Cases
Joanna Block & Gabriel Oser (Legal Guardians to V.O Minor) vs. Karim Anjarwalla
Case Summary
This case involves a complaint brought by Joanna Block and Gabriel Oser, the legal guardians of a minor, against Karim Anjarwalla. The complaint concerns the alleged unlawful disclosure of the minor's personal data by Anjarwalla on LinkedIn. The Office of the Data Protection Commissioner (ODPC) was tasked with investigating the complaint, which included examining whether there was a breach of the Data Protection Act, 2019, and whether the minor’s personal data was improperly disclosed without consent.
Issues for Determination
- Whether the ODPC has jurisdiction to determine the complaint.
- Whether there was an infringement of the minor's personal data under the Data Protection Act, 2019.
- Whether the complaint was sufficiently addressed by the Respondent.
- Whether the Complainants are entitled to the remedies sought for the alleged breach.
Determination
The Office of the Data Protection Commissioner (ODPC) has determined that the complaint filed by Joanna Block and Gabriel Oser against Karim Anjarwalla, alleging the unlawful disclosure of their minor's personal data on LinkedIn, is within its jurisdiction to investigate. Despite the Respondent's assertion that the information disclosed was part of public judicial records, the ODPC finds that the minor’s data, specifically the name and residential address, was not anonymized, which is a breach of the Data Protection Act, 2019. The ODPC acknowledges the Respondent's immediate action to delete the LinkedIn post upon realising the breach but concludes that the failure to anonymize the minor's data initially constitutes an infringement of the minor's rights under the Act. Therefore, the ODPC holds that the Respondent did violate the Data Protection Act by disclosing the minor's personal data without consent and without anonymization.
Analysis
On whether the ODPC has jurisdiction to handle the complaint
The ODPC examined its mandate under the Data Protection Act, 2019, and determined that it has the authority to investigate complaints related to the unlawful processing of personal data. The Complainants alleged that their minor’s personal data was disclosed without consent, a clear concern under the Act. Although the Respondent argued that the information disclosed was part of public judicial records, the ODPC maintained that the jurisdiction to investigate potential breaches of the Act remains within its purview. Therefore, the ODPC confirmed its jurisdiction to handle this complaint, emphasising its responsibility to protect personal data irrespective of the source of the data.
On whether the personal data was unlawfully disclosed by the Respondent
The ODPC reviewed the LinkedIn post made by the Respondent, which included the minor's name and residential address. According to Section 33 of the Data Protection Act, 2019, personal data relating to a child should not be processed without the consent of the parent or guardian. The Respondent did not anonymize the minor’s data in the LinkedIn post and did not obtain consent from the Complainants. Although the Respondent deleted the post upon being notified, the initial disclosure constituted an unlawful processing of the minor’s personal data. The ODPC determined that the failure to anonymize sensitive information and the lack of necessary consent amounted to a breach of the Data Protection Act.
On whether the disclosed data falls under public records as per the Evidence Act and the Public Archives and Documentation Service Act
The Respondent argued that the Plaint containing the minor's personal data is a public record and its publication does not breach data protection laws. While acknowledging that court documents are public records, the ODPC emphasised that the Data Protection Act still requires compliance with data protection principles when processing such records, especially those involving minors. The Act stipulates that data relating to children must be handled with extra protection, including anonymization to safeguard their identity. Therefore, even though the Plaint is a public document, the Respondent’s failure to anonymize the minor’s data was inconsistent with the requirements of the Data Protection Act.
On whether the ongoing High Court proceedings affect the ODPC’s determination
The ODPC considered the parallel proceedings in the High Court, where the Complainants sought similar relief. While recognizing the High Court's jurisdiction over certain aspects of the case, the ODPC focused on its statutory mandate to investigate breaches of the Data Protection Act. The existence of High Court proceedings did not preclude the ODPC from fulfilling its role in protecting personal data. The ODPC ensured that its determination was based strictly on issues of data protection, thereby avoiding potential conflicts with the High Court’s jurisdiction. Consequently, the ODPC concluded that its investigation and determination were justified and necessary to uphold the principles of data protection as outlined in the Act.