Data Protection Commissioner publishes 2012 Annual Report

It has been an eventful week for the issue of data protection and privacy law. On Tuesday the 21st of May last the Data Protection Commissioner published his 2012 Annual Report. During his press release Mr Hawkes outlined a number of concerning data protection issues. He stated that a 'worrying degree' of inappropriate access to personal data by State employees was detected in audit carried out by them. He expressed that these breaches and intrusion on privacy rights display a serious lack of awareness within the HSE as to what actually constituted appropriate access. Mr Hawkes also emphasised the need for additional resources for his office to cope with the increased growth in complaints received by the Office.


The on-going saga involving Justice Minister Alan Shatter and T.D. Mick Wallace also raises issues within data protection and privacy law. Mr Shatter revealed during a debate on RTÉ last week that Mr Wallace had been seen by gardaí using a mobile phone while driving. He said he learned of the incident during a briefing with members of the garda about penalty points. The Data Protection Commissioner has said he would be willing to investigate the matter fully if he received a formal complaint from Mr Wallace about improper use of private information. The decision of Mr Shatter to reveal such confidential information on national television undermines an Garada Síochana as a public body whose duties include safeguarding records and confidential information of citizens. It is likely that the data protection breach here will be investigated further.

On the 24th of May last the Irish Times reported that Minister for Social Protection Joan Burton intends to make births, deaths and marriages accessible online for the first time. The relevant legislation permitting the creation of the online register is the Social Welfare and Pensions Bill 2013. The development is aimed combatting fraudulent social welfare claims. Birth, Death and Marriage Certificates can be taken up at the public office on application together with the prescribed fee. The creation of a database of such information will no doubt have implications for data protection and privacy law.

Increase in Funding for the Office of the Data Protection Commissioner

The Minister for Justice, Alan Shatter, has underlined the Government’s ongoing strong support for the Office of the Data Protection Commissioner.

The Minister and the Government are acutely aware of the critical importance of the role of the Office of the Data Protection Commission in the development of the digital economy.

The Minister has already, in the context of the Budget allocations for 2013, made available significant additional supports and resources to the Office of the Data Protection Commissioner, which include:

• A 20% increase in the budget for the Office in 2013 (compared with 2012). This significant increase is noteworthy given that budgets for many public sector organisations have been reduced significantly, having regard to the current economic circumstances;


• Additional staffing resources which have been put in place including:


• Specialist staff including a Chief Technology Advisor and a legal advisor


• Additional administrative staff.

The Minister has also committed to providing whatever additional resources are necessary to enable the Data Protection Commissioner to continue to discharge the vital functions of his Office.

In the context of Ireland’s Presidency of the European Union, as part of its focus on the Digital Agenda, the Irish Presidency will work to reach agreement in the Council on key aspects of the data protection package. This is aimed at ensuring that citizens will have more control over their personal data.

Part of the data protection package includes proposals for a "one stop shop" data protection regime, i.e. where a multinational company is currently subject to the jurisdiction of multiple data protection authorities (DPAs), the proposed Regulation would provide for a multinational to be subject to a "one stop shop" single DPA working in close collaboration with other DPAs where services are being provided in different EU Member States. This is likely to have considerable implications for the Office of the Data Protection Commissioner in Ireland, including significant resourcing demands.

Large tech firms to welcome softer EU line on personal privacy

Irish Times - 7th March, 2013.

Brussels will be forced to water down tough data protection rules in a move that will come as a relief to tech groups after many of the EU’s member states called for a softer approach to the privacy push.

The climbdown will be welcomed by companies that collect large amounts of personal data, such as Google and Facebook, which have lobbied furiously against the proposed regulation, as well as the US government.

Washington has repeatedly voiced its concern that the rules, which include the power to fine companies up to 2 per cent of global turnover for breaching onerous data protection standards, were targeted specifically at US technology groups.

Resolving the transatlantic dispute over data protection rules could ease the way towards a new EU-US trade agreement over the next two years, which boasts huge commercial potential but is also rife with complications. 

