A&L Goodbody is an Irish law firm providing expert legal advice across every aspect of business law.
The European Parliament has voted for the suspension of the Privacy Shield unless the U.S. complies by 1 September 2018. The non-binding resolution was passed 303 to 223 votes, with 29 abstentions. Parliament takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by EU data protection law and the EU Charter as interpreted by the European Court of Justice (CJEU). It considers that, if the US is not fully compliant by 1 September, then the Commission has failed to act in accordance with Article 45(5) GDPR and the Commission should suspend the Privacy Shield until the US authorities comply with its terms.
Following the Facebook-Cambridge Analytica data breach, Parliament emphasised the need for better monitoring of the Shield, given that both companies are certified under the Shield. Parliament is also concerned about the recent adoption in the US of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which permits the US and foreign police to access personal data stored in Europe; the reauthorisation of FISA Section 702, and the failure to appoint members to the Privacy and Civil Liberties Oversight Board (PCLOB). Parliament’s vote follows a statement in May 2018 from its Committee on Civil Liberties, Justice and Home Affairs calling upon the Commission to suspend the Shield.
Earlier this week, the US Ombudsperson responsible for handling national security complaints under the Privacy Shield, Ambassador Judith Garber, was invited to a plenary meeting of the European Data Protection Board (EDPB). The EDPB addressed the concerns raised by the EDPB’s predecessor, the WP29, especially the appointment of a permanent Ombudsperson, formal appointments to the PCLOB, and the lack of additional information on the Ombudsperson mechanism and further declassification of the procedural rules, in particular on how the Ombudsperson interacts with the intelligence services. The EDPB called for supplementary evidence to be given by the US authorities in order to address these concerns. The EDPB noted that the same concerns will be addressed by the CJEU in cases that are already pending, to which the EDPB offered to contribute its view, if invited by the CJEU.
The Data Protection Commission (DPC) has published Guidelines to support the Government with drafting future regulations restricting the rights of individuals afforded by the GDPR. Whilst the GDPR strengthens the rights of individuals, Article 23 allows Member States or the EU to restrict the scope of individuals’ rights and controllers’ obligations in certain circumstances. Section 60 of the Irish Data Protection Act 2018 (the Act), which came into effect alongside the GDPR, provides for a number of such restrictions, as well as allowing Government Ministers to make regulations further restricting individuals’ rights. It is a mandatory requirement that the Government Minister consults with the DPC before making such regulations.
Article 23 GDPR
Article 23 sets out a number of conditions which must be met in order to lawfully restrict the rights of a data subject afforded by Articles 12-22 and Article 34 (and Article 5 insofar as those principles correspond to the rights and obligations provided for in the aforesaid Articles). Any legislative measure used to restrict the rights of a data subject must be of limited scope, and be applied in a strictly necessary, proportionate and specific manner. Section 60 of the Act gives further effect to Article 23, and both provisions should be read together.
Article 23 provides that any restriction must:
(I) Be set out in Union or Member State Law via a legislative measure
Recital 41 of the GDPR provides guidance about what constitutes a legislative measure. Whilst the GDPR does not necessarily require a legislative act to be adopted by parliament, such a legal basis should be clear and precise. Recital 8 of the GDPR notes that the reason for the restriction, and how and when it may apply, should be clear to persons to whom it applies.
(II) Respect the essence of the fundamental rights and freedoms
The essence of a fundamental right means that any interference with the right should not be such that the right is in effect emptied of its basic content and the individual cannot exercise the right. Legislation not providing any possibility for an individual to pursue legal remedies to uphold their data protection rights may not be permissible. Any legislation must respect the essence of the fundamental right to effective protection.
(III) Be necessary and proportionate in a democratic society
Necessity is a facts/evidence-based concept which must be considered in light of the specific circumstances surrounding the provisions of a measure and the defined purpose it aims to achieve. Proportionality requires that the restriction must be appropriate for attaining the legitimate objectives pursued by the legislation.
(IV) Safeguard one of the interests set out in Article 23(1)
The GDPR provides a general list of interests which can be safeguarded. These are further clarified in sections 60(3) and 60(7) of the Act. An organisation that seeks to rely upon a restriction must ensure that it is safeguarding at least one of these public interests.
(V) Contain specific provisions set out in the GDPR as per Article 23(2)
It is mandatory that any legislative measure restricting individuals’ rights lays down clear rules concerning its scope and imposing minimum safeguards. In particular, any proposed legislative measure must contain information concerning:
the purposes of the processing or categories of processing;
the categories of personal data;
the scope of the restrictions introduced;
the safeguards to prevent abuse or unlawful access or transfer;
the specification of the controller or categories of controllers;
the storage periods and the applicable safeguards taking into account the nature, scope and the risks to the rights and freedoms of data subjects; and
the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
When a Government Minister consults with the DPC in regard to regulations restricting individuals’ rights, all of the above conditions should be specifically addressed and appropriately underpinned in the draft proposed legislative measures in advance of any approach to the DPC.
Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud based technology solutions.
Worth noting then that, with effect from 1 July 2018, there will be another set of regulatory recommendations for financial institutions to consider when outsourcing.
The European Banking Authority Recommendations on Outsourcing to Cloud Service Providers (the Recommendations) confirm that executives and managing bodies of financial institutions must ensure that they have a real understanding of the risks associated with using technology to outsource any aspect of their operations. The Recommendations apply to both competent authorities, such as Ireland’s Central Bank, and “financial institutions”, which are credit institutions and investment firms as defined in EU Regulation No 575/2013.
Outsourcing institutions should, prior to any outsourcing to the cloud, assess which activities should be considered as “material”. Assessments of what amounts to a “material activity” should be performed on the basis of existing CEBS Guidelines and take into account:
whether the activities are critical to business continuity/viability;
what the impact of outages would be from an operational, legal and reputational perspective;
how significantly revenue would be affected by any disruption to the activity; and
what the potential impact of a confidentiality breach or failure of data integrity would be.
Therefore, a detailed risk assessment should form part of any policy for procurement of cloud services and the regulator may look to see that assessment.
2. Duty to Adequately Inform Supervisors
If the outsourcing is material, it will need to be notified to the relevant regulator. The Recommendations require that the outsourcing institution should maintain a register of all its material and non-material activities outsourced to cloud service providers. This may require a change in procurement and contract management processes for some financial institutions. A detailed list of the information to be compiled in the register is provided and includes:
general information on the type of outsourcing and the parties involved;
evidence of the approval for outsourcing by the management body or its delegated committees;
an assessment of the cloud service provider’s substitutability; and
identification of an alternate service provider, where possible.
This can only be done if an institution is proactively approving, managing and monitoring its use of cloud services. Many are not doing so and certainly not to the same extent as they would for more traditional outsourcing arrangements.
3. Access and Audit Rights
The Recommendations state that outsourcing institutions should obtain a contractual undertaking from cloud service providers to provide:
full access to business premises, including the full range of devices, systems, networks and data used for providing services outsourced (right of access); and
unrestricted rights of inspection and auditing relating to outsourced services (right of audit)
to the outsourcing institution, its auditors and the relevant competent authorities.
There are real challenges with the negotiation and exercise of access and audit rights when it comes to cloud service providers. The Recommendations are helpful in that they confirm the outsourcing institution should exercise its rights to audit and access in a risk-based manner. Pooled audits, third-party certifications or internal audit reports may be considered, provided sufficient safeguards are in place. The outsourcing institution must ensure that the staff performing the audit have acquired the right skills and knowledge to perform effective and relevant audits and/or assessments of cloud solutions.
This puts the onus on the outsourcing institution to ensure its staff properly understand cloud services, to negotiate cloud contracts in an informed way so as to secure meaningful alternatives to traditional audit rights, and to be organised internally such that it can ensure those rights are put to effective use.
4. Security of Data and Systems
The Recommendations build on existing CEBS Guidelines in relation to security and require that prior to entering a cloud service agreement, the outsourcing institution should:
Classify the relevant data and activities involved on the basis of sensitivity and required protections;
Conduct a thorough risk-based assessment of the subject matter of the proposed outsourcing; and
Decide on (and build into the contract) appropriate levels of confidentiality, service continuity and data integrity and traceability.
The Recommendations note that the outsourcing institutions must also monitor the agreed standards, ensure the security measures are met and promptly take any necessary corrective actions. Again, this points to the need to proactively manage all cloud service providers.
5. Location of Data and Data Processing
Outsourcing institutions must take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. The Recommendations state that a risk assessment should be completed addressing the potential risk impacts, including legal risks and compliance issues, and oversight limitations related to the countries where the outsourced services are or are likely to be provided and where the data are or are likely to be stored, to ensure that any risks are kept within acceptable limits commensurate with the materiality of the outsourced activity.
Here, GDPR and more general regulatory requirements overlap and we think that consideration ought to be given to GDPR Privacy Impact Assessments for current and future cloud deals which involve the processing of personal data.
6. Chain Outsourcing
Chain outsourcing remains a key focus in these Recommendations.
The Recommendations build on existing requirements in this area, noting that the cloud outsourcing agreement should:
specify any types of activities that are excluded from potential subcontracting;
indicate that the cloud service provider retains full responsibility for services that it has subcontracted; and
include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors and include a right for the outsourcing institution to terminate the agreement if a change of subcontractor would have an adverse effect on the risk assessment of the agreed services.
These are not provisions that will feature in many standard cloud contracts (the supply chain may not even be known by the customer) and so will need to be negotiated.
