A&L Goodbody is an Irish law firm providing expert legal advice across every aspect of business law.
Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework. This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.
The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.
The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard to human resources (HR) data, as such processing is carried out regularly and cannot be considered “occasional”. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.
Background – What records does the GDPR require controllers and processors to maintain?
Article 30 of the GDPR requires data controllers and processors to maintain records of their processing activities, “in writing, including in electronic form”, and to make these records available to their supervisory authority on request.
Article 30.1 of the GDPR requires each data controller to maintain a record of processing activities which must include the following information:
the name and contact details of the controller and, where applicable any joint controllers, the controller’s representative, and the Data Protection Officer (DPO);
a description of the categories of data subjects and types of personal data;
the purposes of the processing;
the categories of recipients of the personal data;
data retention periods for different types of personal data;
details of non-EEA data transfers and safeguards in place; and
a description of the technical and organisational security measures in place.
Article 30.2 of the GDPR requires each processor, and where applicable the processor’s representative, to maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting and, where applicable, of the controller’s or processor’s representative, and the DPO;
the categories of processing carried out on behalf of the controller;
details of non-EEA transfers and safeguards in place; and
a description of the technical and organisational security measures in place.
What derogations exist?
Article 30.5 contains a derogation from the record-keeping obligation for organisations employing fewer than 250 employees. However, this derogation is not absolute. It does not apply in regard to three types of processing, namely:
(i) processing that is likely to result in a risk to the rights and freedoms of data subjects,
(ii) processing that is not occasional (the WP29 considers that a processing activity is only “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor), or
(iii) processing that includes special categories of data (i.e. sensitive data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or data relating to criminal convictions and offences
The WP29 emphasises that these three types of processing, to which the derogation does not apply, are alternatives, and the occurrence of any one of them alone triggers the obligation to maintain a record of processing activities. However, organisations with fewer than 250 employees need only maintain records of processing activities for the particular types of processing mentioned in (i) to (iii) above. Other processing activities do not need to be included in the record of processing activities.
The WP29 encourages Supervisory Authorities to support organisations by making available on their websites a simplified model that can be used by organisations to keep records of processing activities. The UK Information Commissioner has published helpful guidance on the record-keeping obligation to help controllers and processors understand their responsibilities.
On 26 March 2018, the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks. It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.
It remains to be seen whether the measures taken will be sufficient to appease the Article 29 Working Party (WP29), which raised a number of concerns about the EU-US Privacy Shield in November 2017. In particular, the WP29 called for the appointment of an independent Ombudsperson to be prioritised, for the exact powers of the Ombudsperson mechanism to be clarified, including through the declassification of internal procedures, and for the appointment of PCLOB members. It called for those prioritised concerns to be resolved by 25 May 2018, and its other concerns to be addressed at the latest at the second joint review. The WP29 warned that if no remedy was brought to address its concerns in the given time-frames, it would take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling. Whilst the DOC’s update notes that President Trump has nominated three individuals to the PCLOB, it does not clarify whether Ambassador Judith G Garber, who has been ‘acting’ as Privacy Shield Ombudsman, has been permanently appointed to that role, nor is there any mention of declassification of the internal rules of procedure of the Ombudsperson.
On a positive note, the DOC’s update shows that the US has made efforts to address other concerns raised by the WP29, including publishing enhanced guidance on the self-certification process; strengthening monitoring and enforcement of the Shield, through random spot-checks on certified organisations and proactive checks for false certification claims, and developing user-friendly guidance material for individuals, businesses and authorities.
The DOC’s update also highlights that the US government has expressly confirmed that Presidential Policy Directive 28 (PPD-28), providing protection to individuals regardless of nationality with respect to signals intelligence information, remains in place without amendment. In addition, Congress has reauthorized FISA section 702, reportedly maintaining all elements on which the European Commission’s Privacy Shield determination was based.
The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual Clauses as a legal mechanism to transfer personal data out of the EEA.
