The Office of the Data Protection Commissioner (ODPC) this week successfully prosecuted a private investigator for breaches of Irish Data Protection legislation.
Following an investigation, the defendant was charged with sixty one counts of breaches of Section 22 of the Data Protection Acts, 1988 & 2003. The charges related to “obtaining access to personal data without the prior authority of the data controller by whom the data was kept and disclosing that data to another person.” Permanent TSB Bank had hired the defendant to trace people while insurance companies including Zurich, Alliance and the State Claims Agency also used his services to carry out surveillance on possible bogus claimants in personal injuries cases. The personal data in question was, at the time, under the control of the Department of Social Protection. The defendant was convicted on the first four charges and was fined €1,000 per charge for a total of €4,000. In addition, the defendant contributed €1,000 to the ODPC’s prosecution costs.
Upon conviction, Judge John O'Neill said: “Privacy is a huge topic nowadays and invasion of privacy is serious”, adding that there is now a greater emphasis on protecting those rights. The Commissioner, Helen Dixon, welcomed the decision, stating that the outcome was “a timely reminder to all companies and businesses which hire private investigators of their responsibilities under the Data Protection Acts to ensure that all work carried out on their behalf by private investigators is done lawfully”. The ODPC also outlined its commitment to continue investigations/prosecutions of Section 22 offences, several of which are currently underway.
Section 22 of the Irish Acts states:
A person who obtains access to personal data, or obtains any information constituting such data, without the prior authority of the data controller or data processor by whom the data are kept, and discloses the data or information to another person, shall be guilty of an offence.
This week’s case signifies the second consecutive week that the ODPC has carried out a successful prosecution and illustrates that the Office is beginning to take an aggressive stance on prosecuting those who contravene Data Protection law. This proactive stance is welcomed, especially in light of the impending enactment of the EU General Data Protection Regulation (GDPR) which sets out clearly defined rules and specific administrative fines for data breaches. Whilst the new law does not take effect until May 25th 2018, organisations in both the public and private sectors are being advised by the ODPC to implement proactive compliance standards in advance of this date, and to have data processing operations fully compliant by the time the GDPR becomes law. It is important to note that the new law is a Regulation – the most powerful instrument of the EU legislative structure – whereas the current law; EU Directive 95/EC/46, is a flexible instrument mainly used as a means to harmonise national laws. A Directive requires EU countries to achieve a certain result but leaves them free to choose how to do so. A Regulation, however, takes effect immediately in one uniform text, across the EU without need for any harmonisation with national laws.
Article 99 of the GDPR states:
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
While the GDPR has been promised for some time now, and has been subjected to amendments and re-drafts since being first proposed in 2011, now that the final text has been agreed and specific rules set out, there can be no confusion as to the requirements that will now be expected of data controllers and data processors going forward in the new regulatory environment. This is the message that the ODPC’s prosecutions are sending out to organisations that may be ‘on the fence’ regarding their compliance standards.
Moreover, under the uniform standards of the GDPR, the ODPC will have the powers to enforce the law to a degree similar to the equivalent Data Protection Authorities throughout Europe. For example, violation of German Data Protection laws are subject to fines up to EUR 300,000.00 per violation (administrative offence). Furthermore, in the case of wilful behaviour or if conducted in exchange for a financial benefit (criminal offence), infringements can lead to imprisonment of up to 2 years or a fine depending on the severity of the violation. The Irish Acts, by comparison, do not provide for criminal sanctions and currently offer less onerous fines, as has been evidenced by the cases before the Courts during the past two weeks. What is interesting is that the German regulatory authorities have until now been regarded as ‘reluctant’ concerning the enforcement of data protection law - very few official prosecution procedures were instigated and imposed fines were rather low. However, this is changing and there appears now to be a movement towards stricter enforcement of the law. This is in response to several data protection scandals involving loss and disclosure or misuse of personal data in the recent years. Ireland has also had some notable data protection scandals during recent years, notably the LoyaltyBuild data breach, and is central to the most significant data protection-related action of our times; Schrems v Facebook.
Over the course of the next two years during the build up to the GDPR entering into law, we therefore expect to see an increase in the amount, and level, of prosecutions sought by the ODPC here in Ireland against those who commit offences under the current law. Moreover, as the heightened standards expected under the GDPR become more familiar and eventually replace the current laws which are enforced on a subjective rather than an impartial, objective basis, it is widely accepted that punitive measures and consistent prosecutions will become the norm as opposed to the current, occasional circumstance.