Tag: GDPR

GDPR Update-Has the Danger Passed?

gdpr legal action

Were you worried in the lead up to GDPR?

Has the danger passed? Are you just keeping the head down and hoping for the best?

Are you in a good place with respect to compliance or do you still have some concerns but hope the fears generated were exaggerated?

Just to remind you new regulations concerning personal data protection came into force in the EU from 25th May, 2015: the GDPR regulations.

What has happened since then? Was the fear and loathing justified? Was it another “Y2K” scare-all hat and no cattle-or is it too early to decide?

Firstly, GDPR came into effect in Ireland 24 hours after the commencement of a new data protection act, the Data Protection Act, 2018. There is a certain degree of trepidation amongst data controllers and processors that this new law will lead to a significant increase in the number of legal cases arising as a result of breaches for the law now allows data subjects bring civil actions for compensation.

Collective Actions

Data subjects can also now authorise not for profit organisations to bring complaints and act on their behalf. This kind of “class” action is a new development in Ireland and is likely to be availed of when there is a significant breach of personal data on a wide scale affecting a large number of individuals.

Two of these not for profit type organisations, NOYB (‘None of Your Business’) in Austria and La Quadrature du Net (‘La Quad’) filed complaints in some European countries against large tech companies within a short time of GDPR coming into effect. There is nothing stopping them from popping up in Ireland.

Right to Compensation and Damage

The right to compensation and damage is set out in regulation 82 which states,

Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

The game changer in this regulations is the reference in subsection 1 to “material or non-material damage”.

Up to this point you had to show you had suffered actual loss or damage in Ireland to be compensated, but you could not be compensated for non-material damage.

You will also see that subsection 1 refers to “controller or processor”. Prior to this only the controller could be held liable but now a processor can be also named as a defendant.

Article 78 sets out the right of the data subject to sue-that is, a judicial remedy. It states,

Article 78

Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

This right to bring a data protection action in Ireland is set out in section 117 of Data Protection act, 2018. This action is founded on tort-that is, a civil wrong, and can be instituted in the Circuit Court or High Court.

Section 117 obliges the plaintiff data subject to prove that

his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment

The critical change now is a data subject can sue for material and non material damage and non material damage is set out in recital 85 as follows:

A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned

You will see from regulation 82 above, section 2, that the controller and processor will be held liable where they are not compliant with the regulations; it is irrelevant whether they were negligent or at fault in any way.

How much compensation?

It is too early to say what level of compensation Irish courts will award, especially for non material damage such as damage to reputation or unauthorised reversal of pseudonymisation or loss of confidentiality.

Clearly, from the perspective of a controller or processor the smart thing to do is try to ensure that there is no breach of personal data rights in the first place. However, it is vital that a breach is notified to the Data Protection Commissioner within 72 hours of becoming aware of the breach as the Act refers to doing so “without undue delay”.

Section 85 Data Protection Act 2018 states:

85. Where a processor becomes aware of a personal data breach, the processor shall notify the controller on whose behalf the data are being processed of the breach—

(a) in writing, and

(b) without undue delay.

Further reading:

The General Data Protection Regulation (GDPR) in Ireland-the Essentials

Data Protection Breaches-Are You Entitled to Damages?

The General Data Protection Regulation (GDPR) in Ireland-the Essentials

gdpr-data-protection

Have you heard about the GDPR (General Data Protection Regulation)?

Do you know the changes it will bring to data protection law in Ireland?

Do you know when it is to come into effect here?

These questions, and similar foundational ones, are what I am about to look at.

Ready?

Let’s go.

The “big bang” date for the this Regulation to come into effect in Ireland will be 25th May, 2018. As EU regulations have direct effect in Irish law, it will not require any act of transposition or formal introduction into Irish law.

The effect of the GDPR will be to replace the existing data protection framework in Ireland. If you are data controller, and you currently have obligations under data protection law, you will need to know what new obligations the GDPR will have for you and your organisation or business.

At its core it strengthens the rights of EU citizens to data privacy and central to this is the three principles of

  1. Security
  2. Accountability
  3. Transparency.

You will note that these are the principles inherent in the current data protection regime in Ireland, pursuant to the Data Protection Act 1988 and Data Protection (Amendment) Act, 2003. It will be a relief to discover that if you are in line with current legislation you will be broadly covered for the new regime.

However, there is some new elements being introduced by GDPR which you need to be aware of. The Office of the Data Protection Commissioner has suggested a 12 step approach to the new regime. Those 12 steps are:

1. Becoming aware

Key personnel need to be aware the law is changing in this area from 25th May, 2018.

