20140529 Data Protection Law_Colin Rooney

Briefing on Data Protection Law Colin Rooney, Partner, Technology and Innovation 29 May 2014

Description: Data Protection, processor, data controller, rights under Irish Law


Page 1: 20140529 Data Protection Law_Colin Rooney

Briefing on Data Protection Law

Colin Rooney, Partner, Technology and Innovation

29 May 2014


Current law

– Irish Law

• Data Protection Acts 1988 & 2003

• European Communities (Electronic Communications Networks And Services) (Privacy And Electronic Communications) Regulations 2011

– Apply where a person/organisation is

• established in Ireland and is processing in context of establishment;

• has an office, branch or agency in Ireland;

• uses a company or third-party server located in Ireland to collect data – and the data is not merely in “transit” through Ireland.


Basic Terms

• Data Controller

• Data Processor

• Data Subject

• Processing

• Personal Data

• Sensitive Personal Data


8 Core Principles

Obtain and process the information FAIRLY

Keep it only for one or more specified and lawful purposes

Use & disclose it only in a manner compatible with those purposes

Ensure that it is adequate, relevant and non-excessive

Keep it accurate and up-to-date

Retain it no longer than is necessary for those purposes

Ensure appropriate security measures are taken

Comply with individual access requests


Processing Conditions

• The data subject’s consent has been obtained

– consent can be verbal or written but must be freely given!

• The processing is necessary:

– for the performance of a contract to which data subject is party;

– compliance with a non-contractual legal obligation;

– to prevent serious injury, loss or damage; or

– for the legitimate purpose of a data controller, except where processing is unwarranted having regard to the fundamental rights of the data subject

– Even more conditions for Sensitive Personal Data!


Data Lifecycle

• Data Capture – Collection of Data

• Data Use – Processing

• Data Disclosure / Sharing and Data Transfer

• Data Retention/Destruction


Data Processors

– General Rule:

• Where an agent/third party is processing personal data, there should be a contractual basis for this, with appropriate security safeguards in place.

– In data protection terms:

• Where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained.


Application to Data Processors

– Key requirements are as follows:

• there must be a written contract between the parties;

• including appropriate security safeguards;

• specifically providing that the data processor will process personal data only on the basis of the authorisation and instructions received from the data controller;

• committing the data processor to apply appropriate security measures; and

• the data controller must satisfy itself that the data processor has suitable technical security measures and organisational measures in place.


Sending Data Abroad

• When transferring, or making available, Personal Data abroad, you must have regard to the provisions of the DPA which limit or restrict foreign transfers.

• Section 11 DPA provides that:

– “The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data.”


Sending Data Abroad (cont.)

• Export of Personal Data outside the EEA only if:

– consent is given to data exports; or

– the personal data is exported for the purpose of fulfilling a contract; or

– the personal data is exported to countries which are deemed by the EU Commission to have adequate data protection laws; or

– the company has put adequate privacy safeguards in place for the transfer.


Sending Data Abroad (cont.)

Types of transfers approved by the Commissioner:

• ‘Safe Harbor’

• Binding Corporate Rules

• Model Contracts

Safe Countries:

• Argentina

• Canada*

• Switzerland

• Guernsey

• The Isle of Man

• Jersey

• Faroe Islands

• Israel

• New Zealand

• Uruguay

*restrictions apply


Compliance Steps

• Review existing data exports to check that either information is not transferred outside the EEA, or an appropriate DPA exemption applies (e.g. consent, contractual necessity or vital interests).

• Put in place appropriate model form clauses for transfer.

• Consideration could be given to self-certification (by the US body) under the ‘Safe Harbor’ rules on trans-Atlantic data exports – requires action from party in the US.

• N.B. The other DPA Principles must still be adhered to.


Security Requirements

• Basic Rule: data controllers and data processors must take ‘appropriate security measures’ for personal data, to guard against unauthorised access, loss, or disclosure.

• Factors to be taken into account include:

– State of technological development;

– Cost of implementing measures;

– Harm that might result from unauthorised or unlawful processing;

– Nature of the data concerned; and

– Obligation for staff awareness and compliance with security.


Data Security Considerations

• DPA does not detail the specific security measures that an organisation must have in place.

• Adherence to technical security arrangements, both internal and external.

– e.g. password protection, data encryption, etc.

• Security should also be borne in mind when personal data are being destroyed.

• Where personal data are being transferred out of or into the company, the security of the transfer method is vital.


What does this mean in practice?

– Obligations on security need to be actively addressed

– Party should adhere to a “need to know” principle

– Hence staff should only be able to access the personal data that they need to carry out their functions – seems this is the case!

– Organisations must have adequate access controls, firewalls and virus protection

– Don’t forget about manual files (and Relevant Filing System)!


Security: Summary

• Presently high profile area

• Hence represents legal / compliance / reputational risk

• Be aware of nature of legal requirements:

– Not IT specific

– Principles based legislation

• Appropriate security is judged by a variety of factors, including:

– nature of information & cost of available technology.

• Ongoing compliance review and staff training is crucial.


Obligation to Report a Breach?

Despite the Personal Data Security Breach Code of Practice, there is presently no explicit obligation to notify the Commissioner’s Office or the data subject of a breach of information security.

Exception: ISPs and Telcos.

However, it may be advisable to do so.

First consult with your legal advisors.

Note: this position will change shortly on foot of EU law.


Registration

• Depends on the nature of the Personal Data held.

• Certain Data Controllers must register

• Data Processors must register if they process on behalf of a Data Controller that is required to be registered.


Data Retention

• Personal Data must not be kept for longer than necessary for the purpose for which it was acquired.

• Consider the length of time that you will need to keep various types of data.

• No specific retention periods are set by the data protection law.


What rights does the Data Subject have?

• Right of access – 40 days to comply

• Right of rectification and/or erasure

• Right to complain to Data Protection Commissioner


Data Protection Commissioner

• Investigates complaints of non-compliance.

• Codes of good practice.

• DPC can obtain information and issue enforcement notices requiring the company to take steps that include ceasing data capture or processing.

• “Dawn Raids”

• DPC can bring prosecutions and ask the Courts to impose criminal fines.

• The DPC’s office is far more active than ever before.


Consequences of Breach

• Criminal Offence – in certain circumstances – under the Acts:

– €3,000 (summary conviction)

– €100,000 (indictment).

• Damages - compensation

• Information, Enforcement or Prohibition notice

• Public shame – DPC’s Annual report

• Erasure of database

• Compliance cost


EU Member States: Table of Fines


Proposed Changes

• New Data Protection Regulation

• Unified EU Data Protection law

• Applicable from 2015/2016

• Nominate Data Protection Officer

• Put in place a Data Breach procedure

• More obligations for Data Processors


A Final Thought!



[email protected]

Thank you for your time today.

29 May 2014