This year has been another interesting year for data protection. While the progress made on the Proposed General Data Protection Regulation was at best sporadic, there was plenty of other activity in Ireland and further afield to keep us entertained.

DPC complaints, audits and breach notifications

The Office of the Data Protection Commissioner ('ODPC') has had another high-profile and busy year. The level of complaints to the Office continues to rise. In May's Annual Report, the Data Protection Commissioner ('DPC') reported nearly 1,400 complaints in the previous year (2012), while the number of data breaches reported to the ODPC under its Data Breach Code of Practice continues to spiral, reaching 1,600 last year.

The most high-profile data breach of the year arose in November 2013, when LoyaltyBuild appears to have been the victim of a large-scale hack, the full extent of which is still being assessed by the Gardai and the ODPC.

The Annual Report notes that 42 organisations were audited by the ODPC although some of these audits were issue specific. Some additional staff have been allocated to the ODPC during the year which has enabled them to try to address the growing burden on their resources.

Civil litigation

There were a number of civil cases before the Irish courts in 2013 where data protection took centre stage. In February, in the decision of Fox v DPC, the High Court upheld an ODPC decision to refuse to investigate a number of complaints from Mr Fox on the grounds that they were considered to be 'frivolous or vexatious', as defined in Section 10(1)(b)(i) of the Data Protection Acts 1988 and 2003 ('DPAs'). The decision follows the decision of Nowak v DPC (2012) and provides welcome clarity for the ODPC in the context of the huge numbers of complaints coming through their door.

In March 2013, the High Court overruled the first damages award made for breach of the data protection duty of care created under Section 7 of the DPAs. In Collins v FBD Insurance, the High Court reversed a damages award made by the Circuit Court in respect of a failure by FBD to comply with a data access request. While the High Court maintained the costs award (acknowledging that a breach had occurred), the case indicates a reluctance on the part of the Irish Courts to open up significant damages awards for breach of the DPAs.

On 3rd July 2013, the Supreme Court unanimously dismissed the DPC's appeal against the High Court decision in EMI & Others v DPC. In the first Supreme Court case to consider the DPAs, the Court determined that the High Court had correctly quashed the DPC's Enforcement Notice on the basis of 'a complete absence of reasons'. The Enforcement Notice (which related to the processing of IP addresses in the context of peer to peer file sharing) was therefore unlawful and made in breach of Section 10(4) of the DPAs.

Criminal prosecutions

The ODPC continues to routinely prosecute companies for breaches of the e-Privacy Regulations (SI 336 of 2011). Typically companies are being prosecuted for failure to obtain the requisite level of consent for direct marketing and/or for failing to provide or honour 'opt outs' to existing, potential and former customers. While lots of convictions were secured in 2013, the levels of fines imposed by the courts remain low.

Privacy online

In May 2013, the ODPC, along with its counterparts in Australia, Canada, Estonia, Finland, France, Germany, Hong Kong, Macao, New Zealand, Norway, UK and USA, participated in a 'Global Privacy Enforcement Network' internet sweep. The sweep involved a desktop audit of 2,186 websites and mobile apps around the world to assess their compliance with data protection and privacy laws. Of the sites and apps reviewed, 21% had no privacy policy available, and many contained over-generalised statements about privacy with little or no detail on the collection and use of customer information. Of those that had a Privacy Policy, many focused disproportionately on the use of cookies, while many sites simply regurgitated legislation in a manner that raised concerns with respect to readability. The review also found that while most sites/apps declared a view that 'privacy is important to them', apps in particular seemed not to reflect this in practice. The review found that 92% of mobile app privacy policies reviewed raised one or more concerns with respect to how they present information about their privacy practices, while 54% of mobile apps reviewed had no privacy policy at all.

The Prism effect

One controversy that we did not see coming in 2013 was the Edward Snowden affair. The EU Commissioner, Viviane Reding, described the Prism controversy as a 'wake-up call' to increase the pace for European data protection reform. The Safe Harbor regime has come under particular pressure as a result, with claims by Commissioner Reding that it 'may not be so safe after all' and that it constitutes a 'loophole for data transfers because it allows data transfers from EU to US companies — although US data protection standards are lower than our European ones'. The extent to which the controversy has impacted the progress of the proposed General Data Protection Regulation is unclear, but hopes are fading that it can be concluded before the current EU Commission's term comes to an end in 2014.

Ireland's own surveillance laws are also under scrutiny. In Digital Rights Ireland Limited v Minister for Communications, Marine and Natural Resources, Minister for Justice Equality and Law Reform, Commissioner of An Garda Síochána, Ireland and The Attorney General, a reference has been made by the Irish High Court to the European Court of Justice to assess whether or not the underlying EU laws on the retention of communications data constitute an unlawful and disproportionate interference with a person's rights under Article 8 of the European Convention on Human Rights. A decision is awaited at the time of writing.

The Europe v Facebook lobby is also bringing litigation arising from the Prism controversy. The DPC dismissed a complaint from that interest group that the Irish subsidiaries of Facebook and Apple breached EU law by sharing data with US intelligence services via the Prism programme. The DPC determined that there was 'nothing to investigate' as the transfers occurred within the terms of the Safe Harbor programme. A judicial review in the High Court has been scheduled for December 2013. The DPC's decision follows an earlier decision in the German courts in February 2013 which upheld the jurisdiction of the DPC to regulate Facebook in Europe.

International co-operation

In June, the ODPC signed a Memorandum of Understanding with the United States Federal Trade Commission on Mutual Assistance in the Enforcement of Laws Protecting Personal Information in the Private Sector. While the MOU is quite modest in its scope, it does create a positive framework for international cooperation in relation to material violations of privacy laws that affect individuals in the US and Ireland.

Conclusion

While the proposed EU Data Protection Regulation may not have progressed as fast as anticipated, there have been lots of other developments in 2013. All the indicators are that enforcement activity and civil litigation will continue to increase into 2014. The likelihood of wholesale legislative reform in 2014, however, now seems remote.

This article first appeared in Data Protection Ireland journal Vol 6, Issue 3 by PDP Journals.