Litigation & Data Transfers
The Report highlights the Irish High Court’s decision in October 2017, in DPC v Facebook and Schrems, to refer questions as to the validity of the Standard Contractual Clauses to the EU Court of Justice (CJEU). That reference will be made during 2018, once the High Court has finalised the specific questions to be referred to the CJEU (see our previous blog). In addition, the EU-US Privacy Shield was subject to, and survived, its first annual review carried out by the European Commission and to which the Article 29 Working Party (WP29) contributed. The DPC also acted as lead reviewer in relation to 14 Binding Corporate Rules (BCR) applications, and co-reviewer in three BCR applications. It is envisaged that, with the recognition of BCRs as a tool to transfer data under the GDPR and the introduction of the one-stop-shop mechanism, there will be an increase in BCR applications to the DPC from May 2018.
In December 2017, the CJEU delivered its ruling in Nowak v DPC (see our previous blog) on foot of a reference from the Irish Supreme Court. In that case, the CJEU ruled that an exam script was “personal data” because even if the examiner did not know the identity of the candidate when he/she was marking the exam, the exam board had the information needed to identify the candidate through his/her identification number. Following its earlier decision in Breyer (2016), the CJEU held that in order for information to be treated as “personal data” there is no requirement that all the information enabling the identification of the data subject be in the hands of one person, so long as there is a means reasonably likely to be used to identify the data subject. The CJEU further ruled that the examiner’s comments were “personal data” as they constituted information “relating to” the candidate. The Report notes that this decision gives rise again to the debate about what one academic has termed the “unfathomable scope” of data protection law.
Finally, at an international level, the Report highlights that the US Supreme Court has accepted for hearing the US Department of Justice’s appeal concerning its attempt to obtain, by US court warrant under the 1986 Stored Communications Act, data held by Microsoft on a service in Ireland. Microsoft contends that people’s privacy rights should be protected by the laws of their own countries, and that US law enforcement needs to go through Irish authorities if they want to obtain the emails. The US has a Mutual Legal Assistance Treaty (MLAT) with Ireland, and Microsoft argues that US law enforcement could simply use the MLAT to ask Irish authorities for help. The DPC notes that cases such as this “demonstrate the burgeoning importance of data protection and privacy as fundamental human rights.”
Proactive Engagement with the Financial Sector
The Report notes that one of the significant areas of development in 2017 in the Financial Sector was the entry into the marketplace of third party payment and account information service providers under the Payment Services Directive 2015/2366 (PSD2). In 2018, the DPC intends to continue its engagement with key stakeholders, including industry representative bodies, financial services regulators, relevant Government Departments and its EU counterparts, to assist both banks and new entrants from the FinTech sector in ensuring that the processing of personal data in the provision of innovative payment products under PSD2 complies with data protection law, particularly the GDPR principle of transparency. The DPC also intends to further engage with the Financial Sector in relation to other evolving areas such as Anti-Money Laundering (AML) (in relation to the 4th and anticipated 5th AML Directives), anti-fraud and credit reporting, which involve the large-scale processing of customers’ personal data.
Other Engagement Activities
The DPC also engaged with multinational technology and social media companies during 2017, which spanned over 100 meetings. The DPC’s priority was to ensure these companies have a lawful basis for collecting personal data and provide full transparency to users so that they can understand the business model and implications of free services and how their personal data is monetised and used. Driving higher standards of protection for children when using the internet and social media has also been a key concern.
In addition, the DPC’s office engaged extensively with the WP29, acting as “lead rapporteur” on the GDPR Transparency Guidelines with responsibility for drafting and preparing these Guidelines, in conjunction with other WP29 members. The Guidelines were published in preliminary form for EU wide consultation in December 2017, and are expected to be finalised and adopted by the WP29 in April 2018. Speaking at A&L Goodbody’s recent breakfast seminar, ‘GDPR – The Last Lap’, Ms Morgan, Deputy DPC, noted that she was reviewing 66 consultation responses on the preliminary Guidelines, including a number of objections to the requirement for controllers to provide information to data subjects in privacy notices on the outcome of the balancing test when relying on “legitimate interests” as a basis for lawful processing. The schedule to the Guidelines sets out the WP29’s comments on the extensive information that must be provided to data subjects in privacy notices post-May 2018.
