Submissions on the Data Protection Bill
What will future Irish data protection law look like? Many of the decisions have already been made in Brussels and Strasbourg, but the EU General Data Protection Regulation still leaves quite a bit of discretion to individual Member States. The Department of Justice and Equality has just published a draft Heads of Bill giving effect to aspects of the GDPR, and it is currently undergoing scrutiny by the Oireachtas Joint Committee on Justice and Equality. DRI was represented before the Committee at a public hearing yesterday by TJ McIntyre and Simon McGarr, and a summary of the submissions we made is set out in the post below.
Introduction
Digital Rights Ireland (DRI) is grateful to the Committee for the opportunity to make submissions in relation to the Heads of Bill. DRI is the only Irish civil liberties group focusing on issues of technology and fundamental rights and has extensive experience in the area of privacy and data protection. DRI was the lead plaintiff in the judgment of the European Court of Justice in Digital Rights Ireland and Seitlinger and Others, which invalidated the Data Retention Directive; was an amicus curiae in Schrems, which found the Safe Harbor decision on data transfers to the United States to be invalid; and was an amicus curiae in Microsoft v. United States, which prohibited extraterritorial access by the US Government to emails stored in Ireland. DRI continues to bring litigation in this area, including an ongoing High Court challenge to Irish data retention laws.
Structure of the Bill
Head 5 states that:
Article 2 (Material scope) of the GDPR provides that its provisions do not apply to processing of personal data in the course of activities that lie outside the scope of EU law (e.g. national security) and those falling under the common foreign and security policy. Discussions are continuing on the question of whether and, if so, to what extent, provisions in the 1988 and 2003 Acts may need to be retained.
DRI shares the concerns expressed in previous testimony by the Data Protection Commissioner and Dr. Denis Kelleher that retaining portions of the earlier acts will result in a complicated and confusing patchwork of laws in this area. If the earlier acts are not repealed, researching some issues (particularly at the boundaries between public and private processing of data) will require piecing together the GDPR itself, the 1988, 2003 and 2018 Acts, as well as any relevant statutory instruments. This is entirely at odds with making the law accessible to the public.
While there are still a number of areas covered by Convention 108 which fall outside the scope of the GDPR – in particular, as Convention 108 applies to automated personal data files in the public sector generally – these areas are now considerably reduced as compared to the previous position under the Data Protection Directive and will require less work to identify and provide for. This is something which will have to take place in the relatively near future in any event, as the process for modernising Convention 108 (including aligning it to the GDPR) nears its conclusion.
DRI recommends that the 1988 and 2003 Acts be repealed, with those issues falling outside the scope of the GDPR included in a new, standalone, bill to parallel, as far as possible, the GDPR. This repeal and re-enactment should not undermine the additional rights provided for by those acts.
DRI also recommends that consideration be given to carving out Part 4 of the Bill and enacting it as a standalone bill. As a practical matter, including Part 4 in the Bill is likely to lead to confusion between the similar but distinct systems which will apply under the GDPR and the Law Enforcement Data Protection Directive. Readers without a legal background may be confused by the many sections which might appear to implement the GDPR, but in fact are limited to the law enforcement context. Indeed, this may even trip up readers with a legal background. For example, Head 20 provides for “national security” restrictions to be made by ministerial regulation (in the context of the GDPR); however “national security” is defined only in Head 26 (in the context of the Directive) – inviting blurring of the boundaries between the two parts. Treating Part 4 as a separate bill would help to clarify the scope of these provisions.
Representing Data Subjects
Article 80 GDPR provides for data subjects to be assisted in enforcing their rights by not-for-profit bodies. To explain why this is necessary, it may be helpful to refer to recently published research which examines how data protection law has been undermined by practices making it impossible for the average citizen to enforce their rights. For example, in relation to subject access requests it found that:
To exercise their rights, citizens are faced with an obstacle course: just to get to the starting line they need to traverse a number of hurdles before they can exercise their rights; many fall at the first hurdle because they cannot even locate the legal entity to whom they must make the request. Some fall at the second hurdle, when they are authoritatively, but incorrectly, told that they do not have the right. Those who manage to proceed may still give up before the next, as they are worn out by delays and administrative inefficiencies. But even those who make it to the starting line and successfully manage to submit a subject access request are still unlikely to know what data is collected about them, with whom it is shared and how it is processed… the whole range of informal practices, situational understanding, and non-legal norms come into play to systematically discourage and thwart data subjects in successfully gaining access to their data and information about how it is processed and shared.
Article 80 GDPR helps to remedy this power imbalance by permitting qualified not-for-profit bodies (such as consumer rights organisations, civil rights groups, or trade unions) to act on behalf of the data subject. It provides that:
1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77 [right to lodge a complaint], 78 [right to an effective judicial remedy against a supervisory authority] and 79 [right to an effective judicial remedy against a controller or processor] on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.
To summarise, Article 80 has mandatory and discretionary parts:
• Member States must give effect to the data subject’s right to mandate a non-profit to lodge complaints with a data protection authority and seek a judicial remedy (such as an order that data be destroyed) against a controller or processor.
• Member States may provide that a non-profit can seek compensation (damages) on behalf of a data subject.
• Member States may provide that a non-profit can, of its own accord, lodge a complaint with a data protection authority and seek a judicial remedy (such as an order that data be destroyed) against a controller or processor.