7. Contingency Plans and Exit Strategies
The Recommendations state that outsourcing institutions should make arrangements to avoid service disruption in the event that the provision of cloud services by a service provider fails or deteriorates to an unacceptable degree. To achieve this outsourcing institutions should:
develop and implement comprehensive and sufficiently tested exit plans;
identify alternative solutions and develop transition plans to enable it to remove and transfer existing activities and data from the cloud service provider; and
ensure the outsourcing agreement requires the cloud service provider to provide sufficient support to the outsourcing institution to allow the orderly transfer of the cloud activity to another provider, or its reincorporation into the outsourcing institution.
Agreeing the detail around exit plans is often fraught with difficulty in outsourcing transactions. Many cloud contracts don’t deal with exit plans other than to provide for the termination of access to the service and/or to confirm that responsibility for taking back data sits with the customer and ought to be done during the contract and/or within a short time period following termination. The Recommendations suggest that financial institutions should perform a business impact analysis commensurate with the activities outsourced to identify what human and material resources would be required to implement the exit plan and how much time it would take. Failure to be able to demonstrate that this has been done may create difficulties where moving away from a cloud provider in the future doesn’t go as smoothly as was suggested at the outset.
The Data Protection Commission (DPC) has revamped its website and published online forms to help organisations comply with their new obligations under the GDPR.
The website contains a new Data Protection Officer (DPO) Notification Form, which must be completed by organisations to inform the DPC of their DPO’s contact details. The GDPR requires the appointment of a DPO in the following circumstances: (i) where the processing is carried out by public bodies or authorities; (ii) where an organisation’s core activities consist of large-scale regular and systematic monitoring of data subjects; and (iii) where an organisation’s core activities involve large-scale processing of special categories of data (i.e. sensitive data) or personal data relating to criminal convictions and offences. A DPO may also be appointed on a voluntary basis. However, organisations should be aware that a DPO designated on a voluntary basis will be subject to the same obligations and tasks under the GDPR as if the designation had been mandatory.
The DPC has also released Guidance on the Personal Data Breach Notification Process, along with breach notification forms for organisations to complete in order to notify the DPC of national and cross-border personal data breaches. Not all personal data breaches are reportable. The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. A personal data breach must be reported to the DPC within 72 hours of becoming aware of the breach, where it is likely to result in a “risk” to the affected individuals. Organisations must also report a personal data breach to affected individuals without undue delay where it is likely to result in a “high risk” to their rights and freedoms. Details of all breaches, whether or not they are reportable, must be documented. The documentation should include the facts relating to the breach, its effects, the remedial action taken, and, where applicable, the reasons for not notifying the breach. The DPC requires all national breach notifications to be notified using the National Breach Notification Form, and all cross-border personal data breaches to be notified using the Cross-Border Breach Notification Form.
In addition, the DPC has published updated Guidance on Data Subject Access Requests, along with flagging that requests made prior to 25 May 2018 continue to be governed by the Data Protection Acts 1988, as amended.
Ireland succeeded in enacting the Data Protection Act 2018 prior to today’s GDPR deadline, with the President signing the Act into law yesterday. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework. This briefing note analyses the key provisions under the Act and its likely impact on businesses operating from Ireland.
The Article 29 Working Party (WP29) has published a position paper on the scope of the derogation from the obligation to maintain records of processing activities. Article 30.5 provides that the record-keeping obligation does not apply to organisations with less than 250 employees in certain circumstances. The WP29 has stated that the position paper was published as a result of a high number of requests from companies received by national Supervisory Authorities. Despite the existence of the derogation, the WP29 encourages SMEs to maintain records of their processing activities, as it is a useful means of assessing the risk of processing activities on individuals’ rights, and identifying and implementing appropriate security measures to safeguard personal data. In light of the new accountability principle in the GDPR requiring organisations to be able to demonstrate how they comply with their GDPR obligations, it would certainly be prudent for all organisations, regardless of size, to maintain such records.
The position paper makes it clear that all organisations, without exception, must maintain a record of processing in regard to human resources (HR) data, as such processing is carried out regularly and cannot be considered “occasional”. Accordingly, all organisations must ensure they can present records relating to HR data to their supervisory authority post-May 2018, if requested. This will entail keeping a record of the types of HR data processed, the categories of data subjects (i.e. employees, ex-employees, candidates, consultants), the purposes of the processing, the recipients of such data (e.g. any third party service providers), the data retention periods for each type of HR data processed, details of any non-EEA transfers of HR data, and the security measures in place to protect such data.
Background – What records does the GDPR require controllers and processors to maintain?
Article 30 of the GDPR requires data controllers and processors to maintain records of their processing activities, “in writing, including in electronic form”, and to make these records available to their supervisory authority on request.
Article 30.1 of the GDPR requires each data controller to maintain a record of processing activities which must include the following information:
the name and contact details of the controller and, where applicable, any joint controllers, the controller’s representative, and the Data Protection Officer (DPO);
a description of the categories of data subjects and types of personal data;
the purposes of the processing;
the categories of recipients of the personal data;
data retention periods for different types of personal data;
details of non-EEA data transfers and safeguards in place; and
a description of the technical and organisational security measures in place.