The Report notes that the nature of the consultation queries received by the DPC indicates that data protection is becoming a more significant boardroom issue, and there is a growing appreciation among businesses of the reputational damage and financial loss that can be caused by the mishandling of personal data. The DPC emphasises that it is “imperative… in line with the principle of accountability” that organisations can stand over and justify their data processing arrangements and be able to demonstrate compliance with the GDPR.
Complaints & Prosecutions
The DPC received 2,642 complaints in 2017, up from 1,479 in 2016 (a 79% increase from 2016) with the largest single category continuing to concern “Access Rights” which made up 1,372 (or 52%) of the total. The majority of complaints were resolved amicably, with only 34 written statutory decisions being issued. The Report highlights that most of the complaints which could not be resolved amicably concerned issues arising as a result of the financial crash, in particular cases involving the transfer of loan books to new lenders and receiverships where buy-to-rent owners are involved, as their fundamental grievance relates to the underlying transaction itself or the actions of the lender, rather than data protection issues per se. The Report points out that whilst personal data is transferred and processed in such circumstances, it is generally provided for in the original terms the borrower signed.
The case study section of the Annual Report sets out 17 illustrative complaints which the DPC handled during 2017. The case studies relate to a wide variety of data protection issues such as: use of CCTV footage by an employer in a disciplinary process; failure to respond fully to an access request; unlawful disclosure of personal data by an employee via a social media app; failure of an employer to impose access restrictions to medical data of an employee, and unsolicited marketing offences.
A number of prosecutions were successfully pursued by the DPC, including six entities for unsolicited electronic marketing. The DPC’s Special Investigations Unit also continued its work in the Private Investigator sector resulting in several prosecutions. Given the high level of breaches uncovered in the Private Investigator sector, the DPC intends to continue to focus on this sector for the foreseeable future.
Investigations & Audits/ Inspections
Over 91 audits/inspections were carried out in 2017. The Special Investigations Unit also carried out a number of investigations, including in regard to the processing of patients’ sensitive data by hospitals, where such data was being held in publicly accessible areas. On a geographical basis, the hospitals inspected represented a broad sample from across the State, including HSE facilities, private and voluntary hospitals. Building on the findings of the hospital inspections, the Special Investigations Unit is currently drawing up an overall investigation report for dissemination in the first half of 2018, to every hospital in the State. Matters of concern found in the twenty hospitals inspected include: controls in medical record libraries; storage of confidential wastepaper within the hospital setting; and lack of privacy when discussing medical and other personal issues. Having disseminated the overall report to all hospitals, the DPC will seek an action plan from each of them outlining how and when they will implement the recommendations.
The DPC also conducted an audit of certain prescribed state agencies who are permitted to make requests to communications service providers (CSPs), for disclosure of metadata (i.e. call and traffic data) relating to phone and internet records pursuant to the Communications (Retention of Data) Act 2011, for the purpose of the prevention, investigation, detection and prosecution of serious crime. The DPC conducted a series of audits of disclosure requests processed by CSPs to ensure the processing of such requests was in compliance with data protection law. The 2011 Act assigns a specific role to the DPC as national supervisory authority for the purposes of that Act. The DPC made a number of recommendations in terms of security measures, procedures and oversight which should be implemented by CSPs, and will conclude its series of audits of CSPs in 2018. The Report notes that last October 2017, the Government published draft legislation to replace the 2011 Act, namely the General Scheme of the Communications (Retention of Data) Bill 2017 in response to Chief Justice Murray’s Report which identified numerous failings with the current regime. The DPC warns that retaining the current status quo is “simply not an option” and urges the Irish Government to immediately prioritise the new legislation, which includes a requirement for judicial pre-authorisation for access by state agencies to data and proactive notification to users after the fact (see our previous blog on this draft Bill).
