The Data Protection Acts provide two routes by which subjects may enforce their rights:
- They may complain to the Data Protection Commissioner pursuant to section 10 of the Data Protection Acts;
- They can sue for damages.
Irish people have proven quite willing to complain to the Commissioner; on the other they have proven less willing to go to Court.
The Data Protection Commissioner
Ireland’s supervisory authority for the purposes of the Data Protection Directive is the Data Protection Commissioner. The Office is currently held by Billy Hawkes, who has a number of significant functions:
- Investigating complaints;
- Issuing enforcement notices on foot of those complaints, which may require the destruction or rectification of data;
- Requiring information;
- Prior checking of data processing systems that may cause substantial damage, distress or significantly prejudice data subjects;
The Data Protection Acts provide the Commissioner with enforcement powers that are comparatively weak. In general the Commissioner cannot take action directly against a controller who is in breach of their obligations under the Act. Indeed he will not be able to take action at all unless a complaint is made to him by the subject. If and when such a complaint is made, the Commissioner can investigate it, and may appoint authorised officers to do so. If he finds that a breach has occurred the Commissioner cannot then serve an Enforcement notice, since he must first try to ‘… arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint…’ Only if such efforts fail can the Commissioner then go on to serve an Enforcement Notice. Breach of such a Notice, not the Data Protection Acts themselves will be a criminal offence, but the Commissioner must wait at least 21 days before he can prosecute for such an offence.
More effective powers of enforcement have been granted to the Commissioner in some specific areas. One such is direct marketing over electronic communications networks, unsolicited texts, emails, faxes and phone calls. Regulation 17 of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011grants more effective powers to the Commissioner, providing that:
- The Commissioner can investigate suspected contraventions without first receiving a compliant;
- The Commissioner need not seek an amicable resolution of an issue where he suspects an offence has been committed;
- The Commissioner can specify that the enforcement notice is immediately effective, not have to wait 21 days.
The Data Protection Acts provide other functions to the Commissioner. One such is the operation of the data protection register. The abolition of this anachronistic function has been proposed by the EU Commission. The only real significant of this function, is that if the Commissioner may refuse to register a data processing operation with which he is dissatisfied on the basis of a prior check that he has carried out. Processing without registration is a criminal offence, but it is an offence that is typically ignored. The commissioner can approve codes of practice, but has only approved three so far, most likely because such codes can do no more than replicate what is already in the Data Protection Acts.
All of the above concerns about the effectiveness of the powers available to the Commissioner will be resolved if and when the EU Commission’s proposal for a Data Protection Regulation is implemented.
‘For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned’
What this means is that anyone who feels that their data protection rights have been infringed can sue for damages. Section 7 implements a provision of the Data Protection Directive, so is difficult to avoid. The section does, however, go on to provide some limitation on the duty of care in respect of data accuracy.