Article 30.2 of the GDPR requires each processor, and where applicable the processor’s representative, to maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting (and, where applicable, of the controller’s or processor’s representative) and the DPO;
the categories of processing carried out on behalf of the controller;
details of non-EEA transfers and safeguards in place; and
a description of the technical and organisational security measures in place.
What derogations exist?
Article 30.5 contains a derogation from the record-keeping obligation for organisations employing fewer than 250 employees. However, this derogation is not absolute. It does not apply in regard to three types of processing, namely:
(i) processing that is likely to result in a risk to the rights and freedoms of data subjects;
(ii) processing that is not occasional (the WP29 considers that a processing activity is only “occasional” if it is not carried out regularly, and occurs outside the regular course of business or activity of the controller or processor); or
(iii) processing that includes special categories of data (i.e. sensitive data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or data relating to criminal convictions and offences.
The WP29 emphasises that these three types of processing, to which the derogation does not apply, are alternatives, and the occurrence of any one of them alone triggers the obligation to maintain a record of processing activities. However, organisations with fewer than 250 employees need only maintain records of processing activities for the particular types of processing mentioned in (i) to (iii) above. Other processing activities do not need to be included in the record of processing activities.
The WP29 encourages Supervisory Authorities to support organisations by making available on their websites a simplified model that can be used by organisations to keep records of processing activities. The UK Information Commissioner has published helpful guidance on the record-keeping obligation to help controllers and processors understand their responsibilities.
On 26 March 2018, the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks. It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.
It remains to be seen whether the measures taken will be sufficient to appease the Article 29 Working Party (WP29), which raised a number of concerns about the EU-US Privacy Shield in November 2017. The WP29, in particular, called for the appointment of an independent Ombudsperson to be prioritised and for the exact powers of the Ombudsperson mechanism to be clarified, including through the declassification of internal procedures, as well as the appointment of PCLOB members. It called for those prioritised concerns to be resolved by 25 May 2018, and its other concerns to be addressed at the latest at the second joint review. The WP29 warned that if no remedy was brought to address its concerns in the given time-frames, the WP29 would take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling. Whilst the DOC’s update notes that President Trump has nominated three individuals to the PCLOB, it does not clarify whether Ambassador Judith G Garber, who has been ‘acting’ as Privacy Shield Ombudsman, has been permanently appointed to that role, nor is there any mention of declassification of the internal rules of procedure of the Ombudsperson.
On a positive note, the DOC’s update shows that the US has made efforts to address other concerns raised by the WP29, including publishing enhanced guidance on the self-certification process; strengthening monitoring and enforcement of the Shield, through random spot-checks on certified organisations and proactive checks for false certification claims, and developing user-friendly guidance material for individuals, businesses and authorities.
The DOC’s update also highlights that the US government has expressly confirmed that Presidential Policy Directive 28 (PPD-28), providing protection to individuals regardless of nationality with respect to signals intelligence information, remains in place without amendment. In addition, Congress has reauthorized FISA section 702, reportedly maintaining all elements on which the European Commission’s Privacy Shield determination was based.
The Data Protection Commissioner (DPC) has published her Annual Report for 2017, which discusses the key activities and challenges of her office last year, as well as her priorities for the coming year. The DPC spent much of 2017 raising awareness of the GDPR. She continued to engage with organisations in regard to their data protection law compliance, carrying out over 200 consultations and 100 face-to-face meetings in which preparation for the GDPR was a constant feature. The DPC dealt with a record number of complaints (2,642), most of which were resolved amicably. She was also busy on the litigation front, particularly in regard to court proceedings concerning the validity of the EU Standard Contractual Clauses as a legal mechanism to transfer personal data out of the EEA.
Litigation & Data Transfers
The Report highlights the Irish High Court’s decision in October 2017, in DPC v Facebook and Schrems, to refer questions as to the validity of the Standard Contractual Clauses to the EU Court of Justice (CJEU). That reference will be made during 2018, once the High Court has finalised the specific questions to be referred to the CJEU (see our previous blog). In addition, the EU-US Privacy Shield was subject to, and survived, its first annual review carried out by the European Commission and to which the Article 29 Working Party (WP29) contributed. The DPC also acted as lead reviewer in relation to 14 Binding Corporate Rules (BCR) applications, and co-reviewer in three BCR applications. It is envisaged that, with the recognition of BCRs as a tool to transfer data under the GDPR and the introduction of the one-stop-shop mechanism, there will be an increase in BCR applications to the DPC from May 2018.
In December 2017, the CJEU delivered its ruling in Nowak v DPC (see our previous blog) on foot of a reference from the Irish Supreme Court. In that case, the CJEU ruled that an exam script was “personal data” because even if the examiner did not know the identity of the candidate when he/she was marking the exam, the exam board had the information needed to identify the candidate through his/her identification number. Following its earlier decision in Breyer (2016), the CJEU held that in order for information to be treated as “personal data” there is no requirement that all the information enabling the identification of the data subject be in the hands of one person, so long as there is a means reasonably likely to be used to identify the data subject. The CJEU further ruled that the examiner’s comments were “personal data” as they constituted information “relating to” the candidate. The Report notes that this decision gives rise again to the debate about what one academic has termed the “unfathomable scope” of data protection law.