There was a surge in data breach notifications in 2017, the majority continuing to come from the financial services sector. A total of 2,795 breaches were recorded by the DPC in 2017, an almost 26% increase from 2016, despite the mandatory requirement under the GDPR to report data breaches posing a risk to data subjects not kicking in until 25 May 2018. Ms Morgan noted at A&L Goodbody’s breakfast seminar that post-GDPR the DPC’s office expects to receive up to 100,000 breach notifications per year, a number of which are likely to be unnecessary, as organisations will play it safe, notifying even where the circumstances of the incident do not bring it within the definition of a personal data breach in Article 4(12) of the GDPR. Ms Morgan warned that flooding her office with incidents which do not fall within that definition, in an attempt to ward off regulatory action, will be counter-productive and will result in enforcement action against organisations to prevent on-going notification of non-breach incidents. However, the DPC will equally enforce against those organisations which under-declare the severity of a breach. The annex to the WP29 Guidelines on Breach Notification helpfully provides a non-exhaustive list of examples of reportable breaches, which is well worth reading.
In 2017, the DPC’s office investigated 19 data breaches involving multinational companies. The DPC highlighted that these breaches largely involved overreliance on data processors to implement appropriate security measures, such as reliance on the default security settings offered by cloud-service providers, which in many cases led to unauthorised access to personal data; failure to ensure that processors complied with their obligations to securely process personal data on the instruction of the controller, and failure to undertake periodic reviews of security measures and apply critical updates and security patches. Companies should take note of these common types of breaches, as they will face significant fines, as well as potential compensation claims, for such breaches post-May 2018.
The Year Ahead
The Report sets out the DPC’s main goals for 2018, which include:
Proactively targeting and engaging with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing;
Providing guidance to controllers and processors on its microsite www.GDPRandyou.ie;
Pursuing regulatory action, including sanctions, in a “lawful, fair, proportionate and effective manner”, with the objective of driving better compliance and accountability by organisations in upholding their data protection obligations;
Engaging proactively at EU level through the WP29 in the development of a harmonised interpretation of the new laws and the preparation of GDPR guidance;
Engaging with stakeholders and other EU supervisory authorities to identify areas of bad practice and serious non-compliance, which may require enforcement measures, and
Driving improved compliance with data protection obligations through investigations and audits targeting high-risk and large-scale processing of personal data.
The DPC, like other stakeholders, is eagerly awaiting the finalisation and enactment of the Irish Data Protection Bill 2018, which is currently before the Oireachtas. That legislation will give further effect to the GDPR in areas where national derogations are permitted, and will transpose the Law Enforcement Directive into Irish law, as well as further underpinning the structures, functions and powers of the DPC. The Irish Government has committed to finalising the Bill by 25 May 2018, when the GDPR comes into force.
As a follow-up on its Communication of September 2017 on tackling illegal online content, the European Commission has published a non-binding “Recommendation” which formally lays down operational measures which online platforms and Member States should take, before it determines whether it is necessary to propose legislation to complement the existing regulatory framework. The Recommendation applies to all forms of illegal content which are not in compliance with EU or Member State law, such as terrorist content, racist or xenophobic illegal hate speech, child sexual exploitation, illegal commercial practices, breaches of intellectual property rights and unsafe products. The Recommendation puts pressure on online platforms to implement more proactive measures to ensure faster detection and removal of illegal content online. It has been criticised by digital human rights organisations as essentially forcing online platforms to “voluntarily” police and censor the internet, without respect for the fundamental right to freedom of expression.
