Privacy & Data Protection Law in Ireland.
Europe’s data protection laws began as ancillary provisions to the right to privacy. Privacy is a right with a long historyWarren and Brandeis first defined privacy as the right to be let alone in 1870. The right to privacy was recognised by Article 12 of the Universal Declaration of Human Rights in 1948, Article 8 of the European Convention on Human Rights in 1950 and Article 7 of the European Charter of Fundamental Rights in 2009. Ireland’s Courts first recognised a right to marital privacy in the case of McGee v Attorney General in 1974; they recognised a general right to privacy in Kennedy & Arnold v Attorney General in 1987.
Privacy cannot be considered in isolation; technological developments have created a focus on how data processing systems impact upon the right. Europe’s data protection laws have developed in response. The first pan-European data protection law was the Council of Europe’s Strasbourg Convention, which was entered into in 1981 and implemented in Ireland as the Data Protection Act 1988. The signatories to that Convention went onto enact data protection laws at around the same time. The problem was that all of these laws were different. So the EU Commission proposed the Data Protection Directive, which was implemented in Ireland as the Data Protection Act 2003. The purpose of the Directive was to ensure that Member States would:
‘… protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data’
However, the EU legislature could not enact such a law in order to ensure the protection of Europeans privacy, rather it had to dos so ensure that Europe’ divergent data protection laws did not interfere with the single market. This reality was reflected in the text of the Directive, which went onto provide:
‘Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded…(to fundamental rights and privacy)’
The reason why the Directive had to take this approach was that it had its legal base in the internal market provisions of the EU Treaty, which could have led to interesting arguments if Europeans right to privacy were to have been held to conflict with the single market. However, this issue was resolved by the Lisbon Treaty which made two fundamental changes to the EU’s laws. Firstly, it made data protection one of the legislative objectives of the EU, providing in Article 16 of the Treaty on the functioning of the EU, which provides:
‘Everyone has the right to the protection of personal data concerning them’.
And goes onto provide that the EU’s legislature should:
‘…lay down the rules relating to the protection of individuals with regard to the processing of personal data by …the Member States…and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities’
This then creates a specific legal basis for the EU’s data protection legislation. Of greatest significance however is Article 8 of the European Convention of Fundamental Rights, which repeats the first line of Article 16 of the Treaty, then goes onto say:
‘Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified’
In response to both these legal changes and continuing changes in technology the EU Commission has undertaken extensive consultations, which has resulted in a draft proposal for a Data Protection Regulation.