How does COVID-19 impact on your GDPR rights and obligations?
The Coronavirus/COVID-19 pandemic has caused problems in all areas of life, including difficulties in responding to data subject requests.
The Irish Data Protection Commission (DPC) has issued guidelines, whilst pointing out that the timelines for responding to requests have not changed.
Advice for Individuals
The DPC outlines that members of the public should be aware of, and appreciative of, the frontline and critical service organisations such as healthcare providers, government departments (in particular the Department of Employment Affairs and Social Protection), Revenue and local authorities, as they may need to divert resources and to prioritise work areas. This channelling of resources will have an impact on areas of these organisations such as the handling of access requests.
The closure of schools, universities and other private sector organisations has further compounded the difficulty in processing data access requests. Based on this, the DPC has asked the public to bear these factors in mind if an access request is not processed in the requisite time. These are unprecedented times that call for unprecedented understanding.
Problems for Organisations/Data Controllers
The DPC has acknowledged that many organisations, especially those on the frontline and/or providing a critical service, may need to divert resources to priority work areas. The diversion of work resources will impact other areas such as the processing of access requests. With regard to the statutory requirements governing access requests, the DPC is alive to these challenges and is proposing a proportionate regulatory response to these extraordinary circumstances.
The main point is that an organisation experiencing delays in responding to access requests should, where possible, notify the data subject of the delay or possible delay in processing their request for data. This also includes the extension of a further two months to respond to an access request, which is provided for by the GDPR.
Another option open to organisations would be to respond to access requests in stages. If this is an option open to an organisation, the DPC implores organisations to communicate clearly with the individuals concerned.
Finally, where an organisation, due to the impact of COVID-19, cannot respond to a request either in full or in part that organisation remains under an obligation to comply with the request and action same as soon as reasonably possible.
Organisations must note that the statutory obligations to comply with access requests cannot be waived; however, if an individual complains to the DPC regarding an organisation's failure to comply with a DSR, the Commission will assess the specific extenuating circumstances that led to the initial delay.
The Data Protection Commission encourages organisations to document their reasons for not complying with the timelines set out by statute.
If an organisation feels that it will not be able to deal with a subject’s access request within the statutory timeframe the organisation should properly communicate these reasons to the data subject.
Finally, even though the GDPR does not allow statutory timelines to be waived the DPC will take into account the extenuating circumstances surrounding the delay in delivering the access request.
Has the danger passed? Are you just keeping the head down and hoping for the best?
Are you in a good place with respect to compliance or do you still have some concerns but hope the fears generated were exaggerated?
Just to remind you, new regulations concerning personal data protection came into force in the EU from 25th May, 2015: the GDPR regulations.
What has happened since then? Was the fear and loathing justified? Was it another “Y2K” scare (all hat and no cattle), or is it too early to decide?
Firstly, GDPR came into effect in Ireland 24 hours after the commencement of a new data protection act, the Data Protection Act, 2018. There is a certain degree of trepidation amongst data controllers and processors that this new law will lead to a significant increase in the number of legal cases arising as a result of breaches, for the law now allows data subjects to bring civil actions for compensation.
Data subjects can also now authorise not for profit organisations to bring complaints and act on their behalf. This kind of “class” action is a new development in Ireland and is likely to be availed of when there is a significant breach of personal data on a wide scale affecting a large number of individuals.
Two of these not-for-profit organisations, NOYB (‘None of Your Business’) in Austria and La Quadrature du Net (‘La Quad’), filed complaints in some European countries against large tech companies within a short time of GDPR coming into effect. There is nothing stopping them from popping up in Ireland.
Right to Compensation and Damage
The right to compensation and damage is set out in regulation 82 which states,
Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
The game changer in this regulation is the reference in subsection 1 to “material or non-material damage”.
Up to this point you had to show you had suffered actual loss or damage in Ireland to be compensated, but you could not be compensated for non-material damage.
You will also see that subsection 1 refers to “controller or processor”. Prior to this only the controller could be held liable but now a processor can be also named as a defendant.
Article 78 sets out the right of the data subject to sue, that is, a judicial remedy. It states,
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
This right to bring a data protection action in Ireland is set out in section 117 of the Data Protection Act, 2018. This action is founded on tort, that is, a civil wrong, and can be instituted in the Circuit Court or High Court.
Section 117 obliges the plaintiff data subject to prove that
his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment
The critical change now is that a data subject can sue for material and non-material damage, and non-material damage is set out in recital 85 as follows:
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned
You will see from regulation 82 above, section 2, that the controller and processor will be held liable where they are not compliant with the regulations; it is irrelevant whether they were negligent or at fault in any way.
How much compensation?
It is too early to say what level of compensation Irish courts will award, especially for non-material damage such as damage to reputation, unauthorised reversal of pseudonymisation or loss of confidentiality.
Clearly, from the perspective of a controller or processor the smart thing to do is try to ensure that there is no breach of personal data rights in the first place. However, it is vital that a breach is notified to the Data Protection Commissioner within 72 hours of becoming aware of the breach as the Act refers to doing so “without undue delay”.