4 2 December - January 2017
THE ENFORCEMENT of Privacy and Data Protection Law is meagre in Ireland compared to the rest of the EU. This is exciting for practitioners but can be distressing for members of the public; one day it could even be for you!
In the case of Max Schrems, now landmark law, an Austrian complainant notified the Office of the Data Commissioner three years ago of alleged violations of privacy law by Facebook but his complaint was originally determined “frivolous and vexatious” by the data commissioner which apparently considered its “hands were tied”. Schrems accused the US social network of breaking European privacy law because, when it transfers its European users’ data to servers in the US, it cannot guarantee that the information isn’t scrutinised by US intelligence.
Facebook denied the Schrems allegations but, in a landmark case last year, the EU’s Court of Justice (ECJ) sided with the Austrian and shut down Safe Harbour, the major data-transmission agreement developed by the European Commission in 2000 which essentially promised to protect EU citizens’ data if transferred by American companies to the US, on the basis the agreement made a fool of European citizens’ fundamental right to privacy.
But the case didn’t end there because data transfers to the US have not stopped. Facebook – and other companies operating on both sides of the Atlantic – have other legal means to transfer data to the US.
Schrems complained again. This time around the Irish Data Protection Commissioner took the view that Schrems had raised “well-founded” objections, but that it needed further guidance from the ECJ to determine the complaint. The case is scheduled to be heard by the Irish High Court for two to three weeks in February 2017.
Schrems is a competent Austrian lawyer, author and privacy activist confident enough to challenge disregard for privacy law.
All this definitively suggests that even for practitioners data protection is fraught and our authorities make mistakes.
However, increasingly ordinary people, non-practitioners nevertheless leading complex lives, are finding it appropriate to make data access requests to businesses, banks and financial services providers to help explain how they are being treated as part of complex operations by far-flung organisations. The experience of the ordinary person, as a recent case shows, can be burdensome and frightening.
If privacy is important enough for each EU member state to fund a dedicated agency of data protection, to manage and enforce data and privacy law, why is privacy not being taken seriously by businesses? Data Protection law has been around for a long time and while there was a time for indulgence and forbearance allowing businesses to grow to compliancy, those days should be well behind us.
Gerardine Scanlan from Mallow ran into minor financial difficulties and a bank foreclosed on a rental property. A partner in Grant Thornton Accountants was appointed receiver over some of her assets in 2013. Data – contained in a CD – was sent to her in September 2015, in response to her legitimate request for the data concerning her that was being held by Grant Thornton. The CD contained personal data relating to Scanlan but also a vast amount of personal and confidential data relating to third parties, and confidential proprietary matter belonging to Grant Thornton, some of which Scanlan alleges discloses wrongdoing both as to her own receivership and receivership practice in general. It included details of appointment of receivers for a large number of properties of other borrowers not connected to her.
Scanlan wrote to the accountancy firm claiming she was concerned to find the extra items of information among the documents provided to her. She said she was unsure what to do with such documents and wanted advice from the firm.
POLITICS
Beware
The reach of Data Protection is uncertain and individuals who receive information inadvertently can finish up threatened with prosecutions
by Michael Smith
Grant Thornton was unaware of the data breach until it received Scanlan’s letter. In the end Grant Thornton through its solicitors, the ever assertive McCann FitzGerald, brought legal proceedings because it claimed Scanlan repeatedly refused to confirm she would return the information, delete or destroy any copies held by her or guarantee not to provide it to anyone else. It was clear she had already furnished some of the data to confidants and informal advisors though not, as was damagingly claimed, to social media.
Scanlan, who was impecunious and therefore had to defend herself without lawyers, was given very little time to make her way to the Four Courts in Dublin where she received an unsympathetic hearing from Judge Paul Gilligan who made it clear she should ‘just return’ the material.
Scanlan felt appalled that she was being cast as a wrongdoer, that there was no guarantee the third parties would be told by Grant Thornton that their privacy and information had been compromised, that she was being oppressed by having to move so quickly under pressure, that she’d been improperly served with legal documentation, that the name of the branch of Grant Thornton used for purposes of the case was that of the wrong branch and that it was unclear how much of the information furnished to her was rightfully hers and should not therefore have needed to be ‘returned’.
She was appalled to see her improvised legal efforts, including a few allegations of dishonesty against Grant Thornton that were implausible, derided by expensive and aggressive lawyers.
She was enraged to have been deemed by Grant Thornton and its lawyers to be a “data controller” (for example in paragraph 14 (iv) of their High Court Statement of Claim of 23 February 2016).
Above all she was incandescent that a prominent firm of solicitors annotated a Court Order with threats of imprisonment.
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. They have a legal ‘duty of care’ and are legally obliged to be formally registered with the Office of the Data Protection Commissioner, on a public register. According to the legislation, described by the data protection commissioner: “Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner. In essence, you are a data controller if you can answer YES to the following question: Do you keep or process any information about living people?”.
Scanlan did not feel it was fair to deem taking inadvertent receipt of information, from a bunch of well-paid professionals who’d apparently made a reckless mistake, to be “keeping” or “processing” information. More specifically she told Village she didn’t feel there was any reasonable or legal basis for describing her as “the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files”.
Indicative of the misnomer is that the data commission’s website says “if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else”.
It would seem her responsibilities should, in any equitable interpretation, be not just less than that of a data controller but less than that of a data processor such as a (professional) accountant or payroll consultant. This was a sledgehammer cracking a nut. The wrong nut.
The company itself, which should have been pursued under Data Protection Law for being negligent, actually reversed the culpabilities and Scanlan was treated like the legal delinquent.
Scanlan also believes there are issues of public interest enveloping the way, even legally, some of the information she received should be treated, as she considers it reveals bad practice by Grant Thornton which the public should know about.
However, under pressure from senior counsel of Grant Thornton and the judge, she consented, though only for purposes of the initial ‘interlocutory’ hearing: first, to returning or destroying the misassigned data and to not disseminating it to third parties; and second, to the judge changing the name of the firm deemed to be taking the proceedings. The “concession” for the consent was that Grant Thornton agreed not to seek the legal costs it was entitled to from her.
Scanlan consented reluctantly but stated that she would be looking for a forensic treatment of the issue - to reflect the complexities of the legislation, when the matter comes to a full hearing.
It appears the interlocutory order from Judge Gilligan indicates that private persons are now liable under the Data Protection Acts for a duty of care to parties who negligently issue unsolicited, unwanted and unnecessary data.
But at base, the real problem is that, for the innocents inadvertently in receipt of negligently issued data, there are no guidelines, recommendations, rules, obligations or laws in Ireland on what to do.
It seems from the interlocutory order from Judge Gilligan that private persons are liable under data protection law for a duty of care to those who have negligently sent unwanted and unnecessary data to them.
But at base the problem is that, for innocents inadvertently in receipt of a large amount of data, there are no guidelines or rules or laws in Ireland regarding how to behave. The High Court may just order you to return it.
Beware, dear reader, of ever being deemed a data controller. Beware of ever being sent information inadvertently. Beware a data protection regime that is unclear but the breach of which just might ultimately result in prosecution and incarceration.
Mr Justice Paul Gilligan
McCann FitzGerald annotated the court order to emphasise breach could lead to "imprisonment"