might give rise to a duty of confidence, Lord Neuberger said at paragraph 64:
"It was only some 20 years ago that the law of confidence was authoritatively extended to apply to cases where the defendant had come by the information without the consent of the claimant. That extension, which had been discussed in academic articles, was established in the speech of Lord Goff of Chieveley in Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109. He said, at page 281, that confidence could be invoked "where an obviously confidential document is wafted by an electric fan out of a window ... or ... is dropped in a public place, and is picked up by a passer-by."
43. The courts have also had to consider what obligations fall on a person who comes into possession of information in circumstances which give rise to a duty of confidence. Neuberger LJ said at paragraphs 69-73 of his judgment in Imerman:
"69. In our view, it would be a breach of confidence for a defendant, without the authority of the claimant, to examine, or to make, retain, or supply copies to a third party of, a document whose contents are, and were (or ought to have been) appreciated by the defendant to be, confidential to the claimant [emphasis added]. It is of the essence of the claimant's right to confidentiality that he can choose whether, and, if so, to whom and in what circumstances and on what terms, to reveal the information which has the protection of the confidence. It seems to us, as a matter of principle, that, again in the absence of any defence on the particular facts, a claimant who establishes a right of confidence in certain information contained in a document should be able to restrain any threat by an unauthorised defendant to look at, copy, distribute any copies of, or to communicate, or utilise the contents of the document (or any copy), and also be able to enforce the return (or destruction) of any such document or copy. Without the court having the power to grant such relief, the information will, through the unauthorised act of the defendant, either lose its confidential character, or will at least be at risk of doing so. The claimant should not be at risk, through the unauthorised act of the defendant, of having the confidentiality of the information lost, or even potentially lost.
...
72. If a defendant looks at a document to which he has no right of access and which contains information which is confidential to the claimant, it would be surprising if the claimant could not obtain an injunction to stop the defendant repeating his action, if he threatened to do so. The fact that the defendant did not intend to reveal the contents to any third party would not meet the claimant's concern: first, given that the information is confidential, the defendant should not be seeing it; secondly, whatever the defendant's intentions, there would be a risk of the information getting out, for the defendant may change his mind or may inadvertently reveal the information.
73. An injunction to restrain passing on, or using, the information, would seem to be self-evidently appropriate - always subject to any good reason to the contrary on the facts of the case. If the defendant has taken the documents, there can almost always be no question but that he must return them: they are the claimant's property. If the defendant makes paper or electronic copies, the copies should be ordered to be returned or destroyed (again in the absence of good reason otherwise). Without such an order, the information would still be "out there" in the possession of someone who should not have it. The value of the actual paper on which any copying has been made will be tiny, and, where the copy is electronic, the value of the device on which the material is stored will often also be tiny, or, where it is not, the information (and any associated metadata) can be deleted and the device returned."
44. The judgment in Mahon v Post Publications is also important because a central part of the defendant's case is that the plaintiffs have no locus standi or entitlement to enforce the confidentiality of third parties' information. I deal with this when considering this aspect of the defendant's case later in the judgment.
45. I turn now to summarise the arguments made by the parties. Their positions have already been set out to some extent in the section dealing with their pleaded cases. It would be helpful to first identify the facts that are not in dispute.
46. It is not in dispute that the CD was provided to the defendant or that it contained her personal information, third parties' information and information relating to the plaintiffs. The defendant describes the latter two categories as " other information comprising of third party information " and " what was identified (after the fact) as 'confidential information' of the plaintiffs " respectively.
47. Nor is it in dispute that the release by the plaintiffs of information outside of the defendant's personal information was unintended.
48. The defendant admits to copying the information contained on the CD onto a number of USB keys. She emphasised at the hearing that she only made one copy of the CD onto USB keys but because of the volume of information on the CD she had to use several such keys. She was unsure of how many, but she says it was two or three keys. She handed one of them over at the interlocutory injunction hearing.? She admits to being unable to find the remaining key(s).
49. It is also not in dispute that the defendant sent a photograph of lever arch folders to the plaintiffs and that they at least appeared to the recipient to contain copies of documents from the CD. The defendant said at the hearing that they did not in fact contain such copies.
50. The defendant admits to having provided information on the CD to a third, party, a Mr. Gerard Scriven.
51. The defendant also admits to having shown another third party, a Mr. William McKeogh, some of the information. She says that she only showed Mr. McKeogh her own information. She pleaded in the past (paragraph 14 of her Revised Defence and Counterclaim of the 21 st December 2017) that it was possible that some of the material might have been uploaded onto Mr. McKeogh's laptop when they looked at material on one of the USB keys, though she seems to have resiled from that plea.
52. The plaintiffs' arguments can be summarised as follows. The information that was provided to the defendant (other than her own personal information) was confidential and was provided to her through error. The defendant knew or ought to have known that the information was confidential and she therefore had no right to receive, retain, copy or publish the information. She was, it is submitted, under a duty not only to maintain the confidentiality of the information, but to return it to the plaintiffs. It is submitted that, on the defendant's own admissions, she did not return the information immediately, she copied the information, and disclosed it, or some of it, to third parties (Mr. Scriven and Mr. McKeogh). It is also submitted that the defendant refused to return the information. It is also submitted that she has not returned all of the information because she has not returned the missing USB key(s). These, it is submitted, constitute a breach of confidence on the part of the defendant.
53. The defendant makes a number of arguments in response.
54. First, she draws a distinction between information relating or belonging to third parties and information relating or belonging to the plaintiffs. Indeed, she goes further and submits that the plaintiffs also draw such a distinction. She submits that she has never refused to return information relating or belonging to the plaintiffs, i.e. information in the second of those categories. She also submits that while she did not return the third parties' information (until the adjourned date for the interlocutory injunction application), she did not in fact refuse to return it. She also vigorously denies that she is under any obligation to do so.
55. Second, she submits that the information does not have the quality of confidence that is required for a breach of confidence. The defendant makes this submission on essentially three bases: (a) some of the documents are publicly available, such as birth certificates; (b) much of the information is publicly available or already in the public sphere, or will be, because it is part of legal packs when lands are being sold; and (c) there have been previous leaks of information from Grant Thornton and this has led to some of the information appearing on social media. She also appears to rely on the fact that a copy of the CD was also sent to the Data Protection Commissioners. The point was made on behalf of the plaintiffs that the absence of the quality of confidence was not pleaded by the defendant. I am satisfied, though with reservations, that the defendant is entitled to make this argument. Firstly, the defendant does plead that " If information, confidential or otherwise, was issued to any other party and/or available to the public at large, it was directly from the Plaintiffs in relation to ongoing negligence with private information entrusted to them by data controllers and further indication of very serious security issues regarding the protection of private information the Plaintiffs are lawfully obliged to adequately secure." While this does not expressly plead that the information did not have the required quality of confidence, it is sufficient for the plaintiffs to have known that part of the defendant's arguments would be that at least some of the information is publicly available and it therefore does not have the quality of confidence. Secondly, in order for the plaintiffs to establish a duty and a breach of confidence, they have to establish that the material has the required quality of confidence. They were therefore not prejudiced in having to deal with the defendant's argument.
56. The defendant's third argument is that there was no need, and certainly no urgent need, for the plaintiffs to seek an interim or interlocutory injunction. There was, as the defendant put it, " no fire ". As part of this, the defendant says that the plaintiffs displayed a laconic attitude to the data breach and then suddenly, without any good reason, sought an injunction.
57. Fourth, she also vigorously disputes that the plaintiffs have any entitlement to seek or obtain any Order in respect of the return of the personal data or information of third parties. This is a central part of her case.
58. I deal with these arguments during the course of the following discussion of the ingredients of the action for relief against breach of confidence.
59. It is important to note that for the most part the nature of the information on the CD was dealt with by the parties by way of examples and by reference to categories or types of information/documentation rather than by an examination of each document or piece of information on the CD. The defendant delivered written submissions during the hearing just before giving evidence. She submitted that the plaintiffs, if they wished to assert that a piece of information or document was confidential, must address that particular material. That is not the way the parties had proceeded until that point and in reality it is not the way the defendant proceeded even after that point. I am told that there is information relating to thousands of people on the CD. It would be wholly unworkable if it was necessary for the parties and the Court to go through each and every piece of information or documentation to examine whether it specifically had the quality of confidence to begin with and, if so, whether it specifically had retained that quality.
60. The material on the CD contained things like: progress reports from the plaintiffs to the relevant charge-holder(s); VAT calculations; deeds of appointment of receivers; letters from receivers setting out fees charged by the receiver in the disposal of property; birth certificates; auctioneers' invoices; Vat receipts; details of security advanced on property; a spreadsheet headed "Court Liquidations FY14 - Month by Month Billings" containing headings including (but not limited to) Date of Appointment, Lead Appointee, Fees Discharged in each of 5 months, and Amounts; fee notes from Grant Thornton to clients for services; invoices from auctioneers to Grant Thornton; BER Certs prepared for receiver headed "Specific Assets of [Redacted] in receivership c/o Stephen Tennant"; spreadsheet headed "VAT Danske Property List" which contained headings "Property ID", "Date of Appointment", "Legal Firm", "Borrower Name", "Security Address", "Net Fee," "VAT inclusive Fee" "Date VAT fee paid" "GT initials"; fee notes from solicitors to Grant Thornton in respect of the sale of property (name of property redacted in discovery); invoice to Grant Thornton in respect of insurance on specific property (redacted in the discovery); invoices in respect of property management services; emails from Grant Thornton to Revenue inquiring about VAT refunds (identifying, inter alia, the borrower and the security address). These examples were either given by Mr. Connaughton or Ms. Scanlan in evidence and/or were contained in the discovery made by the plaintiffs. Very many of these documents naturally identify the particular borrower or property in question and personal details about the borrower. In the documents provided in discovery those details are redacted but they were not redacted on the CD.
61. In my view, there can be little doubt that, when taken as a whole, and subject to a consideration of the points raised by the defendant, the nature of this information is private and confidential. The information consists of information relating to the financial affairs and business of the plaintiffs and of third parties. Many of the documents contain information about both third parties and the plaintiffs. I emphasise that my conclusion that the information is private and confidential in nature does not mean that each and every piece of the information has that quality. For example, as the defendant pointed out at the hearing, a birth certificate is not private and confidential. This has consequences for the relief that might be granted rather than for whether the information as a whole has the required quality of confidence.?
62. As noted above, the defendant draws a distinction between information relating or belonging to the plaintiffs and third parties' information or data relating or belonging to third parties. She accepts that information relating or belonging to the plaintiffs is confidential (provided it is confidential information) and emphasises that she gave an undertaking in relation to this information.
