On the horizon
Increased government focus on data protection
2014 saw the appointment of Ireland’s first female Data Protection Commissioner, Helen Dixon. The 2015 Irish Government Budget has doubled the funding for the Data Protection Commissioner (the ODPC). Regulator profile, investigations and enforcement actions are likely to increase.
Data protection audits
In August 2014, the ODPC published an updated version of their 2009 Guide to the Audit Process to reflect developments in the legislation and changes in the approach of the ODPC to the audit process.
2013 saw a 10% rise from 2012 in the number of audits carried out by the ODPC to 44. The legal basis for the audits is contained in Section 10 (1A) of the Irish Data Protection Acts 1988 and 2003 (the DP Acts). It is anticipated that the level of audit activity in Ireland will continue to increase.
Cyber crime and cyber security
Ireland is required to transpose Directive 2013/40/EU on Attacks against Information Systems by 4 September 2015. The Directive has introduced new crimes such as botnet attacks and identity theft. An obligation has also been imposed on Member States to respond to urgent information requests within eight hours and to collect basic statistical data on national cybercrime.
First data protection convictions against company directors
In October 2014, the ODPC secured its first personal convictions against company directors for their part in the breach of data protection law by their private investigation company. The company was charged with 23 counts of breaches of section 22 of the DP Acts for obtaining access to personal data without the prior authority of the data controller and disclosing the data to another person. Separate prosecutions were made under section 29 of the DP Acts, which provides for prosecution where the corporate offence is committed with the consent or connivance of, or is attributable to any neglect on the part of the directors or other officers.
Irish Government involvement in the Microsoft warrant case
The Irish Government has filed an amicus curiae brief in relation to the US Court of Appeal case Microsoft v the United States. The amicus curiae concept allows a party to offer a position on a case that it is not directly involved in, which in this case is the ongoing legal dispute between the US and Microsoft over access to an email account held on an Irish server.
Ireland refers safe harbour question to the court of justice
In the case of Schrems v the Data Protection Commissioner, the Irish High Court had to consider whether the ODPC was correct not to investigate and stop the transfer of personal data from Facebook Ireland to its parent company in the US. The basis for the challenge to the transfer was that there is no effective data protection regime in the US.
In his decision on 18 June 2014, Mr Justice Hogan concluded that if the ODPC cannot arrive at a decision that is inconsistent with a Community finding (Safe Harbour) then accordingly the judicial review of the decision not to investigate must fail. He noted that the ODPC had ‘demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 decision’. However the Court went on to note that given the novelty and practical importance of the issues (primarily the validity of Safe Harbour) for all 28 Member States, the Court of Justice should determine whether an independent office holder such as the ODPC is absolutely bound by a Community finding or whether the office holder may conduct his or her own investigation of the matter in light of factual developments in the meantime since. At the time of writing the Court of Justice decision is pending.