Right To Know CLG and Data Protection Commissioner

Background
Scope of Review
Preliminary Matters
Analysis and Findings
Decision
Appeal to the High Court

Whether the DPC was justified, under article 9(2)(d) of the AIE Regulations, in refusing access to certain information related to data protection considerations on the National Smart Metering Programme.

13 June 2024

Background

1. On 7 April 2021, the appellant requested information from the DPC relating to the National Smart Metering Programme (the NSMP). The request noted that under the NSMP up to two million smart meters would be installed across homes and small business which “can be read remotely and can be set to record electricity usage as frequently as every half hour.” It also noted that it was the appellant’s understanding that those meters would be read by ESB Networks and that the information obtained would be stored for a period of seven years. Specifically, the appellant sought access to:

(1) “Records of correspondence relating to the NSMP for electricity between DPC and ESBN, CRU, Relevant Government Departments between 1 January 2020 and 7 April 2021.

(2) Records which contain the current position (whether or not a final position and whether or not it has been communicated to the CRU/ESBN etc) of DPC on the following aspects of the processing of personal data under the NSMP for electricity:

(a) Legal bases for the increased frequency of collection of electricity readings.

(b) Identity of the data controller(s)

(c) Lawfulness of the retention of at least one but up to 48 daily reads for seven years by ESBN for all smart meter users

(d) Whether data subjects are adequately informed that the installation of a smart meter is optional

(e) [W]hether data subjects are adequately informed about the nature and purpose of processing, the identity of the data controller and their rights generally.

(f) [W]hether current legislation is adequate or whether new legislation is required given the scale of personal data processing.

(g) [W]hether DPC has received any complaints about NSMP and if so the number of complaints and the general issues raised (please note we are not looking for any information that would identify a complainant).”

2. The DPC did not respond to the appellant’s request within the timeframe provided for in the AIE Regulations. Therefore, on 11 May 2021, the appellant sought an internal review on the basis of a deemed refusal. On 11 June 2021, the DPC issued its internal review decision, wherein it refused access to information relevant to the appellant’s request on the grounds that it was not “environmental information” and, if it was, the information was exempt from release under article 8(a)(iv) of the AIE Regulations.

3. The appellant appealed to this Office on 14 June 2021. During the course of that appeal (reference OCE-108913-C6K9T2 ), the DPC provided this Office with a schedule and copies of 21 documents that it had identified as coming within the scope of the appellant’s request. It refused access to those documents on a number of grounds. It reiterated that, in the first instance, the information sought was not “environmental information” within the meaning of the AIE Regulations. It also argued that even if the information did come within the definition of “environmental information”, it was entitled to refuse the request under articles 8(a)(iv), 9(2)(c) and 9(2)(d) of the AIE Regulations.

4. On 28 October 2022, a decision issued on that appeal, see OCE-108913-C6K9T2 Right to Know and Data Protection Commission. I found that the information sought was environmental information and that refusal was not justified under articles 8(a)(iv), 9(2)(c) or 9(2)(d) of the AIE Regulations. On that basis, I directed release of the information sought by the appellant.

5. On 22 November 2022, the DPC wrote to this Office taking issue with the finding, at paragraphs 40 and 41 of the decision, that the DPC’s reliance on article 9(2)(d) of the AIE Regulations was not justified because “there [were] no documents identified on the schedule that are internal to the DPC” and “having reviewed the documents relevant to this request, I [was] satisfied that they do not qualify as “internal communications” within the meaning of article 9(2)(d), as they consist of correspondence between the DPC, CRU, ESBN and other parties.”

6. The DPC’s letter of 22 November 2022 identified four documents on the schedule which it considered to be “internal communications” – Documents 5, 6, 13 and 20. It accepted that it had not “explicitly tagged” those documents as being internal to the DPC but submitted that “the title, description, senders, recipients and contents of each clearly point to them being internal documents of the DPC” and that they were “clearly not records of correspondence between the DPC and other bodies”. On that basis, it sought confirmation of this Office’s position on the application of the decision in OCE-108913-C6K9T2 to Documents 5, 6, 13 and 20.

7. Having considered my jurisdiction under the AIE Regulations, this Office took the view, and informed the DPC, that it was not possible to revisit or amend a decision that had been issued and that the findings set out in the decision in OCE-108913-C6K9T2 applied to all 21 documents identified by the DPC.

8. The DPC appealed the decision in OCE-108913-C6K9T2 to the High Court by Notice of Motion dated 3 January 2023. That Notice of Motion was based on a Grounding Affidavit sworn by an Assistant Commissioner of the DPC, paragraph 11 of which referred to Documents 5, 6 and 20 on the schedule provided to the OCEI on 21 July 2021 as the “Internal Communications Records.” It did not make reference to Document 13 which was also referenced in the letter to my Office of 22 November 2022. Paragraph 15 of the Grounding Affidavit stated that it is “particularly that part of [the Decision in OCE-108913-C6K9T2] that deals with the Internal Communications Records, that is the subject of this appeal.” For the avoidance of doubt, my references to “appellant” below continue to refer to the original requestor.

9. On 4 January 2023, the appellant’s solicitor wrote to the DPC’s solicitor, noting that the appeal to the High Court appeared to relate only to Documents 5, 6 and 20. It asked to be provided with a copy of the relevant schedule and for the 18 records/documents which are not disputed to be released.

10. On 12 January 2023, the DPC’s solicitors responded to the appellant attaching a copy of the schedule and copies of the documents referred to therein with the exception of the documents “the subject of the [High Court] Appeal which are listed at numbers 5, 6 and 20.”

11. On 16 January 2023, the appeal to the High Court was settled with the High Court issuing an order by consent that the decision be remitted to this Office.

