Privacy Culture
Dublin hosts a wide range of tech giants, which increases its economic significance on the world map. Their multinational headquarters make the Irish Office of the Data Protection Commissioner (DPC) a leading authority under a global spotlight. That is why, when it comes to privacy & data protection, Ireland can be considered a special jurisdiction.
According to the EuroBarometer Survey on Data Protection issued by the European Commission, more than a quarter of the respondents feel they have no control over the information they provide online, and 83% claim to be concerned about companies using personal information for a purpose different from the one for which it was collected. Irish perceptions of and attitudes towards personal data are similar to those of most Europeans.
Legal History
The basic acts regulating data protection & privacy in Ireland are the Data Protection Acts of 1988 and 2003 (DPA). These acts transpose the requirements of the EU Directive 95/46/EC into national legislation.
There are a number of additional acts that complement the requirements of the basic Acts. The most recent of these include:
• Data Protection Act 1988 (Commencement) Order 2014 - it is an administrative consolidation and update of the basic governing law;
• Data Protection (Amendment) Act 2003 (Commencement) Order 2014 - it is an update to the basic governing law;
• European Communities (Electronic Communications Networks and Services) Regulations 2011 (Privacy and Electronic Communications) (e-Privacy Regulations) - it is an act to implement EU law in relation to communication services providers and their data protection obligations.
Enforcement and Court Action
The primary body responsible for the enforcement of data protection & privacy laws in Ireland is the DPC. The office has investigatory powers and can order the performance of an audit. The DPC has no power to issue penalties for breaching the DPA, but can prosecute organisations for contraventions of the DPA and the e-Privacy Regulations. In its annual reports, the DPC often criticises Irish companies and Government Departments for not taking sufficient account of data protection legislation.
Investigations are usually preceded by complaints from data subjects. If the DPC is of the opinion that there may be a breach of the DPA, it will initiate investigations. The DPC has powers to appoint an 'authorised officer', who conducts investigations in the form of a privacy audit. The authorised officer has broad competences to enter and examine the premises of the data controller or data processor. Obstructing or impeding the work of the authorised officer constitutes an offence. In general, the DPC seeks to resolve complaints through an amicable solution. Nevertheless, the Commissioner has powers to issue information and enforcement notices and to 'name and shame' non-compliant data controllers in the DPC's annual report. Most notably, the DPC prosecutes breaches of the DPA and the e-Privacy Regulations. Under the DPA, prosecution may result in a fine ranging from 3.000,00 EUR to 100.000,00 EUR. Breach of the e-Privacy Regulations can result in a maximum fine of 50.000,00 EUR for natural persons and 250.000,00 EUR for corporate bodies. In addition, the DPC publishes a series of guidelines for businesses to help their compliance efforts.
Corporate Risk
Dublin hosts a multitude of tech giants that have had an impact on both the public and private sectors in Ireland. These include the multi-billion businesses of Facebook, LinkedIn, Amazon, eBay, Intel, IBM, Airbnb, and Instagram. These corporations have not only shaped the Irish technology business but have also provided a lot of work to the Irish legal industry. They have also propelled the Irish DPC into position as one of the leading data protection authorities in the world.
In 2014 the DPC received 960 complaints. Nevertheless, only 27 required a formal decision; the rest were resolved by means of an amicable solution. 9 entities were prosecuted, and the DPC issued 3 enforcement notices and 9 information notices. The DPC's annual reports make clear that the authority often does not take action to fine an organisation because the organisation declares that it will make a voluntary donation to a particular charity.
In 2015 the number of complaints compared to 2014 decreased to 932. The largest single category of complaints related to access rights, which accounted for over 60% of the total number. 51 audits and inspections were carried out, including those on major holders of personal data in the public and private sectors. The DPC issued 3 Statutory Enforcement Notices.
Future Outlook
Data protection & privacy laws in Ireland are very dynamic. For example, recently a constitutional challenge brought by an NGO called Digital Rights Ireland in 2014 reached the Court of Justice of the European Union. As a result, the 2006 Data Retention Directive was declared invalid not only in Ireland, but across the European Union.
Currently, the DPC does not have the direct power to impose fines (these come via prosecution). However, the DPC will be granted the power to levy vast fines on some of the world's largest tech firms under the newly adopted General Data Protection Regulation (GDPR) on the basis of their Dublin headquarters. Further, the DPC might become a 'leading authority' within the meaning of the GDPR one-stop-shop principle, under which companies deal with only one EU authority when conducting business across the Continent.
The DPC remains the lead regulator on privacy issues for companies such as Apple, Facebook or Yahoo!, since Ireland is where their European headquarters are. In May 2018, when the GDPR enters into force, the monetary penalties will be significant, with a maximum fine of 4% of annual global turnover or up to 20m EUR, whichever is higher. When the DPC gains the power to impose such fines, it will become one of the most important data protection & privacy authorities in the business world.
Sources
1. DataGuidance, Global Privacy Enforcement Report 2015 [Cecile Park Publishing Ltd.]
2. European Commission, EUROBAROMETER Survey on Data Protection, 28/02/2015 – 09/03/2015, http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_fact_ie_en.pdf
3. Data Protection Commissioner, Offences and Penalties https://www.dataprotection.ie/ViewDoc.asp?fn=/documents/legal/4e.htm&CatID=23&m=e
4. Data Protection Commissioner, Powers of the Data Protection Commissioner https://www.dataprotection.ie/ViewDoc.asp?fn=/documents/legal/4c.htm&CatID=22&m=e
5. The Court of the European Union, Joined Cases C-293/12 and 594/12 Digital Rights Ireland and Seitlinger and others http://curia.europa.eu/juris/liste.jsf?num=C-293/12
Data Privacy Recruitment Ltd.
All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice.
September 2016
London, the United Kingdom