LAW

The core Irish data protection law consists of the Data Protection Act 1988 ("1988 Act") as amended by the Data Protection (Amendment) Act 2003 ("2003 Act") (together the Data Protection Acts ("DPA")). The 2003 Act implemented the EU Data Protection Directive (95/46/EC). In addition to the DPA, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 ("ePrivacy Regulations") set out data protection rules in relation to direct marketing and electronic communications networks and services, including location data and cookies.

DEFINITION OF PERSONAL DATA

Personal data is defined as data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller.

DEFINITION OF SENSITIVE PERSONAL DATA

Sensitive personal data means personal data as to:

  • the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject;
  • whether the data subject is a member of a trade union;
  • the physical or mental health or condition or sexual life of the data subject;
  • the commission or alleged commission of any offence by the data subject; or
  • any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

NATIONAL DATA PROTECTION AUTHORITY

Office of the Data Protection Commissioner ("DPC")

REGISTRATION

All data controllers and data processors are required to register with the DPC unless exempt.

The Irish registration regime contains wide exemptions for certain categories of processing that do not trigger a registration obligation. There are also certain categories of data controller and data processor that are subject to an absolute obligation to register.

The DPA exempts:

  • not for profit organisations, provided they only process personal data relating to their activities;
  • data controllers and data processors who process personal data kept in a public register; and
  • data controllers and data processors who only process manual data.

The Data Protection Act 1988 (Section 16(1)) Regulations 2007 ("2007 Regulations") also exempt from registration:

  • data controllers that only process employees' human resources data in the normal course of personnel administration;
  • candidates for political office and elected representatives;
  • schools, colleges, universities and similar educational institutions;
  • solicitors and barristers;
  • data controllers who process customer and supplier data in the context of normal commercial activity;
  • companies who process personal data of past and present shareholders, directors or other officers in complying with the Irish Companies Acts;
  • data controllers who process personal data for the purpose of publishing journalistic, literary or artistic material; and
  • data controllers or data processors who operate under a statutory data protection code of practice.

Data processors that process personal data on behalf of any of the above categories of data controller are also not required to register.

The 2007 Regulations impose an absolute obligation to register on banks, insurance undertakings, direct marketing firms, debt collection agencies, credit reference agencies, health professionals, anyone processing genetic data, ISPs and telecoms companies. Any data processor that processes personal data on behalf of a data controller that falls into one of these categories is also obliged to register. A failure by a data controller or data processor to register, when required to do so, is an offence punishable by a fine of up to EUR 100,000.

Data controllers and/or data processors are obliged to renew their registration annually. The DPC may refuse an application for registration under certain conditions. There is a right of appeal against a refusal to the Circuit Court.

DATA PROTECTION OFFICERS

There is no legal requirement to appoint a data protection officer but it would be best practice to do so. The DPC recommends that data controllers appoint a co-ordinator to deal with subject access requests. Where a data protection officer is appointed, this information should be supplied to the data subjects. A nominated contact for subject access requests also needs to be provided when making a registration application.

COLLECTION AND PROCESSING

The DPA transposes the data protection principles from the Data Protection Directive, which need to be complied with in relation to the collection and processing of personal data.

In addition to complying with the data protection principles, all processing of personal data must comply with one of a number of legitimate processing conditions contained in the DPA.

These include that:

  • the data subject has given his or her consent to such processing;
  • the processing is required for the performance of a contract to which the data subject is a party;
  • the processing is to prevent an injury or other damage to the health of the data subject;
  • the processing is to protect an individual's vital interests;
  • the processing is for the administration of justice; or
  • the processing is for the purposes of the legitimate interests pursued by a data controller.

If sensitive personal data is being processed, an additional set of processing conditions needs to be satisfied. These include the "explicit" consent of the data subject. The grounds for processing sensitive personal data are quite restrictive and it can sometimes be difficult to legitimise such processing.

TRANSFER

The DPA contains a number of restrictions on the transfer of personal data by a data controller to a country or territory outside the European Economic Area ("EEA"). Under the DPA, such transfers may not take place unless the receiving country ensures an adequate level of protection for the privacy of data subjects in relation to the processing of their personal data. A limited number of countries are recognised by the European Commission as providing this level of protection.

Otherwise under the DPA, it is only possible to transfer personal data outside the EEA if:

  • the data subject has consented to the transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller;
  • the transfer is necessary for reasons of public interest;
  • the transfer is necessary under some international obligation of the State;
  • the transfer is required or authorised by law;
  • the transfer is necessary for obtaining legal advice;
  • the transfer is necessary in order to prevent personal injury or damage to the health of the data subject; or
  • the transfer is made under one of the EU Approved Model Clauses.

Due to the varying standards of data protection in the US, transfers of data from the EEA to the US may take place (in the absence of fulfilling one of the exceptions above) where the recipient in the US has signed up to the Safe Harbour Scheme.

The DPC recognises the use of binding corporate rules ("BCRs"), and the Irish DPC has agreed to abide by the mutual recognition procedure. Multinational companies must submit draft BCRs to the DPC for its approval. The Irish DPC acted as the lead authority for the approval of Intel Corporation's BCRs in January 2012.