12. I have now completed my review under article 12(5) of the AIE Regulations. In carrying out my review, I have had regard to the submissions made by the appellant and the DPC. I have also examined the contents of the documents at issue. In referring to the documents I have adopted the numbering system used by the DPC on the schedule provided to this Office on 20 July 2021, a copy of which was provided to the appellant on 12 January 2023. In addition, I have had regard to:

the Guidance document provided by the Minister for the Environment, Community and Local Government on the implementation of the AIE Regulations (the Minister’s Guidance);
Directive 2003/4/EC (the AIE Directive), upon which the AIE Regulations are based;
the 1998 United Nations Economic Commission for Europe Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters (the Aarhus Convention);
the Aarhus Convention—An Implementation Guide (Second edition, June 2014) (‘the Aarhus Guide’);
the decision of the Court of Justice of the European Union in C-619/19 Land Baden-Württemberg v DR (Land-Baden Württemberg); and
the decision of the High Court in M50 Skip Hire & Recycling Limited v Commissioner for Environmental Information [2020] IEHC 430 (M50).

13. What follows does not comment or make findings on each and every argument advanced but all relevant points have been considered.

Scope of Review

14. As noted above, there are three documents relevant to this case, Documents 5, 6, and 20. These documents are referred to on the schedule as follows:

Document 5: “9/12/2020 - Email of Garrett O’Neill to Dale Sunderland and David Murphy / Internal DPC email re consultation on smart meter programme”.
Document 6: “10/12/2020 – Email of Garrett O’Neill to Dale Sunderland and David Murphy / Internal DPC email re consultation on smart meter programme”.
Document 20: “Not dated – NSMP summary of the data protection considerations / Briefing note of data protection considerations of the NSMP” .

15. Documents 5 and 6 are email chains made up of individual emails and Document 20 is a pdf of a word document. Although Document 20 is not dated on the schedule, I am satisfied that it must have been created prior to early April 2021.

16. Document 5 contains three individual emails and Document 6 and contains five individual emails. The three individual emails within Document 5 are also within Document 6. Further detail related to the individual emails is set out below:

Documents 5 and 6 – Email dated 3 December 2020 and sent at 14:24 (Email 1)
Documents 5 and 6 – Email dated 3 December 2020 and sent at 14:59 (Email 2)
Documents 5 and 6 – Email dated 9 December 2020 and sent at 17:35 (Email 3)
Document 6 – Email dated 10 December 2020 and sent at 16:19 (Email 4)
Document 6 – Email dated 10 December 2020 and sent at 16:43 (Email 5)

17. In its submissions to this Office, the DPC stated that having considered article 10(5) of the AIE Regulations, it was no longer refusing access to certain information contained within Documents 5 and 6, namely the “originating external email which is ultimately the subject of the DPC’s internal commentary”. Having examined the email chains, I understand the “originating external email” to be the first email in Documents 5 and 6 dated 3 December 2020 and sent at 14:24 (Email 1). This email was sent from a Department staff member (cc’ing another Department staff member) to DPC staff members regarding “Statutory-Prior Consultation under Article 36(4) GPR / Section 85(12) DPA 2018” on the development of the European Union (Internal Market in Electricity) (No 2) Regulations 2022. As that email is no longer being refused, I do not consider it to fall within the scope of this review and I would expect the DPC to release it to the appellant, if it has not already done so.

18. In light of the above, I am satisfied that this review is concerned solely with whether the DPC was justified, under article 9(2)(d) of the AIE Regulations, in refusing access to Documents 5 and 6 (other than Email 1) and Document 20.

Preliminary Matters

19. I wish to apologise for my error in the previous decision OCE-108913-C6K9T2 and to acknowledge the contribution that this error has made to the delays experienced in this case.

20. A review by this Office is considered to be de novo, which means that it is based on the circumstances and the law as they pertain at the time of this decision. This approach has been endorsed by the decision of the High Court in M50 Skip Hire Recycling Limited v the Commissioner for Environmental Information [2020] IEHC 430.

21. While I am required by article 12(5)(b) of the AIE Regulations to specify reasons for my decision, I must also be careful not to disclose withheld information in my decisions. This means that the detail that I can give about the information at issue and the extent to which I can describe certain matters in my analysis is limited.

Analysis and Findings

Context

22. This case relates to the DPC’s views on data protection considerations regarding the NSMP. Directive (EU) 2019/944 on common rules for the internal market for electricity provides for the establishment of smart metering systems across the EU. It forms part of the Clean Energy Package designed to facilitate the transition away from fossil fuels towards cleaner energy and to deliver on the EU’s Paris Agreement commitments for reducing greenhouse gas emissions while ensuring affordable, secure and sustainable energy for EU citizens (see: https://www.gov.ie/en/publication/f8565-directive-eu-2019944-and-regulation-eu-2019943-on-the-internal-market-for-electricity-recasts/ ).

23. Directive (EU) 2019/944 makes specific reference to data management and Article 23 provides for an obligation on the part of Member States to “organise the management of data in order to ensure efficient and secure data access and exchange, as well as data protection and data security”. It also sets out that the rules on data access and data storage for the purpose of Directive (EU) 2019/944 must comply with Union law and the requirements of the General Data Protection Regulation (GDPR).