Finally, at an international level, the Report highlights that the US Supreme Court has accepted for hearing the US Department of Justice’s appeal concerning its attempt to obtain, by US court warrant under the 1986 Stored Communications Act, data held by Microsoft on a server in Ireland. Microsoft contends that people’s privacy rights should be protected by the laws of their own countries, and that US law enforcement needs to go through Irish authorities if it wants to obtain the emails. The US has a Mutual Legal Assistance Treaty (MLAT) with Ireland, and Microsoft argues that US law enforcement could simply use the MLAT to ask Irish authorities for help. The DPC notes that cases such as this “demonstrate the burgeoning importance of data protection and privacy as fundamental human rights.”
Proactive Engagement with the Financial Sector
The Report notes that one of the significant areas of development in 2017 in the Financial Sector was the entry into the marketplace of third party payment and account information service providers under the Payment Services Directive 2015/2366 (PSD2). In 2018, the DPC intends to continue its engagement with key stakeholders, including industry representative bodies, financial services regulators, relevant Government Departments, and its EU counterparts, to assist both banks and new entrants from the FinTech sector to ensure that the processing of personal data in the provision of innovative payment products under PSD2 is in compliance with data protection law, particularly the GDPR principle of transparency. The DPC also intends to further engage with the Financial Sector in relation to other evolving areas such as Anti-Money Laundering (AML) (in relation to the 4th and anticipated 5th AML Directives), anti-fraud and credit reporting, which involve the large-scale processing of customers’ personal data.
Other Engagement Activities
The DPC also engaged with multinational technology and social media companies during 2017, which spanned over 100 meetings. The DPC’s priority was to ensure these companies have a lawful basis for collecting personal data and provide full transparency to users so that they can understand the business model and implications of free services and how their personal data is monetised and used. Driving higher standards of protection for children when using the internet and social media has also been a key concern.
In addition, the DPC’s office engaged extensively with the WP29, acting as “lead rapporteur” on the GDPR Transparency Guidelines with responsibility for drafting and preparing these Guidelines, in conjunction with other WP29 members. The Guidelines were published in preliminary form for EU wide consultation in December 2017, and are expected to be finalised and adopted by the WP29 in April 2018. Speaking at A&L Goodbody’s recent breakfast seminar, ‘GDPR – The Last Lap‘, Ms Morgan, Deputy DPC, noted that she was reviewing 66 consultation responses on the preliminary Guidelines, including a number of objections to the requirement for controllers to provide information to data subjects in privacy notices on the outcome of the balancing test when relying on “legitimate interests” as a basis for lawful processing. The schedule to the Guidelines sets out the WP29’s comments on the extensive information that must be provided to data subjects in privacy notices post-May 2018.
The Report notes that the nature of the consultation queries received by the DPC indicates that data protection is becoming a more significant boardroom issue, and that there is a growing appreciation among businesses of the reputational damage and financial loss that can be caused by the mishandling of personal data. The DPC emphasises that it is “imperative… in line with the principle of accountability” that organisations can stand over and justify their data processing arrangements and are able to demonstrate compliance with the GDPR.
Complaints & Prosecutions
The DPC received 2,642 complaints in 2017, up from 1,479 in 2016 (a 79% increase), with the largest single category continuing to concern “Access Rights”, which made up 1,372 (or 52%) of the total. The majority of complaints were resolved amicably, with only 34 written statutory decisions being issued. The Report highlights that most of the complaints which could not be resolved amicably concerned issues arising from the financial crash, in particular cases involving the transfer of loan books to new lenders and receiverships where buy-to-rent owners are involved, as the complainant’s fundamental grievance relates to the underlying transaction itself or the actions of the lender, rather than to data protection issues per se. The Report points out that, whilst personal data is transferred and processed in such circumstances, this is generally provided for in the original terms the borrower signed.
The case study section of the Annual Report sets out 17 illustrative complaints which the DPC handled during 2017. The case studies relate to a wide variety of data protection issues such as: use of CCTV footage by an employer in a disciplinary process; failure to respond fully to an access request; unlawful disclosure of personal data by an employee via a social media app; failure of an employer to impose access restrictions to medical data of an employee, and unsolicited marketing offences.
A number of prosecutions were successfully pursued by the DPC, including six entities for unsolicited electronic marketing. The DPC’s Special Investigations Unit also continued its work in the Private Investigator sector resulting in several prosecutions. Given the high level of breaches uncovered in the Private Investigator sector, the DPC intends to continue to focus on this sector for the foreseeable future.