2. Become accountable.

Gather up your existing personal data and review it under the following headings

  • Why are you holding it?
  • How did you obtain it?
  • Why was it gathered?
  • How long will you retain it?
  • How secure is it?
  • Do you share it with 3rd parties? If so, on what basis?

This will cover the accountability principle mentioned at number 2 above.

3. Communicate with staff and service users

This involves lettering your staff or service users know about the collection of their personal data.

Under GDPR new obligations include:

  • Providing information about the legal basis for processing the data
  • Retention periods
  • Complaint procedures
  • Their individual rights under GDPR
  • Whether the data will be subject to automated decision making.

4. Personal Privacy Rights

Generally, the rights afforded to individuals will be similar to what they currently enjoy eg to have inaccuracies corrected, to have data deleted, to object to direct marketing.

You will also need to consider how you will provide data electronically if requested by the data subject. You will need to consider,too, how long it will take to locate the data and who will make decisions about deletion of data.

5. How will access requests change

The GDPR will change the timescale for responding to data protection requests to one month so you need to review how you will deal with this faster timescale.

It will be less likely that you will be able to charge for such requests and the ground for refusal will need to be founded in well documented policies and procedures for refusal.

You will also need to provide additional information to data subjects such as information about the data retention periods and having inaccurate data amended.

6. The legal basis

You will have to explain your legal basis for processing personal data and data subjections will have stronger grounds for having their data deleted and the legal bases for processing data will be reduced significantly.

If customer consent is the only justification for processing data the data subject will be in a stronger position to request that it be deleted.

7. Customer consent as a ground to process data

Consent must be ‘freely given, specific, informed and unambiguous’ in relation to customer consent. The customer must not be duped or forced into giving the information. They must also know what exactly they are consenting to and requires a positive action of approval; it cannot be inferred be silence or a failure to take action eg tick a box to opt out.

Subjects also need to be told of their right to withdraw consent. You need to be able to show how consent was obtained, and have a record of it. Generally, where consent is relied upon, the data subject has stronger rights in relation to their personal data.

However, be careful about employee consent, as it it unlikely to be an acceptable legal basis for gathering data (see below).

8. Processing children’s data

If you must gather children’s data you need to be careful about being able to verify the age of the child and obtain the consent of the guardian.

Special protections in respect of children’s data will be introduced, especially in relation to social media use and commercial internet services.

9. Reporting data breaches

You must ensure you have sound procedures in place to detect, report and investigate any data protection breach. The GDPR will introduce mandatory data breach reporting obligations to the Data Protection Commissioner.

Failure to report a breach will result in a fine in addition to the fine for the breach and breaches will typically have to be reported within 72 hours.

10. Data protection impact assessments (DPIA)

This involves the systematic consideration of how a particular initiative will impact on the privacy of individuals. This assessment may involve discussions with groups and stakeholders.

If this assessment leads the organiser to believe that the risks to personal data cannot be mitigated fully it may be necessary to contact the Data Protection Commissioner before starting the process of gathering data.

If a project requires a DPIA you will need to consider

  • Who carries it out?
  • Who needs to be involved?
  • Will it be run locally or centrally?

The whole thrust of the DPIA is to identify potential problems with an initiative involving the gathering of personal data and look at ways to mitigate those issues.

11. Data protection officers

Some organisations will need to designantt a DPO (data protection officer) under the GDPR regime. Such organisations would include public bodies, large organisations, and so forth but you need to consider whether you need a data protection office in your organisation.

He/she will need to be conversant with GDPR and its obligations. You may appoint an external advisor to this role, if there is nobody suitable or qualified in your organisation.

12. GDPR and international organisations

For organisations which have operations in many EU states you will be entitled to deal with one data protection authority, a Lead Supervisory Authority (LSA) as your single regulating body in the country where you are mainly established.

This will generally be determined as the country where the main administration of the organisation is carried out.

How will GDPR affect your organisation?

We know that the GDPR (General Data Protection Regulation) will come into effect in all EU member states including Ireland on 25th May, 2018.

In addition to this EU regulation having direct effect from May, 2018 Ireland will have its own additional data protection legislation, with a bill  being drafted and finalised in late 2017.

What differences will we see from the existing data protection regime in Ireland? Let’s take a look, shall we?

1. Severe financial penalties and compensation

Currently, if an individual is aggrieved about a breach of his/her data protection rights he can report this to the Data Protection Commissioner. However, it is up to the Data Protection Commissioner as to whether she takes any action by way of criminal prosecution in the District Court. For the individual concerned, there is no compensation for a breach unless he/she has suffered loss or damage.

