
Digital Rights Ireland

In January 2012, in the case of Digital Rights Ireland Ltd. v The Minister for Communications & Ors., the High Court referred certain questions to the CJEU (ECJ) under Article 267 TFEU.

In the event, in the course of hearing the referred questions, the ECJ struck down Directive 2006/24/EC, finding it invalid.

The High Court is now hearing the parties (Digital Rights Ireland Ltd. and the Minister for Communications & Ors.) in the resumed proceedings, which were interrupted by the reference made in 2012.

Interested parties may attend. The hearing is taking place in Court No. 14 on the 2nd floor of the Four Courts in Dublin. It may conclude today.

McGarr Solicitors act for Digital Rights Ireland Ltd.

GDPR – Start now!

If you do not know about the personal data you hold, you cannot comply with the GDPR. So, trace the flow of personal data in your company. Bear in mind that the personal data of employees is covered by the GDPR.

Compliance with the GDPR will involve those self-same employees. They will need training in the application of the principles of the GDPR in your organization.

Possibly you are obliged to appoint a Data Protection Officer (DPO). If so, or even if you decide you need one regardless of any obligation to appoint one, there is little point in leaving it to May 2018 to do so. The DPO will be needed to help you reach compliance with the GDPR.

As your DPO will tell you quickly, many systems must be devised and implemented to ensure compliance. You will have to ensure that data protection is “baked in” to your systems. In other words, no change can take place without a rational analysis of the data protection implications and the measurement of risk for any such change. Here, speaking of change carries the assumption that your organization is not currently in compliance. It would be an unusual organization if it were to be already in compliance with the GDPR.

The GDPR requires the writing of a Data Protection Impact Assessment for change. To comply with the GDPR is to change. So, you will need to write your Data Protection Impact Assessment.

The foregoing is a cursory look at what you have to do. Start doing it now. You are possibly going to be late and not in compliance on 25th May 2018 but if you recognize the urgency you might just make it.

Start. Start now. Do not get diverted or distracted. You need to focus; you will need all the time that remains to do even the few things listed above.

GDPR and Brexit (whatever that means)

There is probably a book yet to be written on the interplay between the General Data Protection Regulation and Brexit, but some elements can be seen now.

Unusually, the GDPR permits the introduction of some national legislation on data protection issues. They include occasions where a legal obligation mandates the processing of personal data, or the processing relates to a public interest task, or the processing is carried out by a body with official authority. There are others.

As a presumption, we believe that Brexit will not happen outside the provisions of Article 50 TEU and therefore will not happen before 25th May 2018.

If the UK makes legislative provision within the scope of the GDPR it will be incumbent on the UK to include those provisions in the Brexit negotiations and receive EU assent to their recognition, otherwise the UK derogations will fail as law (from the point of view of the EU) on the happening of Brexit.

For Irish organisations one important issue would be the receipt of consent to data processing in relation to children. The GDPR sets the age below which a person is a “child”, whose consent must be given by a parent, at 16 years of age. This can be subject to national derogation and reduced to 13 years of age. If the UK derogates on the point and fails to get agreement in the Brexit negotiations, Irish organisations must immediately apply the provisions of the GDPR in full.

Put another way, it would be wiser, as a commercial matter, not to give recognition to any UK legislative derogations until the full conclusion of the Brexit negotiations.

Putting it in yet another way, pending the successful (with agreement) conclusion of the Brexit negotiations, Irish organisations should not accept, in relation to data processing of personal data, the inclusion of jurisdictional law clauses in such contracts, where the stipulated legal jurisdiction is the UK.

GDPR; the data is not yours

The EU deferred the application of the GDPR for two years to allow organisations to make the necessary internal changes to reach compliance. The first, and possibly the most difficult, is to perceive what is stated in the title here; personal data belongs to the data subject.

Personal data, collected by you, is not owned by you.

Think of it as money. Less than one year from now, your organisation must be able to account for personal data in very close detail. You will be answerable to regulators and to the data subject for the personal data. Unless you prepare, the very possession of personal data could be a breach of the GDPR and, depending on the nature of that breach, its circumstances etc., the fine for a breach could be fatal for your organisation.

That is intended by the EU; if you get the GDPR wrong, it is likely you will go out of business.

GDPR – Gambling

Reputedly, many businesses and organisations are still trying to get out of bed (or even are still asleep) with regard to compliance with the GDPR.

There is just one word to describe this situation; gambling. Just 11 months from now, if a business or organisation suffers a data breach, Article 33 GDPR requires them to notify the Regulator and Article 34 requires them to notify the data subjects whose data has been violated.

Two scenarios open up; either the business will be fined and sued or the business will hide the breach, be found out and will be fined and sued.

Either scenario, particularly the latter one, will be very expensive. The latter one will probably break the business.

On the evidence of companies that started 13 months ago to comply with the GDPR, the 11 remaining months will very likely be insufficient to reach compliance with the GDPR.

So, there is another form of gambling available. Do not try to comply with the GDPR; keep your fingers crossed.