Investigations & Audits/ Inspections
Over 91 audits/inspections were carried out in 2017. The Special Investigations Unit also carried out a number of investigations, including into the processing of patients’ sensitive data by hospitals, where such data was being held in publicly accessible areas. Geographically, the hospitals inspected represented a broad sample from across the State, including HSE facilities and private and voluntary hospitals. Building on the findings of the hospital inspections, the Special Investigations Unit is currently drawing up an overall investigation report for dissemination to every hospital in the State in the first half of 2018. Matters of concern found in the twenty hospitals inspected include: controls in medical record libraries; storage of confidential wastepaper within the hospital setting; and lack of privacy when discussing medical and other personal issues. Having disseminated the overall report to all hospitals, the DPC will seek an action plan from each of them outlining how and when they will implement the recommendations.
The DPC also conducted an audit of certain prescribed state agencies which are permitted to make requests to communications service providers (CSPs) for disclosure of metadata (i.e. call and traffic data) relating to phone and internet records pursuant to the Communications (Retention of Data) Act 2011, for the purpose of the prevention, investigation, detection and prosecution of serious crime. The DPC conducted a series of audits of disclosure requests processed by CSPs to ensure that the processing of such requests complied with data protection law. The 2011 Act assigns a specific role to the DPC as national supervisory authority for the purposes of that Act. The DPC made a number of recommendations on security measures, procedures and oversight which should be implemented by CSPs, and will conclude its series of audits of CSPs in 2018. The Report notes that in October 2017 the Government published draft legislation to replace the 2011 Act, namely the General Scheme of the Communications (Retention of Data) Bill 2017, in response to Chief Justice Murray’s Report, which identified numerous failings in the current regime. The DPC warns that retaining the status quo is “simply not an option” and urges the Irish Government to prioritise the new legislation immediately. The draft Bill includes a requirement for judicial pre-authorisation of access by state agencies to retained data and for proactive notification of users after the fact (see our previous blog on this draft Bill).
There was a surge in data breach notifications in 2017, the majority continuing to come from the financial services sector. A total of 2,795 breaches were recorded by the DPC in 2017, an almost 26% increase from 2016, despite the mandatory requirement under the GDPR to report data breaches posing a risk to data subjects not applying until 25 May 2018. Ms Morgan noted at A&L Goodbody’s breakfast seminar that, post-GDPR, the DPC’s office expects to receive up to 100,000 breach notifications per year, a number of which are likely to be unnecessary, as organisations will play it safe and notify even where the circumstances do not bring the incident within the definition of a personal data breach in Article 4(12) of the GDPR. Ms Morgan warned that flooding her office with incidents which do not fall within that definition, in an attempt to ward off regulatory action, would be counter-productive and would result in enforcement action to stop the ongoing notification of non-breach incidents. However, the DPC will equally enforce against organisations which under-declare the severity of a breach. The annex to the WP29 Guidelines on Breach Notification helpfully provides a non-exhaustive list of examples of reportable breaches, which is well worth reading.
In 2017, the DPC’s office investigated 19 data breaches involving multinational companies. The DPC highlighted that these breaches largely involved overreliance on data processors to implement appropriate security measures, such as reliance on the default security settings offered by cloud-service providers, which in many cases led to unauthorised access to personal data; failure to ensure that processors complied with their obligations to securely process personal data on the instruction of the controller, and failure to undertake periodic reviews of security measures and apply critical updates and security patches. Companies should take note of these common types of breaches, as they will face significant fines, as well as potential compensation claims, for such breaches post-May 2018.
The Year Ahead
The Report sets out the DPC’s main goals for 2018, which include:
Proactively targeting and engaging with public and private sector organisations, particularly in areas of highest risk and large-scale systemic data processing;
Providing guidance to controllers and processors on its microsite www.GDPRandyou.ie;
Pursuing regulatory action, including sanctions, in a “lawful, fair, proportionate and effective manner”, with the objective of driving better compliance and accountability by organisations in upholding their data protection obligations;
Contributing proactively at EU level, through the WP29, to the development of a harmonised interpretation of the new laws and the preparation of GDPR guidance;
Engaging with stakeholders and other EU supervisory authorities to identify areas of bad practice and serious non-compliance, which may require enforcement measures, and
Driving improved compliance with data protection obligations through investigations and audits targeting high-risk and large-scale processing of personal data.
The DPC, like other stakeholders, is eagerly awaiting the finalisation and enactment of the Irish Data Protection Bill 2018, which is currently before the Oireachtas. That legislation will give further effect to the GDPR in areas where national derogations are permitted, will transpose the Law Enforcement Directive into Irish law, and will further underpin the structures, functions and powers of the DPC. The Irish Government has committed to finalising the Bill by 25 May 2018, when the GDPR becomes applicable.