The Commission acknowledges that progress has been made in regard to removing illegal content through voluntary arrangements, including the EU Internet Forum on terrorist content online, the Code of Conduct on Countering Illegal Hate Speech Online and the Memorandum of Understanding on the Sale of Counterfeit Goods. For example, in regard to the Code of Conduct, internet companies now remove on average 70% of illegal hate speech notified to them and in more than 80% of these cases, the removal takes place within 24 hours. However, notwithstanding this progress, the Commission states that illegal content online remains a serious problem within the EU. It states that the Recommendation is without prejudice to the position of hosting service providers under the e-Commerce Directive 2000/31/EC, and the enforcement of their terms of service in accordance with EU and national law. The e-Commerce Directive contains liability exemptions available to certain online service providers, including ‘hosting’ service providers, where they act expeditiously to remove or disable access to illegal content that they store upon obtaining knowledge of such content.
The Recommendation relates to the activities of all hosting service providers, irrespective of whether they are established in the EU or in a third country, provided that they direct their activities to consumers residing in the EU. The Commission’s recommendations include:
Takedown notices – Hosting providers should provide mechanisms for the public to submit takedown notices. Those mechanisms should be easy to access, user-friendly and allow for the submission of notices by electronic means.
Informing content providers – Where a hosting service provider decides to remove illegal content, it should inform the content provider of that decision, as well as the possibility to contest that decision via a counter notice, unless it is manifest that the content is illegal, or a law enforcement authority has requested that the content provider is not informed for reasons of public policy and public security.
Out of court dispute settlements – Member States are encouraged to facilitate, where appropriate, out-of-court settlements to resolve disputes related to the removal of illegal content.
Transparency – Hosting service providers should publish explanations to the general public on their content management policy and, at regular intervals (at least annually), reports on their activities relating to the removal of illegal content. Those reports should include, in particular, information on the amount and type of content removed, on the number of notices and counter-notices received and the time needed for taking action.
Proactive measures – Hosting service providers are encouraged to take proactive measures to identify and remove illegal content, including automated means such as upload filters, where appropriate.
Safeguards – To accurately assess whether content identified via automated tools is actually illegal, hosting providers should put in place necessary safeguards, including a human review step before content is removed.
Cooperation between hosting providers and member states – Fast-track procedures should be provided to process notices submitted by law enforcement authorities. Member States are encouraged to establish legal obligations for hosting service providers to promptly inform law enforcement authorities of any evidence of alleged serious criminal offences involving a threat to the life or safety of persons obtained in the context of their removal of illegal content.
Cooperation between hosting providers – Hosting service providers should, where appropriate, share experiences, technological solutions and best practices to tackle illegal content online among each other.
No hosting of terrorist content – Hosting providers should explicitly state in their terms of service that they will not host terrorist content.
One-hour takedown rule – As terrorist content is particularly harmful, hosting providers should as a general rule remove such content within one hour of its flagging by law enforcement authorities and Europol.
Regular and Transparent Reporting – Member States should submit information to the Commission on the removal of terrorist content within three months, and illegal content within six months.
The Commission will be monitoring actions taken by online platforms in response to the Recommendation, and will then determine whether further regulatory measures, including legislation, are required.
Ireland implemented the Data Retention Directive 2006/24/EC (the Directive) by means of the Communications (Retention of Data) Act 2011 (the 2011 Act). The Directive requires communications service providers to retain metadata relating to phone and internet communications, such as traffic, location and subscriber data (but not the content of communications), for 6 to 24 months, to ensure the data are available for designated authorities, such as the police and security services, for the purpose of the prevention, investigation, detection and prosecution of serious crime. In April 2014, in the Digital Rights Ireland case, the CJEU declared the Directive invalid on the basis that: the requirement for service providers to retain all communications data, even of persons not suspected of involvement in serious crime, was disproportionate; the Directive failed to set objective criteria determining how and when national authorities could access and use retained data; the Directive failed to protect individuals’ rights by means of procedural safeguards such as prior review of access requests of designated authorities by a court; and the Directive failed to stipulate that communications data be retained within the EU. Despite the CJEU declaring the Directive to be invalid, the State’s data retention regime has continued to operate under the 2011 Act.
