Expert Comment - Data Protection Ireland

Author:Mr Rob Corbet
Profession:Arthur Cox

This year has been another interesting year for data protection. While the progress made on the Proposed General Data Protection Regulation was at best sporadic, there was plenty of other activity in Ireland and further afield to keep us entertained. DPC complaints, audits and breach notifications The Office of the Data Protection Commissioner ('ODPC') has had another high profile and busy year. The level of complaints to the Office continues to rise. In May's Annual Report, the Data Protection Commissioner ('DPC') reported nearly 1,400 complaints in the previous year (2012), while the numbers of data breaches being reported to the ODPC under its Data Breach Code of Practice continues to spiral, reaching 1,600 last year. The most high profile data breach of the year arose in November 2013, where LoyaltyBuild appears to have been the victim of a large scale hack the full extent of which is still being assessed by the Gardai and the ODPC. The Annual Report notes that 42 organisations were audited by the ODPC although some of these audits were issue specific. Some additional staff have been allocated to the ODPC during the year which has enabled them to try to address the growing burden on their resources. Civil litigation There were a number of civil cases before the Irish courts in 2013 where data protection took centre stage. In February, in the decision of Fox v DPC, the High Court upheld an ODPC decision to refuse to investigate a number of complaints from Mr Fox on the grounds that they were considered to be 'frivolous or vexatious', as defined in Section 10(1)(b)(i) of the Data Protection Acts 1988 and 2003 ('DPAs'). The decision follows the decision of Nowak v DPC (2012) and provides welcome clarity for the ODPC in the context of the huge numbers of complaints coming through their door. In March 2013, the High Court overruled the first damages award made for breach of the data protection duty of care created under Section 7 of the DPAs. In Collins v FBD Insurance, the High Court reversed a damages award made by the Circuit Court in respect of a failure by FBD to comply with a data access request. While the High Court maintained the costs award (acknowledging that a breach had occurred), the case indicates a reluctance on the part of the Irish Courts to open up significant damages awards for breach of DPAs. On 3rd July 2013, the Supreme Court unanimously dismissed the DPC's appeal against the High Court decision in EMI & Others v DPC. In the...

To continue reading