?
63. However, it bears note that she appears to in fact be of the position that there is no such information contained on the CD. This appears to be on two bases: (i) that all documents, even those that could be seen as having been generated by, or are internal to, the plaintiffs, such as progress reports, fee notes, invoices from auctioneers, and property lists, also contain personal data of third parties; and (ii) that the information relating to the plaintiffs is not confidential. For example, at the hearing, she submitted that the relief that is sought " is over personal data, nothing in the evidence is to do with proprietary or legally privileged information of Grant Thornton, it is personal data of private citizens that they use for their own commercial purposes. Nothing here is privileged or that I couldn't get anywhere else. So there is no confidentiality about the information that is provided here, they are just spreadsheets, they are just dockets, they are birth certificates. I can get that online and, you know, that is just not commercially sensitive information". She also instanced spreadsheets and said " all those spreadsheets contain people's name, properties, home addresses, all of their information. That is not proprietary information. That is information that Grant Thornton use for the commercial imperative. " She also said " as far as I am concerned and aware to this date today, the information we were dealing with is very much personal data of third parties. I have never seen proprietary information or legally privileged information of Grant Thornton. And they had specifically actually drawn a line between the two in the Statement of Claim where you can see that it is third party data of others and including proprietary legally privileged information ". So, while the defendant accepts that information relating to the plaintiffs is confidential, she does not accept that there is really any such information on the CD partly because the materials that contain the plaintiffs' information also contains third parties' information or data and it is therefore not the plaintiffs' information.
64. The plaintiffs do not accept that there is such a distinction. I return to this later and for the moment will proceed on the basis that the information can be divided in the manner contended for by the defendant.
?
65. The defendant's position in relation to the confidentiality of the plaintiffs' information is clear. She accepts that in principle it is confidential in nature (but her position is that there is really no such information on the CD). However, her position in relation to whether or not the third parties' information has the required quality of confidence is less clear. She made conflicting statements in the course of her evidence.
66. She said, " there is no confidentiality about the information that is provided here, they are just spreadsheets, they are just dockets, they are birth certificates. " She also said that they are not highly sensitive documents because they are available everywhere. She said, " You can go to any auction site in this country and download all that information. " She instanced a VAT receipt and said it is not sensitive because people are entitled to that as part of their data access rights, then went on to say that it is not confidential because you could download it from Revenue on a property disposal and sometimes VAT receipts are available in the legal packs for sales as well to show that if there is a VAT liability to the property, it is actually discharged.
67. However, on the other hand she also said, " Absolutely admitted, it was personal information that should have been kept confidential by Grant Thornton...". She said in oral submissions that " I have admitted that I knew the information was confidential, I knew the information was personal data of citizens that was required to be kept confidential..." In her written submissions she stated " If an individual gives their personal data to an organisation, they have a duty to keep the details private and safe. " She also said that the plaintiffs' duty of care to the third parties was to protect the privacy of those people.
68. It seems to me that there are two limbs to the defendant's position in relation to the nature of the third parties' information. ?Firstly, that in principle it is confidential in nature but that it is not the plaintiffs' confidential information, because she went on in the quotes from her evidence to say " but it doesn't make it their [Grant Thornton] confidential information" and " That does not mean that it is Grant Thornton's confidential information ". This is consistent with her submission that the plaintiff has no entitlement to enforce the confidence of that information, which I come to later. The second limb (this also applies to what she considers the plaintiffs' information) is that much of the information is not in fact confidential.
69. I deal with the first of these when discussing the plaintiffs' entitlement to seek relief. In relation to the second limb, as apparent from some of the quotes at paragraph 66, the defendant's point is that the information does not have the required quality of confidence because some of it never had that quality and other parts of it had that quality but have lost it. This is on the basis that: (i) some of the information or documents are publicly accessible; (ii) some of the information has been part of legal packs made available online in relation to previous sales of land; (iii) some of it will form part of such legal packs; and (iv) information from the CD has already made its way on to social media through other means and data breaches and is, therefore, publicly available.
70. It is clear from the authorities above, that in order to be confidential in the first place and thereafter to retain that quality of confidence, information must not be " public knowledge ", " public property, "common knowledge " or be otherwise in the public domain.
71. The defendant submitted that some of the information is publicly accessible and therefore never had the required quality of confidence. She referred to birth certificates, VAT receipts and fee notes from the plaintiffs to their clients. In relation to the latter, the defendant says that the information is accessible because an individual could calculate what individual fees were paid to the plaintiffs by examining the client companies' returns to the CRO. I do not accept that the individual fees could be calculated from returns to the CRO, but even if the individual fees could be calculated, the level of effort required to do so in itself means that the information is not publicly available or common knowledge. The defendant also referred to VAT receipts and said that they are not confidential because people are entitled to them as part of their data access rights, that they can be downloaded from Revenue on a property disposal, and are sometimes available in legal packs. I do not believe these points establish that VAT receipts are publicly available or accessible documents. The fact that the person whose property is affected may obtain such a receipt by way of data access request does not mean that it is available to the public. There is no evidence that a member of the public can download a VAT receipt relating to someone else's lands. Birth certificates are, of course, different because they are documents of public record which may be obtained by members of the public. However, the fact that the information contains a small number of records which are publicly accessible can not affect the overall assessment of the nature of the information. It also seems to me that there is a significant qualitative difference between such records being disclosed in bulk and application having to be made to obtain the record. Furthermore, the context is relevant and significant. The release of a person's birth certificate along with other personal information about them, including their address and sensitive financial affairs, is qualitatively different to a birth certificate being provided to an individual by a government office on application. I do not accept that the mere fact that the information contains some documents which may be accessed by members of the public means that the information on the CD does not have the quality of confidence.
72. The other basis upon which the defendant says that the information is not confidential at all is that some of it will be part of legal packs when the relevant lands are being sought. The possibility, or even certainty, that information or documents will become publicly available at some point in the future can not mean that they are not confidential before they become public. As Neuberger LJ said at paragraph 69 of Imerman " It is of the essence of the claimant's right to confidentiality that he can choose whether, and, if so, to whom and in what circumstances and on what terms, to reveal the information which has the protection of the confidence. " The information, if confidential, remains confidential and does not lose that quality until it becomes public.
73. The position in relation to information or documents which have already been part of legal packs is different. I accept that they no longer have the required quality of confidence. They had that quality at one time but once they were published as part of legal packs they lost that quality. Indeed, this was accepted in substance (though not in those terms) by Mr. Connaughton, who gave evidence for the plaintiffs. He said in cross-examination that " the purpose is to protect the private and confidential information, and anything that is already in the public domain obviously wouldn't be covered by that ".
74. It is common case that some of the information has appeared on social media. As a matter of general principle, information contained on the CD which had already become public, if any, can no longer be considered confidential (provided it was not the confidant - in this case the defendant - who made it public). The defendant claims that some of the information on the CD was released by the plaintiffs in earlier data breaches and ended up on social media.
75.?One of the main examples given by the defendant and relied upon by her was an earlier data breach to a Ms. Teresa Barrington in 2013. It seems to be accepted by the plaintiffs that data was improperly released to Ms. Barrington in 2013. However, they do not accept that the defendant established that this data breach comprised information that was on the CD. The defendant did not call Ms. Barrington to give evidence but rather said that Ms. Barrington previously swore an affidavit saying that she received the same data as the defendant had received. The defendant sought to rely on this. This affidavit came about because the Order that was made by Gilligan J was served on Ms. Barrington by the plaintiffs' solicitors. The affidavit was put to the defendant on behalf of the plaintiffs to demonstrate that it did not say what the defendant claimed. At paragraph 2(b) of the affidavit, Ms. Barrington said " The Plaintiffs are WRONG in attempting to connect the Plaintiffs [sic] paper data breach to me in 2013 with the Plaintiffs [sic] electronic data breach to the Defendant in 2015 as there is *no link between the 2015 and the 2013 data breaches** save both were perpetrated by the Plaintiffs.* " (emphasis in original). There is a heading at paragraph 20 "No Link Between 2015 and 2013 Data Breaches". Ms. Barrington then says at paragraph 20 " I say that the paper data breach I received by post in December 2013 is not the subject matter of the Court Order. The Court Order is only relevant to a [sic] electronic data breach of September 2015 some two years later and has no relevance to the paper data protection breach to me in 2013. " The defendant sought to explain these averments by saying that Ms. Barrington meant that there was no connection between her and the defendant. She also emphasised that the plaintiffs' solicitor had served the Order on Ms. Barrington and it follows that the plaintiffs must have believed that Ms. Barrington must have had some of the same documentation. The defendant argued that it is misleading to say that Ms. Barrington was saying that there is no connection between the two data breaches, and that what she was actually saying was that she should not be under the 2015 Court Order because that order is effective from 2015 and she was in receipt of a separate data breach. The defendant agreed with counsel for the plaintiffs that if Ms. Barrington had any of the confidential information which was covered by Gilligan J's Order she was under an obligation to return it and that her response was that she did not have any information because what she got in 2013 was different from what the defendant received in 2015.
76. The defendant could have called Ms. Barrington and did not do so. It is not open to her to give evidence as to what Ms. Barrington meant. In any event, the words speak for themselves, and in my view, they can only be understood as meaning that Ms. Barrington did not have any documents that were on the CD (i.e. documents the subject of Gilligan J's Order). There is no evidence upon which I could conclude that information which was contained on the CD was provided to Ms. Barrington in 2013.
77.?In relation to the information that ended up online, Mr. Connaughton, on behalf of the plaintiffs, said in evidence that he was not claiming that the defendant was responsible for information being placed online. He said that he does not know who is responsible for it. He later said that " I don't know whether you are responsible or whether you are not responsible...All I can tell you is that this information appeared. It emanated from anonymous sources and that is as much as I can say. " He then said that " I wouldn't suggest for a moment that you are responsible for it. " Senior Counsel for the plaintiffs also confirmed that they were not making the case that the defendant was responsible for this online activity. He said " At no stage, and not in our pleadings do we say that we attribute responsibility for those disclosures to Ms. Scanlan. We are not in a position to prove that, and therefore, we don't seek to prove it. But we say that the orders should be made based on, firstly the fact of refusal, secondly the disclosure to Mr. Scriven, thirdly the disclosure to Mr. McKeogh, fourthly the fact that there are USB keys at large. And the additional information in relation to what happened thereafter is not to establish a breach on the part of Ms. Scanlan, but is evidence as the basis for Mr. Connaughton's concern and the necessity for the orders that are sought on a permanent basis. " In those circumstances, I can not find that the defendant was responsible for material from the CD ending up online.
