Data Protection Commissioner
| Formation | 1989 |
|---|---|
| Legal status | Independent regulator |
| Headquarters | Dublin and Portarlington |
| Region served | Republic of Ireland |
| Data Protection Commissioner | Helen Dixon (appointed 10 September 2014) |
The Office of the Data Protection Commissioner (Irish: An Coimisinéir Cosanta Sonraí) is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy by monitoring and enforcing compliance with data protection legislation in Ireland. With 9 of the 10 world-leading technology and internet companies, as well as many of the world's leading pharmaceutical and financial services firms, now located in Ireland, both the range of issues the Office deals with and its responsibility to Irish and EU users have expanded greatly since its establishment in 1989.
Current Data Protection Commissioner
Helen Dixon was appointed Data Protection Commissioner in September 2014. Prior to her appointment she held the role of Irish Registrar of Companies with the Companies Registration Office from December 2009. She previously held senior management positions in the Department of Jobs and Enterprise. She spent the first 11 years of her career working for US IT multinationals with EMEA bases in Dublin.
Role and operations of the Data Protection Commissioner
The independent role and powers of the Data Protection Commissioner are set out in the Data Protection Acts 1988 and 2003. The 1988 Act gave effect to the Council of Europe 1981 Data Protection Convention (Convention 108), and the 2003 Act transposed the 1995 EU Data Protection Directive (Directive 95/46/EC).
Investigation of complaints
Complaints from individuals who believe that their personal information is not being handled in accordance with data protection law are investigated under section 10 of the Data Protection Acts. The Office is under a statutory obligation to seek an amicable resolution of a complaint in the first instance. Where amicable resolution cannot be achieved, the Commissioner may issue a Decision stating whether, in her opinion, there has been a breach of the law. If either the complainant or the data controller disagrees with the Commissioner's finding, they have the right to appeal the Decision to the Circuit Court. Where a complaint is upheld, the DPC's main priority is that the data controller complies with the law and puts the matter right. If an organisation does not cooperate voluntarily with an investigation, the DPC has powers of compulsion to require its cooperation.
In 2015, the Office received 932 complaints that were opened for investigation, and concluded investigations into 1,015 complaints.[1]
Data breaches
Since 2013, under the revised ePrivacy Directive as transposed into Irish law, reporting of personal data breaches has been mandatory for telecommunications companies.
In addition, under the DPC's Personal Data Security Breach Code of Practice, which is voluntary, any organisation that suffers a data security breach involving non-sensitive personal data relating to 100 or more individuals is expected to report the breach to the Office of the Data Protection Commissioner. Organisations that suffer a breach involving sensitive data (medical data, financial information, sexual orientation, etc.) relating to even one individual are likewise expected to report it. This will change under the upcoming General Data Protection Regulation: data controllers will be legally obliged to notify the relevant data protection authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
In 2015, 2,376 data security breach notifications were received, an increase of 112 on 2014.[1]
Audits
Section 10(1A) of the Acts provides that "the Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof." These investigations often take the form of audits of selected organisations. The aim of an audit is to identify any issues of concern about the way the organisation under scrutiny manages personal data.
In 2015, the DPC carried out 51 audits and inspections of organisations in the public and private sectors.[1]
Consultation and Outreach activity
The Office of the Data Protection Commissioner devotes significant resources to providing guidance to organisations and individuals on their respective obligations and rights. Guidance is offered to organisations that voluntarily consult the Office to ensure that projects involving the collection and processing of personal data comply with data protection law. In this way, the Office improves data privacy outcomes for individuals, who have a fundamental right under European law to the protection of their personal data. It operates an active help desk where organisations and individuals can seek guidance by phone or in writing; more in-depth enquiries are escalated to the Office's dedicated Consultation Team. It also publishes guidance on specific data protection issues on its website, provides speakers for data protection forums and the news media, and publishes an annual report on its activities.
Codes of Practice
Section 13 of the Data Protection Acts provides that the Office of the Data Protection Commissioner "shall encourage trade associations and other bodies representing categories of data controllers to prepare codes of practice to be complied with by those categories in dealing with personal data." The Office formally approves such a code if it provides adequate data protection for individuals, and then encourages its use in the sector concerned. The Office may also draw up a code of practice on its own initiative.
Resourcing
The Office of the Data Protection Commissioner is an expanding organisation, with a current staff of approximately 60 and a budgetary allocation of €4.7 million for 2016. Its staff numbers and budget were significantly increased in 2015 and 2016, and a Dublin office was established, in recognition of the responsibilities it has acquired for the oversight of information-rich multinational companies providing services from Ireland across the European Union. The increased staffing has included the recruitment of specialists in the audit, communications, legal and technological fields.
Enforcement Activity
Enforcement powers
The Office adopts an engaged approach to regulation, with open channels of communication between the regulator and those it regulates. It proactively engages with the private and public sectors, helping to shape how organisations work with data rather than simply watching for transgressions.
At the same time, the Office has substantial powers to rectify non-compliance: it may enter premises for inspections, conduct audits, issue enforcement notices compelling a data controller or processor to take the steps considered necessary to comply with the Data Protection Acts, and, in certain instances, pursue the directors of bodies corporate for breaches committed by their companies.
Data Protection Acts – offences
Breaches of the data protection rules laid down by the Acts are not, in general, criminal offences. Where an offence does arise, section 31 provides that it is punishable by a fine of up to €3,000 on summary conviction or up to €100,000 on conviction on indictment. Section 30 provides that the Office of the Data Protection Commissioner may bring summary proceedings for an offence under the Acts.
</br>
Offences under the Electronic Communications Regulations
In contrast, all breaches of the Electronic Communications Regulations for which the Office of the Data Protection Commissioner has responsibility[1] are offences. The offences relate primarily to the sending of unsolicited marketing communications by electronic means, and are punishable by fines of up to €5,000 per unsolicited message on summary conviction and up to €250,000 on conviction on indictment. The Office may bring summary proceedings for an offence under the Regulations.
In November 2014, Dublin Metropolitan District Court imposed a record financial penalty on a telecommunications company, ordering Eir to donate €35,000 to various Irish charities.
Enforcement responsibility under the Regulations is shared with the Commission for Communications Regulation (ComReg).
Notable Cases
Max Schrems and Facebook
Max Schrems is an Austrian privacy activist who campaigns against Facebook over privacy violations. In 2013 he filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner.
Because Commission Decision 2000/520/EC (the Safe Harbour Decision) was considered both valid and binding on the Office of the Data Protection Commissioner, the complaint was not investigated. Mr. Schrems then applied to the Irish High Court for judicial review, which was granted. At the first hearing of the review on 18 June 2014, Mr. Justice Hogan adjourned the case pending a reference to the Court of Justice of the European Union. On 6 October 2015 the Court of Justice ruled that (1) national supervisory authorities retain the power to examine EU-US data transfers notwithstanding an existing Commission decision (such as the 2000 Safe Harbour Decision, which had determined that US companies adhering to the Safe Harbour principles could receive personal data transferred from the EU), and (2) the Safe Harbour Decision was invalid.
At the subsequent hearing in the Irish High Court on 20 October 2015, the matter was remitted to the Data Protection Commissioner, who undertook to investigate it with all due diligence. The Court invited Mr. Schrems to submit a reformulated complaint in light of the striking down of Safe Harbour, and that complaint is the subject of an ongoing investigation.
International Cooperation
Article 29 Working Party
Representatives of the Office participate in the Article 29 Working Party and its subgroups. The Working Party will become the European Data Protection Board when the General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018. The GDPR will be of major significance for the Irish DPC, in particular through the "one-stop shop" mechanism for multinationals operating in Europe, which will give the Office a central and critical role in pan-EU data protection matters.
Other International Cooperation
The Office also cooperates with other data protection authorities through the Global Privacy Enforcement Network (GPEN), memoranda of understanding with other DPAs, and the International Working Group on Data Protection in Telecommunications (IWGDPT), and engages with both the US Chamber of Commerce and the Federal Trade Commission.
References
1. Dixon, Helen. DPC 2015 Annual Report. Office of the Data Protection Commissioner.