The conference chair, Andy Cullen, welcomed a full house in the Westin on Wednesday, opening PAI’s first annual Data Protection conference. His introduction was brief; he spoke of the fast-paced nature of the technological world, saying: “Every day I pick up my
First to the podium was Dara Murphy TD, Minister of State at the Department of the Taoiseach and Foreign Affairs with Special Responsibility for European Affairs and Data Protection. His speech was a reflection on the importance that the government has attached to the issue of Data Protection, “the journey and where we are”. He noted that Ireland was the first EU country to “appoint specific responsibility for Data Protection” to a specific minister; he projects that within the next decade, every European country will follow suit.
Much of his focus was on Ireland’s role as a “technology hub”, and its place at the “forefront of the thinking in our new digital economy”. Nine of the ten top global software companies, all ten born-on-the-internet companies, and twenty-nine of the thirty top global digital companies have headquarters here. In this regard, he noted that the current “twenty year-old law is extremely outdated”, and the forthcoming regulation will therefore be pivotal.
Minister Murphy applauded the establishment of an interdepartmental committee. “We need to ensure that Data Protection policies across the public sector are of the very highest standard … The committee is also insisting on the delivery of more effective public policy through the improved use of data.” Interaction with a “key range of stakeholders” will also be formalised in the coming weeks, with the establishment of the Data Issues Forum, a “blend of people … that will be representative of Irish society as a whole”.
An increase in resources for the new Data Protection Commissioner was a priority for the minister. “With a little bit of difficulty … we managed to secure a doubling of the budget [for] an immediate recruitment of new staff, and the sourcing of a new Dublin office.”
He spoke briefly about the new regulation, its “privacy-friendly” applications and its “One-Stop-Shop” nature, but also the possibly cumbersome nature of the appeals process. “There are real cost savings … the European Commission itself estimates the new regulation could potentially save €2.3bn”. Going forward, “business needs and efficiency benefits of data sharing proposals reports must be weighed against the personal and fundamental rights of the individual”, a balance between a person’s privacy and the need to avail of this free flow of information. He closed his speech by inviting those who had comments or insight to communicate with his office.
Ireland’s new Data Protection Commissioner, Helen Dixon, was next to the podium. Her main objective was to outline the powers and function of her new office. She is conscious of the misperceptions of “the role and its extent of responsibilities of its role”.
“Ireland, like every other EU member state, is obliged to have a Data Protection authority in place … to act independently of government. … Data Protection now has a new and elevated status of a fundamental right.”
She illuminated the importance of the Article 29 Working Party, an advisory working group to the Commission that meets regularly in Brussels, to formulate and issue non-binding opinions.
“Fundamentally, what Data Protection legislation requires all of you to do … is ensure you have a legitimate reason for collecting any personal data that you do, that those you are collecting the data from … understand clearly the basis that legitimises your process, … under what piece of legislation you’re obliged to collect and process the data. … It’s important you don’t collect excessive data.” It must also be processed in a suitable way. She suggests reviewing your policy on the length of time the records are retained.
The commissioner set out to provide tangible examples of the main functions of her office, specifically dealing with complaints, breaches, audits, and the disclosure and retention of information. She stated that the office received roughly 1000 complaints in 2014.
The public and private sectors are interconnected, “one cannot work without the other”. However, the public sector is the focus of current EU negotiations. The public sector will therefore face new obligations and increased transparency. Dixon commented: “Nothing is agreed until everything is agreed”; there is time to become aware of and comfortable with the new obligations under the new Regulation, which she expects will be enacted in 2019.
The commissioner said that the fundamental right to Data Protection is not an absolute right, and must therefore sometimes be weighed against other rights, such as human rights or the legitimate interest of a company. The importance of auditing, “in terms of establishing compliance baselines”, was stressed. It is up to the organisation to take civil action if the ODPA makes a recommendation in the wake of a breach. Another major area discussed was compliance projects, which precede large policy implementations in organisations. The commissioner’s closing note was that “legal authority does not automatically equal social relevancy”, and she advised attendees to use the office’s guidelines responsibly.
Seamus Carroll, Principal Officer in the Department of Justice, Equality & Law Reform, then provided a technical examination of the forthcoming EU legislation. The legislation is based on the Lisbon Treaty (Articles 8 and 16) and the 1995 directive. The new measures are important as we now have “mass recourse to interact” in our new digital economy. The reforms were proposed in 2012. He also emphasised the need for Irish Data Protection policy to stay up to date.