78. It is, however, common case that material did appear online. Particulars of these disclosures were given by the plaintiffs in Replies to Particulars: (i) on the 25 and 26 th November a facebook profile under the name "Due Dilliger" posted comments that included an annotated screenshot of part of the Confidential Information, (ii) on the same day a Twitter account under the name "Due Dilliger" tweeted the same annotated screenshot tagging the journal.ie and the plaintiffs' Twitter accounts. In the Replies to Particulars, the plaintiffs also gave the following details: (iii) the plaintiffs received an email from "The Research Routers" with an email name of "Due Dilligence" on the 26 th November 2015 which attached a document which was in the Confidential Information, (iv) the plaintiffs' Cork office received a letter dated the 15 th April 2016 from "A concerned member of the public" enclosing a memory stick including Confidential Information, and (v) the plaintiffs were provided with anonymous letters dated the 10 th March 2016 and 31 st March 2016 that had been sent to Baker Tilly Ryan Glennon and Byrne Wallace which included part of the Confidential Information. In my view, the information at (i), (ii) and (iii) no longer have the required quality of confidence. I am not satisfied that is the case in relation to (iv) and (v). I return to these below.
79. The defendant also referred to the fact that a copy of the CD was provided to the Data Protection Commissioner. It was not entirely clear whether she was claiming that the provision of a copy of the CD is in itself a basis for the loss of the quality of confidence or that the Data Protection Commissioner was the source of information coming into the public sphere. I do not accept that the provision of the information to the Data Protection Commissioner would in itself cause the information to lose the quality of confidence. In relation to the second point, there is absolutely no evidence upon which I could conclude that the Data Protection Commissioner allowed the information to get into the public domain.
80. I am therefore satisfied that the information overall has and retains the required quality of confidence. The issues about public records such as birth certificates, documents that were part of legal packs, and material that appeared online will have to be revisited when considering the question of relief.
81. I am satisfied that the information was disclosed to the defendant in circumstances importing a duty of confidence.
82. As is clear from the authorities referred to above, while very often the circumstances which import such a duty of confidence will involve a contractual or pre-contractual relationship, such a relationship is not necessary, and a duty of confidence might arise even where a person comes into possession of material through error.? As Goff LJ put it in the Spycatcher case, such a duty can arise " where an obviously confidential document is wafted by an electric fan out of a window into a crowded street, or where an obviously confidential document, such as a private diary, is dropped in a public place, and is then picked up by a passer-by. "
83. Goff LJ in the Spycatcher case said that an equitable duty of confidence will arise where the information is acquired accidentally, because of the recipient's knowledge that the information is confidential.
84. The information was disclosed to and received by the defendant through an error on the part of the plaintiffs. I am fully satisfied that the reasonable person would have realised that the information on the CD was confidential. Indeed, it is clear that the defendant realised this very soon after receiving the CD as she entered into correspondence with the plaintiffs, stressing the gravity of the breach. In fact, the defendant's whole approach to the information, and to the plaintiffs' wrongful disclosure of it, was on the basis that it concerned confidential, private, information.
85. The defendant denies in her Defence and Counterclaim that she knew or ought to have known that the information on the CD related to the plaintiffs or third parties or that it was confidential. However, it is clear that this refers to the period immediately after she received the CD, i.e. before she examined the material, because she admits that she " eventually became aware of other named parties on the CD and immediately notified the Plaintiffs of this discovery. " I am satisfied that from this point on, she knew, or ought to have known that the information, including the personal data of third parties, was confidential information. Her actions subsequent to that date are inconsistent with any contrary belief.
86. In my view, the circumstances are clearly such as to import a duty of confidence.
87. There has been no express statement in this jurisdiction of precisely what the duty of confidence encompasses. In the passages quoted above from Imerman v Tchenguiz, Neuberger LJ held that a person who receives information in circumstances which import an obligation of confidence is under a duty to return the information, and is under a duty not to examine or copy it, or to distribute or communicate it to other parties.
88. The defendant submitted that Imerman was of no relevance because it was a matrimonial case, and it could, in any event, only be a persuasive authority. In my view, this aspect of the judgment is of broader application than simply in matrimonial cases. It also seems to me that it is logical that the duty must encompass those actions identified by Neuberger LJ. Otherwise, the right to confidence would stand for very little.
89. The defendant is potentially in breach of her duty of confidence in a number of respects.
Examination of the Information
90. She read the information. In Imerman, Neuberger LJ goes so far as to say that " looking at documents which one knows to be confidential is itself capable of constituting an actionable wrong. " In the circumstances of this case, the mere fact that the defendant initially looked at the documents or even read some of them is insufficient to conclude that there was a breach of confidence or that an injunction should be granted. A defendant must look at the information knowing that it is confidential or in circumstances in which she ought to know it is confidential. The CD was simply sent to the defendant. There was no hard copy index or instruction sheet. Furthermore, as I understand it, the defendant's information was intertwined with the other information. Thus, it was only upon looking at the contents of the CD, and perhaps reading a very small number of documents, that the defendant could have known that it contained confidential information relating to other persons. Thus, the mere fact that the defendant initially looked at information on the CD could not in itself amount to a breach of confidence.
91. However, it is important to note that in cross-examination, the defendant accepted that shortly after receiving the CD she knew something was amiss and that she had received information which was plainly not her personal data. She said that as soon as she opened the CD she knew that she had received more than she should have. She accepted that she told Gilligan J on the day of the interlocutory injunction application that the files contained " very serious private information ".
92. It was a breach of duty for her to continue to read the information once she realised that it contained private information relating to other parties. On her own evidence, this occurred very shortly after she first looked at the contents of the CD. Despite this, she continued to read the material on the CD. Indeed, she describes herself as carrying out "a full interrogation" and "examination" of the information and "its impact on third parties". Mr. Scriven, who was called by the plaintiff, said in direct examination that he was asked by the defendant to engage with the plaintiffs (in particular Mr. Tennant) in relation to the matter and that he met Mr. Tennant and a Mr. McAteer.? He explained that he wanted to impress on them the benefit of engaging with the defendant in relation to the CD. He said this was because "...it was one thing to receive the CD but Ms. Scanlan's understanding of the nature and content of the actual data that was on it was exacerbating it probably even more. " The defendant did not challenge this. Mr. Scriven agreed with her when she put it to him that her " concern was escalating." In re-examination he said that "...Ms. Scanlan was getting more exacerbated by the interrogation of the data and what assistance that should be provided to the people whose data was listed on it. " On her own account, she had read 122 files by the 16 th October 2015. She seems to offer at least two reasons for continuing to read the materials even after becoming aware that they contained third parties' information. The first is the statement just referred to, i.e., to carry out an examination of the information and its impact on third parties, and the second is to find her personal data in circumstances where she had waited two years for her personal data from the plaintiffs. I do not accept that she had an entitlement to continue to examine the document on either basis. Her right to her personal data within a statutorily prescribed period, and the reliefs available to her in respect of a breach of that right, do not confer a right on her to interrogate information or documents which she knows contains personal information relating to third parties.
Failure/refusal to return information
93. The defendant also retained the information. She only returned the CD (and one of the USB keys) on the adjourned date for the interlocutory injunction hearing. She claimed at the hearing of the substantive action that she did not refuse to return the material. This is largely irrelevant. Her obligation was to return it immediately when she knew it contained third parties' information and, whether or not she expressly refused to do so, the reality is that she did not return it until after the proceedings had issued. Her actions and statements in correspondence clearly suggested that she had no intention of immediately returning it.
94. As noted above, the defendant brought the data breach to the plaintiffs' attention. She did so by letter of the 3 rd October 2015 to the plaintiffs' data officer. She referred to having received a file (the CD) on the 11 th September and went on to say:
"... While I did receive my own data in that file I was concerned to find various items of information including among others, Deeds of Appointments of receivers on the properties of other unconnected third parties. I have attached copies of some of the documents for your notice.
I am unsure what to do with these many and various documents and would be obliged if you would write by return outlining what your advice would be as to the best course of action in this situation.
I presume there is no need to impress on you the urgency this matter demands."
95. She did not receive a reply from the plaintiffs and wrote again, by email, on the 13 th October 2015. A Ms. Barry of the plaintiffs replied by email on the 14 th October 2015. She attached a letter which stated, inter alia:
?
"We acknowledge receipt of this letter and the breach which has occurred.
The breach will be addressed in line with the requirements under Data Protection legislation. Our obligations in this regard lie with the individuals whose data has been breached.
We request that all third party information you have received is returned to us and no copies are retained. I have enclosed a prepaid envelope."
96. The defendant replied by email on the 16 th October 2015, stating:
"Thank you for your response. I received your letter today. So far I've only been able to review 122 files of my data with a cursory review of the rest provided.
It would be helpful however, if you could provide the addresses of the victims of the data breach. I'd feel more comfortable sending the data directly to them considering Grant Thornton already mislaid it."
97. Thus, having asked for the plaintiffs' " advice...as to the best course of action ", and the plaintiffs, in reply, having asked for the return of all third party information, the defendant did not return it and instead indicated that she was reviewing the files and that she would prefer to deal with the third parties directly.
98. Ms. Barry replied by email of the 19 th October 2015. She stated:
"Firstly, please note the email contact list below is not appropriate - this is a matter solely between you, Grant Thornton and Danske Bank, whom we are liaising with separately.
While I appreciate your concern I cannot provide you with the contact information for the individuals whose data has been breached. This would not be appropriate as it would be an additional and intentional breach of the data protection act.
The third party documents were not mislaid, copies were simply sent to you in error. We are fully aware of our obligations under the data protection act arising from the breach and I can assure you we will fully comply with same.
Please return all third party information in the prepaid envelop [sic] provided as requested.
As for the matters of your data access request and the notification of this breach between you and Grant Thornton, subject to return of the third party information, the matter is now closed."
99. The defendant replied by email of the 5 th November 2015 as follows:
"Thank you for your email dated 19 th October. Please see attached. Can you confirm your Department is satisfied the matter is indeed now closed regarding the information issued to me September 11 th 2015?"
100. This email is of some significance because the defendant attached to it a photograph containing a large number of lever arch folders, some of which were open on a table and clearly contained documents. I return to this later.