SECURITY

Data controllers and data processors must take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, personal data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

As to the level of security required, data controllers and data processors must put in place appropriate security provisions for the protection of personal data, having regard to:

  • the current state of technological development;
  • the cost of implementing security measures;
  • the nature of the personal data; and
  • the harm that might result from unauthorised processing or loss of the data concerned.

Data controllers and data processors are also obliged to take all reasonable steps to ensure that their employees and other persons at the place of work concerned are aware of and comply with the relevant security measures.

BREACH NOTIFICATION

The DPC has published a Personal Data Security Breach Code of Practice ("Code") which states that the DPC must be notified of any unauthorised disclosure of personal data except in limited circumstances. Notification to the DPC is not required only where all of the following apply:

  • fewer than one hundred individuals are affected;
  • no sensitive personal data or financial data is involved; and
  • the affected individuals have been informed.

Under the ePrivacy Regulations, personal data breaches in relation to electronic communications networks or services must be notified to the DPC. Where the breach is likely to adversely affect the personal data or privacy of a subscriber, the affected subscribers must also be notified.

In very limited circumstances, data controllers can take the view that affected data subjects do not need to be notified if measures have been taken which will make the data inaccessible to unauthorised users; such technical measures could include encryption.

ENFORCEMENT

The DPC is responsible for the enforcement of the DPA and the ePrivacy Regulations.

A breach of specific provisions of the DPA can result in criminal liability. These include:

  • the failure of a data controller or data processor to register;
  • the disclosure of personal data which was obtained without authority; and
  • the failure to comply with an Enforcement Notice.

Persons found guilty of offences under the DPA may be liable:

  • on summary conviction (before a district judge sitting alone), to a fine not exceeding EUR 3,000; or
  • on conviction on indictment (before a judge and jury), to a fine not exceeding EUR 100,000.

Breaches of other provisions of the DPA do not in themselves give rise to criminal liability, but the DPC may investigate the incident and issue an "Enforcement Notice" compelling a data controller to comply with the DPA. Failure to comply with an Enforcement Notice is an offence.

The ePrivacy Regulations prescribe fines for failure to report data breaches, inadequate security measures and sending of unsolicited communications (spam) with regard to electronic communication networks and services.

In addition to specific penalties arising out of enforcement actions, a breach of the DPA can also give rise to reputational damage, particularly if the DPC publishes details of the breach in his Annual Report or issues a press release (as he does from time to time).

In 2011 the DPC investigated 1,161 complaints (of these, 183 related to a co-ordinated action against one data controller with regard to access rights). This is a record high and represents a sharp increase on the 783 complaints filed in 2010. Approximately 22% of the complaints lodged in 2011 concerned breaches of the ePrivacy Regulations. The remaining 78% related to breaches of the DPA.

Complaints concerning access rights accounted for approximately 48% of the overall total.

ELECTRONIC MARKETING

The ePrivacy Regulations implement the anti-spam rules set out in Article 13 of the Privacy and Electronic Communications Directive (as amended by the Citizens' Rights Directive). These regulations came into effect on 1 July 2011.

Direct marketing emails can generally only be sent to users with their prior consent. A limited exemption is available for direct marketing emails sent to existing customers promoting other products or services similar to those previously purchased by that customer. Such emails can only be sent for 12 months from the date the contact details were collected, the customer must have been given the opportunity to object when the details were collected, and the product or service being marketed must be one offered by the person with the existing relationship with the customer.

B2B direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages.

The identity of the sender must not be disguised or concealed and the recipient must be offered an opt-out.

Direct marketing calls (excluding automated calls) may be made to a landline provided the subscriber has not previously objected to receiving such calls or noted his or her preference not to receive direct marketing calls in the National Directory Database. Direct marketing calls cannot be made to a mobile phone without prior consent.

One cannot send a direct marketing fax to an individual subscriber in the absence of prior consent. One can send such a fax to a corporate subscriber unless that subscriber has previously instructed the sender that it does not wish to receive such communications or has recorded a general opt-out to receiving such direct marketing faxes in the National Directory Database.

Breach of these anti-spam rules is a criminal offence. On summary prosecution (before a judge sitting alone) a maximum fine of EUR 5,000 per message sent can be imposed. On conviction on indictment (before a judge and jury) a company may be fined up to EUR 250,000 per message sent and an individual may be fined up to EUR 50,000 per message sent.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

Cookies – Consent is needed for the use of cookies unless the cookie is strictly necessary for the provision of a service explicitly requested by the subscriber or user. The ePrivacy Regulations expressly refer to the use of browser settings as a means of obtaining consent. There is no express requirement for consent to be obtained "prior" to the use of a cookie. A user must be provided with "clear and comprehensive information" about the cookie (including, in particular, its purposes). This information must be prominently displayed and easily accessible. The methods adopted for giving information and obtaining consent should be as "user friendly" as possible.

The DPC has provided regulatory guidance on the use of cookies which can be accessed at: http://www.dataprotection.ie/documents/guidance/Electronic_Communications_Guidance.pdf.

Location Data – One cannot process location data unless either (i) such data has been made anonymous or (ii) user consent has been obtained.

A provider of electronic communication networks or services or associated facilities (i.e. a telco) must inform its users of (i) the type of location data (other than traffic data) that will be processed, (ii) the purpose and duration of the processing and (iii) whether the data will be transmitted to a third party to provide a value added service. Users can withdraw their consent to the processing of location data.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com