As a follow-up to its Communication of September 2017 on tackling illegal online content, the European Commission has published a non-binding “Recommendation” which formally lays down operational measures that online platforms and Member States should take, before it determines whether it is necessary to propose legislation to complement the existing regulatory framework. The Recommendation applies to all forms of content that is not in compliance with EU or Member State law, such as terrorist content, racist or xenophobic illegal hate speech, child sexual exploitation material, illegal commercial practices, breaches of intellectual property rights and unsafe products. The Recommendation puts pressure on online platforms to implement more proactive measures to ensure faster detection and removal of illegal content online. It has been criticised by digital human rights organisations as essentially forcing online platforms to “voluntarily” police and censor the internet, without respect for the fundamental right to freedom of expression.
The Commission acknowledges that progress has been made in regard to removing illegal content through voluntary arrangements, including the EU Internet Forum on terrorist content online, the Code of Conduct on Countering Illegal Hate Speech Online and the Memorandum of Understanding on the Sale of Counterfeit Goods. For example, in regard to the Code of Conduct, internet companies now remove on average 70% of illegal hate speech notified to them and in more than 80% of these cases, the removal takes place within 24 hours. However, notwithstanding this progress, the Commission states that illegal content online remains a serious problem within the EU. It states that the Recommendation is without prejudice to the position of hosting service providers under the e-Commerce Directive 2000/31/EC, and the enforcement of their terms of service in accordance with EU and national law. The e-Commerce Directive contains liability exemptions available to certain online service providers, including ‘hosting’ service providers, where they act expeditiously to remove or disable access to illegal content that they store upon obtaining knowledge of such content.
The Recommendation relates to the activities of all hosting service providers, irrespective of whether they are established in the EU or in a third country, provided that they direct their activities to consumers residing in the EU. The Commission’s recommendations include:
Takedown notices – Hosting providers should provide mechanisms for the public to submit takedown notices. Those mechanisms should be easy to access, user-friendly and allow for the submission of notices by electronic means.
Informing content providers – Where a hosting service provider decides to remove illegal content, it should inform the content provider of that decision and of the possibility of contesting it via a counter-notice, unless it is manifest that the content is illegal, or a law enforcement authority has requested that the content provider not be informed for reasons of public policy and public security.
Out of court dispute settlements – Member States are encouraged to facilitate, where appropriate, out-of-court settlements to resolve disputes related to the removal of illegal content.
Transparency – Hosting service providers should publish explanations to the general public on their content management policy and, at regular intervals (at least annually), reports on their activities relating to the removal of illegal content. Those reports should include, in particular, information on the amount and type of content removed, on the number of notices and counter-notices received and the time needed for taking action.
Proactive measures – Hosting service providers are encouraged to take proactive measures to identify and remove illegal content, including automated means such as upload filters, where appropriate.
Safeguards – To accurately assess whether content identified via automated tools is actually illegal, hosting providers should put in place necessary safeguards, including a human review step before content is removed.
Cooperation between hosting providers and member states – Fast-track procedures should be provided to process notices submitted by law enforcement authorities. Member States are encouraged to establish legal obligations for hosting service providers to promptly inform law enforcement authorities of any evidence of alleged serious criminal offences involving a threat to the life or safety of persons obtained in the context of their removal of illegal content.
Cooperation between hosting providers – Hosting service providers should, where appropriate, share experiences, technological solutions and best practices to tackle illegal content online among each other.
No hosting of terrorist content – Hosting providers should explicitly state in their terms of service that they will not host terrorist content.
One-hour takedown rule – As terrorist content is particularly harmful, hosting providers should as a general rule remove such content within one hour of its flagging by law enforcement authorities and Europol.
Regular and Transparent Reporting – Member States should submit information to the Commission on the removal of terrorist content within three months, and illegal content within six months.
The Commission will monitor the actions taken by online platforms in response to the Recommendation, and will then determine whether further regulatory measures, including legislation, are required.
Ireland implemented the Data Retention Directive 2006/24/EC (the Directive) by means of the Communications (Retention of Data) Act 2011 (the 2011 Act). The Directive required communications service providers to retain metadata relating to phone and internet communications, such as traffic, location and subscriber data (but not the content of communications), for between 6 and 24 months, to ensure that the data were available to designated authorities, such as the police and security services, for the purpose of the prevention, investigation, detection and prosecution of serious crime. In April 2014, in the Digital Rights Ireland case, the CJEU declared the Directive invalid on the basis that: the requirement for service providers to retain all communications data, even of persons not suspected of involvement in serious crime, was disproportionate; the Directive failed to set objective criteria determining how and when national authorities could access and use retained data; the Directive failed to protect individuals’ rights by means of procedural safeguards, such as prior review by a court of access requests from designated authorities; and the Directive failed to stipulate that communications data be retained within the EU. Despite the CJEU declaring the Directive invalid, the State’s data retention regime has continued to operate under the 2011 Act.