24. The European Union (Internal Market in Electricity) (No 2) Regulations 2022 (the 2022 Regulations ) transpose certain obligations set out in Directive (EU) 2019/944. In the course of preparing the 2022 Regulations, the Department of the Environment, Climate and Communications (the Department) sought the views of the DPC in accordance with Article 36(4) of the GDPR and section 84(12) of the Data Protection Act 2018. Article 36(4) of the GDPR provides that “Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing”. Section 84(12) of the 2018 Act provides that “where there is a proposal for a legislative measure for which a Minister for the Government is responsible that relates to the processing of personal data, the relevant Minister shall consult with the Commission during the process of the preparation of the legislative measure”. In particular, the Department sought the views of the DPC on article 6 of the draft 2022 Regulations which, in its enacted form, provides for the data management arrangements associated with the NSMP including a Smart Meter Data Access Code to be developed and published by the Commission for Regulation of Utilities (the CRU), in consultation with the DPC insofar as the Smart Meter Data Access Code relates to the processing of personal data.

Article 9(2)(d) of the AIE Regulations

25. Article 9(2)(d) of the AIE Regulations provides that a public authority may refuse to make environmental information available where the request concerns internal communications of public authorities, taking into account the public interest served by the disclosure. This provision transposes Article 4(1)(e) of the AIE Directive, which in turn is based on part of Article 4(3)(c) of the Aarhus Convention.

26. Article 9(2)(d) must be read alongside article 10 of the AIE Regulations, part of which transposes the second subparagraph of Article 4(2) of the AIE Directive. Article 10(3) of the AIE Regulations requires a public authority to consider each request on an individual basis and weigh the public interest served by disclosure against the interest served by refusal. Article 10(4) of the AIE Regulations provides that the grounds for refusal of a request shall be interpreted on a restrictive basis having regard to the public interest served by disclosure. Article 10(5) of the AIE Regulations provides that nothing in article 8 or 9 shall authorise a public authority not to make available environmental information which, although held with information to which article 8 or 9 relates, may be separated from such information.

27. When relying on article 9(2)(d), the public authority should show that the information at issue is an “internal communication” such that it falls within the scope of the exception. It is then for the public authority to weigh the public interest served by disclosure against the interest served by the refusal, as is required by the exception itself and articles 10(3) and (4) of the AIE Regulations.

28. The term “internal communications” is not defined in the AIE Regulations, the AIE Directive, or the Aarhus Convention. However, the decision of the CJEU in Land Baden-Württemberg, provides some guidance on the internal communications exception.

29. The CJEU noted that the term “communication”, should be given a separate meaning to the terms “material” or “document” (paragraph 40), and that it can be interpreted as relating to “information addressed by an author to someone, an addressee who or which may be an abstract entity – such as ‘members’ of an administration or the ‘executive board’ of a legal person – or a specific person belonging to that entity, such as a member of staff or an official” (paragraph 37).

30. The CJEU also noted that not all environmental information held by a public authority is necessarily “internal” and “[t]hat is so only in the case of information which does not leave the internal sphere of a public authority in particular when it has not been disclosed to a third party or been made available to the public” (paragraph 42). It further commented that “[w]here a public authority holds environmental information that it has received from an external source, that information may also be “internal” if it was not or should not have been made available to the public before that authority received it and it does not leave that authority’s internal sphere after it received it” (paragraph 43). The CJEU stated that such an interpretation of the word “internal” is supported by the objective pursued by the internal communications exception, namely to meet the need of public authorities to have a protected space in order to engage in reflection and to pursue internal discussions (paragraph 44).

31. The CJEU highlighted that the exceptions to the right of access to environmental information should be interpreted restrictively, in such a way that the public interest served by disclosure is weighed against the interest served by the refusal of disclosure. However, it noted that this rule of interpretation cannot limit the scope of an exception in disregard of its wording (paragraph 48). It further stated at paragraphs 49 and 50:

“It follows that the fact that an item of environmental information may be liable to leave the internal sphere of a public authority at a given time, inter alia where it is intended to be published in the future, cannot cause the communication that contains it to cease immediately to be internal in nature.

Furthermore, there is nothing in the wording of Article 4(1)(e) of [the AIE Directive] to suggest that the term ‘internal communications’ should be interpreted as covering only the personal opinions of a public authority’s staff and essential documents or as not including information of a factual nature. Such limitations would, moreover, be incompatible with that provision’s objective, namely the creation, for public authorities, of a protected space in order to engage in reflection and to pursue internal discussions.”

32. The CJEU also stated that the exception is not linked to the development or drawing up of documents, nor does it depend on the extent to which some administrative process has progressed. It stated that the end of such a process or of a stage thereof, marked by the adoption of a decision by a public authority or by the completion of a document, cannot, therefore, be a deciding factor for the applicability of the exception (see paragraph 56).

33. The CJEU held that the “internal communications” exception:

“…must be interpreted as meaning that the term ‘internal communications’ covers all information which circulates within a public authority and which, on the date of the request for access, has not left that authority’s internal sphere – as the case may be, after being received by that authority, provided that it was not or should not have been made available to the public before it was so received” (paragraph 53) and

“…must be interpreted as meaning that the applicability of the exception to the right of access to environmental information provided for by it in respect of internal communications of a public authority is not limited in time. However, that exception can apply only for the period during which protection of the information sought is justified” (paragraph 70)

34. The CJEU noted that the lack of temporal limitation of the scope of the internal communications exception tallies with the objective to meet the need of public authorities to have a protected space in order to engage in reflection and to pursue internal discussions (paragraph 57). It commented that, as the Advocate General observed in his Opinion, “in order to determine whether the need to protect the freedom of thought of the people behind the communication concerned and the ability to exchange views freely continues to exist, account should be taken of all the factual and legal circumstances of the case on the data on which the competent authorities have to take a decision on the case which has been made to them, since, …, the right of access to environmental information crystallises on that date.” (paragraph 57).