In December 2016, in the Tele2 case, the CJEU ruled that EU law prohibited general and indiscriminate retention of traffic and location data, and that procedural safeguards such as prior review of access requests made by designated authorities by an independent body, such as a court, were essential. The Murray Report, published in October 2017, further criticised many aspects of the 2011 Act, including: the lack of independent vetting and authorisation of access requests made by designated authorities; the lack of coherence (“legislative scatter”) in the statutory rules governing the retention and disclosure of data; failure of the Act to set out clear objective criteria governing data retention and disclosure; absence of clear procedures and protocols to be followed by authorities given access to retained data; failure to provide for notification of persons whose data is disclosed; a lack of remedies for wrongful access to retained data; and a failure to require communications service providers to keep data within the EU.
The Draft Bill
The General Scheme of the Communications (Retention of Data) Bill 2017 provides for:
the repeal of the 2011 Act;
the exclusion from retention of the contents of communications, such as recordings of voice calls or the text and image contents of emails or websites;
the designation of An Garda Síochána, the Defence Forces, the Revenue Commissioners, the Garda Síochána Ombudsman Commission (GSOC) and the Competition and Consumer Protection Commission (CCPC) as the statutory agencies having authority to request access to retained data;
the retention by service providers of information that identifies subscribers for 12 months, and access to it by designated officers of the statutory agencies in connection with specific serious offences;
traffic and location data to be retained only by order of the Minister for Justice and Equality on foot of an application by the head of one of the statutory agencies;
access by designated officers to traffic and location data to be conditional on an order of an authorising judge, and to be restricted to purposes relating to certain serious offences;
access without a judge’s order to be permitted only in cases of urgency;
service providers to keep retained data securely in the EU, and all retained data to be destroyed when proceedings or investigations conclude;
criminal penalties for service providers that fail to comply with obligations;
periodic review of the Act’s operation by a designated judge;
reports of the designated judge and of the statutory authorities to be laid before the Oireachtas; and
persons who are the subject of or are affected by a disclosure to be notified of that fact, and to have access to the complaints procedure under the Interception of Postal Packets and Communications Messages (Regulation) Act 1993.
The Committee has made a number of recommendations, which it hopes will inform the drafting of the final Bill, to ensure that the State’s data retention legislation is fully compliant with EU law. The Committee’s recommendations include:
1) Journalists and their sources: The Committee recommends, per the Murray Report, that it should be made explicit that retaining or accessing data in order to identify journalists’ sources should be permitted only where prior judicial authorisation has been secured and there is an overriding requirement in the public interest. In principle, access should be permitted only when the journalist (and not somebody else) is the object of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
2) Rights to notification: Persons whose retained data is disclosed should be notified of that fact, provided that doing so is unlikely to prejudice an investigation.
3) Judicial remedy: The Committee recommends, per the Murray Report, that persons whose rights have been affected by access to retained data should have an appropriate judicial remedy, expressly provided for in legislation.
4) Independent monitoring authority: The Committee believes that the current system, retained in the General Scheme, of oversight by a designated judge of the High Court, is not a sufficiently robust protection against the potential for excessive surveillance. The Committee recommends therefore the establishment of an independent authority, chaired by a senior judge. This body should be fully accountable to the Houses of the Oireachtas and furnish periodic detailed reports on its activities; and it should be provided with the necessary resources and technical expertise to perform its functions.
5) Test to be applied for retaining data: The Committee recommends that a Ministerial Order for data retention should only be made where ‘strictly necessary’. A time limit of no more than three months should also be set for the retention of such data.
6) Targeted data retention: The Committee believes that in order for the proposed legislation to be fully compliant with EU law, it must limit and clearly set out the circumstances in which data can be retained. In line with the Tele2 ruling, a Ministerial Order for data retention must be targeted. There must be an established connection between the data to be retained and the objective pursued.
