The burden on Irish managers at a time of unprecedented challenges is about to get worse. A
new data protection regime will affect even small companies, writes Kyran Fitzgerald
In just under one year’s time, a whole new regime of data protection comes into force across the EU, and perhaps beyond.
What is already clear is that businesses will have to overcome significantly larger hurdles when it comes to satisfying the authorities with regard to the vast amount of customer and employee data held by them.
Many organisations will have to appoint data protection officers with specific responsibilities for ensuring compliance to the maximum degree with the new General Data Protection Regulation, or GDPR.
Firms and other bodies which fail to meet the new challenges could find themselves in significant legal trouble.
They could face legal action and the prospect of a compensation payout of up to four 4% of annual turnover.
A regulation on e-privacy has also been adopted in this country as authorities across Europe move to try and grapple with the challenges posed by the rapid spread of new information technologies.
The regulations will alter what is already a well-established situation with regard to data protection.
Under current laws, a so-called data controller must be extremely careful about disclosing any details about individuals that are in his, her or its possession.
Disclosure is permitted in very limited circumstances.
These exceptions include situations where there is a need to prevent injury or where the data subject has been involved in criminal activity.
This is particularly the case with so-called sensitive personal data.
This information includes a person’s ethnicity, physical or mental health, or criminal record.
However, the explosion in the collection of data means that current privacy law protections have come to be viewed as inadequate.
Hence, the decision at EU level to overhaul the data regulations.
Speaking recently at a conference in Dublin run by the Irish Centre for European Law, Eoin O’Dell of the School of Law in TCD warned that any failure by the State to enact the upcoming legislation in a timely manner could leave the taxpayer at risk in a claim for damages brought by an injured party.
As Mr O’Dell also pointed out, there are already several causes of action in Irish law for invasion of privacy, while and across the Atlantic, celebrities have benefited to a huge extent following lawsuits brought in the wake of breaches.
Last year, the Gawker celebrity blog site found itself on the wrong side of a jury award of $140m (€125m) in favour of the retired professional wrestler Hulk Hogan.
In 2014, Gawker had posted a video showing Mr Hogan having sex with the then wife of his best friend.
The jury accepted that this represented an invasion of his privacy.
Litigation on privacy matters is by no means confined to American superstars.
Recently, the high court here ruled on an application brought by a mother of two children by a former priest.
The applicant, MM, sought a judicial review of a refusal by the Gardaí to erase material related to her children recorded on the Pulse system.
She argued that the Gardaí as a data controller held personal data on her children.
The court upheld her application.
The view among lawyers is that the new General Data Protection Regulation will impose more duties and requirements on companies in this area, with a particular emphasis on ensuring that personal information is kept secure.
This is of particular relevance given the recent upsurge in hacking attacks.
When the Sony network was hacked, for example, it ended up more than $1bn out of pocket due to lost business and compensation payouts.
Ireland’s national authority, the Data Protection Commission, has recently benefited from a beefing up in its resources.
This was made necessary because of its exceptionally wide responsibilities entailed by the country’s location as a European centre of operations for many leading multinational high-tech firms.
As its deputy director, Anna Morgan said recently: “The regulation of data protection will become much more demanding.”
She anticipates that under the proposed new General Data Protection Regulation regime, national authorities will have to co-operate much more closely.
The EU-wide working party currently in place as a mechanism of coordination is to be replaced by a new European Data Protection Board, an organisation which will wield much more extensive jurisdiction than its predecessor.
The new board will have the power to impose binding solutions under a new dispute resolution process.
Its responsibilities cover cross-border processing of personal data.
The Irish organisation could find that its investigations are critiqued by other members of the European board.
According to Claire Morrissey, a partner at lawyers A&L Goodbody, larger organisations with staff of over 200 will have to carry out data privacy impact assessments.
Employees - and not just information technology staff- will have to be given induction training.
Organisations are currently requested to provide details to employees about the information currently held on them.
This becomes an absolute obligation in the absence of a specific derogation.
A key role will be played by the data protection officer whose appointment will be mandated in many cases.
All public bodies will have to appoint a DPO, a data protection officer.
Organisations involved in collecting sensitive data will also have to appoint or hire one.
It will, however, be possible to subcontract this function to an external service provider.
As many as 75,000 DPOs are expected to be appointed around the world.
All of this adds to the burdens of management at a time when Brexit is imposing unprecedented challenges.
It represents another boost to employees following the enactment of domestic whistleblower protection laws in recent years.
The new regulation is yet another sign that personal privacy ranks highly in an EU context.
The European Court of Justice in the Google Spain case has also recognised that individuals should have protection against disclosures of embarrassing information under the so-called “right to be forgotten” principle, although the court also accepted that the right is not absolute, and has to be balanced with the need to permit freedom of expression.
© Irish Examiner Ltd. All rights reserved