The enforcement of Privacy and Data Protection Law is meagre in Ireland compared to the rest of the EU. This is exciting for practitioners but can be distressing for members of the public; one day it could even be for you!
In the case of Max Schrems, which has since become landmark law, an Austrian complainant notified the Office of the Data Protection Commissioner three years ago of alleged violations of privacy law by Facebook, but his complaint was originally determined “frivolous and vexatious” by the data commissioner, which apparently considered its “hands were tied”. Schrems accused the US social network of breaking European privacy law because, when it transfers its European users’ data to servers in the US, it cannot guarantee that the information isn’t scrutinised by US intelligence.
Facebook denied the Schrems allegations but, in a landmark case last year, the EU’s Court of Justice (ECJ) sided with the Austrian and struck down Safe Harbour, the major data-transfer arrangement adopted by the European Commission in 2000 which essentially promised to protect EU citizens’ data when transferred by American companies to the US, on the basis that the arrangement failed to respect European citizens’ fundamental right to privacy.
But the case didn’t end there because data transfers to the US have not stopped. Facebook – and other companies operating on both sides of the Atlantic – have other legal means to transfer data to the US.
Schrems complained again. This time around the Irish Data Protection Commissioner took the view that Schrems had raised “well-founded” objections, but that it needed further guidance from the ECJ to determine the complaint. The case is scheduled to be heard by the Irish High Court for two to three weeks in February 2017.
Schrems is a competent Austrian lawyer, author and privacy activist confident enough to challenge disregard for privacy law.
All this shows that even for practitioners data protection is fraught, and that our authorities make mistakes.
Increasingly, however, ordinary people, non-practitioners who nevertheless lead complex lives, are finding it appropriate to make data access requests to businesses, banks and financial services providers in order to understand how they are being treated in the course of complex operations by far-flung organisations. The experience of the ordinary person, as a recent case shows, can be burdensome and frightening.
If privacy is important enough for each EU member state to fund a dedicated data protection agency to manage and enforce data and privacy law, why is privacy not being taken seriously by businesses? Data protection law has been around for a long time, and while there was a time for indulgence and forbearance to allow businesses to grow into compliance, those days should be well behind us.
Gerardine Scanlan from Mallow ran into minor financial difficulties and a bank foreclosed on a rental property. A partner in Grant Thornton Accountants was appointed receiver over some of her assets in 2013. Data – contained in a CD – was sent to her in September 2015, in response to her legitimate request for the data concerning her that was being held by Grant Thornton. The CD contained personal data relating to Scanlan but also a vast amount of personal and confidential data relating to third parties, and confidential proprietary matter belonging to Grant Thornton, some of which Scanlan alleges discloses wrongdoing both as to her own receivership and receivership practice in general. It included details of appointment of receivers for a large number of properties of other borrowers not connected to her.
Scanlan wrote to the accountancy firm claiming she was concerned to find the extra items of information, among the documents provided to her. She said she was unsure what to do with such documents and wanted advice from the firm.
Grant Thornton was unaware of the data breach until it received Scanlan’s letter. In the end Grant Thornton through its solicitors, the ever assertive McCann FitzGerald, brought legal proceedings because it claimed Scanlan repeatedly refused to confirm she would return the information, delete or destroy any copies held by her or guarantee not to provide it to anyone else. It was clear she had already furnished some of the data to confidants and informal advisors though not, as was damagingly claimed, to social media.
Scanlan, who was impecunious and therefore had to defend herself without lawyers, was given very little time to make her way to the Four Courts in Dublin, where she received an unsympathetic hearing from Judge Paul Gilligan, who made it clear she should ‘just return’ the material.
Scanlan felt appalled that she was being cast as a wrongdoer; that there was no guarantee the third parties would be told by Grant Thornton that their privacy and information had been compromised; that she was being oppressed by having to move so quickly under pressure; that she had been improperly served with legal documentation; that the branch of Grant Thornton named for the purposes of the case was the wrong branch; and that it was unclear how much of the information furnished to her was rightfully hers and should therefore never have needed to be ‘returned’.
She was appalled to see her improvised legal efforts, including a few allegations of dishonesty against Grant Thornton that were implausible, derided by expensive and aggressive lawyers.
She was enraged to have been deemed by Grant Thornton and its lawyers to be a “data controller” (for example in paragraph 14 (iv) of their High Court Statement of Claim of 23 February 2016).
Above all she was incandescent that a prominent firm of solicitors annotated a Court Order with threats of imprisonment.
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Data controllers have a legal ‘duty of care’, and many categories of data controller are legally obliged to be formally registered with the Office of the Data Protection Commissioner on a public register. The legislation, as described by the Data Protection Commissioner, provides: “Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner. In essence, you are a data controller if you can answer YES to the following question: Do you keep or process any information about living people?”.
Scanlan did not feel it was fair to deem taking inadvertent receipt of information, from a bunch of well-paid professionals who’d apparently made a reckless mistake, to be “keeping” or “processing” information. More specifically she told Village she didn’t feel there was any reasonable or legal basis for describing her as “the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files”.
Indicative of the misnomer is that the Data Protection Commissioner’s website says: “if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a ‘data processor’. Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else”.
It would seem that, on any equitable interpretation, her responsibilities should be not just less than those of a data controller but less than those of a data processor such as a (professional) accountant or payroll consultant. This was a sledgehammer cracking a nut. The wrong nut.
The firm itself, which should have been pursued under data protection law for its negligence, instead reversed the culpabilities, and Scanlan was treated like the legal delinquent.
Scanlan also believes there are issues of public interest enveloping the way, even legally, some of the information she received should be treated, as she considers it reveals bad practice by Grant Thornton which the public should know about.
However, under pressure from senior counsel for Grant Thornton and from the judge, she consented, though only for the purposes of the initial ‘interlocutory’ hearing: first, to returning or destroying the misdirected data and to not disseminating it to third parties; and second, to the judge changing the name of the firm deemed to be taking the proceedings. The “concession” in return for her consent was that Grant Thornton agreed not to seek from her the legal costs it was entitled to.
Scanlan consented reluctantly, but stated that she would be looking for a forensic treatment of the issue, one that reflects the complexities of the legislation, when the matter comes to a full hearing.
It appears from the interlocutory order from Judge Gilligan that private persons are now liable under the Data Protection Acts for a duty of care to parties who negligently send them unsolicited, unwanted and unnecessary data.
But at base the real problem is that, for innocents inadvertently in receipt of a large amount of negligently issued data, there are no guidelines, recommendations, rules, obligations or laws in Ireland on what to do. The High Court may just order you to return it.
Beware, dear reader, of ever being deemed a data controller. Beware of ever being sent information inadvertently. Beware a data protection regime that is unclear but the breach of which just might ultimately result in prosecution and incarceration.
By Michael Smith