35. The CJEU went on to reiterate that “whilst it is true that the exception provided for in Article 4(1)(e) of the [AIE Directive] is not limited in time, it is apparent, however, from that provision itself and the second subparagraph of Article 4(2) of the [AIE Directive] that refusal of access to environmental information on the ground that it is included in an internal communication must always be founded on a weighing of the interests involved” (paragraph 58).

36. The CJEU noted that the interests must be weighed on the basis of an actual and specific examination of each situation brought before the competent authorities in connection with a request for access to environmental information (paragraph 59). The CJEU held that in the case of the “internal communications” exception, that examination is especially important since the material scope of the exception is particularly broad and in order not to render the AIE Directive meaningless, the weighing of the interests that “is required in Article 4(1)(e) and the second subparagraph of Article 4(2) of [the AIE Directive] must be tightly controlled” (paragraph 60).

37. The CJEU outlined that it is apparent from Recital 1 of the AIE Directive that the reasons which may support disclosure and which a public authority must take into account when weighing the interests involve include bringing about “a greater awareness of environmental matters, a free exchange of views, more effective participation by the public in environmental decision-making and…a better environment” (paragraph 62). It also stated that since the examination of a request must take account of the specific interests involved in each particular case, the public authority is required to examine any particulars provided by a requester as to the ground that may justify disclosure of the information sought (paragraph 63). Furthermore, the CJEU commented that public authorities must take into account the time that has passed since the internal communication and the information that it contains were drawn up; the exception can apply only for the period during which protection is justified in the light of the content of such a communication (paragraph 64). It stated:

“In particular, if, in the light of the objective of creating for public authorities, a protected space in order to engage in reflection and to pursue internal discussions, information contained in an internal communication could properly not be disclosed on the date of the request for access, a public authority may, on the other hand, be led to take the view that, on account of its age, the information has become historical and that it is accordingly no longer sensitive, where some time has passed since it was drawn up…” (paragraph 65).

38. Finally, the CJEU noted at paragraph 69:

“…[A] public authority which adopts a decision refusing access to environmental information must set out the reasons why it considers that the disclosure of that information could specifically and actually undermine the interest protected by the exceptions relied upon. The risk of that interest being undermined must be reasonably foreseeable and not purely hypothetical”.

Internal Communications

39. As previously indicated, when relying on article 9(2)(d), the public authority should show that the information at issue is an “internal communication” such that it falls within the scope of the exception. It is then for the public authority to weigh the public interest served by disclosure against the interest served by refusal, as is required by the exception itself and articles 10(3) and (4) of the AIE Regulations. In order to be satisfied that the exception contained at article 9(2)(d) provides grounds for refusal of the information at issue, there must be a reasonably foreseeable risk that disclosure of the information would undermine the interest sought to be protected by the exception. The interest in guarding against that reasonably foreseeable risk by withholding the information, must be greater than the public interest in release.

40. Documents 5 and 6 are email chains made up of individual emails. Having examined the remaining individual emails at issue (Emails 2 to 5), I note that Email 2 was sent by a staff member of the Department (cc’ing another staff member of the Department) to a staff member of the DPC. Email 2 forwards Email 1, which was sent by the Department to the DPC regarding “Statutory-Prior Consultation under Article 36(4) GPR / Section 85(12) DPA 2018” on the development of the draft 2022 Regulations, and is longer being refused. I am satisfied that Email 2 is not an “internal communication” as defined by the CJEU in Land Baden-Württemberg and does not fall within the scope of the exception provided for at article 9(2)(d) of the AIE Regulations. Accordingly, I direct the release of Email 2.

41. Emails 3 to 5, which follow on from Emails 1 and 2, are correspondence between three staff members of the DPC. There is no evidence to suggest that Emails 3 to 5 left the internal sphere of the DPC. I am satisfied that Emails 3 to 5 are “internal communications” and fall within the scope of the exception provided for at article 9(2)(d) of the AIE Regulations.

42. Document 20 is a pdf of a word document entitled “National Smart Metering Programme Summary of data protection considerations”. The DPC submits that “it is an internal note that summarises the (unidentified) author’s views regarding data protection considerations in connection with the [NSMP]” and “it is clear from the content of this note that it was intended to be confidential within the DPC and not to be shared with third parties”. I do not agree that this is immediately clear from Document 20 since neither the author nor addressee are identified in the document itself. I recall in this regard that the CJEU in Land Baden-Württemberg stated that “the word ‘communication’…relates to information addressed by an author to someone, an addressee who or which may be an abstract entity – such as ‘members’ of an administration or the ‘executive board’ of a legal person – or a specific person belonging to that entity, such as a member of staff or an official”. However, the schedule describes Document 20 as a “Briefing note of data protection considerations of the NSMP” (my emphasis). Furthermore, while I must be circumspect in my description of the records, as I do not wish to disclose the content of withheld information, I note that there is a continued reference to “we” in Document 20 (e.g. “we understand…we have sought…we have queried…we have recently become aware”), which does suggest that it is a briefing note written by a staff member of the DPC for the attention of one or more other staff members. I also note that the Grounding Affidavit sworn by an Assistant Commissioner of the DPC contains an averment that he was the author of the document and that he prepared that document for internal use only. I am therefore satisfied that there is a sufficient basis on which to conclude that Document 20 is an “internal communication” and falls within the scope of the exception provided for at article 9(2)(d) of the AIE Regulations.

Public Interest Test

43. While I have found Emails 3 to 5 contained within Documents 5 and 6 and Document 20 to be “internal communications”, that is not the end of the matter. As noted above, when applying article 9(2)(d) of the AIE Regulations it is necessary to weigh the public interest served by disclosure against the interest served by the refusal, as is required by the exception itself and articles 10(3) and (4) of the AIE Regulations.

