National laws have often struggled to keep up with the vast changes in technology over the last decade. As data laws are being drafted to keep up with these changes, countries across the EU are starting to tighten up their data protection regimes.
In Ireland the relationship between the tech giants and the law has been uneasy. Ireland is the EU home to some of the world’s largest companies including Facebook, Apple and Google. The Data Protection Commissioner (‘the DPC’) in Ireland will have to police the use of the data of hundreds of millions of citizens.
The Irish Government has been in a difficult position as regards these companies; they obviously do not want to deter investment by interfering in the corporate governance of these giants. At the same time they have a duty to ensure that the vast amounts of data held by Apple and Facebook on people all over the world are kept securely.
There are two main reasons as to why we are likely to see much stricter enforcement of data breaches in Ireland in the future.
One reason is the perceptible change in the public mood in Ireland on the subject of data protection. This change happened quickly. In the past data protection was often considered an exercise in government red tape. Ordinary people now see data protection as a right rather than a burden.
We have seen a stricter enforcement in other countries in the area of data protection. Read our blog here about Data Protection Criminal Prosecutions.
There is a simple reason for this. Massive data breaches from around the world have been in the news during the last 12 months. The eBay debacle concerning the loss of the details of up to 233 million users received huge coverage in 2014.
The Snowden revelations and also the numerous news stories about data gathering by the UK and US Intelligence Services were widely reported. We then saw what many believed to be one of the most important stories on data breaches as far as the public were concerned. Jennifer Lawrence helped put a human face on the effects of data breaches. The callous public posting of her private photos helped make the subject of data security a much more urgent issue in the public mind.
Another source of stricter controls in Ireland is the new EU data protection law that is currently in draft form. This Regulation will be directly enforceable in Ireland. It is going to fundamentally change the existing data protection law. It will be more clearly defined and it will be stricter than the current EU Data Protection Directive has been part of the Irish law since 1995. This Directive did not have “direct effect”. This means it had to be brought into effect by each EU country.
The new EU law will bring huge changes to the data protection law in Ireland including bringing a statutory “right to be forgotten” into force for all Irish people whereby they can have old or irrelevant data on themselves deleted including unwanted material that appears on search pages or social media. It will also have the power to award fines of €100 million or up to 2% of a company’s annual turnover for data breaches. There has even been talk of fines of 0.5% of the annual turnover of companies if they fail to comply properly with SARs. The “right to be forgotten” ruling from the Court of Justice of the European Union has proved to be complex; see Blog: Google Advisory Council event discusses the right to be forgotten and Episode 123: We can’t forget the right to be forgotten.
The last Irish Data Protection Commissioner, Billy Hawkes, in his 2013 annual report said he saw the new EU law as “imposing stricter obligations on data controllers and processors and enhanced rights for data subjects.” We can already see signs of a much stricter data protection regime coming into force in Ireland.
Firstly, Helen Dixon was recently appointed as the new Data Protection Commissioner in July 2014. Ms Dixon was formerly with the Companies Registration Office for the past 5 years. She worked at the Department of Jobs, Enterprise and Innovation before that. Interestingly, she also has a technology background having worked for US technology titan Citrix as a manager of Technical Support Services. This will be invaluable in dealing with the huge challenges that Ireland faces in respect of the data that is held by Facebook, Apple and other tech companies in Ireland.
Secondly, there has been a very marked shift in the attitude of the Irish Government to data protection. The Department of the Taoiseach (the Irish Prime Minister) has said that there will be new steps taken “designed to strengthen the office” in relation to data protection. They have also talked about a “significantly upgraded” office and said the new office is to have “enhanced resources”.
The strongest evidence that there will be a stricter regime in Ireland is shown by the Irish Government appointing a Data Protection Minister to the Irish Cabinet. Dara Murphy TD was appointed in July 2014 as Minister of State for European Affairs and Data Protection. This is the first time ever in Europe that data protection has a seat around a cabinet table in government. Mr Murphy perhaps summed up the modern view of the Irish Government when he said that “As we move at an increasingly faster pace into the digital age, it is fundamental that we ensure our data which is an increasingly valuable asset, is afforded the optimum level of protection.”
The budget for the next year in respect of the department in charge of data protection has also doubled. In total, €3.65 million has been allocated to resource the Office of the Data Protection Commissioner for 2015. The budget in 2014 stood at €1.89 million.
Minister Murphy also talked of the “objective that Ireland will be best in class in terms of data protection regulation, investigation and enforcement.” There certainly seems to be a new sheriff in town when it comes to Irish data protection enforcement.
There is no ambiguity. Ireland is entering a new era of data protection. Companies, large and small will have to be much more compliant when it comes to data protection.
The risks of fines, prosecutions and adverse media are greater than ever before.
All companies with any sort of presence in Ireland will have to take advice to ensure their policies, their training, their websites and their data transfers are kept to the highest standards of data protection.
Acting now to prepare for these changes is essential.
Patrick O’Kane is Compliance Counsel with Cordery in London
Patrick O’Kane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700