These Heads of Bill, however, fail to give effect to either of these two discretionary parts of Article 80, without any explanation as to why this narrow approach was chosen. This will both undermine fundamental rights and lead to practical problems. In particular:
• The ability of non-profits to assist individuals by bringing claims on their behalf is hampered by the fact that non-profits will not be able to seek compensation for those individuals. This creates a perverse incentive – those who are most harmed by an illegal practice will be the least able to ask a non-profit to bring an action on their behalf, as by doing so they will not be able to receive compensation. Instead they will have to bring a claim themselves, if they have the knowledge to do so, can afford to do so and can risk the legal costs involved.
• A knock-on effect is that this will lead to an increased number of cases before the courts, in a way which will be unmanageable for any large-scale data protection breach given the lack of any general provision for class actions in Irish law.
• The failure to allow non-profits to bring complaints of their own accord means that illegal practices will go unchallenged unless a particular victim is identified and willing to step forward. This is a particular problem in areas of sensitive personal data where a complaint may be embarrassing, humiliating or even dangerous.
The need for non-profits to be able to bring complaints of their own accord has been recognised in our own litigation. In Digital Rights Ireland Ltd v. The Minister for Communication, Marine and Natural Resources & Ors. the High Court granted locus standi to DRI to challenge data retention laws on behalf of the wider population on the basis that the privacy interests affected by those laws were “of great importance to the public at large” and without a representative action “it is unlikely that any given mobile communications user… would bring the case, given the costs that would be associated with any such challenge”. It is unfortunate that this point has been ignored in the drafting of the Heads of Bill.
DRI recommends that the Heads of Bill be amended to provide that a data subject can mandate a properly qualified not-for-profit body to seek compensation on his/her behalf.
DRI recommends that the Heads of Bill be amended to provide that a properly qualified not-for-profit body shall have the right to lodge a complaint or seek an injunction against a controller/processor if it considers that the rights of a data subject have been infringed.
Head 20 – Restrictions on exercise of data subject rights
It seems to DRI that Head 20(1) – by providing a largely open-ended power to any Minister to make regulations in any area restricting any data subject rights on the basis of any “important objectives of general public interest” – is extremely problematic.
As a matter of national law, Cityview Press v An Comhairle Oiliúna [1980] IR 381 has established the well known test that to comply with Article 15.2 of the Constitution any delegated legislative power must not go further than “filling in the details of principles and policies already articulated” in the parent statute. In this case, however, Head 20 provides for the restriction of data subject rights on the basis of an “intentionally non-exhaustive” list which includes any “important objectives of general public interest”. It is difficult to see that this open-ended power meets the domestic constitutional requirements of Article 15.2, even before considering its compatibility with EU law.
Indeed, Head 20 is circular – subhead 1 provides that regulations may be made to protect “important objectives of general public interest referred to in subhead 2” while subhead 2 provides that “[i]mportant objectives of general public interest include… (s) such other important objectives of general public interest… as may be prescribed in regulations made in accordance with subhead 1”. In effect, regulations may be made to define a general public interest which then provides the legal basis for making those same regulations. [Note that there is a typo here – subhead “2(s)” appears twice on p.36 of the General Scheme.]
The Explanatory Notes at p.27 of the General Scheme acknowledge that it “would be desirable for all Departments to consider the need for specific amendments to primary legislation”; however in the view of DRI the need for specific amendments goes beyond being merely desirable and is necessary for there to be a sufficient legal basis for regulations restricting data subject rights, bearing in mind that such rights are not merely legislative but are protected under Article 8 of the EU Charter of Fundamental Rights.
DRI recommends that, where necessary, specific statutory powers should be put in place to make regulations restricting data subject rights, and that Head 20(1) should be deleted.
DRI recommends that in the event Head 20(1) is retained, it should be modified to ensure that the power to make regulations under this section is a residual one, to be used only where there is no other specific statutory power (to avoid evasion of restrictions which might apply under those other powers) and subject to additional safeguards such as a requirement of a positive resolution of both Houses of the Oireachtas before the regulations come into force, a sunset clause limiting the duration of Head 20(1) to a transitional period following the adoption of the Act, or a sunset clause limiting the duration of regulations made under this provision.
Remedies in the case of retaliation against Data Protection Officers
The GDPR recognises that Data Protection Officers (DPOs) are placed in a difficult position where they must act independently of their employer and Article 38(3) provides that the DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”.
The GDPR does not, however, provide any specific remedy for a DPO who is dismissed on this basis.
It is likely that an Irish court would treat the retaliatory dismissal of a DPO as breaching an implied term in the contract of employment, entitling the DPO to bring an action for wrongful dismissal in the courts.
However, such actions are slow, difficult and risky for individual plaintiffs, particularly as they expose them to the risk of significant legal costs being awarded against them.
It would be desirable to enable DPOs who have been dismissed to make a complaint of unfair dismissal under the Unfair Dismissals Acts 1977–2015, enabling them to use the (comparatively) streamlined and low-cost procedure of a complaint to the Workplace Relations Commission. There is precedent for doing this in section 11 of the Protected Disclosures Act 2014, under which a dismissal for making a protected disclosure is automatically treated as unfair. Indeed, this may already apply to some dismissals of DPOs – for example, where a DPO is dismissed for providing information to the Data Protection Commission.
DRI recommends that dismissal of a DPO contrary to Article 38(3) GDPR be included as a ground for unfair dismissal under the Unfair Dismissals Acts 1977–2015.
Image Credit: Robin Stevens