7) Access to third party data: Heads 8 and 9 of the General Scheme are overly permissive in allowing access to the data of entirely unconnected third parties where this is “likely to assist in the prevention, detection, investigation or prosecution of that offence.” The Committee recommends that this be restricted, in line with the Tele2 ruling, so that a person whose information is demanded must be in some way implicated in the offence before access to his or her data can be granted.
8) Precise definitions of data: The definition of “traffic and location data” in Head 1 of the General Scheme is potentially very broad in its scope. It should be amended to ensure that the legislation cannot be used to require the logging of information about web browsing or other information which tends to reveal the content of communications. The precise categories of data that can be retained should be explicitly set out in the legislation.
9) Compensation: The Committee believes that the current power under the 2011 Act of the Complaints Referee to award compensation to individuals whose data has been accessed in contravention of the legislation should be retained.
10) Retrospective authorisation: An urgency exception should only be provided for where accompanied by a requirement that the authority seeking disclosure must subsequently provide objective evidence of the need for urgent and immediate access without prior authorisation, and must submit, as soon as possible thereafter, an application to the independent body or designated judge for retrospective authorisation.
The Bill is listed as “priority legislation for publication” in the Government’s legislative programme for Spring/Summer 2018. We will post further updates on the progress of the Bill in due course.
Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR – The Last Lap’, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).
Currently, notification of a data breach to the Office of the Data Protection Commissioner is a recommended action, but is not compulsory. The GDPR (Article 33) introduces a requirement that a personal data breach be notified to the DPC (or, in the case of a cross-border breach, to the lead supervisory authority) and, in certain cases (Article 34), that the breach be communicated to the individuals whose personal data have been affected. Notification of merely potential data breaches is not required. Notifications must be made without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach.
The GDPR adopts a risk-based approach: the obligation to notify does not arise where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The onus is on the data controller to assess the risk associated with the breach, rather than notifying immediately and relying on the DPC to conduct the risk analysis for it. This is in keeping with the concept of data controller accountability under the GDPR.
It is also clear that a data controller flooding the DPC with an avalanche of notifications cannot be carrying out a genuine risk analysis. Ms Morgan has warned that controllers must undertake the risk analysis before making a notification to the DPC, and that data controllers who persistently notify ‘non-notifiable’ data breaches risk having enforcement action taken against them, in order to prevent the ongoing notification of non-breach incidents. Ms Morgan has advised that companies should consult the Article 29 Working Party Guidelines on Breach Notification to familiarise themselves with the data breach scenarios which may or may not require a notification; the Guidelines include some non-exhaustive examples in the Annex.
A new online notification procedure will be live on the DPC’s website in the coming months. This form will be detailed in nature, requiring companies to self-declare the severity of the data breach that they are reporting, and to give details on the nature of the breach e.g. ‘was it accidental, was it a deliberate hack?’. This submission should be given due consideration by notifying entities, as the DPC has indicated that it will take enforcement action against those organisations which are under-declaring the severity of the breach. In preparation for 25 May 2018, companies are advised to ensure procedures and processes are in place, which can distinguish between ‘breach’ and ‘non-breach’, ‘high risk’ and ‘low risk’, all within 72 hours.
Following on from Davinia’s post last week, we have now prepared an update that covers the key aspects of the Data Protection Bill 2018 of most relevance to businesses that are in the process of preparing for the GDPR.
The Government has published the eagerly awaited Data Protection Bill 2018 to give effect to the GDPR (2016/679) and to provide, in the limited areas permitted, for national derogations. The Bill repeals the Data Protection Acts 1988 and 2003 (the Acts), except for those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State. It also provides for restrictions on individuals’ rights similar to those which currently exist under section 5 of the Acts, such as in regard to data processed for the prevention, detection, investigation and prosecution of criminal offences, or for the exercise or defence of legal claims.
