Newsletter May 2020 – Covid-19 Update

Business Legal specialises in three core areas and Legal Project Management. 

1. Health and Safety 

2. HR and Employment  

3. Data Protection and Privacy 

4. Legal Project Management/General Counsel services 

Newsletter 
NEWSFLASH! 

Almost uniquely, this pandemic touches upon all three of these core areas, but in this newsflash edition we are advising of some BIG data protection news.

Data Protection Commission issues first GDPR administrative fine

Coming from a low base 

Historically, the Data Protection Commission ("DPC") has not had the power to issue administrative fines, or indeed any other penalties, for breach of data protection law. This fact is not always appreciated by our more recent GDPR practitioners. The DPC did, however, find ways to enforce in some circumstances. Data protection legislation in Ireland has always provided for voluntary arrangements to resolve data protection disputes. In such circumstances, the DPC would agree not to investigate a particular issue further, in return for an offer of amends from the controller to the data subject, often involving compensation. Apart from this, the DPC occasionally insisted on payment of its own costs as a prerequisite for agreeing not to prosecute. It was a fairly limited enforcement system and could very much be described as light-touch regulation.

Separately from this, there was, and still is, the ability for the DPC to prosecute certain limited matters under data protection law. Essentially these are impeding the DPC or failing to follow its lawful directions, and some very limited offences relating to employment, micro-targeting of children, processing of information relating to convictions or alleged criminal offences, and unauthorised disclosure by a processor or by an agent or employee of a processor. Some of these offences carry penal terms of up to 5 years' imprisonment. They are criminal offences, not mere breaches of the GDPR.

Notwithstanding the above, the history of data protection from 1988 to date has been one of zero criminal convictions and very light fines. There was an expectation that the GDPR would see a massive increase in fines, particularly as it was now possible for the DPC to issue administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever was the greater. In short, the DPC now has the tools with which to enforce the GDPR heavily. The question, however, was whether it would use them.

Administrative Fines 

Administrative fines are issued by the DPC, but as only the Courts may impose fines in Ireland, a pro forma application is made to the Circuit Court in order to turn an administrative fine into a judicial fine. These fines can be resisted, but only on the basis of administrative impropriety. There is a similar regime for the enforcement of employment law determinations issued by employment fora such as the Workplace Relations Commission. It is rare that these are contested, as one has to show a breach of administrative law in relation to the fine, rather than merely that the recipient disagrees with the basis of the decision or the amount of the fine.

The Phoney War 

Initially, the DPC announced in general terms that it would be giving approximately one year's grace after 25 May 2018 before enforcement activity began in earnest. This was in addition to the two-year grace period contained in the legislation, which ran for the two years prior to 25 May 2018. In fact, the DPC has not concentrated on enforcement in the two further years since the GDPR became operational.

Businesses have therefore had four years within which to become operationally ready for the GDPR's enforcement regime, but, unsurprisingly, the attitude of many businesses has been that if the DPC is not prepared to enforce, why should they spend money on what is, after all, a regulatory regime which, in the absence of enforcement, would have a more limited effect on their business.

Things just got interesting 

Last Friday, the DPC filed a Circuit Court action against TUSLA to confirm an administrative fine of €75,000 in relation to three data breaches. TUSLA has not contested the administrative fine.

In relation to timeframes, this was an investigation that started in October 2019 and has just been completed, taking a total of eight months. All investigations will be different, but it is indicative of the timescales involved. Considering that the maximum administrative fine which could be imposed was €10 million in this case (a lower maximum applies to certain types of breach of the GDPR, including data breaches), a fine of €75,000 represents 0.75% of the maximum. This does suggest that fines for single-incident data breaches may be relatively low.

Notwithstanding this, of course, the organisation involved has suffered severe reputational loss and been fined for a breach, and €75,000 is a far cry from the previous level of fines imposed for criminal offences under the old regime, which often amounted to several hundred euro. As against that, the three breaches do appear to be serious. In one breach TUSLA accidentally disclosed the address of a foster home to the children's imprisoned father, who then wrote to them at that address; in another case TUSLA accidentally gave contact details of foster parents and the children's school to a grandparent, which allowed the grandparent to make contact; and in the third case TUSLA accidentally disclosed contact and location data of a mother and child to their alleged abuser.

It is expected that over time the consistency mechanism in the GDPR will result in an equalisation of administrative fines across the EU to some degree, with some countries such as Germany perhaps levelling down, whilst other countries such as Ireland level up.

Commercial ramifications

This is the first case of an administrative fine in Ireland. In general, across the EU, enforcement has been mostly quite restrained. Indeed, the largest privacy/data protection fines have actually been in the United States. However, this recent fine, and the recent announcement by the DPC that it is scouring websites for cookie consent in order to take action, probably mean that this is the start of a much more impactful enforcement campaign. There is no reason to believe that only state organisations such as TUSLA will be targeted. Indeed, were a private organisation to have its data breaches made public, and make headline news, as a result of fines of this order or greater, the commercial impact would be severe. Such impacts include loss of confidence by customers, staff, group companies, affiliates and so on.

There is no need to panic 

There is no need to panic because one of the key determinants of your treatment by the DPC is whether you have put in place a proper system. The DPC understands that accidents will always happen, and has made it clear that where an organisation has made its best efforts, it will either not be administratively fined, or it will be issued with a very low administrative fine, possibly even a fine of zero. As important, therefore, as not having any breaches (which is nearly impossible) is having a system in place that will assure the DPC that you have made a reasonable effort to put appropriate data protection systems in place.