Data Protection

Overview

  • Data trails begin at birth, which includes:

    • Birth recorded with the Registrar of Births, Deaths and Marriages.

    • Baby photos posted to social media.

    • Every reservation or transaction made throughout life creating personal data.

    • Interactions with organizations (governmental, enterprise, non-profit) contributing to data.

    • Sharing photos on social media showing milestones like graduations and engagements.

Value of Personal Data

  • Personal data is recognized as valuable.

  • Significant increase in high-profile data breaches; referenced DPC case studies show this trend.

Development of Data Protection Laws

  • Reason for Development:

    • Concerns regarding the impact of technologies on individual privacy led to the formation of Data Protection Laws.

    • Laws establish rights for individuals whose data is processed and duties for those who process data.

    • Facilitates the free flow of data while supporting cooperation between states.

Goals of Data Protection Legislation

  1. Protect individuals whose data is processed.

  2. Facilitate appropriate data usage.

History of Data Protection Legislation

  • 1970s:

    • Early adoption of data protection legislation in Sweden and Germany.

  • 1980:

    • OECD developed non-binding recommendations establishing 7 principles for personal data protection:

    • Notice

    • Purpose

    • Consent

    • Security

    • Disclosure

    • Access

    • Accountability

  • 1981:

    • Council of Europe introduced the Convention for Protection of Individuals regarding Automatic Processing of Personal Data (Convention No. 108).

  • 1988 (Ireland):

    • Implementation of Data Protection Act 1988 to give domestic effect to Convention No. 108.

  • 1995:

    • EU adopted Directive 95/46/EC.

  • 2003 (Ireland):

    • Implementation of the Data Protection (Amendment) Act 2003 in accordance with 1995 Directive.

  • 2018:

    • Introduction of General Data Protection Regulation (GDPR), which was directly applicable in Ireland without additional legislation.

Privacy and Data Protection

  • Privacy: Right to be left alone is fundamental in a democratic society, but not absolute; subject to civil society needs and other rights (e.g., others' rights).

    • Implied right to privacy under Article 40.3.1 of the Irish Constitution.

    • Explicit right under Article 8 of the European Convention on Human Rights: respect for private and family life, home, and correspondence.

  • Data Protection: Refers to the bundle of privacy rights protecting the processing of an individual’s personal data.

    • Broader protection than privacy law, including rights to access personal information.

    • Relevant EU cases reference Articles 7 and 8 of the ECHR for guiding EU data protection rules.

    • Elevated to Treaty Status in the Treaty of Lisbon, Article 16 states: “Everyone has the right to protection of personal data concerning them.”

    • EU Charter of Fundamental Rights also recognizes privacy and data protection separately (Article 7 and 8).

Aim of Data Protection Law

  • Dual mandate recognizes the need for free data flow while ensuring privacy.

  • GDPR applies specifically to personal data concerning natural persons.

Personal Data Defined

  • Personal Data: Defined by GDPR as any information relating to an identified or identifiable natural person (data subject).

    • Identifiers may include name, ID number, or any characteristic reflecting physical, physiological, genetic, mental, economic, cultural, or social identity.

  • Examples of Personal Data:

    • Name and address, income, disciplinary actions, expressions of opinion, and photographs.

  • Key Cases:

    • Address: Case C-28/08 EC Commission v Bavarian Lager Co Ltd.

    • Income: Joined Cases C-465/00, C-138/01, C-139/01 Rechnungshof v Osterreichischer Rundfunk.

    • Photograph: Campbell v MGN.

  • Anonymised Data: Not considered personal data if the individual cannot be identified from it.

Data Controller

  • Definition: Under Article 4 of GDPR, a person or entity that controls the contents and use of personal data, determining the purposes and means.

  • Exerts influence over personal data usage; relevant to both natural and legal persons.

  • Examples include doctors (GPs) and companies (e.g., Facebook).

  • To confirm data controller status, ask if you decide on data collection, storage, usage, and deletion.

  • GDPR applies to EU entities processing data regardless of where the data processing occurs.

Data Processor

  • Defined as an entity processing data on behalf of a data controller (Article 4(7)(8) GDPR).

