A data processor has been found criminally liable for the first time in Ireland. Michael J Gaynor, trading as MJG Investigations, was prosecuted at Dublin Metropolitan District Court in November 2014 for breaches of Irish data protection law.
Mr Gaynor was charged with unlawfully obtaining personal data relating to individuals who had unpaid debts. The information was held by ESB, the Garda PULSE database and the Garda National Immigration Bureau computer database. This information was obtained through contacts of Mr Gaynor from his previous employment with An Garda Síochána. The personal data disclosed were account details, names, dates of birth, PPS numbers and utility bills which were given to various Credit Unions.
The Court convicted Mr Gaynor of two offences under Irish data protection legislation and imposed a fine of €2,500 for each offence. The Office of the Data Protection Commissioner (“ODPC”) was awarded costs.
The decision is noteworthy because it was the first prosecution of a data processor, in this instance Mr Gaynor, for processing personal data while not being registered on the register of the ODPC. Moreover, it was the second successful prosecution of a private investigator taken by the ODPC in 2014 (see here). This case serves as reminder to those who process personal data to do so in accordance with data protection legislation or potentially face criminal sanction. In addition, it sends a strong message to any individual or company who hires the services of a private investigator to ensure that they are registered with the ODPC and undertake appropriate due diligence in advance of processing any personal data.
The ODPC has stated it has many ongoing investigations and that more prosecutions will be taken in the future.