101. The defendant wrote to the receiver, Mr. Tennant, on the 10 th November 2015.
"I am writing to you to give full authorisation to discuss the matter of my Receivership, Data Access Request and/or peripheral interests around that subject with Mr Gerard Scriven for the duration of one meeting organised for the week starting 9/11/2015."
102. The reference to the defendant giving authorisation to Mr. Tennant to discuss matters with Mr. Scriven is a reference to a proposed meeting between Mr. Tennant and Mr. Scriven. That meeting took place later.
103. Ms. Barry replied to the defendant's email of the 10 th November 2015 (to which the photograph of the lever arch folders was attached) on the 12 th November 2015. Ms. Barry stated:
"As noted in my previous correspondence, it is with reference to your data access request that we consider the matter to be closed. We have responded to your requests as required in line with Regulations. If however you have specific questions with regard to your data we will be happy to deal with these queries.
Your advisor Mr Scriven has been in contact with the Receiver, Mr Tennant, and Mr Tennant has confirmed he is happy to meet him to discuss the matter.
With regard to the other information you received in error, we are anxious to rectify the situation and fulfil our obligations to those individuals whose data may have been breached.
We are aware of our obligations under the data protection act and we will fully comply with these.
However in order to do so we require return of all third party information supplied in error. We should be obliged therefore if you could do this immediately and confirm that you have destroyed and or deleted any copies and have not shared this information with any other party.
I look forward to hearing from you at your earliest convenience."
104. The defendant replied on the 13 th November 2015 saying, as follows:?
"To date, I have had little indication from Grant Thornton this matter has been dealt with appropriately or in line with Regulations. There has been little interest and/or interrogation as to the scope, breach or the impact of disclosed data on the victims therein. Therefore, I am not confident Grant Thornton are giving the matter due consideration and so are not in a position to comply with obligations under the Data Protection Act.
I am compelled to point out when I issued a formal data access request to Grant Thornton in September 2013, your agency was unresponsive. Further formal requests were issued to your office. The Data provided to me verifies the receipt of these access requests, among others. The obligation under the Data Protection Act is for an agency to comply fully with an access request within 40 days. To not do so is a 'criminal offence'.
I did not receive a response for two years. Then it was only issued under threat of prosecution from the appointed Data Commissioner. The distinct lack of urgency on this matter has also further eroded any confidence in this regard.
I have not completed my full and final interrogation and examination of the provided information or indeed its impact on people in which your agency has been involved. When that is clear I will be in a position to assure all injured parties are allowed to fully explore options under any provided laws and regulations provided."
105. Ms. Barry replied by email the same day, stating, inter alia:
"As you have pointed out you received information relating to other parties, which was in error.
We do not believe you have any responsibility to those other parties.
The obligation to these parties rests with us and we are anxious to fulfil those obligations.
In order that we may do so and as requested on two previous occasions can we again request that:
You return all third party data received in error to allow us to meet our obligations and assess the impact of the breach;
You confirm that you have not shared this information with any other party and consequently no further breach has occurred; and
You confirm that all hard and soft copies of the data which relates to parties other than yourself has been deleted."
106. By email of the same day, the defendant stated that she was not in a position to " confirm on points 1, 2 or 3 ".
107. Ms. Barry replied on the 13 th November, the same day:
"We are at a lost [sic] to understand why you are not in a position to deal with our request to return any data sent to you in error and also why you cannot confirm whether or not you have shared the data.
If you are not in a position to return data which does not relate to you and was sent to you in error perhaps you would explain to us why?"
108. The 13 th November 2015 was a Friday and the defendant replied on the Monday, the 16 th November, saying, inter alia:
"Thank you for your email received Friday evening and I note your comments therein. While you may be at a loss in understanding the situation, I'm most certainly at a loss with regard to how Grant Thornton have failed to deal with their obligations to formal data access requests for over 2 years.
Furthermore it is my understanding that Gerard Scriven and Mr Tennant have not met."
109. There then followed a letter dated the 24 th November 2015 from McCann FitzGerald on behalf of the plaintiffs. It stated, inter alia:
"As you are aware, the information provided to you included in error a large amount of confidential information and personal data that does not relate to you, but is personal data and confidential information relating to third parties and/or confidential proprietary information belonging to our client, and also included material which is legally privileged (together the " Confidential Information ").
As soon as you made our client aware of this error, our client requested the immediate return of the Confidential Information, confirmation that you have not shared it with any other party and confirmation that all copies have been deleted. Regrettably, you have to date refused to provide this confirmation or return the Confidential Information, despite repeated requests. Indeed, in correspondence from 13 November you explicitly said that you were not in a position to do so. Instead we are instructed that you have indicated that you intend to make contact with parties to whom the data relates and/or otherwise make use of the Confidential Information of our client.
We are instructed that you have already given access to some of the Confidential Information to another individual, a Mr Gerard Scriven. In addition to this disclosure, our client received a voicemail from a data subject on 16 November 2015 indicating that you had contacted him in relation to personal data of his that appears in the Confidential Information. Such use of the Confidential Information is entirely inappropriate and not authorised by our client.
As our client has already told you, the Confidential Information in question is highly confidential and was disclosed to you in error. The Confidential Information was and remains the confidential property of our client. In the circumstances, you are subject to legal obligations in respect of the Confidential Information and your actions in relation to it may result in you being held liable inter alia for breach of confidence. To be clear, you are not entitled or authorised to have the Confidential Information or to make use of it in any way or to copy it or provide it to any other person. Our client is addressing the data breach directly with the Data Protection Commissioner, in accordance with its obligations.
You should note that to the extent that the Confidential Information includes personal data, your continued possession and any processing of that personal data creates obligations for you under the Data Protection Acts 1988 and 2003 (the " DPA "). Please note that you do not have our client's authority to retain or process such personal data, and that your continued retention and processing is a breach of the DPA. This includes the restrictions in the DPA under section 22 in connection with the disclosure of personal data to third parties, which would constitute a criminal offence. In addition, any further processing of personal data by you will constitute breaches of the fair collection and processing and other obligations under the DPA. Our client has informed the Data Protection Commissioner that you currently hold the third party personal data and that you have refused to return it to us.
We now call on you immediately to undertake:
Not to copy, make use of, publish or communicate to any third party the fact or contents of the Confidential Information provided to you by Grant Thornton on 11 September 2015.
That you will immediately return all such Confidential Information, together with any copies made, to Grant Thornton (c/o Fiona O'Beirne, McCann FitzGerald, Riverside One, Sir John Rogerson's Quay, Dublin 2).
That you will immediately and permanently delete any soft copies of the Confidential Information that have been created by you.
To provide us with the details of any third party to whom you have disclosed the Confidential Information or any part thereof.
Unless you furnish undertakings in the above terms no later than 5pm on Thursday 26 November 2015, we have instructions to commence High Court proceedings against you without further notice seeking an interlocutory injunction against you in those terms, together with a permanent injunction, damages and legal costs."
110. The defendant did not reply, and McCann Fitzgerald sent a further letter on the 26 th November 2025, stating:
"We refer to our letter of 24 November. We note that you have failed to provide the undertakings requested or any response to our letter. Indeed our client also now has reason to believe that, despite the terms of our letter, and our client's previous requests, you have proceeded to make further unauthorised and illegal disclosures of Confidential Information.
In light of your very serious, deliberate and unlawful actions in this regard, which have further exacerbated the matter, our client now intends to proceed with such action as may be necessary, including seeking court injunctions against you to restrain your continued unlawful and highly damaging acts, without further notice to you."
111. In fact, at this stage, the defendant had blocked the receipt of any emails from the plaintiffs or their solicitors. She explained in evidence that she did not like what was going on and was getting tired of it so she decided to block any emails coming from those parties.
112. She did, however, reply to the letter of the 24 th November 2015 on the 27 th November 2025. She said in evidence that she was in fact shown a letter which had been sent to Mr. Scriven and she then retrieved the letter from McCann Fitzgerald from her blocked emails. She wrote:
"I refer to your letter dated 24 th November and note the contents therein. Please note I have refused to provide the undertakings demanded by your client on the basis I am not in a position to do so.
In the light of some very serious concerns and issues raised by the provided data, I have been advised there is evidence of demonstrative criminal fraud. Furthermore, in the light of extremely serious developments of now public interest as highlighted in recent days and hours, I have a legal and moral obligation to protect my interest and the interests of the other victims listed in the files.
Your client was informed of the Data Breach immediately and had several opportunities to engage and discuss grave concerns regarding the private practice of your their [sic] business within the context of my own case. Your client quickly decided the 'matter was closed' at each communication and subsequently opted for legal process when it was clear the scope and content of the data would raise some difficult questions.
Furthermore, your client now has the audacity to threaten High Court proceedings when the Data was not 'procured' by me. I am the victim of your client's gross negligence. If your Client prefers to use Court process, I have no reservations whatsoever in informing the Court of the nature of the information provided and why I cannot be a party to aiding your Client in an attempt at covering up what now appears to be evidence of fraud. The High Court is not an arena I'm uncomfortable with and I have taken my own legal advice to be assured of due process in this regard.
In addition, I will be asking the media to take a specific interest in the case when it comes before the Courts as this is now clearly a matter of public interest."
113. As noted earlier, a meeting took place between Mr. Scriven and Mr. Tennant (and Mr. McAteer of the plaintiffs). Mr. Scriven described his purpose in attending this meeting as being to emphasise the benefits to the plaintiffs of engaging with the defendant. He did not agree with the approach of the defendant but nonetheless wanted to urge on the plaintiffs the depth of the defendant's feelings and to encourage them to engage with her. As noted earlier, he described the defendant as getting more exacerbated by her interrogation of the data and what assistance should be provided to the people whose data was on it. He was clear that he had no authority to agree on behalf of the defendant to return the information.
114. As is clear from the correspondence, the defendant is correct that she did not expressly refuse to ever return the information. However, equally, she did not return it and she refused to give an undertaking to do so. Furthermore, it is absolutely clear that she was refusing to return it until she had carried out a " full and final interrogation and examination of the provided information or indeed its impact on people in which your agency has been involved. " This in effect amounts to a refusal to return the information in accordance with her obligation. Furthermore, she was not entitled to carry out such an interrogation and examination. To the extent that the defendant considered that there was evidence of unlawful or wrongful conduct or fraud, her entitlement, if any, to refuse to return the material extended no further than providing the information to the appropriate authorities, such as An Garda S?och?na.
115. Even now, the full information has still not been returned. At least one, and possibly two, USB key(s) has/have not been returned. The defendant confirmed in evidence that the missing USB key(s) have never been found and has/have not been found in her house. She went on to say that " that's not to say they are not there ". It was put to her that "...they could be in your house but you don't know " and she confirmed she does not know. This is a very surprising statement. It is extremely surprising and concerning that years after Gilligan J made his Order the defendant is not in a position to say whether or not the missing key(s) is/are in her own home, or even to explain that she has searched her house. The defendant also provided no evidence in relation to any interactions she has had with Mr. McKeogh since Gilligan J made his orders. Those matters are simply left with the defendant raising the possibility that material was downloaded onto his laptop. Furthermore, there is a serious issue about whether or not a hard copy of some of the information was made by the defendant.
116. The defendant has admitted that she disclosed information from the CD to third parties.
117. She admits disclosing third parties' information to Mr. Scriven. She also admits showing materials to Mr. McKeogh, though she claims that she only showed him her own personal data. She put it to Mr. Connaughton that " ...actually Mr. McKeogh never got anything from me at all. I mean, anything that he saw was actually my own data and I believe there are e-mails submitted as well regarding my own data and I think Mr. Jeffers recognised that I gave him my data, and that was in response to the conduct of the receivership and nothing else. " She also said in her evidence that " I had communicated with Mr. McKeogh - and I have those emails there - that I wanted him to look at my data and I had given him some of my data by-email. But at no point did I give, show, offer, exchange data with Mr. McKeogh, it was none of his business... "
118. In relation to the disclosure to Mr. Scriven, in his direct evidence, Mr. Scriven said that he took the CD and went through it on a PC. It is not clear whether he meant that he physically took the CD, because he went on in the same passage to say " so we did load the PC or one of the work PCs with the CD and we went through the files at that stage. " I am proceeding on the basis that he did not physically take the CD and that he and the defendant looked at its contents and " went through the files " together. It is clear from this evidence that this examination was not limited to the defendant's own personal data; nor could it have been in circumstances where, on the defendant's case, her data was intertwined with the other information on the CD.
119. The defendant's position is that she was entitled to disclose the information to Mr. Scriven. She said in her oral submissions, " I can't make a mistake by saying to Mr. Scriven, "what's that? Am I supposed to have that? I am not supposed to have that, am I?" So no wrong was done by showing Mr. Scriven ".
120. Even if the defendant was entitled to seek Mr. Scriven's assistance in deciding what was on the CD and whether she should have it, it is absolutely clear from both her own evidence and that of Mr. Scriven that her interrogation of the material and her discussions with Mr. Scriven went much further than that.
121. It should be pointed out that the plaintiffs make no criticism of Mr. Scriven in these proceedings. They ultimately sought an undertaking from Mr. Scriven in relation to the information and Mr. Scriven gave that undertaking.
122. The claim by the defendant that the only information that Mr. McKeogh saw was her own data does not stand up to scrutiny. She appeared to suggest that she only emailed him some of her own information, but she went on in her evidence from the passage just quoted to say that at one stage she put one of the USB keys into Mr. McKeogh's laptop. The defendant said that her data was entirely intertwined with other parties' on the CD and that she had to interrogate the information to find references to her. She said " I was interrogating the data but I had no choice, they gave me no choice for two months but to get down into the data and find my data, which meant I had to open spreadsheets, do a search on my name to get my own data, which was a nightmare. " According to the defendant's evidence, these USB keys were a direct copy of the CD. Thus, her own data was intertwined with third parties' data on the USB key that she looked at with Mr. McKeogh. It is impossible to understand how they could have looked at her data without Mr. McKeogh looking at the information on the CD relating to the plaintiffs and third parties.
123. The defendant also said that there was a possibility that material from a USB key could have uploaded onto Mr. McKeogh's laptop when they inserted the key into the laptop. She said, " So at one stage I believe that I did actually have one of the keys in my possession, I may have put it into his laptop, and my concern at that point was there an automatic upload to his machine. Now clearly there wasn't because no one has ever heard of Mr. McKeogh, I don't think anybody has ever followed up with Mr. McKeogh, Mr. McKeogh don't exist any more. So there was no dissemination or breach or insecurity from there. " I do not need to determine whether information uploaded to Mr. McKeogh's laptop or not because it is clear that even if it did not, the defendant disclosed information, other than her own data, to Mr. McKeogh.
124. On her own evidence and admissions, therefore, the defendant accepts disclosing at least some of the contents of the CD relating to third parties to other persons.
125. Mr. Connaughton also gave evidence that the plaintiffs were contacted by a Mr. Kevin Brophy who said that he had been contacted by the defendant about his information that was on the CD. The defendant denies contacting Mr. Brophy or disclosing information to him. In circumstances where Mr. Brophy was not called to give evidence I can not conclude that the defendant either contacted him or disclosed information from the CD to him.
126. As discussed above, it was clarified on behalf of the plaintiffs that they were not claiming that the defendant was responsible for the appearance of information from the CD online and on social media. The defendant denies any responsibility and, in circumstances where the plaintiffs are not making that claim, there is no basis upon which I could conclude that she was responsible for the appearance of these documents online or on social media.
127. The plaintiff has also admitted making at least one copy of the information, i.e., copying the CD onto USB keys. She said that she only made one copy of the CD but that it was over a number of separate USB keys due to the sheer volume of the information. I accept that this is the case. Her explanation for doing so is that her house is full of animals and that a CD would not survive. I take this to mean that any sort of mobile storage device might not survive and therefore she wanted to have more than one copy as backup; otherwise copying onto USB keys would make no sense because if a CD could be destroyed by the animals so also could USB keys. The defendant was not entitled to make a copy once she knew the CD contained confidential information about third parties. However, her evidence was that she copied the CD before she considered the contents. Indeed, she says that it was the fact that it required several USB keys that alerted her to the fact that it must contain more than just her own data. That being the case, making the copy was not in breach of confidence. However, once she became aware of its contents her obligation was to return or destroy the copy. Her anxiety to ensure that she would have a copy if anything were to happen to the CD is inconsistent with the fact that she mislaid one, and possibly two, of the USB keys.
128. There is also a serious issue about whether the defendant made a hard copy of some of the information. This arises as follows. As can be seen from the correspondence set out above, on the 14 th October 2015, Ms. Barry asked the defendant to return the information and enclosed a pre-paid envelope for that purpose. That was perfectly understandable in circumstances where the information had been provided on a single CD, and it had been sent to the defendant in a single envelope. In reply, the defendant stated that so far she had only been able to review 122 files. On the 19 th October 2015, Ms. Barry repeated the request that the defendant return the third party information in the prepaid envelope. In reply, the defendant sent a photograph of a number of lever arch folders including some open ones on a table clearly containing documents. This clearly suggested, and, I am satisfied, was intended to suggest, that the defendant had made hard copies of the information, or some of it, and they would not fit in the prepaid envelope. It was put to her in cross-examination that the picture was to suggest that the information would not fit in the envelope. She agreed. However, she said that " It was a way of me demonstrating that it wouldn't quite fit. It didn't mean that I actually had printed it all off and put it on the desk. It was meant to be a bit smart, in other words, it won't fit in the envelope you provided to me. " This makes no sense. She said that she was annoyed by them sending a stamp-addressed envelope and was being a bit " smart " or a " bit tongue-in-cheek " in sending them the photo. During the course of her oral submissions, she said " Printing, by the way printing off data into folders which I didn't to, it was just literally a picture I took to make a point, I am not sure what the lawful wrong is there in actually printing them and putting them into folders. "?
129.?I am satisfied that the defendant did make a hard copy of at least some of the material. Even if this is incorrect, the photograph was clearly intended to convey to the plaintiffs that she had done so and it was perfectly understandable that the plaintiffs believed that the defendant had made an additional copy of the material.
130. Furthermore, the entire approach of the defendant must be considered in determining whether the relief sought is appropriate or necessary. She is clearly of the view that she is entitled to personally protect the data of third parties. At one stage in her evidence she said, " I for seven years have stood in the gap regarding peoples' right to control and restrain Grant Thornton from using their personal data indiscriminately. " In the correspondence set out above, she stated that she wanted to deal directly with the individual third parties and that she had " a legal and moral obligation to protect my interest and the interests of the other victims listed in the files ".
131. The defendant emphasised that there appeared to be no "fire" in the lead up to the plaintiffs' application for an injunction. By this she means that there was no urgency and no need for the application. She returned to this point several times during the hearing. She emphasised a number of matters. Firstly, she pointed to a disinterested attitude and approach by the plaintiffs when she initially raised the fact of the data breach with them and in the weeks after that. She put it to Mr. Connaughton that she was doing all the running. Secondly, she relied on the fact that when the plaintiffs were going to court they were not aware of her having shown materials to Mr. McKeogh. They were only aware of her giving materials to Mr. Scriven and he had given his undertaking before the application was made. Thirdly, at the hearing, Mr. Connaughton said that the plaintiffs were not claiming that she was responsible for the appearance of materials online and therefore this was not a basis for applying for an injunction against her.
132. I am not convinced that the question of whether or not there was a "fire", in the sense of an urgency warranting an application for interim and interlocutory relief, is particularly relevant to the question of whether a permanent injunction should be granted, but I will proceed on the basis that it is.
133. It is important to recall that the defendant consented to the interlocutory injunctions. That was the stage at which the defendant should have raised the argument that there was no need for injunctive relief. She chose not to do so.
134. I do not accept that the plaintiffs' attitude and approach was laconic or disinterested or that they treated the data breach as unimportant. Nor do I accept that the defendant was doing all the running. The plaintiffs undoubtedly failed to reply to the defendant's initial letter and she had to send a reminder ten days later. This should not have been necessary. Thereafter, however, the plaintiffs repeatedly requested the defendant to return the material and she did not do so. The evidence also shows that there was engagement between the plaintiffs and the Data Protection Commissioner. The defendant criticises the plaintiffs for not engaging with her in relation to the breach, suggesting that this shows they were disinterested. It is difficult to see what engagement was being sought by the defendant. It is also difficult to see how the plaintiffs could have engaged with her in respect of information relating to third parties. One specific point made by the defendant is that the plaintiffs did not even seek to ascertain from her what was on the CD. However, they did, as I have said, request the return of the CD and all of the information. It is not clear to me why the defendant felt it was necessary for them to ascertain what was on the CD when they were requesting that it be returned to them.
?
135. The second and third points can be dealt with together. Mr. Connaughton and Senior Counsel for the plaintiffs were clear that the application for interim and interlocutory relief was grounded on the fact that the plaintiffs had been trying to get the information back from the defendant and she was not giving it back. Mr. Connaughton described the "fire" as that they had requested the information back and she had refused to return it. The defendant, of course, denies that she had refused to give it back. I have dealt with this already. It did appear from the Revised Amended Statement of Claim (which of course came after the injunction application) that the plaintiffs were relying on the contacts they had from third parties and the appearance of materials online to seek the injunctions against the defendant. This suggested to me that they were alleging that the defendant was responsible for these disclosures. However, Senior Counsel for the plaintiffs said in court that they were not making that case and that some of these matters were referred to simply to explain the plaintiffs' concerns about the possibility of further disclosures. Thus, the sole basis for seeking the reliefs at the interim and interlocutory stage that I can consider is the defendant's failure or refusal to return the materials.
?
136. I am satisfied that the defendant's failure or refusal to return the CD warranted the application being made.
137. The plaintiffs, in seeking permanent relief, only rely on the fact that the defendant disclosed information to Mr. Scriven and Mr McKeogh, copied the information, and has still not returned all of the information.
138. As noted above, the defendant distinguishes between the plaintiffs' information and third parties' information. The significance of this distinction is that the defendant accepts that the plaintiffs may seek and obtain relief in respect of their own information but submits that the plaintiffs are not entitled to obtain relief in relation to third parties' information. The plaintiffs do not accept that there is such a distinction. Senior Counsel for the plaintiffs submitted " almost all companies hold personal data relating to third parties, and of course they have to process that data in accordance with their statutory obligations which are now set out in DPA and the GDPR, but just because a document or a piece of information may contain personal data of a third party, that does not mean that the document is not also the confidential proprietary information of the company concerned. " He also submitted that a customer list or bank statement " will inevitably contain the personal data of a customer, may contain their name, address, telephone number, e-mail address, perhaps even their purchasing history. But that does not mean that the same information is not and cannot be the confidential information of the company who owns the customer list or the bank concerned. So it can clearly be both confidential information and also contain personal data. And there is just no merit I say to the argument. " He also submitted that "...the mere fact that a confidential document contains the personal data of a third party, we say, does not alter the status of that document or render it unconfidential in some way..."
139. It seems to me that in fact there are three types of information. There is information that is the personal information of third parties; for example, name, address, details of borrowings and the secured property. A clear example of this is a birth certificate. The second type is information that is clearly company information, even though it will also include some personal information of third parties; for example, details of work in progress, or correspondence with the Revenue about VAT refunds. The third type is a mixture of both of these types of information. This type accounts for the bulk of the information contained on the CD; examples include a fee note sent by the plaintiffs to a chargeholder, or spreadsheets such as the one headed "VAT Danske Property List which contained headings "Property ID", "Date of Appointment", "Legal Firm", "Borrower Name", "Security Address", "Net Fee", "VAT inclusive Fee", "Date VAT paid", and "GT initials". That is information which is personal information of the third party and information of the plaintiffs. In my view, where the information is information of this third type, it is both personal third party information and company information. As it is also company information the question of whether the plaintiffs would be entitled to any relief in respect of it does not arise because they would clearly be entitled to relief (subject to the other considerations). However, in case I am wrong on this and this information is more correctly seen as two distinct categories (albeit in the same document) I do consider the question of whether the plaintiffs are entitled to relief in respect of the third parties' information element. I also do so because this question arises in relation to the first type of information.
140. I am satisfied that the plaintiffs would be entitled to such relief (if all other matters are satisfied).?
141. The defendant had previously argued that the High Court had no jurisdiction in respect of the plaintiffs' claim under the Data Protection Acts in relation to third parties' information. This was rejected by Pilkington J in Grant Thornton v Scanlan [2020] IEHC 509 and Pilkington J's decision was upheld by the Court of Appeal (Grant Thornton v Scanlan (Court of Appeal, 1 st March 2021)).
142. The defendant also previously argued that the only basis that was pleaded for the plaintiffs' claim in respect of third parties' information was their original claim under the Data Protection Act. It will be recalled that the plaintiffs withdrew their original claim under the Data Protection Acts and the Acts are not relied upon in the operative Statement of Claim. This led to the defendant claiming that the plaintiffs no longer had a claim in respect of the third parties' information on the basis that the breach of confidence claim did not apply to the third parties' information. This was dealt with by Haughton J in his judgment of the 17 th October 2022 (delivered ex tempore). Haughton J decided that the plaintiffs' claim for relief against breach of confidence always encompassed the information on the CD relating to third parties. He said:
"At paragraph 2 of her grounding affidavit, filed on 26 th April 2021, Ms. Scanlan identifies the purpose behind her motion as being:
" To have matters clarified and/or dismissed in light of an altered statement of claim issued by the Plaintiffs."
In my view Allen J was being kind to Ms. Scanlan in characterising her motion as effectively a motion for case management. Because it was, as I indicate later, either misconceived or pursuing orders more appropriate to the trial of the action. Where full pleadings have been exchanged, it would have been inappropriate for the High Court to determine such a motion or, as part of case management, matters at issue on the pleadings when these are the very issues that fall to be litigated and determined at trial.
The gravamen of Ms. Scanlan's remaining complaint in this appeal, as expounded in her notice of motion and affidavits and in her oral submissions, appears to be that Grant Thornton abandoned or were permitted to withdraw their claim under the Data Protection Act 1988-2003, notwithstanding that the subject matter of the claim is personal data relating to third parties which was mistakenly included in a CD furnished to her in response to her data protection request containing certain information and documents.
She, therefore, takes the position that Grant Thornton have no claim left to pursue and at the same time seems to argue that this is now a new claim and that she has to face a new claim. However, Grant Thornton's claim, as pleaded in the re-amended statement of claim, is that the furnishing by it to Ms. Scanlan of confidential third party information or personal data was an inadvertent mistake, an error, and that Ms. Scanlan has wrongfully refused to return same and has disseminated confidential information to certain third parties without lawful justification or excuse.
This is a claim that they have always made. It appears in their plenary summons, in their original statement of claim, in their amended statement of claim and in their re-amended statement of claim. In their re-amended statement of claim they seek a permanent injunction restraining dissemination of the confidential information to third parties, orders for delivery up or destruction of all confidential records or information and the taking of all necessary steps to retrieve or recall from the public domain wrongfully disseminated information.
Grant Thornton no longer plead any claim for damages, whether pursuant to section 7 of the Data Protection Act 1988 or otherwise. This narrowing of their claim is potentially of benefit to Ms. Scanlan because it relieves her of exposure to a claim for damages, although this is certainly not the way she sees it.
Grant Thornton made no new claim, they have only narrowed their claim. Since 2019 they have not maintained any claim for damages and, since March 2021, they have not maintained any claim predicated on the Data Protection Acts 1988-2003. Grant Thornton in their pleadings have never drawn a bright line between company documents or information on the one hand and private or personal data on the other hand, as Ms. Scanlan tries to suggest.
Paragraph 7 of the original statement of claim, which also appears in the re-amended statement of claim, reads:
" While the CD contained personal data relating to the Defendant within the meaning of the Data Protection Acts, as a result of inadvertence it also included other information comprising confidential information and/or personal data relating to third parties and confidential proprietary information of Grant Thornton, including matter which was legally privileged. The information on the CD, other than the personal data relating to the Defendant, is hereafter referred to as the Confidential Information."
143. The defendant now maintains that even if the claim in respect of third parties' information is part of the plaintiffs' claim (which, of course, it is, this point having been determined by Haughton J), they have no locus standi or have no entitlement to reliefs in respect of the third parties' information. She puts this in various terms: she said that the plaintiffs " can't go and recruit an order or some sort of legal remedy on behalf of the person who was violated "; " And common law now is to confer rights on Grant Thornton to pursue orders over personal data of other parties. I am just - it is unstateable and its offensive to the rights of parties who are entitled to control their own data "; and " So, for Grant Thornton now to recruit orders in common law over people's privacy removes this control from them. They are not the parties who are entitled to the orders of this data. "
144. I am satisfied that the effect of Haughton J's decision is that the plaintiffs do have locus standi to bring their claim in respect of the third parties' information. However, I do not believe that his decision determined the particular point of whether the plaintiffs could have an entitlement to relief in respect of the third parties' information. Haughton J expressly said in his judgment in the Court of Appeal:
"Of course that decision, no more than this one, did not determine anything of substance in Grant Thornton's favour. At trial the onus will be on Grant Thornton as plaintiff to establish that the torts that it relies on exist and that such claims are made out. Moreover, at trial, Ms. Scanlan can defend on any of the grounds set out in the NCF draft defence and counterclaim that now stands as her defence and counterclaim, including her pleas that no private or legal wrong is identified or exist at common law, which are legal arguments that take up much of her written submissions on this appeal."
145. The defendant's core point in relation to third parties' information is that the plaintiffs have no entitlement to obtain any Orders in respect of that information.
146. In a discussion with the court towards the end of her submissions the defendant made clear the scope of her position. She confirmed that her position is that if a bank provides financial information about a third party by mistake to another party the bank can not take any action to restrain improper use of that information by the person who received it in error. Her position is that relief can only be obtained by, in that example, the account holder or the subject of the information. Later she confirmed that it is her position that the person who disclosed the information by mistake can not take any action or obtain relief against the person to whom the information was disclosed.
147. The defendant relies heavily on Mahon v The Post Publications. Fennelly J stated at paragraph 134:
"134. Furthermore, I do not accept that the tribunal has power to enforce the confidentiality of documents or information which are, or as may well be the case, may be, confidential to persons who have assisted the tribunal by making statements or giving information or documents. I would not wish to pronounce definitively on whether the decision of the Court of Appeal in England in Fraser v Evans [1969] 1 Q.B. 349 should be followed, without qualification, in this jurisdiction. I would merely make the following observations. The plaintiffs, especially in their notice of appeal, claim the right to seek the orders by way of injunction in the interests of protection of the privacy or good name of persons who may be affected by publication. It would represent a substantial departure from the existing law if courts were to make general orders of prior restraint in protection of the good name of individuals, even in applications at the suit of those individuals themselves. In the exceptional cases where that is done, the person moving the court must place before it cogent material to demonstrate that his or her name will be irreparably and seriously damaged if an impending publication was to take place. The orders sought at present would be made on the presumptive and entirely speculative basis that publication of material circulated by the tribunal would damage the good name of unnamed and unspecified individuals without any showing whatever on the question of damage. Furthermore, it would be done at the behest, not of the individuals, who would not be required to play any part, but of the tribunal."
148. It seems to me that the current case is readily distinguishable from Mahon v Post Publications. The facts in Mahon are particularly important. The plaintiffs were the members of the Tribunal of Inquiry into Certain Planning Matters and Payments. The tribunal's procedure was to investigate modules in private followed by the issuing of a 'brief' to interested parties and then the taking of evidence in public. The brief consisted of, inter alia, copies of statements made by witnesses whom the tribunal intended to call together with copies of documents emanating from a wide variety of sources on which the tribunal itself intended to rely in its public session(s). When the brief was being circulated, the tribunal designated everything in the brief as confidential, stating " The enclosed documents remain the property of the tribunal and the information contained therein is confidential to the tribunal and may not be disclosed to any person other than your legal advisor, who is likewise restrained from disclosing the contents thereof. You must retain the original documents in your possession. If it is your intention to copy any of the documents enclosed, you must seek the consent of the tribunal prior to doing so. " The tribunal had experienced difficulties with documents in such briefs being disclosed to the media and then published. The defendant in the case published two articles pertaining to the tribunal, one of which quoted directly from a number of documents contained in a brief. The plaintiffs sought an injunction restraining the defendant from publishing or using information which the tribunal circulated on a confidential basis in accordance with its practice before such information had been disclosed at a public hearing.
149. There are a number of points of distinction. First, the tribunal was a public body. Second, at its heart, the case concerned the right to freedom of expression under the Constitution and the ECHR, and in particular press freedom. Third, the claim by the tribunal that the documents were confidential was based on the tribunal's own designation of the documents as confidential rather than anything to do with the actual nature of the documents themselves or their contents. Fourth, the tribunal claimed that its procedures were there to protect the good name and right to privacy of people who had given information to the tribunal. Fifth, the case involved prior restraint.
150. The importance of these factors in the case is clear from the reasoning of both the High Court and the Supreme Court. The Supreme Court held, inter alia, that: the right of freedom of expression was subject only to clearly defined exceptions laid down by common law or statute and any party asking a court to interfere with the exercise of freedom of expression, including by the media, by imposing prior restraint of publication must justify it by an exception clearly defined by law; a restriction on freedom of expression must be prescribed by law and be necessary in a democratic society by serving a pressing need and serving one of the listed interests, of which the prevention of disclosure of information received in confidence is one; the interference must be proportionate; the tribunal, as it did not fit within the scope of the traditional type of breach of confidence case between private individuals, had to prove detriment to the public interest; the equitable doctrine of confidence required that the information must in fact have had the necessary quality of confidence about it and there was no authority, statutory or otherwise, express or implied which enabled the tribunal to create such far-reaching confidentiality. Kelly J, whose decision was upheld by the Supreme Court, is reported in the headnote as deciding that " regardless of nature or source, every document in a brief was said by the tribunal to be confidential and there was no authority, statutory or otherwise, express or implied which enabled the tribunal to create such far reaching confidentiality; that confidentiality could only attach to information which was truly confidential; that the orders sought could not be regarded as proportionate; and that it was not the function of the court to redraft an order where that sought by the plaintiffs was too wide. "
151. Fennelly J noted that the case was not of the same character as cases concerning relations between private parties. He said at paragraph 133:
"Unlike the cases concerning communication of confidences, there is no question of trust here. That type of trust of confidence arises from mutual arrangements of some sort, as in the joint venture cases. A person becomes the repository of confidences on an implied basis of trust, firstly in the colloquial sense that the communicator trusts that person and, secondly, in the equitable sense of trust. No such relationship is alleged here. The terms of confidentiality are imposed unilaterally by the tribunal. They are extremely restrictive. They extend to a person's spouse or other close intimates or associates whether personal or business. I cannot accept, as appeared to be suggested at the hearing that these are trivial or unimportant matters, which should not be taken seriously, because the tribunal would never enforce the terms so rigorously. I find myself in agreement with Kelly J., who said that he could "find no authority, statutory or otherwise, express or implied which enables the tribunal to create such far reaching confidentiality, nor in my view should this court enforce it".
152. Unlike Mahon, this case does not involve public bodies. Nor does it involve a balancing exercise between freedom of expression and the confidentiality of information in the same way as in Mahon. The key difference between the two cases is that the information in question in this case is by its nature confidential and, most importantly, is held by the plaintiffs subject to a duty of confidence. That was not necessarily the case in Mahon v Post Publications because the only thing that was claimed in that case to make the information confidential in nature was the tribunal's own designation. They were not holding the information subject to a duty of confidence arising from the nature of the information.
153. That the plaintiffs held the third parties' information subject to a duty of confidence is accepted and, indeed, emphasised by the defendant. She said, for example, that it was personal information that should have been kept confidential by the plaintiffs and that it was required to be kept confidential.
154. In circumstances where the plaintiffs were holding the information subject to a duty of confidence, I am satisfied that they have an entitlement to obtain Orders to protect the confidentiality of that information. The following hypothetical example illustrates the point: a data breach in a bank leads to the release of personal financial data of thousands of customers and the bank learns that the recipient of the information plans to publish all of the personal data within twenty-four hours. On the defendant's case, the bank could not bring urgent proceedings to restrain that threatened publication, or at the least, could not obtain Orders to restrain publication. Instead, the bank would be limited to having to contact each and every individual customer (albeit that this could be done online and through the media) and each customer would have to bring their own proceedings and application to restrain the publication of the data that had been held by the bank. All of this would have to be achieved within twenty-four hours. In my view, that is not consistent with the duty on the bank. Indeed, it is my view that in some circumstances, the duty on the person holding another's personal information may not only entitle but oblige that person to take action in the discharge of their duty.
155. The defendant also submitted that any such entitlement would be inconsistent with the Data Protection Acts being the means which the Oireachtas have put in place give effect to EU law to protect individuals' right to privacy and control over their personal information. I do not accept this. I do not see that they are inconsistent. Indeed, as set out above, the effect of the approach contended for by the defendant would, in certain circumstances, lead to the result that the individual's right to privacy and their right to control their data would be rendered ineffective because they would not have the opportunity to prevent the disclosure of their information.
156. It is also important to note that there is a fundamental inconsistency in the defendant's position. She submits that if the plaintiffs had the right to obtain orders in respect of the third parties' information this would be in breach of the third parties' right to control their own data. She emphasises that the right of control is central to the notion of personal information/data. She submits, therefore, that the plaintiffs could not be entitled to obtain such relief. However, at the same time, she asserts a right for herself to retain and interrogate that data without any authority, permission from, or indeed knowledge of any relevant third party. Those two propositions are inherently inconsistent.
157. I am, therefore, satisfied, for the reasons just discussed, that the plaintiffs are entitled to seek, and (subject to the other considerations) to obtain the relief sought even in respect of the third parties' information.
CONCLUSION ON INJUNCTION APPLICATION
158. I am satisfied that the plaintiffs are entitled to permanent injunctions in circumstances where the information on the CD contained confidential information, where the defendant knew shortly after she first examined the contents of the CD that the information was confidential information relating to the plaintiffs and third parties, where she was under a duty of confidence in respect of the information, and yet she continued to interrogate the information, copied the information or some of it, failed or refused to return the information, and disclosed it, or some of it, to Mr. Scriven and Mr. McKeogh, and has still not returned the copy (or copies) of some of the information.
159. The defendant resisted the injunctions on the points discussed already and also on the basis that they were unnecessary because she has already returned the information and has given an undertaking to make every effort to locate the outstanding USB key(s) and that if they are found, to return them to the plaintiffs' solicitors. That undertaking was given at the interlocutory stage. The plaintiffs have invited the defendant to consent to the injunctions being permanent and confirmed that in those circumstances they would not seek to enforce any costs order. The defendant has rejected those offers and did not indicate in reply that she would make her undertaking permanent. Furthermore, she gave no evidence of the efforts she made to locate the outstanding USB key(s) since she gave that undertaking. Thus, I do not believe that this undertaking is a reason not to grant the injunctions sought.
160. However, the terms of these injunctions must have regard to the fact that some of the documents are accessible as a matter of public record, some of them were accessible and available as part of legal packs when the lands were sold, and that some information appeared online. These are species of documents which do not have the required quality of confidence. It would be unnecessary, unfair and disproportionate (see Mahon v Post Publications, paragraphs 140-145) for the defendant to face the possibility of having to defend an allegation that she disclosed such information in circumstances where such information was or is accessible to many people. This is also consistent with the approach of Mr. Connaughton in his evidence on behalf of the plaintiffs where he said that it would not be reasonable to seek relief in respect of information that is already available to the public.
161. The reliefs that are sought are as follows:
"An Order restraining the Defendant (and any person having notice of such Order) from disseminating, communicating by any means whatsoever to any third parties, or otherwise making any use of the confidential information, as more particularly described in the Schedule hereto (the "Confidential Information"), or any part thereof, for any purpose.
Delivery up of all documents and other records containing the Confidential Information belonging to the Plaintiff.
An Order requiring the Defendant to destroy, erase and/or delete the Confidential Information in her possession, in such manner and under such conditions as may be specified by this Honourable Court."
162. There is no reason to amend the second and third of these. However, it seems to me that the first relief must be amended to take account of the fact that some of the information is publicly available, as set out at paragraph 160. The only documents which the defendant correctly pointed to as being documents of public record which are accessible to the public are birth certificates. She did also refer to the information in fee notes being accessible through calculations based on company returns to the CRO and VAT receipts being publicly available, but for the reasons set out above, I do not accept that this information is public information in the sense described in the authorities. It is also common case that some information appeared online and the plaintiffs are not alleging that the defendant is responsible for this. The only information of which there is evidence that it appeared online is an annotated screenshot of part of the information on the CD which appeared in a Facebook profile under the name "Due Dilliger" on the 25 th and 26 th November 2015, in a tweet on a Twitter account under the same name on the same dates, and a document that was attached to an email from "The Research Routers with an email name of "Due Dilligence" of the 26 th November 2015. The plaintiffs also received a letter from an anonymous person enclosing a memory stick which included some information from the CD and anonymous letters that had been sent to Baker Tilly, Ryan Glennon and Byrne Wallace, which also included some of the information. However, these latter two instances do not mean that the attached information was " publicly available " or " common knowledge " or in the public domain, though the fact that some person(s) have that information would obviously be of significance in the event that it is alleged in the future that the defendant disclosed that particular information. I will, therefore, make orders in the terms set out above with the first paragraph being amended to read as follows:
" An Order restraining the Defendant (and any person having notice of such Order) from disseminating, communicating by any means whatsoever to any third parties, or otherwise making any use of the confidential information, as more particularly described in the Schedule hereto (the "Confidential Information"), or any part thereof, for any purpose, save for any birth certificates contained therein, any information or documentation which was included in legal packs for the sale of lands up to the date of the making of this Order, and information which appeared in a Facebook profile under the name "Due Dilliger" on the 25 th and 26 th November 2015, in a tweet on a Twitter account under the same name on the same dates, and a document that was attached to an email from "The Research Routers with an email name of "Due Dilligence" of the 26 th November 2015."
