By Pádraig Hoare
Nama’s failure to provide Cork property developers Michael and John O’Flynn with all personal data held on them is “stark and frightening for citizens”, a legal expert has said.
The two had complained in 2014 to Data Protection Commissioner Helen Dixon that Nama had failed to tell them what data they were holding onto.
This is despite around 2,000 pages of “highly confidential and personal” information being handed over to the state agency when the O’Flynn Group engaged with Nama in 2010 about restructuring its loans.
Ms Dixon ruled Nama was wrong in claiming data held relating to O’Flynn Group’s loans did not include personal data, and that Nama had not conducted reasonable and proportionate searches of its records to find such personal data as per the pair’s request.
She said Nama breached its obligations under data- protection law, and that the body “continues to fail and refuse” to supply the data requested by the men.
The O’Flynn versus Nama case suggests “we as citizens have serious cause for concern”, according to solicitor and data protection analyst, Noel Doherty.
He said most citizens would not have had the resources to fight such a case over four years.
“What is even more frightening is that this case was between a state agency and comparatively well- resourced individuals who had the ability to source the best advice and sustain the case over a prolonged period. What chance would an ordinary person have to resource such a fight against state agencies?” he said.
Mr Doherty said that the decision had implications for government legislation being considered to comply with the EU’s general data protection regulation, which comes into law in May.
The regulation makes it considerably easier for individuals to bring private claims against data controllers when their data privacy has been infringed. If organisations fail to comply with the regulation, they can be fined up to 4% of annual global turnover, or €20m.
However state agencies are exempt from the penalties in the Government’s new data protection bill.
Mr Doherty said: “The bill, as currently drafted, exempts state agencies from fines for breach of data protection regulations and provides the State with wide ranging and ill-defined exemptions from compliance with the law. There will, therefore, be no sanction applicable to state agencies.”