44. In considering the public interest served by disclosure, it is important to be mindful of the purpose of the AIE regime, as reflected in Recital 1 of the Preamble to the AIE Directive, which provides that “increased public access to environmental information and the dissemination of such information contribute to greater public awareness of environmental decision-making and, eventually, to a better environment.” The AIE regime thereby recognises a very strong public interest in openness and transparency in relation to environmental decision-making.

45. The AIE regime also acknowledges that there may be exceptions to the general rule of disclosure of information, as noted in Recital 16 of the AIE Directive, which provides that “public authorities should be permitted to refuse a request for environmental information in specific and clearly defined cases”. One such case is in respect of internal communications of public authorities. The general public interest in such an exception is evident from the European Commission’s Explanatory Memorandum on the AIE Directive, which notes that “it should be acknowledged that public authorities should have the necessary space to think in private. To this end, public authorities will be entitled to refuse access if the request concerns material in the course of completion or internal communications. In each such case, the public interest served by the disclosure of such information should be taken into account”. This was referred to by the CJEU in Land Baden Württemberg, which clearly stated that the exception is intended to meet the need of public authorities to have a protected space in order to engage in reflection and to pursue internal discussions (paragraph 44).

46. As noted above, the CJEU in Land Baden-Württemberg outlined that there is no temporal limitation on the operation of the exception regarding internal communications (see paragraphs 54 to 57). The CJEU further highlighted that as the exception is potentially very wide, the public interest balancing exercise required must be tightly controlled (paragraph 60). The interests involved must be weighed on the basis of an actual and specific examination of each situation brought before the public authority and myself on appeal (paragraph 59). Despite there being no temporal limit on the operation of the exemption, the CJEU introduced one into the balancing exercise. It noted that public authorities to which a request for access to environmental information in an internal communication has been made must take into account the time that has passed since that communication and the information that it contains were drawn up and that the exception can apply only for the period during which protection is justified in the light of the content of such a communication. It further commented:

“In particular, if, in the light of the objective of creating, for public authorities, a protected space in order to engage in reflection and to pursue internal discussions, information contained in an internal communication could properly not be disclosed on the date of the request for access, a public authority may, on the other hand, be led to take the view that, on account of its age, the information has become historical and that it is accordingly no longer sensitive, where some time has passed since it was drawn up (see, by analogy, judgment of 19 June 2018, Baumeister, C-15/16, EU:C:2018:464, paragraph 54)” (paragraph 65).

47. In its submissions to this Office, the DPC stated that the interests it is seeking to protect by refusing to release the information at issue are the interests in providing public authorities the necessary space to think in private and in maintaining the confidentiality of communications within the DPC when it is performing its core functions. It submitted that if the information at issue were to be released, then these interests would be undermined.

48. Regarding Documents 5 and 6, the DPC stated that they contain email exchanges between DPC staff in which they express views regarding a draft statutory instrument (the draft 2022 Regulations), a code to be adopted under that statutory instrument (the Smart Meter Data Access Code), and their interaction with data protection law. It submitted that it is clear from the content of the exchanges that they were intended to be confidential within the DPC and not to be shared with external third parties. It commented that if the exchanges were required to be released, then this would undermine the interests in providing public authorities with the necessary space to think in private and in maintaining the confidentiality of communications within the DPC when it is performing its core functions. It stated that if email exchanges such as those at issue were susceptible to release, then personnel within the DPC would be denied the necessary space to “think in private.” It outlined that the application of data protection law is context based, turning on the facts of the matter being considered, which underscores the imperative of the space “to think in private”. It submitted that such internal exchanges of views are essential to facilitate the DPC formulating and developing positions and views on matters presented to it for consideration as the national supervisory authority for data protection. It stated that this internal process allows for the DPC to reach a considered position which is then communicated to external parties as the DPC’s official position on such matters. It contended that it would be highly detrimental to the DPC’s ability to perform its core functions as a regulator if the DPC’s internal workings and deliberations were required to be released to the public. It noted that, while it is required to explain and give reasons for the position it takes on compliance matters, this is done when communicating the formal/agreed DPC position to external parties. It submitted that requiring the release of internal communications would severely undermine the DPC’s authority and ability to perform its statutory functions in accordance with due process and fair procedures.

49. Regarding Document 20, the DPC stated that it is “an internal note that summarises the (unidentified) author’s views regarding data protection considerations in connection with the [NSMP].” It submitted that it is clear from the content of the note that it was intended to be confidential within the DPC and not to be shared with external parties. It commented that if the note was required to be released, then this would also undermine the interests in providing public authorities the necessary space to think in private and in maintaining the confidentiality of communications within the DPC when it is performing its core functions. It stated that Document 20 contains internal views presented to colleagues within the DPC for consideration and debate in order to reach the DPC’s final official position. It contended that for the reasons already set out in respect of Documents 5 and 6, the release of internal views such as those contained in Document 20, would seriously undermine the DPC’s ability to give due and proper consideration to all compliance issues presented to it as the national data protection supervisory authority.

50. The DPC stated that, in accordance with articles 10(3) and 10(4) of the AIE Regulations, it weighed the public interest served by disclosure against the public interest served by refusal of the information at issue and determined that the public interest served by disclosure would not outweigh the public interest served by withholding the information.

51. The DPC stated that it considered the public interest in disclosing the information at issue. It stated that the public interest factors considered include openness and transparency in matters of government and the ability of the public to understand the basis for decision making in matters affecting the environment. It noted that, in particular, the DPC’s involvement with the NSMP could provide an insight into the data protection considerations that arise in connection with the NSMP, which the DPC acknowledges has the potential to involve large scale processing of personal data.