I have written about this elsewhere: Data Protection Breaches-Are You Entitled to Damages?

Under the new regime the Data Protection Commissioner (DPC) will have the power to impose eye watering fines for breaches of data protection rules. These penalties can reach 4% of an organisation’s worldwide turnover or €20 million for breaches of the data protection law.

In the case of public bodies the DPC will have the power to impose these fines by way of administrative fines; in other cases she will have to prosecute through the District Court as criminal prosecutions.

Crucially the GDPR includes the right of an individual whose rights have been breached to be compensated for material or non material damage. This would include for stress arising from the breach which is a big change from the existing position that the individual must show material damage/actual loss suffered.

These new, stiff financial penalties are critical motivators for all organisations which keep data to analyse where there is any potential infirmities in their data protection obligations.

2. Greater transparency

Up to now there has been a general obligation on the data controller to obtain data/information fairly and to let the data subject know who is gathering the data, why they are gathering it, and who it might be provided to. The gathering of the data must be fair, and the data subject must not be surprised by any of the uses to which his/her personal data is being put.

The obligations in this area have increased significantly to comply with a fundamental principle of GDPR: the principle of lawfulness, fairness, and transparency.

The GDPR now obliges the data controller to address a list of questions about the gathering of the data-questions like the legal basis for processing the data, how long it will be retained, and detailed information for the data subject about their data protection rights.

GDPR also places an increased focus on the necessity of gathering the data for the purpose for which it is being gathered. If it is not necessary for the avowed purpose, it should not be gathered.

Organisations, therefore, need to be disciplined about the personal data which they gather.

The data controller will also become more accountable for the application of the data protection laws in the organisation and must be able to show compliance with the principles of the GDPR.

The obligation to be more transparent and comply with the principle of gathering only necessary data will almost certainly force organisations to take a closer look at their existing data protection policies, and ensure clear, effective communication with the data subjects. This communication would not be confined to simply distributing the policy document but also telling the subject at the data collection point why this particular data is being gathered and telling them what their rights are arising from GDPR (see “7” below).

3. Record keeping obligation

There is an increased onus on organisations in respect of record keeping, even though there is no requirement to register with the Data Protection Authority in Ireland.

However, this record keeping burden does not rest with organisations with less than 250 employees. These organisations need to ensure that they have implemented “appropriate data protection policies”(Article 24) which might include a general data protection policy, a website cookie and privacy statement policy, a policy for the use of CCTV, email, internet and social media policies, and so forth, depending on the organisation.

4. Consent-is it enough for a legal basis for processing?

The principle of consent is an important one in the GDPR and the conditions for consent.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

It is vital that the consent that is given is given freely and it can be freely withdrawn at any time and it should be as easy to do so as when giving it. The consent needs to be freely given, specific, informed and unambiguous.

The organisation must be able to prove that they obtained the consent and it is unlikely that the consent will be regarded as freely given if the parties are in an imbalanced relationship, for example employer/employee.

It is also worth noting that it is unlikely that the mere giving of consent gives an organisation a legal basis for data collection. A more reasonable legal basis for collection would be the performance of the employment contract or compliance with legal obligations (eg tax obligations or record keeping for employment law purposes) or the legitimate interest of the employer.

Also, the consent must not be bundled in with other terms and conditions of a contact between the parties, but must be separated in a separate consent declaration and the burden of proof of proving that a valid consent was obtained is on the employer.

In summary, the question of consent has been given much more important than the previous standard of “freely given” consent and consent cannot be relied upon where the relationship is imbalanced, as you have in an employer/employee situation.

Standard clauses in employment contracts will not be sufficient to allow extensive use of the employee’s data eg transfer overseas and consent should only be relied on when absolutely necessary.

What is an acceptable legal basis for gathering employees’ data? Likely to be acceptable are the following grounds:

  • it is necessary for a legitimate, lawful interest of the employer. This must be necessary and proportionate, however;
  • it is necessary to comply with the law-for example, deduction of tax, prsi, USC etc. from wages;
  • it is necessary to perform the contract-for example, to calculate wages due
  • necessary to protect the vital interests of a person
  • necessary to carry out a task in the public interest
  • consent (but consent on its own is not enough).

5. Data Protection Officer (DPO)

Under GDPR certain organisations are required to appoint an independent data protection officer. These include

  1. Public authorities
  2. Organisations who systematically and regularly monitor data subjects on a large scale
  3. Organisations who process sensitive personal data on  a large scale or data in relation to criminal offences.