In December 2016, in the Tele2 case, the CJEU ruled that EU law prohibits the general and indiscriminate retention of traffic and location data, and that procedural safeguards, such as prior review of access requests made by designated authorities by an independent body such as a court, are essential. The Murray Report, published in October 2017, further criticised many aspects of the 2011 Act, including: the lack of independent vetting and authorisation of access requests made by designated authorities; the lack of coherence (“legislative scatter”) in the statutory rules governing the retention and disclosure of data; the failure of the Act to set out clear objective criteria governing data retention and disclosure; the absence of clear procedures and protocols to be followed by authorities given access to retained data; the failure to provide for notification of persons whose data is disclosed; the lack of remedies for wrongful access to retained data; and the failure to require communications service providers to keep data within the EU.
The Draft Bill
The General Scheme of the Communications (Retention of Data) Bill 2017 provides for:
the repeal of the 2011 Act;
the exclusion from retention of the contents of communications, such as recordings of voice calls or the text and image contents of emails or websites;
the designation of An Garda Síochána, the Defence Forces, the Revenue Commissioners, the Garda Síochána Ombudsman Commission (GSOC) and the Competition and Consumer Protection Commission (CCPC) as the statutory agencies having authority to request access to retained data;
the retention by service providers of information that identifies subscribers for 12 months, and access to it by designated officers of the statutory agencies in connection with specific serious offences;
traffic and location data to be retained only by order of the Minister for Justice and Equality on foot of an application by the head of one of the statutory agencies;
access by designated officers to traffic and location data to be conditional on an order of an authorising judge, and to be restricted to purposes relating to certain serious offences;
access without a judge’s order to be permitted only in cases of urgency;
service providers to keep retained data securely in the EU, and all retained data to be destroyed when proceedings or investigations conclude;
criminal penalties for service providers that fail to comply with obligations;
periodic review of the Act’s operation by a designated judge;
reports of the designated judge and of the statutory authorities to be laid before the Oireachtas; and
persons who are the subject of or are affected by a disclosure to be notified of that fact, and to have access to the complaints procedure under the Interception of Postal Packets and Communications Messages (Regulation) Act 1993.
The Committee has made a number of recommendations, which it hopes will inform the drafting of the final Bill, to ensure that the State’s data retention legislation is fully compliant with EU law. The Committee’s recommendations include:
1) Journalists and their sources: The Committee recommends, per the Murray Report, that it should be made explicit that retaining or accessing data in order to identify journalists’ sources should be permitted only where prior judicial authorisation has been secured and there is an overriding requirement in the public interest. In principle, access should be permitted only when the journalist (and not somebody else) is the object of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
2) Rights to notification: Persons whose retained data is disclosed should be notified of the fact once doing so is unlikely to prejudice an investigation.
3) Judicial remedy: The Committee recommends, per the Murray Report, that persons whose rights have been affected by access to retained data should have an appropriate judicial remedy, expressly provided for in legislation.
4) Independent monitoring authority: The Committee believes that the current system, retained in the General Scheme, of oversight by a designated judge of the High Court, is not a sufficiently robust protection against the potential for excessive surveillance. The Committee recommends therefore the establishment of an independent authority, chaired by a senior judge. This body should be fully accountable to the Houses of the Oireachtas and furnish periodic detailed reports on its activities; and it should be provided with the necessary resources and technical expertise to perform its functions.
5) Test to be applied for retaining data: The Committee recommends that a Ministerial Order for data retention should only be made where ‘strictly necessary’. A time limit of no more than three months should also be set for the retention of such data.
6) Targeted data retention: The Committee believes that in order for the proposed legislation to be fully compliant with EU law, it must limit and clearly set out the circumstances in which data can be retained. In line with the Tele2 ruling, a Ministerial Order for data retention must be targeted. There must be an established connection between the data to be retained and the objective pursued.
7) Access to third party data: Heads 8 and 9 of the General Scheme are overly permissive in allowing access to the data of entirely unconnected third parties where this is “likely to assist in the prevention, detection, investigation or prosecution of that offence.” The Committee recommends that this be restricted, in line with the Tele2 ruling, so that a person whose information is demanded must be in some way implicated in the crime before access to his or her data can be granted.
8) Precise definitions of data: The definition of “traffic and location data” in Head 1 of the General Scheme is potentially very broad in its scope. It should be amended to ensure that the legislation cannot be used to require the logging of information about web browsing or other information which tends to reveal the content of communications. The precise categories of data that can be retained should be explicitly set out in the legislation.
9) Compensation: The Committee believes that the current power under the 2011 Act of the Complaints Referee to award compensation to individuals whose data has been accessed in contravention of the legislation should be retained.
10) Retrospective authorisation: An urgency exception should only be provided for where accompanied by a requirement that the authority seeking disclosure must subsequently provide objective evidence of the need for urgent and immediate access without prior authorisation, and must submit, as soon as possible thereafter, an application to the independent body or designated judge for retrospective authorisation.
The Bill is listed as “priority legislation for publication” in the Government’s legislative programme for Spring/Summer 2018. We will post further updates on the progress of the Bill in due course.