  • Excludes employees who process data as part of their job.

  • Examples: payroll companies, accountants, market research firms, cloud services.

  • Responsibilities: Data processors must evaluate and mitigate processing risks; they carry obligations based on the instructions from the data controller.

  • A single company can act as both data controller and processor regarding different data sets.

Personal Data Processing

  • GDPR distinguishes between sensitive and non-sensitive personal data.

  • Personal data allows identification of individuals, directly or through combining with additional information.

  • European Data Protection Board’s Three-Pronged Test:

    1. The content relates to an individual, making it personal data.

    2. The purpose of the data usage can affect the individual’s status or behavior, making it personal data.

    3. The result of processing impacts an individual's rights and interests, confirming its personal data classification.

Sensitive Personal Data

  • Definition (Article 9): Subcategory of personal data needing special protection due to confidential nature, including:

    • Physical or mental health, sexual life, racial or ethnic origin, political opinions, religious beliefs, criminal convictions, and trade union membership.

Processing Defined

  • Broad Definition: Processing includes any operation performed on information, including:

    • Obtaining, recording, organizing, storing, altering, retrieving, consulting, using, disclosing, aligning, combining, blocking, erasing, or destroying information.

  • Essentially, anything done with data from collection to disposal.

Consent Requirements

  • Express Consent: Required for processing sensitive personal data, with exceptions provided.

  • Article 9 specifies consent is needed unless for legal claims or employment necessities.

  • Silence, pre-ticked boxes, or inactivity do not equate to consent.

Obligations of Data Controllers and Processors (The 8 Rules - now Article 5 GDPR)

  1. Obtain and process data fairly (e.g., via consent).

  2. Retain data only for specified and lawful purposes.

  3. Process data in ways compatible with initial collection purposes.

  4. Ensure data safety and security.

  5. Maintain accuracy and timeliness of data.

  6. Keep data adequate, relevant, and not excessive.

  7. Retain data only as long as necessary for purposes.

  8. Provide access copies of personal data upon request.

Transparent Processing Requirements

  • Data controllers must inform data subjects of:

    1. Controller’s name.

    2. Purpose of data collection.

    3. Potential disclosures of data to other parties.

    4. Obligation of responses to inquiries.

    5. Right of access and rectification.

    6. Consequences of not providing data.

  • Must use clear, plain language during data collection.

Purpose Limitation Principle

  • Data collected must be for specified, explicit, and legitimate purposes; meaning relevance is crucial.

  • The principle is pivotal against big data practices; must avoid using data not originally intended for specific purposes.

  • Considerations:

    • Context of data collection and reasonable expectations.

    • Nature of personal data.

    • Consequences of further processing.

    • Link between new and original purposes.

    • Existence of sufficient safeguards.

Minimization Requirement

  • Data collection must be limited to what is adequate and relevant; broad collection is not permissible.

  • Excess data increases risk for breaches.

Accuracy Requirement

  • Data must be accurate and up-to-date; individuals have rights to rectify or erase inaccuracies (Articles 16 and 17).

Storage Limitation Principle

  • Data must be identifiable only for the time necessary for legitimate purposes, safekeeping procedures must exist for data review and deletion.

Integrity Requirement

  • Data must be stored securely, protecting against unauthorized processing and accidental loss or damage.

  • GDPR emphasizes integrating data protection by design and by default.

Reporting Breaches

  • Controllers must report data breaches to the Data Protection Commissioner within 72 hours of awareness (Article 33 (1)).

  • Fines: Up to 20 million EUR or 4% of global turnover from the previous financial year, whichever is larger (Article 83 GDPR).

Data Protection Act 2018 & Liability

  • Section 7 of the Data Protection Act 1988 imposed a duty of care between Data Controllers/Data Processors and Data Subjects, allowing for negligence claims.

  • Companies must implement security measures and ensure valid consent. Negligence may incur fines and harm reputations.

Data Protection Impact Assessments

  • Required when processing employs new technologies likely to create high risks for individuals’ rights and freedoms (Article 35 GDPR).