The new directive is intended to provide uniform rules for the EU digital market and more streamlined procedures, and to establish a “one-stop-shop”. The directive also provides for the detection, investigation, prosecution and prevention of criminal offences.
The new legislation “is a long and complex instrument” that will apply directly across the EU with transposition. New in the rules, “there is a new data security principle …, a greater emphasis on transparency …, it has to be intelligible, accessible and in clear and plain language”. He also spoke at length about the risks, and the potential damage caused by a breach of Data Protection legislation. Under Art. 33 of the Directive, companies will be obliged to undertake a Data Protection impact assessment; the ODPA can give advice based on this assessment. The current, informal code of conduct which states that breaches should be reported will become formal: you must report any breaches that you become aware of without undue delay. The Directive will also impose “effective, proportionate and dissuasive” fines, the level of which has not yet been decided. They will be determined by factors such as the gravity of the breach, the intention behind it, the previous record of the body, the benefits gained, and the manner in which the infringement became known to the relevant Data Protection authority.
The morning session concluded with an open panel discussion on issues including the challenges in enforcement of data protection in Ireland given the presence of such large international corporations here and the resource implications for the Data Protection Commissioner.
Colin Rooney, partner at Arthur Cox, began the second session with a presentation on the practical applications of the compliance guidelines which were outlined earlier in the day, the central message being that whatever changes may emerge from discussions at EU level, there is a legal imperative to comply with existing Data Protection obligations. He commented that the information regarding large Data Protection cases, both domestic and foreign, tended to take away from the focus on the current regime, and was “just noise”. “There’s a tsunami of information coming at you … I propose to turn down the volume”. Emphasis was placed on paying close attention to the fundamentals of Data Protection compliance; for example, having a privacy policy, understanding data flows, proper coordination, and having solid security principles in place which all aid organisations greatly in achieving a reasonable degree of compliance, according to Rooney.
Rooney compared the elements of both consent and legitimate interest, noting that consent does not outweigh legitimate interest, as consent can be withdrawn. Where the data is relevant, and the request can be justified, legitimate interest can override the issue of withdrawn consent. The presentation was concluded with three take-away considerations: “turn down the noise”, work to achieve compliance within the current regime as opposed to the forthcoming regime; staff training and staff awareness of Data Protection issues are key; and finally, that there is a difference between something being legally justifiable and it being socially acceptable.
Dr Eoin O’Dell (TCD) addressed the conference on the “Internet of Things”. He remarked that the “death of privacy”, an idea which dates back over fifty years, is still as prevalent today. In Ireland, as the second-most connected country globally, we are a hub of data creation. That data is “open for anyone to eavesdrop on”. A look at top apps available on both Android and Apple showed that twenty common apps requested permissions beyond those necessary for installation, with the average app sharing data with eighteen third parties. More and more, big companies are “turning Big Data into insight”. However, many of these companies do not pay as close attention to the privacy rights of the individual, according to Dr O’Dell. “Privacy is not dead,” he concluded, “it just needs nurturing”.
The final speaker of the afternoon was Rob Corbet, also a partner at Arthur Cox, who opened with the claim: “If you haven’t had a data security breach yet, it’s probably because nobody’s told you.” He went on to outline the proper procedures to follow should you be faced with a breach. Your duties are defined under several legal instruments, for example the ePrivacy Directive (2002), and s.19 of the Criminal Justice Act (2011), which makes it illegal not to report any offence to An Garda Síochána. Corbet laid out a series of steps for dealing with a breach once you have identified it.
The first forty-eight hours are the most crucial, according to the solicitor. This is where things can seem chaotic. The important thing is fact finding: look at the situation objectively and “rise above it” to analyse the damage. Ask questions such as whether or not the attack is ongoing, how many people are affected, what the source of the breach is, whether it is necessary to contact those affected, and who needs to know about the breach. Having a solid communication plan in place is pivotal in dealing with a breach of this nature.
The second phase comprises the search for evidence of the breach, attention to contractual issues, and possible litigation options. In the case of “major data breaches”, litigation is rare. The third phase involves reassessing your organisation and the way in which it deals with Data Access requests. He closed the session with guidelines on how to process such requests in a way that is both efficient and law-compliant.
The day was concluded with a workshop on Data Protection compliance and best practice with Pearse Ryan and Olivia Mullooly of Arthur Cox.