The Data Protection Commissioner (“DPC”) has the power to:
- Investigate complaints and cases. It is under a mandatory obligation to investigate when complaints are received from individuals. It can also carry out investigations of its own accord where it believes there may have been a breach of the Data Protection Acts 1988 and 2003 (“DP Acts”);
- Appoint an authorized officer who has the power to enter premises of a data controller or data processor and to inspect the type of personal information kept, how it is processed and the security measures in place;
- Compel data controllers to comply with the Data Protection Acts by issuing an enforcement notice to;
- Obtain information from anyone by way of an information notice in order to pursue an investigation;
- Order the suspension of processing;
- Issue a prohibition notice to a data controller or data processor in order to prohibit the transfer of data from Ireland to a place outside Ireland; and/or
- Order the destruction of data and other similar actions. These orders can be appealed to the Circuit Courts within 21 days.
Individuals can file complaints with the DPC. The DPC will then be required to carry out investigations and may issue an enforcement notice. Individuals can also sue for breach of duty of care in the courts provided they can prove that the breach was caused by failure of the data controller.
Fines of up to €3,000 for summary conviction and up to €100,000 for conviction on indictment are applicable to offences under the DP Acts. A data controller found guilty of an offence under the DP Acts can be fined the amounts listed above and/or may be ordered to forfeit or destroy or erase any data which the court may determine to be connected with the commission of the offence. Summary proceedings for an offence under EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I.336 of 2011), may be brought and prosecuted by the DPC. Each call or message can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 for an entity. The court may also order the destruction of data that is connected with the commission of an offence.
A director, manager, secretary or other officer of a corporate body, including employees in some circumstances, may be held liable for an offence under the DP Acts where such offences were committed with their consent.
Selected Enforcement Actions/ General Comments
The DPC publishes an annual report naming, in certain cases, those data controllers that were the subject of investigation or action by the DPC during the previous year.
- Breach of the EC (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (the “2011 Regs”
The ODPC successfully prosecuted a number of companies in the Irish courts for unsolicited direct marketing offences in breach of the 2011 Regs in 2013. Typically companies are prosecuted after “two strikes” ie where they have failed to heed a prior formal warning by the ODPC, however that is not to say that the ODPC would not prosecute after one offence. Some examples from 2013 are as follows:
- A pizza company was ordered to pay €4,000 for sending unsolicited marketing messages to customers without obtaining their consent. They had previously received a warning from the ODPC due to their failure to include an opt-out facility in all marketing communications with customers;
- A car repairs company was ordered by the District Court to pay €2,000 to a charity, plus the ODPC’s costs for the prosecution, due to their repeated failure to obtain the necessary consent from customers before sending marketing messages;
2. Enforcement Notices Under Section 10 of the DP Acts
While the ODPC received over 900 complaints in 2013, most of these were resolved amicably without the need for a formal decision under section 10 of the DP Acts. There were, however, some enforcement notices and information notices served on companies. The key case involved a company that caused a data breach affecting nearly 1.5million people across Europe. This was Ireland’s biggest and most significant data hacking breach to date. An Enforcement Notice was issued by the ODPC as part of a package of immediate actions undertaken by the ODPC to limit the effects of the data security breach. The Enforcement Notice required the company, amongst some other things, to notify all its clients and affected individuals about the security breach, to delete all personal data held for the purpose of providing services to its clients and to implement a series of changes to its procedures to bring them in line with industry best practices. The company was also not allowed process personal data until it had satisfied the ODPC that these requirements were being met. The ODPC then carried out a system-wide audit to examine the company’s policies and procedures. Once the terms of the Enforcement Notice had been met, the ODPC lifted it.
3. Information Notices Under Section 12 of the DP Acts
In 2013, just two companies were issued with Information Notices pursuant to section 12 of the DP Acts in order to assist the ODPC in carrying out their functions, such as to pursue an investigation.
4. Damages Under Section 7 of the DP Acts
Section 7 of the DP Acts allows an individual to sue for a breach of duty of care by a company where they can prove that a breach was caused by failure of the data controller. The 2013 case Collins v FBD Insurance plc  IEHC 137, decided that in order for an individual to be awarded compensation under section 7 he or she must be able to prove that the breach caused him or her damage. In this case the Circuit Court had ordered an insurance company to pay the data subject €15,000 in compensation damages on the grounds that it had breached its duty of care to the data subject under the DP Acts. The High Court overturned the decision stating that in order for compensation to be awarded to a data subject under section 7 of the DP Acts, the data subject must establish that there has been a breach, that there has been damage and that the breach caused the damage. The claimant here had not successfully established that the breach caused her damage.
A recent Circuit Court decision awarded a woman €10,000 in damages against a pharmacy who had breached section 7 of the DP Acts. The claimant here did successfully establish that the breach caused her damage. The case demonstrates that where damage is proved, the courts are willing to award significant amounts of compensation.
5. Director’s Liability Under Section 29 of the DP Acts
Section 29 of the DP Acts provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers. Two directors of a firm of private investigators were recently charged with twenty three counts of breaches of Section 29 for the role they played in the offences committed by the company. The company was charged with twenty three counts of breaches of Section 22 of the DP Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. The company was convicted on five sample charges and fined €1,500 per offence. The directors were convicted of one sample charge each and both were fined €1,500 for that offence. This is the first occasion on which company directors have been prosecuted by the ODPC for their part in the commission of data protection offences by their company.