Empty Link Skip to Content

Expertise

Deirdre Crowley is a partner in the Technology, Innovation and Employment groups in Matheson.

Deirdre advises private and public sector clients on a host of privacy, data protection, employment, equality, industrial relations and data protection matters.  Deirdre is currently advising many household name companies on their Brexit readiness together with their employer liability and data protection compliance during Covid.

A highly sought after conference speaker, Deirdre is regularly invited to speak on data protection and employment law compliance issues by organisations such as the Irish Institute for European Law, the Law Society of Ireland and Legal Island. 

Experience Highlights

Recent areas of experience highlights include:

  • Advices on how to continue transferring personal data to the UK in light of Brexit and to the US in light of Schrems II.
  • Complex and contentions data subject access requests in the employment litigation, technology and retail customer context to include supporting companies dealing with regulatory inspections and criminal proceedings resulting from data compliance breaches.
  • The appropriate use of technology in the workplace including CCTV and other body worn monitoring devices, associated data subject access requests and investigations by the Data Protection Commission.
  • Workplace reorganisations including redundancies (singular and collective), changes in terms of employment to include role and location and the employment implications of Covid generally from a restructuring and compliance point of view.
  • Termination of employment issues for senior executives, post termination restrictions, restraint of trade, non-solicit and related injunction and breach of contract litigation.
  • Acting in a Circuit Court contentious discrimination and equality claim for a leading financial services company.

Data Protection and Privacy

Deirdre advises EEA and non-EEA based controllers and processors in relation to the full spectrum of data protection and privacy compliance issues.  Deirdre’s day to day work includes advices on data security breaches, data subject access requests, the drafting of data processing agreements, international transfer of data agreements and commercial agreements designed to best protect clients when they engage in the business of processing personal and / or special category data.

Deirdre has specific experience in advising businesses that have a high risk data processing rating in relation to complex and urgent data breach scenarios.  A particular focus of Deirdre’s practice in the last 24 months is on advising clients on how best to approach dealing with regulatory investigations on behalf of the Data Protection Commission in the aftermath of a reportable data security breach. 

On the data subject access request side, Deirdre works with our Digital Services Group headed by Tom Connor to assist businesses to quickly, efficiently and cost effectively identify in scope data for the purposes of replying to data subject access requests.

Data audits for compliance and due diligence purposes are a routine part of Deirdre’s work.  Focused and practical know-how on the issues of processor / controller / joint controller capacity tests, data mapping, Privacy Officer versus Data Protection Officer considerations, policy and employee contract drafting, the use of CCTV and other monitoring devices in the workplace as well as drafting data protection impact assessments and privacy impact assessments are also frequent topics of advice in Deirdre’s practice.

E-Privacy and eCommerce for the retail, medical, technology and manufacturing sectors is a particular area of expertise and interest of Deirdre’s. 

Employment Law

Deirdre advises on all aspects of the employment relationship from recruitment and selection, through to termination of employment. 

Advices on dealing with complex conduct and performance issues in the context of investigations, disciplinary and appeal processes are a mainstay of Deirdre’s practice.

Equality and Equal Status

Deirdre advises on all aspects of Irish and European equality and discrimination law.

Recent Experience Highlights

Detailed advices on retirement issues and their interplay with ageism and pension risk issues.

Industrial Relations

A robust and experienced advocate, Deirdre frequently appears before the Workplace Relations Commission Adjudicator Service and Labour Court on behalf of clients in respect of all employment, industrial relation and equality issues that fall within their respective jurisdiction.

Deirdre recently advised employers in relation to new sectoral employment orders (“SEO”) in the electrical services and private language colleges sectors and has over many years advised employers on their collective bargaining relationships with both recognised and non-recognised unions. 

Recent Experience Highlights

Recently advised employers in relation to new sectoral employment orders for the English Languages sector and the Electrical Services Sector.

Workplace Relations Commission (“WRC”) Inspections

WRC inspections are creating a lot of work for public and private sector clients.  Deirdre works with clients to deal swiftly with inspections and where possible to implement compliance solutions to bring inspections to a close. 

Where inspections become contentious, Deidre has advised many companies on how best to deal with compliance notices, dawn raids, labour court hearings and any appeal cases required, with a constant focus on early resolution and cost effective disposal of the issues within the scope of clients legal obligations. 

Graham Dwyer Supreme Court Decision - Data Retention in the Spotlight

May 5, 2020, 13:40 PM
Significant and important data retention issues arise in the Graham Dwyer case referred by the Supreme Court to the CJEU on 24 February 2020. Deirdre Crowley and Denise Moran address the potential implications of this referral on public and private sector employers.
Title : Graham Dwyer Supreme Court Decision - Data Retention in the Spotlight
Filter services i ds : a5faa30f-5dbb-45a0-ac57-91b70be7c811;
Engagement Time : 5
Insight Type : Article
Insight Date : Mar 4, 2020, 20:00 PM
Significant and important data retention issues arise in the Graham Dwyer case referred by the Supreme Court to the CJEU on 24 February 2020. Deirdre Crowley and Denise Moran address the potential implications of this referral on public and private sector employers.

On 24 February 2020, the seven judge Supreme Court delivered its highly anticipated judgment in the case of Graham Dwyer and the Commissioner of An Garda Síochána and others. Although this decision relates solely to the question of the validity of an Irish statute (the Communications (Retention of Data) Act 2011 (2011 Act)) having regard to EU law, the focus on the retention of data, albeit in the context of a criminal investigation, serves as an important reminder to all employers of their obligations regarding the retention of personal data.

Further, the Supreme Court’s commentary on the interplay between an individual’s right to privacy and the requirements for an investigation into, and potential prosecution of, a criminal offence also serves as an important reminder to employers of the balance to be struck between an employee’s right to privacy and the circumstances in which this may be trumped by an employer’s right to lawfully process personal data.

Retaining Personal Data
The 2011 Act governs the retention of data by service providers and access to such data by national authorities in Ireland including, in particular, to An Garda Síochána (the Gardaí). During the murder trial of Mr Dwyer, the DPP placed reliance on evidence which was said to link Mr Dwyer to certain phones, which linked him to data, which was said to identify where those phones were on certain relevant occasions and separately, to link him to certain communications which were found on those phones. A finding that the 2011 Act, which permits the retention and access of certain data, is inconsistent with EU law would likely be relied upon by Mr Dwyer in contending that such data should not have been admitted in evidence, and such raises a question of the safety of his conviction. 

While no express provision is contained in the Data Protection Act (2018 Act) specifically dealing with a request for information by the Gardaí in an employment context, Part 5 of the 2018 Act deals with the processing of personal data for law enforcement purposes and the Gardaí are included in the definition of a “competent authority”.

Separately, section 41 of the 2018 Act deals with the processing of personal data for purposes other than for the purpose for which it was collected. This section expressly provides that personal data may be shared to the extent that such processing is necessary and proportionate for preventing, detecting, investigating or prosecuting criminal offences. This section may be relied upon to respond to a request by the Gardaí for personal data held by an employer in relation to an employee. Where an employer receives a written request for specific information from the Gardaí (not below the rank of chief superintendent) then section 41 comes into play for consideration by employers. As a data controller, where the personal data has not been purged, it is likely that the requested personal data will need to be shared with the Gardaí.

An ever-present challenge for any HR function is the balancing act of observing data minimisation, i.e. the obligation on employers to retain data for no longer than is necessary, and the obligation to comply with statutory retention periods. Employers should rely on their data retention policies to assist in this process and ensure that all personal data which has no lawful basis for its retention is permanently and irretrievably deleted.

Balancing The Right to Privacy
There is no disputing the fact that the right to privacy is a powerful and enabling personal right. It is a right that is recognised by the Irish Constitution, the European Convention on Human Rights and the Charter in Fundamental Rights of the European Union.  Any statutory provision that seeks to trump this right in criminal proceedings, and indeed in the employment context, must have a significant justification.

The Supreme Court stated that the analysis of any measure provided by law to permit the retention of such data would require consideration as to whether the measure affects a protected right. If so, it is then necessary to determine whether any such interference pursues a legitimate objective. Next, and again if so, it must be determined whether the interference is no greater than is necessary to achieve the lawful object and is proportionate in doing so.

A very similar approach is required in balancing the rights of employees and those of the employer. We have seen instances where the Irish Data Protection Commissioner (DPC) has determined that the employer’s legitimate interest trumps the employee’s right to privacy in particular circumstances.

This is particularly evident from the DPC’s May 2019 guidance note on the use of CCTV which provides that there may be situations where it will be deemed legitimate for an employer to rely on CCTV footage for a purpose other than one identified at the outset to, for example, investigate an allegation of gross misconduct or other disciplinary matter and that such is justified on necessity and proportionality to achieve the given purpose. Where an employer can demonstrate that the use of CCTV is necessary to provide evidence and that their access to CCTV footage is proportionate and limited in scope to the specific investigation, the rights of the employee and their expectation of privacy will not be seen as overriding the interests of the employer in such circumstances, and the employee’s right to privacy will not present a barrier to the investigation.

It is likely that any balancing test undertaken which results in an employee’s right to privacy being overridden by an employer’s interests will remain the exception, and employers should exercise great care and caution where they seek to override this right.

Learnings for Employers 
Employers are reminded that a commitment to robustly managing retention periods, to carefully considering applicable exemptions and to actively purging data that has no lawful basis for retention is crucial in ensuring compliance with the 2018 Act and GDPR. The effectiveness of a data retention policy relies solely on its adherence. 

This decision also brings into sharp focus the occasions on which it may be deemed lawful to process employee data where an employer’s legitimate interest trumps the employee’s right to privacy.

Lastly, the ongoing criminal case giving rise to these proceedings also provides a reminder to employers that the burden of proof in the employment context is on the balance of probabilities which is a much lower threshold of determining culpability than in the context of criminal proceedings which is beyond reasonable doubt.

It remains to be seen how the CJEU will interpret EU law in relation to the data retention queries referred to it, how the Supreme Court will give effect to that ruling and how these decisions will impact upon Mr Dwyer’s ultimate quest for his conviction to be successfully appealed.

This article is correct at 26 February 2020.

For more information in relation to this topic, please contact Deirdre Crowley, Partner, or Denise Moran, Associate.

Co Authors
Related Insights