
Data Protection Commissioner gets tough on cookies

The Data Protection Commissioner issued a letter to 80 Irish websites on 19th December 2012 warning them of their responsibilities under the recent "cookie" legislation introduced in July 2011 under Statutory Instrument 336 of 2011. The website operators contacted had 21 days from that date to outline to the Data Protection Commissioner measures they have taken to achieve compliance with the new rules.

If your firm operates a website, you must achieve compliance with the new rules, as set out in Regulations 5(3) and 5(4) of Statutory Instrument 336 of 2011. To do this, you must provide "clear and comprehensive" information to users about the types of cookies used on your website. This information must be provided in a manner that is "as user-friendly as possible", and must:

  • be "prominently displayed" on your website
  • be "easily accessible" to the user, and
  • clearly set out all of the purposes for which the user's information is processed.

In addition, you, as the website operator, must obtain the specific consent of the user for the use of such cookies. The method you afford to the user to give such consent must also be "as user-friendly as possible". This requirement for advance consent is subject only to limited exceptions, for example, in a situation where a cookie is strictly necessary to facilitate a transaction requested by the user.

In his letter, the Commissioner specifically referred to the Guidance Note on Data Protection in the Electronic Communications Sector that was issued by his Office on the same day that the rules became effective. He noted that operators have now had 18 months to achieve compliance with the requirements. If you are not yet fully compliant you must be able to provide reasons why, together with details as to how and when you expect to achieve compliance. You are also expected to detail actions taken to advise users of third party activity taking place on your website, and information given to users on how to control such third party activity via their browser.

It should be noted that if you voluntarily fail or refuse to comply, you may be subject to enforcement action taken by the Data Protection Commissioner.

Please click for the letter and Guidance Note.

Audits by the Data Protection Commissioner - are you compliant?

Billy Hawkes, the Irish Data Protection Commissioner, has stated that he plans to conduct scheduled audits on large social media companies with operations in Ireland. Ireland has in recent years become home to the European headquarters of a number of these companies and as such, they fall under Mr. Hawkes' jurisdiction. The Commissioner carried out an audit on the activities of Facebook-Ireland in 2011 which was followed up by a comprehensive assessment in 2012 of Facebook's compliance with best practice recommendations arising from that audit. LinkedIn and Twitter have been named as potential subjects of future audits.

It is important to note that the Data Protection Commissioner is not limited when it comes to selecting a company for audit. He has the power to conduct scheduled audits on any data controller or data processor operating in Ireland to assess and ensure compliance with data protection law. He can also carry out 'on the spot' or unscheduled inspections and formal investigations in response to specific complaints. Audits can be targeted to focus on a particular issue or can be more general in nature.

A broad range of organisations are selected for audit each year and those audited are listed in the Commissioner's annual reports. If your firm handles personal data you could also be selected for audit. You should be confident that you are complying with all of your data protection obligations.

To identify any deficiencies in your present state of compliance you should conduct a review of your data protection policies, procedures, systems, records and controls having regard to your regulatory obligations and particularly the 8 Data Protection Principles. You should also address compliance issues surrounding the use of data processors, if any, and the transfer of personal data by your firm outside of the EEA. The results of a review can benefit your firm in a number of ways including the following:

  • It will identify system weaknesses and areas where corrective action is needed in advance of any audit by the Data Protection Commissioner;
  • It will reduce potential risks faced by your firm, for example, the inappropriate use of personal data, data theft or loss, unlawful disclosure of personal data or unauthorised employee access;
  • It will identify the level of awareness of data protection obligations throughout the firm and will inform training needs;
  • It will give you peace of mind that you are in full compliance with data protection law and will inform your compliance monitoring program;
  • If you are required to register with the Data Protection Commissioner, the results will assist you in preparing an application for registration or renewal of registration;
  • If you are a credit institution or insurance undertaking, the results will be important in the context of the Compliance Statement to be signed on an annual basis by the firm's directors under the Corporate Governance Code for Credit Institutions and Insurance Undertakings 2010.

The Data Protection Audit Resource published by the Data Protection Commissioner’s Office in January 2009 is a useful guide to data protection audits and can be found here.

Court confirms “frivolous or vexatious” DP cases cannot be appealed

Section 10(1)(a) of the Data Protection Act 1988 (the “Act”) provides that an individual can make a complaint to the Data Protection Commissioner about a breach of the Act. Section 10(1)(b)(i) provides that the Commissioner must investigate the complaint unless he is of the opinion that it is "frivolous or vexatious". Where the Commissioner refuses to investigate the complaint on this basis, the complainant is not entitled to appeal this decision to the Circuit Court under section 26 of the Act.


This position was reinforced by the High Court in the recent case of Fox v The Office of the Data Protection Commissioner [2013] IEHC 49. The court confirmed that if the Data Protection Commissioner is of the opinion that a complaint is “frivolous or vexatious” he is not required to investigate the complaint at all.


The High Court also stated that the right to appeal a decision of the Data Protection Commissioner made in relation to a complaint under section 10(1)(a) applies only to "a decision" made after the complaint has been subject to an investigation by him.

Data Protection Annual Report 2012 launched

The Data Protection Commissioner (the "Commissioner") launched his Annual Report 2012 on 20 May 2013. The 2012 report has noted a continued increase in complaints made to the Data Protection Commissioner - 1,349 complaints were received in 2012 compared to the 1,161 received in 2011. This indicates a continued growth in awareness amongst the public of their data protection rights and a willingness to pro-actively assert them by making complaints to the Commissioner about data protection breaches.

We would urge companies to take stock of this as the Commissioner takes complaints from data subjects very seriously and indeed will prosecute a company for data protection breaches where he considers them serious enough. 195 prosecutions were taken against 11 entities in 2012.

Aside from a potential conviction and fine for data protection failures, it is important to consider the potential reputational impact on your firm should you be prosecuted by the Commissioner or named for breaches in his annual report. The Central Bank also has the power to take action against a regulated financial service provider for a breach of data protection law, with the current maximum fine for a breach of regulatory requirements standing at €5 million. It is therefore important that companies are fully aware of their data protection obligations if they are to avoid falling foul of the legislation.

Problematic Areas - Access Requests and Direct Marketing


The main areas where companies seem to be falling down, as was also noted in the 2011 annual report, are in relation to compliance with data access requests and direct marketing rules. 606 complaints, compared to 253 in 2011, were received by the Commissioner's Office in 2012 about unsolicited direct marketing text messages, phone calls, fax messages and emails in breach of the Privacy in Electronic Communications Regulations (S.I. 336 of 2011). A large portion related to marketing text messages sent by both large and small businesses in Ireland. As a data controller, a company must have subscriber consent to send a marketing message and must include an opt-out mechanism in each marketing message sent.

As regards access requests, 442 complaints were received in 2012. This was a dip on those received in 2011 but nonetheless very substantial and far in excess of those received in previous years. The issue of compliance with access requests has been addressed by the Commissioner in previous annual reports and he includes four case studies on the matter in his 2012 report. In 2010, the Commissioner used his powers under section 24 of the Data Protection Acts (the "Acts") to carry out an unannounced inspection, appointing authorised officers to enter and inspect the premises of a firm of accountants following a complaint from an employee of the firm that the company had not complied with his access request.

There are only very limited circumstances in which a company can refuse to comply with an access request or restrict information to be handed over to an individual following an access request. If seeking to rely on one of the exemptions set out in the Acts, for example that documentation is the subject of legal professional privilege under section 5, a company must ensure that the exemption does in fact apply in the circumstances in question. There are many examples of where companies have gotten this wrong.

Privacy Audits and Inspections


There are a number of ways in which the Commissioner may come to inspect a company for non-compliance with data protection legislation. They are as follows:

  • Scheduled privacy audits intended to assist data controllers in ensuring data protection systems are effective and comprehensive;
  • Investigations in response to specific complaints; and
  • Unscheduled inspections under section 24 of the Acts (and Regulation 19 of S.I. 336 of 2011).

Privacy audits and inspections are carried out to ensure compliance with the Acts and to identify breaches. Forty scheduled privacy audits were carried out in 2012, with six focusing on financial service providers. Data controllers are expected to be aware of their data protection obligations and to comply with them.

International and Domestic Responsibilities


On a final note, the Commissioner pointed out that the workload of his Office was likely to increase under the "one-stop-shop" system of enforcement being proposed at EU level for oversight of multinational companies, for example, Facebook. However, he stated that the Government has provided his Office with additional staffing and funding and that his Office's commitment to meeting such responsibilities would not cause domestic issues to be neglected.
