LAW AND THE REGULATORY AUTHORITY
1 Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?
The data protection regime in Ireland is governed by the Data Protection Acts 1988 and 2003 (the DPA). The DPA transpose European Directive 95/46/EC on data protection into Irish law.
As well as conferring rights on individuals, the DPA also place obligations on those who collect and process personal data. 'Personal data' is defined as any information relating to a living individual identifiable from that data (or from a combination of that data and other information which the data controller is in possession of or is likely to come into possession of).
The DPA seek to regulate the collection, processing, keeping, use and disclosure of personal data that is processed automatically or, in certain circumstances, manually.
The DPA places responsibilities on both 'data controllers' and 'data processors'. A data controller is one who controls the use and contents of personal data, while a data processor refers to a person who processes personal data on behalf of a data controller.
Ireland is a signatory to both the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the European Convention on Human Rights and Fundamental Freedoms.
2 Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the powers of the authority.
The DPA confer specific rights on the Office of the Data Protection Commissioner (the ODPC) and explicitly state that the ODPC shall be the supervisory authority in Ireland for the purpose of the Directive.
The ODPC is responsible for ensuring that individuals' data protection rights are respected, and that those who are in control of, or who process personal data carry out their responsibilities under the DPA.
Powers of the ODPC
Under section 10 of the DPA, the ODPC must investigate any complaints that it receives from individuals in relation to the treatment of their personal data unless it considers them to be 'frivolous or vexatious'. The ODPC may also carry out investigations of its own accord. In practice these usually take the form of scheduled privacy audits, although it should be noted that the ODPC is not prevented from conducting 'dawn raid' types of audits if it decides to do so (see the note on the powers of 'authorised officers' under section 24 of the DPA below).
Power to obtain information
Under section 12 of the DPA the ODPC has the power to require any person in this jurisdiction to provide it with whatever information it needs to carry out its functions. In carrying out this power in practice, the ODPC usually issues the person with an 'information notice' in writing. It is an offence to fail to comply with such an information notice (without reasonable excuse) although there is a right to appeal any requirement specified in an 'information notice' to the Circuit Court under section 26 of the DPA.
Power to enforce compliance with the Act
Under section 10 of the DPA, the ODPC may require a data controller or data processor to take whatever steps it considers appropriate to comply with the terms of the DPA. In practice this may involve blocking personal data from use for certain purposes or erasing, correcting or supplementing the personal data. This power is exercised by the ODPC by issuing an 'enforcement notice'.
Power to prohibit overseas transfer of personal data
Under section 11 of the DPA, the ODPC may prohibit the transfer of personal data from this jurisdiction to an area outside of this jurisdiction; however, in exercising this power the ODPC must have regard to the need to facilitate international transfers of information.
The powers of 'authorised officers'
Under section 24 of the DPA, the ODPC has the power to nominate an 'authorised officer' to enter and examine the premises of a data controller or data processor, to enable the ODPC to carry out its functions.
Such an officer has a number of powers such as: the power to enter the premises and inspect any data equipment there; to require the data controller or data processor to assist him or her in obtaining access to personal data; and to inspect and copy any information.
The ODPC may bring summary legal proceedings for an offence under the DPA.
The ODPC does not have the power to impose fixed monetary penalties, unlike the information commissioner in the UK.
3 Breaches of data protection
Can breaches of data protection lead to criminal penalties? How would such breaches be handled?
Yes. While most of the penalties for offences under the DPA are civil in nature, breaches of data protection can also lead to criminal penalties.
Summary legal proceedings for an offence under the DPA may be brought and prosecuted by the ODPC. Under the DPA, the maximum fine on summary conviction of such an offence is set at €3,000.
On conviction on indictment (such a conviction in Ireland is usually reserved for more serious crime), the maximum penalty is a fine of €100,000.
4 Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
Some areas of activity are outside the scope of the DPA. The DPA applies to individuals or organisations established in Ireland that collect, store, or process personal data about living people on any type of computer (or structured filing system).
Under section 1(4) the DPA does not apply if the personal data:
- is, or at any time was, kept for the purposes of safeguarding Ireland's security;
- consists of information that the person keeping the personal data is required by law to make available to the public; or
- is kept by an individual for his or her personal, family or household affairs, or for solely recreational purposes.
5 Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
No. Interception of communications is covered by the Interception of Postal Packets and Telecommunications (Regulation) Act 1993 and surveillance is covered by the Criminal Justice (Surveillance) Act 2009.
6 Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
Any processing of personal data in the context of e-health records, social media, or credit information must comply with the principles as set out in the DPA.
7 PII formats
What forms of PII are covered by the law?
Personal data includes any automated and manual data (ie, data that is recorded as part of a structured filing system) relating to a living individual who can be identified from the personal data in question (or from a combination of that data and other information which the data controller is in possession of or is likely to come into possession of).
Is the reach of the law limited to data owners and data processors established or operating in the jurisdiction?
Yes. The DPA apply to data controllers in respect of the processing of personal data only if:
- the data controller is established in Ireland, and the data are processed in the context of that establishment; or
- the data controller is established neither in Ireland nor in any other state that is a contracting party to the European Economic Area (EEA) Agreement, but makes use of equipment in Ireland for processing the data otherwise than for the purpose of transit through the territory of Ireland. Such a data controller must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in Ireland.
Each of the following shall be treated as established in Ireland:
- an individual who is normally resident in Ireland;
- a body incorporated under the laws of Ireland;
- a partnership or other unincorporated association formed under the laws of Ireland; and
- a person who does not fall within any of the above, but who maintains in Ireland an office, branch or agency through which he or she carries on any activity, or a regular practice.
9 Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide services to owners?
Yes. The DPA applies to individuals or organisations established in Ireland that collect, store or process data about living people on any form of computer system.
Under the DPA, a distinction is made between those who control personal data and those who process it. A 'data controller' is one who (either alone or with others), controls the use and contents of personal data, while a 'data processor' refers to a person who processes data on behalf of a data controller. Generally, those who provide services to owners will be data processors. Employees who process personal data in the course of their employment are not included in these definitions.
LEGITIMATE PROCESSING OF PII
10 Legitimate processing - grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner's legal obligations or if the individual has provided consent? Give details.
Yes. Under section 2A(1)(a) of the DPA, consent of the individual is a legitimate ground for processing personal data. Data controllers can also process personal data without the data subject's consent (except where sensitive personal data is concerned - see question 11 below) if the processing is necessary for one of the following reasons:
for the performance of a contract to which the data subject is a party (including steps taken at the request of the...