163. It seems to me that the Order must exclude any information that was included in legal packs for the sale of lands up to the date of the making of this Order.
164. I am conscious of Kelly J's statement in Mahon v Post Publications that it is ?"not the function of the court to redraft an order where that sought was too wide." That could not, of course, have been intended to suggest that there is an absolute bar on a court granting relief in amended form. It is best understood in the context of that particular case where there was no consideration of the nature of the documents and, instead, the claimed confidentiality was based on a blanket designation by the tribunal. The court has always had jurisdiction to grant relief in amended form and if Kelly J had intended his decision to alter this long-standing jurisdiction, he would have clearly stated that to be the case.
165. I am also conscious that the amended order places a burden on the plaintiffs. However, it seems to me that this is unavoidable if a correct balance is to be drawn. Furthermore, the need for an amended Order was, in substance, acknowledged by Mr. Connaughton.
166. The operative Counterclaim pleads as follows:
" The Defendant claims substantial damages pursuant to Section 7 of the Data Protection Acts ("the Acts") for the Plaintiffs' failure to provide the Defendant's data access request within the Statutory time permitted or within any reasonable time at all, in violation of and contrary to Section 4 of the Acts and consequently in violation of the Defendant's fundamental rights as enshrined in Article 8, which concealed material facts from the Defendant and had a consequential detrimental effect on the Defendant's litigation. "
167. Thus, the defendant's claim is based on the plaintiffs' failure to comply with their obligation to provide the defendant's data within the period prescribed by section 4 of the Data Protection Acts.
168. There is no doubt but that the plaintiffs failed in their obligations pursuant to the Data Protection Acts. The Acts provided for a forty day period in which a data access request must be complied with. The plaintiffs only provided the CD in response to the defendant's data access request some two years after the request.
169. The plaintiffs admit this failure in their Amended Reply and Defence to Counterclaim. They deny, however, that the defendant suffered any loss or damage as a result of this failure and deny that the defendant is entitled to any damages pursuant to section 7 of the Data Protection Acts. They submitted that no particulars of loss or damage were given and no evidence of such loss or damage was given at the hearing.
170. The plaintiffs' failure pre-dated the commencement of Regulation (EU) 2016/679 (the "GDPR") and the commencement of the Data Protection Act 2018 so the governing legislation is the Data Protection Act 1988.
171. Section 7 of that Act provides, inter alia:
" For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned... "
172. Feeney J considered section 7 in Collins v FBD Insurance plc [2013] IEHC 137. In particular he had to consider whether a data subject who is relying on the section must prove loss and damage.
"It is the extent of the civil liability for breach of statutory duty as identified in s. 7 which is central to the matters which I must consider. The plaintiff contends that he is entitled to damages pursuant to s. 7 of the Act as there has been a breach of the Act by the defendant. The plaintiff contends that s. 7 establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. The plaintiff also contends that to recover damages under s. 7 of the Act, a data subject does not have to show a loss and damages may be awarded by a Circuit Court Judge, or on appeal by a High Court Judge, so as to allow the data subject enforce his data protection rights. The defendant contends that a plaintiff is not entitled to any award of damages pursuant to s. 7 unless the plaintiff proves actual loss or damage. I must therefore determine what is the extent of damage recoverable under s. 7 of the Data Protection Acts. Section 7 of the Data Protection Acts establishes a statutory duty of care and allows for a remedy for a breach under the law of torts. Section 7 is a statutory provision which expressly provides that a civil action may be taken. Section 7 imposes a statutory duty of care on data controllers and data processors to the extent that the law of torts does not already provide, as regards the collection of personal data and their dealing with the data; the duty is owed to the data subject concerned. The question comes down to whether or not the damages provided for by s. 7 requires that there be proof of damage suffered by a plaintiff as a necessary pre-condition to an award of damages...
I am satisfied that s. 7 does not provide for either strict liability or the automatic payment of compensation but limits itself to providing for the existence of a duty of care within the law of torts.
...
Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage.
...
In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant. While certain limited evidence was led by the plaintiff in relation to the consequences of delay, no evidence was led to prove such damage or to establish that any damage flowed from the admitted breach of statutory duty on the part of the defendant. In those circumstances, the plaintiff in this case is not entitled to any damages as he has failed to establish that he has suffered any loss or damage within the scope of s. 7 of the Data Protection Acts. The statutory position in Ireland is that no matter how blatant the breach that the person the subject of the breach can only receive damages on proof of loss or damage caused by the breach."
173. Similarly, Noonan J said in Duggan v Commissioner of An Garda S?och?na [2017] IEHC 565 that a breach of section 7 of the 1988 Act " is not actionable per se but only on proof of actual damage. " (see also McCann v JM [2015] IECA 281 and Murphy v Callinan [2018] IESC 59).
174. The height of the defendant's case in relation to loss and damage is the plea set out above that the plaintiffs' failure had a consequential detrimental effect on the defendant's litigation, and her submission (not evidence) that the failure had a " direct impact on me losing my property which was only in arrears for ?2,000 ". In submissions, she said:
" So, my section 7 damages is then attacked because not only am I entitled to at least a declaration that Grant Thornton were delinquent in data privacy law and grossly delinquent at that but I would have to specify damage. Now, that would be very contrary to Article 13 of the Convention where we have a right to effective legal remedy. And I would say that while I haven't made it very clear failure to provide that data access request, had a direct impact on me losing my property which was only in arrears for ?2,000. "
175. She also said in her submissions " Now, I haven't specified the damage but damage has ensued, I am seven years in Court and they couldn't provide my data within two years. "
176. In Collins v FBD, Feeney J said, " During the course of the evidence certain limited evidence was led in relation to loss of earnings arising from the plaintiff being without his van for a number of months. That evidence was so imprecise and indefinite that I was unable to conclude that the plaintiff suffered any provable damage or to relate any claimed damage to the breaches of the Data Protection Acts committed by the defendant. "
177. In this case, the defendant gave no evidence of damage caused by the plaintiffs' failure. That precludes me from making any award of damages. Even if the plea and submissions set out above are treated as evidence, they are extremely vague and general and are an insufficient basis upon which I could ground an award of damages.
178. The defendant submitted that the requirement that damages be proven means that she is not provided with an effective remedy. In my view, that is misconceived in the circumstances of this case. This was in fact addressed by Feeney J in Collins v FBD. He said at paragraphs 3.3-3.5 (he continues the discussion in paragraphs 3.6 onwards but it is not necessary to quote these paragraphs):
"3.3 The long title to the Data Protection Act 1988 reads in part as follows:
"An Act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28 th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically."
The convention referred to is the Strasbourg Convention. Section 7 of the Data Protection Acts seeks to provide for remedies as envisaged under Directive 95/46/EC of the 24 th October, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 23 of the Directive reads under the heading "Liability";
"Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered."
What is envisaged by Article 23 is that a person who has suffered damage is entitled to be compensated. Paragraph (55) of the preamble to the same Directive reads:
"Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive."
The Directive mandates that in the event of a breach that sanction shall apply and Article 24 of the Directive states in relation to sanctions:
"The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive."
3.4 What is obligated under the Directive is that a Member State is obliged to have in place a provision which provides that a person who has suffered damage as a result of an unlawful processing operation or an act incompatible with national provisions is entitled to receive compensation from the controller for the damage suffered. The obligation does not extend to an automatic payment of compensation. It is open to the Member State to provide that the compensation permissible in a Member country's legislation extends beyond the Directive. That is a matter for each individual Member State. Article 23 provides that a wronged individual may be entitled to payment of compensation but subject to proof of the damage that they have suffered.
3.5 Section 7 of the Data Protection Acts transposes the Directive into Irish law. Section 7 imposes a statutory duty of care on data controllers to the data subject. It is stated in the legal submissions on behalf of the plaintiff that:
"The drafting of the section (s. 7) is perhaps not inspired and academic commentary is sparse. Almost all Irish authority on statutory duty relate to the existence of statutory duty existing in parallel to a common law duty and generally in the context of occupational injury".
I accept that the drafting of s. 7 is imperfect and, to some extent imprecise. However, what is clear is that s. 7 does not provide, within its terms, for strict liability or for the automatic payment of compensation. It limits compensation by a provision providing for the existence of a duty of care within the law of torts. The section does not in its express terms seek to go beyond the obligation for compensation contained in the Directive."
179. It is clear that what is required is that member States provide for a remedy when a person has suffered damage from a breach. Absent any evidence of such damage there is no requirement to provide for the payment of damages.
180. The defendant also submitted that she is entitled to a declaration. However, that relief was not sought, notwithstanding that the defendant was aware that the plaintiffs' defence to her Counterclaim was that she had not suffered any damage.
181. In those circumstances, I must dismiss the defendant's Counterclaim.
182. I will grant the plaintiffs the following reliefs:
" An Order restraining the Defendant (and any person having notice of such Order) from disseminating, communicating by any means whatsoever to any third parties, or otherwise making any use of the confidential information, as more particularly described in the Schedule hereto (the "Confidential Information"), or any part thereof, for any purpose, save for any birth certificates contained therein, any information or documentation which was included in legal packs for the sale of lands up to the date of the making of this Order, and information which appeared in a Facebook profile under the name "Due Dilliger" on the 25 th and 26 th November 2015, in a tweet on a Twitter account under the same name on the same dates, and a document that was attached to an email from "The Research Routers with an email name of "Due Dilligence" of the 26 th November 2015."
Delivery up of all documents and other records containing the Confidential Information belonging to the Plaintiff.
An Order requiring the Defendant to destroy, erase and/or delete the Confidential Information in her possession, in such manner and under such conditions as may be specified by this Honourable Court."
183. I will dismiss the defendant's Counterclaim.
BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: https://www.bailii.org/ie/cases/IEHC/2026/2026IEHC167.html
Named provisions
Related changes
Source
Classification
Who this affects
Taxonomy
Browse Categories
Get Courts & Legal alerts
Weekly digest. AI-summarized, no noise.
Free. Unsubscribe anytime.
Get alerts for this source
We'll email you when BAILII Ireland Recent Decisions publishes new changes.