The GDPR does not impose any criminal sanctions on controllers or processors for contravening its provisions, but leaves it to Member States to do so, and the Bill provides for a number of offences. Unsurprisingly, the Bill proposes that enforced access requests; unauthorised disclosure of personal data by a processor or by an employee or agent of the processor; and disclosure of personal data obtained without authority will continue to constitute offences post-May 2018. These offences will be punishable by a fine of up to €50,000 and/or up to 5 years’ imprisonment. The Bill also proposes the continuation of personal criminal liability for directors, managers, secretaries or other officers of a company for offences committed by the company which are proved to have been committed with the consent or connivance of, or to be attributable to any neglect of, such persons.
One of the surprising provisions in the Bill is that enabling a data subject to mandate a not-for-profit organisation to lodge a complaint with the Data Protection Commissioner (to be replaced by the ‘Data Protection Commission’), or to bring a judicial action, on his or her behalf in regard to damage suffered as a result of a controller or processor infringing the GDPR. However, the Bill does not allow the court in such a representative action to award compensation for any material or non-material damage suffered by the relevant data subject; rather, the court may only grant relief by way of an injunction or declaration. It remains to be seen whether this means not-for-profit bodies will be able to take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law. There does, however, appear to be an appetite to permit class actions here, as demonstrated by the recently published Private Members’ Multi-Party Actions Bill 2017, and it is likely that the introduction of the right to representative data protection actions will increase the risk of group privacy claims against businesses under the GDPR.
The Bill also contains a new lawful processing ground, specifically permitting health data to be processed for insurance and pension purposes, where necessary for a policy of insurance or life assurance; a policy of health insurance or health-related insurance; an occupational pension; a retirement annuity contract or other pension arrangement, or the mortgaging of property. The GDPR leaves it to Member States to provide for the circumstances when personal data relating to criminal convictions and offences may be lawfully processed, and the Bill sets out specific circumstances where such processing is permitted.
We will provide you with further insights on the Bill shortly.
The Minister for Communications, Denis Naughten, has confirmed that plans to appoint a Digital Safety Commissioner for Ireland (DSC) will go ahead in 2018. The DSC will act as an ‘Internet regulator’, with powers of enforcement and responsibility for a ‘notice and takedown’ regime, to ensure the online safety of Internet users.
The proposal for a DSC is contained in a Report from the Law Reform Commission (LRC) on Harmful Communications and Digital Safety, which also contains a draft legislative proposal. The LRC has recommended that the scope of regulation by the DSC should include all ‘digital service undertakings’, which would be defined very broadly to cover intermediary service providers, internet service providers, internet intermediaries, online intermediaries, online service providers, search engines, social media platforms and websites and telecommunications undertakings.
The DSC mechanism is partially inspired by the systems in place in Australia and New Zealand, which attach specific timelines to the obligation to remove unlawful material, with removal generally being required within 48 hours. In Ireland, under the current LRC proposals, the DSC would be mandated to develop a national Code of Practice for takedown procedures, containing detailed and practical guidance on the procedure for ‘takedowns’, a requirement that the takedown procedure be made available free of charge, and timelines within which offending material should be removed.
It should be noted that the Australian and New Zealand regimes were implemented on a somewhat blank legislative canvas. Any proposal in Ireland must be compliant with the overarching requirements of the eCommerce Directive (which does not contain mandatory timelines, but requires internet intermediaries to ‘act expeditiously’ or risk losing their legal immunity). It remains to be seen whether an additional layer of Irish regulation on tech and Internet companies would have any impact on Ireland’s international reputation as an attractive place to do business.
An Taoiseach Leo Varadkar had previously indicated that Government plans to appoint a DSC were ‘on hold’, however, he has since clarified that he may have ‘mis-spoken’.
The Department of Communications has organised an open digital safety forum on March 8 at the Royal Hospital Kilmainham involving Gardaí, Interpol, NGOs, state bodies and parents groups. We await further detail on this proposal.