52. The DPC stated that it also considered public interest in withholding the information at issue. It stated that the public interest factors considered include the general public interest in providing public authorities with the “necessary space to think in private” which is the interest to be protected by the internal communications exception and the public interest in favour of upholding the confidentiality of internal communications of the DPC when carrying out its core functions, including its function as the national data protection supervisory authority. It submitted that the importance of maintaining the confidentiality of internal communications of the DPC when carrying out its core functions is reflected in the provisions of the Freedom of Information Act 2014 (the FOI Act) and the Data Protection Act 2018 (the DPA). It stated that Part 1(f) of Schedule 1 of the FOI Act exempts all DPC records from the scope of the FOI Act other than those relating to its general administration and that section 12 of the DPA provides the DPC with the power to regulate its own procedures and to disseminate information in relation to its statutory functions as it sees fit. It also referred to section 26 of the DPA, which, it stated, provides that disclosure of confidential information relating to the DPC is a criminal offence and defines confidential information as including any information expressed by the DPC to be confidential. The DPC outlined its view that it is evident that it was the intention of the legislature that the records of the DPC should not be released where the DPC deems that they should be considered confidential. The DPC submitted that its internal processes allow it to reach an official position which is then communicated to external parties and that it would be highly detrimental to its ability to perform its core functions as a regulator if its internal workings and deliberations were to be released to the public.

53. Regarding the balancing test carried out, the DPC stated that the public interest lies in favour of withholding the information at issue. The DPC noted its position that the public interest in transparency in relation to data protection matters arising out of the NSMP does not outweigh the public interest in enabling the DPC to have “the necessary space to think in private”. It submitted that in order to fulfil its functions as the national data protection supervisory authority, in particular in relation to compliance and consultation, it requires the ability to engage internally on matters without public interference. It submitted that the public interest in allowing the DPC the necessary space to think in private is explicitly envisaged by the provisions of the FOI Act and the DPA that protect records of the DPC intrinsically linked with the exercise of the DPC’s core functions from disclosure. It stated that release of the information at issue would undermine the functions of the DPC as the national data protection supervisory authority (particularly in relation to its consultation and compliance functions). It stated that its internal processes allow it to reach a position which is then communicated to external parties as the DPC’s official position on such matters, and, as noted above, it would be highly detrimental to the DPC’s ability to perform its core functions as a regulator if the DPC’s internal workings and deliberations were to be released to the public.

54. The DPC stated that it considered article 10(5) of the AIE Regulations as to whether partial disclosure was possible. As outlined above, regarding Documents 5 and 6 it identified that Email 1 could be separated from the information to be refused under article 9(2)(d) of the AIE Regulations and released. Regarding Document 20, it stated that it had determined that it was not possible to separate out any information contained therein for partial disclosure.

55. During the course of this review, this Office provided the appellant with a summary of the DPC’s submissions. In response, the appellant referred to the CJEU’s judgment in Land-Baden Württemberg, in particular paragraphs 58 to 69, and outlined its position that the DPC had not justified its decision to refuse access to the information at issue. The appellant provided submissions regarding the points made by the DPC, which I can confirm have been considered and I believe can be summarised in the following comments made:

“…the DPC’s essential position is that granting access to its internal communications would always cause harm and that there is never a public interest in release. The DPC makes no reference to the contents of the records or why in this specific case access to these particular records must be refused. It also makes no reference to the timing of release which was a factor specifically identified in [Land-Baden Württemberg] The DPC’s arguments are entirely generic and non-specific.

It also speaks volumes that the DPC hasn’t actually identified how its theory of harm would come about, it simply states that access to internal communications will cause harm without saying how this would in fact happen. The DPC is a statutory body with significant powers, it is very difficult to imagine how releasing information could interfere with the performance of its functions. The DPC has been offered the opportunity to explain precisely what it is about the contents of the three remaining records that make them particularly sensitive to the extent that they engage an exception and must be refused.

In terms of public interest, there is a lot of public controversy over the smart meter program at EU level. This program aims to go from a system where electricity readings are taken quarterly to one where they are taken every 30 minutes and this data is stored for every customer for 7 years. This is very invasive of privacy since this information can be used to determine precise aspects of an individual’s private life, for example what time they go to bed, when they cook their meals, when they go on holidays etc.

See for example: [The appellant provided links to various pieces of commentary relating to the interaction between smart meters and privacy/data protection]

The internet is replete with numerous articles raising concerns about privacy and data protection implications of smart meters”.

56. The appellant further stated “[i]t is not disputed that the three remaining documents contain internal communications or that they are confidential, what is disputed is that there would be any harm involved in release of these specific records and the DPC has not demonstrated this harm, instead it has said that release of any internal communication would automatically cause this harm. That is an unsupportable argument”. In addition to its comments regarding its view that the DPC had failed to identify the specific harm that would result from the release of the particular information at issue, the appellant contended “[r]eferences to the FOI Act and the Data Protection Act are completely irrelevant. The AIE Directive is EU law. National law cannot displace this law nor can it make it a criminal offence to release information under AIE” and “…the legislature has made specific provision for access to environmental information under the AIE Regulations and AIE Directive. What is at issue here is access to three specific records. This is not a debate about access to information generally of the DPC. The DPC may disagree with the AIE Regulations, but as a statutory body it has to comply with them regardless.”

57. As I found above, the “internal communications” at issue that fall within the scope of the exception provided for at article 9(2)(d) of the AIE Regulations comprise Emails 3 to 5 contained within Documents 5 and 6 and Document 20. I wish to reiterate that while I am required by article 12(5)(b) of the AIE Regulations to specify reasons for my decision, I must also be careful not to disclose withheld information in my decisions. This means that the detail that I can give about the content of the emails and the document and the extent to which I can describe certain matters in my analysis is limited.

