Business Legal specialises in four core areas.
1. Health and Safety
2. HR and Employment
3. Data Protection and Privacy
4. Legal Project Management/General Counsel services
Almost uniquely, this pandemic touches upon all of these areas, but in this newsflash edition we are advising of some BIG data protection news.
Data Protection Commission issues first
GDPR administrative fine
Coming from a low base
Historically, the Data Protection Commission (“DPC”) has not had the power to issue administrative fines, or indeed any other penalties for breach of data protection law. This fact is not always appreciated by our more recent GDPR practitioners. The DPC did however find ways to enforce in some circumstances. It was always the case that data protection legislation in Ireland provided for voluntary arrangements to resolve data protection disputes. In such circumstances, the DPC would agree not to further investigate a particular issue, in return for an offer of amends from the controller to the data subject, often involving compensation. Apart from this, the DPC occasionally insisted on payments of its own costs, as a prerequisite for agreeing not to prosecute. It was a fairly limited enforcement system and could very much be said to be a light touch regulation.
Separately to this, there was, and still remains an ability for the DPC to prosecute certain limited matters under data protection law. Essentially these are impeding the DPC or failing to follow their lawful directions, and some very limited offences relating to employment, micro-targeting of children, processing of information relating to convictions or alleged criminal offences, unauthorised disclosure by a processor or an agent or employee of a processor. Some of these offences carry penal terms of up to 5 years imprisonment. They are criminal offences, not mere breaches of GDPR.
Notwithstanding the above, the history of data protection from 1988 to date has been one of zero criminal convictions with prison sentences, and some criminal convictions but with very light fines. There was an expectation that GDPR would see a massive increase in fines, particularly as it was now possible for the DPC to issue administrative fines generally of up to €20 million or 4% of total worldwide annual turnover for a proceeding financial year, whichever was the greater. In short, the DPC now has the tools with which to heavily enforce the GDPR. The question was however, would they use these tools?
Administrative fines are issued by the DPC, but as only the Courts may issue fines in Ireland, a pro forma application is made to the Circuit Court in order to turn an administrative fine into a judicial fine. These fines can be resisted, but only on the basis of administrative impropriety. There is a similar regime for the enforcement of employment law determinations issued by employment body fora such as the Workplace Relations Commission. It is rare that these enforcement actions are contested, as one has to show a breach of administrative law in relation to the fines, rather than that the recipient of the fine disagrees with the basis of the decision, or the amount of the fine.
In the case of GDPR administrative fines however, if the fine is appealed, it is open to the Circuit Court to substitute its alternative amount of what it believes to be a proportionate fine, or annul the DPC decision.
If the fine is not appealed, the Circuit Court may still refuse to confirm the administrative fine if it “sees good reason” to do so.
The Phoney War
Initially, the DPC announced in general terms that it would be giving approximately one year’s grace post 25 May 2018 before enforcement activity began in earnest. This was despite the two years grace period contained in the legislation, which ran for the two years prior to 25 May 2018. In fact, the DPC has not concentrated on enforcement in the two further years since the GDPR became operational.
Businesses have therefore had four years within which to become operationally ready for the GDPR’s enforcement regime, but not unsurprisingly, the attitude of many businesses has been that if the DPC is not prepared to enforce, why should they spend money on what is after all a regulatory regime which in the absence of enforcement would have a more limited effect on their business.
Things just got interesting
Last Friday, the DPC filed a Circuit Court action against TUSLA to confirm an administrative fine of €75,000 in relation to 3 data breaches. TUSLA has not contested the administrative fine.
In relation to timeframes, this was an investigation that started in October 2019, and has just been completed, taking a total of eight months. All investigations will be different, but it is indicative of the timescales involved. Considering the maximum amount of the administrative fine which could be imposed was €10 million in this case (there is a lower limit for certain types of breaches of the GDPR, including data breaches), a fine of €75,000 represents a fine of 0.75% of the maximum fine. This does suggest that fines for single incident data breaches may be relatively low.
Notwithstanding this of course, the organisation involved has suffered severe reputational loss, been fined for a breach, and €75,000 is a far cry from the previous level of fines imposed for criminal offences under the old regime, which often amounted to fines of several hundred euro. As against that, the three breaches do appear to be serious. In one breach TUSLA accidentally disclosed the address of the foster home to the children’s imprisoned father, who then wrote to them at that address, in another case TUSLA accidentally gave contact details of foster parents and the children’s school to a grandparent, which allowed the grandparent to make contact, and in the third case TUSLA accidentally disclosed contact and location data of a mother and child to their alleged abuser.
It is expected that over time that the consistency mechanism in the GDPR will result in an equalisation of administrative fines across the EU to some degree, with some countries such as Germany perhaps levelling down, whilst other countries such as Ireland, level up.
This is the first case of an administrative fine in Ireland. In general, across the EU, enforcement has been mostly quite restrained. Indeed, the largest privacy/data protection fines have actually been in the United States. However, this recent fine and the recent announcement by the DPC that it is scouring websites for cookie consent in order to take action probably means that this is the start of a much more impactful enforcement campaign. There is no reason to believe that only state organisations such as TUSLA will be targeted. Indeed, were a private organisation to have its data breaches made public, and make headline news, as a result of fines of this order or greater, the commercial impact would be severe. Such impacts include loss of confidence by customers, by staff, by group companies, by affiliates et cetera.
There is no need to panic
There is no need to panic because one of the key determinants in your treatment by the DPC is whether you have put in place a proper system. The DPC understands that accidents will always happen, and has made it clear that where an organisation has made its best efforts, that it will either not be administratively fined, or it will be issued with a very low administrative fine, possibly even a fine of zero. As important therefore as not having any breaches (this is nearly impossible) is having a system in place that will assure the DPC that you have made a reasonable effort to put in place appropriate data protection systems.