Unfortunately, Article 5(2) and Article 30 GDPR require a business or organisation to demonstrate that it is in compliance with the GDPR. If you do nothing you will not have the documentation that you must generate now to reach compliance. Have you the technology to continuously monitor data and continuously evaluate vulnerabilities?

If you do nothing, the answer is no. The Regulator, with just one question, will immediately know you are not in compliance.

Go to Jail. Do not pass Go.

Why bother with the GDPR?

Here is news that was not (to my knowledge) on RTE. Deep Root Analytics maintained a database on an estimated 62% of the population of the USA. It contains what is known as “sensitive” information on the population. It is being used to profile the US population.

The GDPR is designed to prevent the processing of exactly such a database as Deep Root Analytics possesses.

Companies like Deep Root Analytics believe that the information they have collected is theirs, not the data subjects'. They believe that they can sell it and exploit it for their profit.

The GDPR is predicated on the rejection of those ideas.

Those ideas are, currently, default ideas with regard to personal data.

This is the reason why European companies and organisations must go through a metamorphosis to comply with the GDPR.

This is the reason why the new Regulators of the GDPR will definitely apply the planned fines and penalties provided for in the GDPR.

Nothing but such penalties will bring about the GDPR revolution.

Spoiling the Ship

When the EU passed the GDPR as directly effective law it deferred the implementation of the GDPR for two years to allow organisations to make the necessary changes to comply with the law.

One year of that two year period has passed. Many companies and organisations have not even begun to make the necessary changes. For some of them, there is not now enough time to make the necessary changes to reach compliance by 25th May 2018.

There is a reasonable basis for making that judgment; those companies that did start early say they have been working on the issue for a year – and are still working.

Each company and organization will have to change internally. For some, it will be possible to do this in the remaining time. For others there is not enough time. However, even for those companies or organisations it is best to make an effort; it will be taken into account in the application of fines. Those fines will be administrative fines or court fines.

Ireland is opting for court imposed fines for its public bodies. It plans to generally relieve its public bodies from administrative fines under the GDPR. So, in order to give proper effect to the GDPR, Ireland will have to take its miscreant public bodies to court in order to apply the necessary and appropriate fines. That will be more expensive than the administrative fines.

Perhaps the Government really loves lawyers and will go out of its way to benefit them?

GDPR – Privacy by Design

Article 25 GDPR requires organisations to adopt privacy by design and by default. Generally, they are new principles in data protection. Consequently, organisations will be obliged to adopt those principles before 25th May 2018 in order to become GDPR compliant as the Regulation comes to apply on that date.

Failure to do this will be easily detected; under Article 30 GDPR organisations are obliged to establish and maintain a register of treatment activities. Implementation of privacy by design and by default should be recorded in the register. Failure to record will reveal a failure to comply, attracting a fine. A false record relating to Article 30 would constitute a crime attracting the severe penalties under the GDPR, and those penalties are very severe (a fine of up to €10 million or 2% of annual global turnover).

Implementing security for personal data is essentially a sub-set of privacy by design and by default. Data controllers and processors must implement appropriate technical and administrative measures to protect the personal data. Those measures must be tested regularly to ensure their effectiveness.

Again, these steps and measures must be recorded in the register of treatment activities.

These are policies that can be expected to come from the highest level of authority in an organisation. If that high level of authority leaves it too late there may not be enough time to comply with the GDPR before 25th May 2018. The EU provided a period of two years to become compliant; 50% of that time is gone.

Less than half of the time allotted to becoming GDPR compliant remains. That, if your organisation has dawdled, or not started, is a failure of your top management.

GDPR: Is your business a Foinavon?

Less than one year from now every business holding (i.e., processing) personal data will have undergone a significant process of internal change or will, more likely than not, be in breach of the GDPR. The change process will have started at the top of the business and will have devolved downwards in the form of training (and other changes). With a considerable amount of work businesses can make the necessary changes. Those businesses that succeed in changing and adapting will survive, those that fail will not survive the effects of the GDPR fines and other losses in the form of compensation awarded in civil action claims from individual data subjects (the people who own the personal data).

The process of change will not be easy. It will not be quick.

Organisations can get help, to change, from Data Compliance Europe.

PS. Foinavon won the Grand National in 1967 at odds of 100/1. His rivals fell at the 23rd fence in a melee. He was well behind coming to the fence and managed to swing wide as he jumped, gaining a 30 length lead on his rivals.

GDPR; receiving data

If you belong to some form of “circulating library” of personal data, less than one year from now you will encounter an excruciating dilemma. Under Article 14 of the GDPR you must notify the data subjects, whose data you have just received, of that fact and of your intentions with regard to the data. If you fail to do that you will be in breach of the Regulation. If you do it, the data subjects may direct you to delete it. If there is no legal basis for your possession of the personal data in the first place it is very likely that the data subject will report you to the regulator.

What is necessary to know is this; personal data will require to be accompanied by its “title deeds”. The ownership or right to possession of personal data, and the right of transfer, must be proved.

Possession of personal data will not be cheap. Receiving it might prove to be very expensive.