58. Having examined Emails 3 to 5 contained within Documents 5 and 6, I note that they are emails between three DPC staff members. These three emails make up the latter part of an email chain, the first two emails of which were sent by the Department to the DPC (Emails 1 and 2), seeking the DPC’s views on the development of the draft 2022 Regulations, in particular article 6, in accordance with the statutory requirement to consult the DPC under Article 36(4) of the GDPR and Section 84(12) of the DPA. I am satisfied that Emails 3 to 5 can reasonably be described as setting out and discussing the initial observations and considerations of two DPC staff members regarding article 6 of the draft 2022 Regulations and the Smart Meter Data Access Code, prior to the preparation of a response to the Department. I am also satisfied that the comments on article 6 of the draft 2022 Regulations are inextricably linked to comments on the Smart Meter Data Access Code.

59. Document 20 is a three-page briefing note entitled the “National Smart Metering Programme summary of data protection considerations”, which contains six headings; “Legal basis”, “Data recorded on the meter”, “Communication between the meter and ESB Networks”, “Data sent from the meter to ESB Networks”, “ESBN’s use of data”, and “To note”. During the course of this review, this Office’s investigator informed the DPC of her view that some of the information contained in Document 20 (i.e. all of the information apart from the final bullet point under the heading “Legal basis” and the information under the heading “To note” is factual background detail regarding the NSMP and related data protection considerations that is publicly available (e.g. sections on the ESB Networks website including " More Information on Smart Meters and Data " and " The technology that smart meters use ") and asked the DPC for any comments it had in that regard. In response, the DPC stated that Document 20 set out its provisional understanding of the first five of the six headings. It also stated that Record 20 sets out the DPC’s internal views based on its understanding of the processing taking place at the time and that that this information remains relevant to the DPC’s assessment of complaints.

60. Notwithstanding the DPC’s comments, having examined the content of Document 20, in the context of information publicly available, including on ESB Networks website, I am satisfied that the vast majority of the document is, indeed, factual information, consisting of an overview of the legal regime which applies to the NSMP and of the practical operation of smart meters and the processing of data involved in that operation. However, the final bullet point under the heading “Legal Basis” contains a comment relating to the DPC’s understanding of a particular legal matter and the information under the final heading “To note” contain references some particular queries raised by the DPC in respect of data protection considerations related to the NSMP.

61. The 2022 Regulations have been in place since 25 January 2022, article 6 of which requires the CRU to put in place a Smart Meter Data Access Code, in consultation with the DPC. I understand that the development of the Smart Meter Data Access Code is ongoing. In this regard, I note that on 11 December 2023, the CRU published an Information Paper on the Smart Meter Data Access Code alongside consultation responses to its Proposed Decision on the Smart Meter Data Access Code, including the DPC’s.

62. The DPC, in response to further queries from this Office seeking an update as to whether the final position communicated by the DPC to the Department or, indeed, other relevant parties, in relation to the NSMP could be provided to this Office, stated:

“I can confirm that the DPC has not yet made a formal adjudication on whether the NSMP as currently implemented complies with data protection law. Consultation regarding aspects of the legislation such as the Code of Practice is ongoing, and the DPC has not communicated a final position to the Department or other relevant parties, which includes the Commission for the Regulation of Utilities and ESB Networks, in connection with those consultations. In addition, as is particularly relevant to Record 20…the DPC is currently handling complaints which allege that certain aspects of the NSMP infringe the GDPR, and Record 20 sets out internal views that are relevant to the DPC’s assessment of those complaints.”

63. Having examined Emails 3 to 5 contained within Documents 5 and 6 and Document 20, I am satisfied that the release of that information would provide insight into the DPC’s views regarding data protection considerations related to the NSMP. The roll out of the NSMP and the manner of its operation once rolled out is clearly a matter of environmental decision-making and the decisions taken will have an environmental impact. This is evident from the fact that the NSMP is being carried out as part of the National Climate Action Plan and, as the CRU notes, one of the intended effects of smart metering is to “help us cut CO2 emissions and [lower] our reliance on fossil fuels” (See information on the CRU website

here and on the ESB website here ). It is also evident from the Government's publication on the EU Directive underpinning the NSMP which notes that Directive (EU) 2019/944 forms part of the Clean Energy Package which is designed to facilitate the transition away from fossil fuels towards cleaner energy and to deliver on the EU’s Paris Agreement commitments for reducing greenhouse gas emissions while ensuring affordable, secure and sustainable energy for EU citizens.

64. The objective of the AIE Directive, as set out in Recital 1, acknowledges that environmental decision-making will involve competing priorities and views and suggests that increased access to environmental information is a desirable mechanism for ensuring that debates on how to reconcile those completing priorities and views lead to robust decision-making and, eventually, to a better environment. One element of the debate about smart-metering is the extent to which the environmental benefits of the programme compensate for, or outweigh, the risks or potential disadvantages which might arise from, what the DPC itself acknowledges is, potential large scale processing of personal data of members of the public. A key component of that debate is the extent to which data protection rights are safeguarded as part of the NSMP rollout and its operation.

65. There is undoubtedly a strong public interest in the openness and transparency with regard to the transposition of Directive (EU) 2019/944, the implementation of the NSMP, and the DPC’s views with regard to the development of the 2022 Regulations, the Smart Meter Data Access Code, and data protection considerations related to the NSMP generally.

66. However, it must also be noted that the exception provided for in article 9(2)(d) of the AIE Regulations is designed to protect the “private thinking space” of public authorities. I accept that there is a strong public interest in protecting the space required by the DPC to think in private, engage in reflection, pursue free and frank internal discussions, and develop its views. Furthermore, I acknowledge that there is a strong public interest in maintaining the confidentiality of communications within the DPC when performing its core functions as a regulator and developing a position, prior to communicating a subsequently agreed position and the reasons the on which it is based to external parties.

67. As noted above, I am satisfied that the vast majority of the information at issue in Document 20 is factual information (i.e. all of the information, apart from the final bullet point under the heading “Legal Basis” and the information under the heading “To note”). I cannot see how release of this factual information would undermine the private thinking space of the DPC to the extent it should be considered to outweigh the public interest in disclosure. This information is high-level background detail regarding the NSMP and related data protection considerations that is already known and available to the public (e.g. on the ESB Networks website) and contains no reference to any comments, opinions, or discussions of the DPC. In my view, disclosure of this information will simply show that it has been reviewed by the DPC when further assessing the data protection considerations of the NSMP and will have no serious impact on the maintenance of its “private thinking space”. Accordingly, I direct the release of all the information in Document 20 apart from the final bullet point under the heading “Legal Basis” and the information under the final heading “To note”.

68. I turn now to the remaining information at issue in Documents 5 and 6 (Emails 3 to 5) and in Document 20 (the final bullet point under the heading “Legal Basis” and the information under the heading “To note”). As indicated, I am satisfied that Emails 3 to 5 can reasonably be described as setting out and discussing the initial observations and considerations of two DPC staff members regarding article 6 of the draft 2022 Regulations and the Smart Meter Data Access Code, prior to the preparation of a response to the Department. I am also satisfied that the comments on article 6 of the draft 2022 Regulations are inextricably linked to the comments on the Smart Meter Data Access Code. In respect of Document 20, I am satisfied that the final bullet point under the heading “Legal Basis” contains a comment relating to the DPC’s understanding of a particular legal matter and the information under the final heading “To note” contain references some particular queries raised by the DPC in respect of data protection considerations related to the NSMP.

69. I agree that the DPC requires a safe space to engage internally on matters without public interference in order to both develop its views generally and fulfil its functions as the national data protection supervisory authority. The need for a safe space is most prevalent when the issues concerned are live. While Emails 3 to 5 are from 2020, Document 20 must have been created prior to early April 2021, and the 2022 Regulations have been in place since 25 January 2022, the development of the Smart Meter Data Access Code is ongoing (see https://www.cru.ie/publications/26006/ ) and data protection considerations related to the NSMP generally continue to be assessed. Article 6(2) of the 2022 Regulations states that the CRU “shall, insofar as the Smart Meter Data Access Code relates to the processing of personal data, consult with the Data Protection Commission in relation to the development and publication of the Code. The CRU further explains:

“the Smart Meter Data Access Code is a set of rules and regulations, developed by the CRU, which will determine how smart meter data can be accessed by electricity market participants and third parties. The main objective of the Smart Meter Data Access Code is to ensure customer interests and their respective smart meter data are protected and secure. Therefore, it seen as vital that the Smart Meter Data Access Code is operated and managed efficiently to achieve the objective” (see https://www.cru.ie/publications/26006/)

70. It is clear that data protection considerations related to the NSMP remain a live issue. I note that formal views of the DPC on the matter have been published (e.g. its consultation response to the CRU’s consultation on the Smart Meter Data Access Code). I consider that the release of the initial observations and considerations of the DPC on the draft Regulations 2022, which are inextricably linked to its comments on the Smart Meter Data Access Code contained within in Documents 5 and 6 (Emails 3 to 5), and the remaining information contained in Document 20, which also concerns initial observations on data protection considerations related to the NSMP would undermine the “private thinking space” of the DPC. I consider that to release the information would undermine the DPC’s ability to have free and frank discussions in relation to same.

71. In light of all of the above, I am of the view that in this particular case the public interest in disclosure of the specific information contained in Emails 3 to 5 of Documents 5 and 6 and the final bullet point under the heading “Legal Basis” and the information under the heading “To note” in Document 20 does not outweigh the interest served by refusal. Accordingly, I find, that the DPC’s decision to withhold that particular information under article 9(2)(d) of the AIE Regulations was justified.

72. In accordance with article 10(5) of the AIE Regulations, I am satisfied that information contained within Document 20 which, although held with information to which article 9(2)(d) applies, can be separated from such information. In that regard, I find that partial disclosure of Document 20 is possible. I also find that partial disclosure of Documents 5 and 6 is possible, however, in reaching this conclusion, I am satisfied that Emails 3 to 5 must be refused in full as the information contained therein comprises initial observations and considerations of the DPC on the draft Regulations 2022, which are inextricably linked to its comments on the Smart Meter Data Access Code.

Decision

73. Having carried out a review under article 12(5) of the AIE Regulations, I hereby vary the DPC’s decision in respect of Documents 5, 6, and 20. While I affirm its decision under article 9(2)(d) of the AIE Regulations to refuse access to some of the information at issue, I direct it to release Email 2 contained in Documents 5 and 6 and all of the information contained in Document 20, apart from the final bullet point under the heading “Legal Basis” and the information under the heading “To note”. Also, if it has not already done so, I expect it to release Email 1 contained in Documents 5 and 6 to the appellant, which it stated was longer being refused.

Appeal to the High Court

74. A party to the appeal or any other person affected by this decision may appeal to the High Court on a point of law from the decision. Such an appeal must be initiated not later than two months after notice of the decision was given to the person bringing the appeal.

Ger Deering

Commissioner for Environmental Information