The plan will be softened after at least nine countries – including the UK, Germany, Sweden and Belgium – said they were opposed to several proposed measures. 

Copyright The Financial Times Limited 2013

European Parliament to vote on united Data Protection Legislation

Members of the European Parliament will vote this week on a European Commission proposal on Data Protection.

Private companies such as Google and Facebook are under constant scruting in respect of their privay policies and the EU are under pressure to be seen to be taking some action. The newest propsal advocates the establishment of a single set of rules on data protection and online privacy. Currently each member state applies its own laws and sanctions. The main focus of the proposal is to target large companies so it will be important that the new regulations do not impose overly onerous administrative burdens on small and medium sized companies.

Under the new propsals, each national data protection authority will be responsible for implementing the new EU law. At the moment the administrative costs of complying 27 different regulations from the member states stands at £2.3 billion a year.

A united set of regulations for all Member States is common sensical from a cost-effective perpective but it is important that the new regulations take account of the differing circumstances and resources of companies.

Church defection website seeks record

Irishtimes.com - : Tuesday, January 29, 2013.

JASON KENNEDY - The founder of a website formerly used to allow people leave the Catholic Church is asking people who still wish to defect to retrieve their records from their parish.

Paul Dunbar, who runs countmeout.ie, is asking people to request a copy of their records from the parish they were born in. Mr Dunbar hopes that data protection legislation can be used to force the church to amend their records to reflect the member’s desire to leave the organisation.

Catholics may no longer formally defect from the Church after a change in canon law that took place in 2010. Before that, countmeout.ie said more than 12,000 copies of its online form to defect had been downloaded.

A spokeswoman for the Archdiocese of Dublin would not comment on Mr Dunbar’s campaign, but reiterated the statement issued in 2010, saying it was a change that did not just affect the Church in Ireland, but also the world. “The Archdiocese of Dublin plans to maintain a register to note the expressed desire of those who wish to defect. Details will be communicated to those involved in the process when they are finalised,” she said.

Despite this, Mr Dunbar says people are still unable to leave the church of their own accord, even through excommunication. “During April 2011, we assisted 16 people in their effort to have an Act of Apostasy recognised as a formal declaration of their wish to leave the church,” he said.
However, the Archdiocese of Dublin has decided it cannot accept these declarations, meaning those who wish to leave the church “continue to be denied this option”, he said.

“We have sent letters to Archbishop Martin and the Vatican over the last few months and we never got reply. If people don’t wish to be a part of the institution, it has no right to bind them there. It’s frustrating.”

FBD appeals against Data Breach Award

The Irish Times - Saturday, January 12, 2013

An Insurance company has appealed to the High Court against an award of €15,000 damages to a man over breach of his data protection rights.

FBD Insurance claims painter and decorator Michael Collins suffered no loss from the admitted breach after he made a claim when his work van was stolen outside his home at Mellowes Park, Finglas, Dublin, in September 2008.

Mr Collins said he lost work due to not having the van until it was recovered three months later, when he withdrew his claim. During that period FBD, on the basis of confidential information on him which it failed to disclose to him in accordance with data protection law, declined to deal with his claim, he said.

Inquiry into breaches of Experian's databases

Experian, a credit-reporting service with financial information on more than 740 million consumers, is being investigated by Irish regulators following breaches of the company’s databases. 

The Office of the Data Protection Commissioner has opened a preliminary inquiry into the security practices of Dublin-based Experian, said Gary Davis, the agency’s deputy commissioner. He said the move was prompted by reports that Experian’s database was invaded at least 80 times, leading to the theft of almost 15,500 credit reports since 2006. Hackers infiltrated Experian using passwords stolen from its customers, and invasions were not immediately detected. Mr Davis said regulators have asked Experian whether breaches have affected Irish consumers or businesses, and requested information on what steps the company was taking to prevent unauthorized access to its databases and safeguard records.

Gerry Tschopp, a spokesman for Experian, declined to comment directly on the Irish inquiry. The breaches were “isolated security issues experienced by a small number of our clients in North America involving US consumers under US data-protection jurisdiction”, he said in an emailed statement.