4 2 December - January 2017
T
HE ENFORCEMENT of Privacy and Data Protec-
tion Law is meagre in Ireland compared to the
rest of the EU. This is exciting for practitioners
but can be distressing for members of the
public; one day it could even be for you!
In the case of Max Schrems, now landmark law, an
Austrian complainant notified the Office of the Data Com-
missioner three years ago of alleged violations of privacy
law by Facebook but his complaint was originally deter-
mined “frivolous and vexatious” by the data
commissioner which apparently considered its “hands
were tied”. Schrems accused the US social network of
breaking European privacy law because, when it trans-
fers its European users’ data to servers in the US, it
cannot guarantee that the information isn’t scrutinised
by US intelligence.
Facebook denied the Schrems allegations but, in a
landmark case last year, the EU’s Court of Justice (ECJ)
sided with the Austrian and shut down Safe Harbour, the
major data-transmission agreement developed by the
European Commission in 2000 which essentially prom-
ised to protect EU citizens’ data if transferred by
American companies to the US, on the basis the agree-
ment made a fool of European citizens’ fundamental
right to privacy.
But the case didn’t end there because data transfers
to the US have not stopped. Facebook – and other com
-
panies operating on both sides of the Atlantic – have
other legal means to transfer data to the US.
Schrems complained again. This time around the Irish
Data Protection Commissioner took the view that
Schrems had raised “well-founded” objections, but that
it needed further guidance from the ECJ to determine the
complaint. The case is scheduled to be heard by the Irish
High Court for two to three weeks in February 2017.
Schrems is a competent Austrian lawyer, author and
privacy activist confident enough to challenge disregard
for privacy law.
All this definitively suggests that even for
practitioners data protection is fraught and our authori-
ties make mistakes.
However, increasingly ordinary people, non-practi-
tioners nevertheless leading complex lives, are finding
it appropriate to make data access requests to busi-
nesses, banks and financial services providers to help
explain how they are being treated as part of complex
operations by far-flung organisations. The experience of
the ordinary person, as a recent case shows, can be bur-
densome and frightening.
If privacy is important enough for each EU member
state to fund a dedicated agency of data protection, to
manage and enforce data and privacy law, why is privacy
not being taken seriously by businesses? Data Protec-
tion law has been around for a long time and while there
was a time for indulgence and forbearance allowing
businesses to grow to compliancy, those days should be
well behind us.
Gerardine Scanlan from Mallow ran into minor finan
-
cial difficulties and a bank foreclosed on a rental
property. A partner in Grant Thornton Accountants was
appointed receiver over some of her assets in 2013. Data
– contained in a CD – was sent to her in September 2015,
in response to her legitimate request for the data con-
cerning her that was being held by Grant Thornton. The
CD contained personal data relating to Scanlan but also
a vast amount of personal and confidential data relating
to third parties, and confidential proprietary matter
belonging to Grant Thornton, some of which Scanlan
alleges discloses wrongdoing both as to her own receiv-
ership and receivership practice in general. It included
details of appointment of receivers for a large number of
properties of other borrowers not connected to her.
Scanlan wrote to the accountancy firm claiming she
was concerned to find the extra items of information,
among the documents provided to her. She said she was
unsure what to do with such documents and wanted
advice from the firm.
Grant Thornton was unaware of the data breach until
The reach of Data Protection
is uncertain and individuals who receive
information inadvertently can finish up
threatened with prosecutions
by Michael Smith
POLITICS
All this definitively
suggests
that even for
practitioners
data protection is
fraught. But the
experience of the
ordinary person,
as a recent case
shows, can be
frightening
Beware