The DPO must inform and advise the organisation of its obligations under GDPR, provide advice, act as a point of contact with the supervisory authority, and monitor the organisation’s compliance with the law and its own policies.

The GDPR does not require any particular professional qualification but should be a professional with expert knowledge of data protection law and practice.

The DPO can be an external consultant or an employee of the organisation. If an employee, however, his/her other duties must not give rise to a conflict of interest.The contact details of the DPO must be published and provided to the supervisory authority and he/she must be involved regularly in meetings of middle and senior management, and consulted in relation to any data protection issues or breaches.

The DPO must also be given sufficient resources to do fulfill the role and act independently.

It is estimated that nearly 30,000 DPOs will need to be appointed to private sector organisations in the EU before May, 2018.

6. Data breaches notification

Any data breach must be notified to the Data Protection Commissioner within 72 hours. However, if there is no risk to employees’ data rights there is no obligation to report it. If the breach is likely to pose a high risk to employees’ rights and freedoms then it must be notified.

The notification must set out the circumstances of the breach, who has been affected, the likely consequences, the contact person/DPO of the organisation,  and the measures taken to mitigate any adverse consequences.

7. Enhanced rights for data subject

GDPR gives even more rights to data subjects. These rights include

  • To have inaccurate data rectified
  • To have personal data erased without delay (the right to be forgotten)
  • To restrict the processing of their personal data
  • To object to its processing altogether (this should be on compelling legitimate grounds)
  • The right to data portability (the right to obtain and use their own data for their own purposes across different services)
  • The right not to be evaluated on the basis of automated processing of data

These rights are not absolute, however, and for personal data to be erased it must no longer be required for the purpose for which it was acquired.

These new rights will create new, more onerous obligations for organisations and employers.

8. Data protection impact assessments (DPIA)

Data protection impact assessments may have to be carried out by employers, and the purpose is to ensure recognition of a principle: a data protection by design approach. This means that all the policies of an organisation should keep in mind privacy considerations of the data subject.

The organisation should also consider how to minimise the processing of personal data, as much transparency as possible, and allow the data subject to monitor processing.

Data protection rights and privacy of individuals should be considered in relation to the design of new products and services, and all internal policies of the organisation.

A DPIA will be necessary when a new processing activity may result in a high degree of risk for data subjects. The DPIA should contain:

  • A description and purpose of the processing
  • An assessment of the necessity for the processing operation
  • An assessment of the risks to the rights of the data subjects
  • What steps will be taken to reduce the risks.

A DPIA would be necessary for example where an employer is going to commence monitoring employees’ use of the internet or where a hospital may start processing its patients’ health data.

9. Data portability

This is a new concept and allows the data subject to transmit his personal data to another data controller. This can be done by the data subject receiving the data and giving it to the new data controller or having the first one transfer it to the new one.

However, the right is not an absolute one and does not apply to all data provided by an employee to an employer; it applies to

  1. a) automated data
  2. b) which was actively and knowingly provided by the employee to employer and
  3. c) the personal data must have been processed by the employer with the employee’s consent.

The automated data requirement above means that the right does not apply to  paper records.

This would not apply to data which was held by the employer and processed based on the legal ground of legitimate interest or for a specific legal obligation connected with the employment relationship eg payment of statutory obligations such as tax/prsi.

The data controller cannot charge a fee for the provision of personal data and in a HR/employment law context the request for data should be considered on a case by case basis.

10. Data subject access requests

For employers the timeframe for responding to a data request has been shortened to one month. Employers, however, can extend this by two months if there is complexity involved in fulfilling the request.

If a request is “manifestly unfounded” or “excessive” the employer can refuse the request or charge a fee. However, “manifestly unfounded” and “excessive” in this context has not been defined so it remains to be seen how this is to be assessed.

11. Demonstrating compliance

The data controller will need to be able to demonstrate how they comply with  the data protection principles.

This would mean that employers, for example, would need to be able to show that consent was given and that there are compelling legitimate grounds for processing the data where the data subject objects.

12. Conclusion

The GDPR is a far reaching piece of secondary legislation emanating from Europe and should be of particular concern for employers who need to look very carefully at their existing data protection policies, how they gather data, whey they gather it, their procedures for responding to data protection requests in future, when they need to carry out a data protection impact assessment (DPIA), review their existing data privacy policies and notices, and whether they need to appoint a DPO (data protection officer).

Useful links: