The Data Protection Commissioner (the "Commissioner") launched his Annual Report 2012 on 20 May 2013. The 2012 report notes a continued increase in complaints made to the Data Protection Commissioner: 1,349 complaints were received in 2012 compared to the 1,161 received in 2011. This indicates a continued growth in public awareness of data protection rights and a willingness to proactively assert them by making complaints to the Commissioner about data protection breaches.
We would urge companies to take stock of this as the Commissioner takes complaints from data subjects very seriously and indeed will prosecute a company for data protection breaches where he considers them serious enough. 195 prosecutions were taken against 11 entities in 2012.
Aside from a potential conviction and fine for data protection failures, it is important to consider the potential reputational impact on your firm should you be prosecuted by the Commissioner or named for breaches in his annual report. The Central Bank also has the power to take action against a regulated financial service provider for a breach of data protection law, with the current maximum fine for a breach of regulatory requirements standing at €5 million. It is therefore important that companies are fully aware of their data protection obligations if they are to avoid falling foul of the legislation.
Problematic Areas - Access Requests and Direct Marketing
The main areas where companies seem to be falling down, as was also noted in the 2011 annual report, are in relation to compliance with data access requests and direct marketing rules. 606 complaints, compared to 253 in 2011, were received by the Commissioner's Office in 2012 about unsolicited direct marketing text messages, phone calls, fax messages and emails in breach of the Privacy in Electronic Communications Regulations (S.I. 336 of 2011). A large portion related to marketing text messages sent by both large and small businesses in Ireland. As a data controller, a company must have subscriber consent to send a marketing message and must include an opt-out mechanism in each marketing message sent.
As regards access requests, 442 complaints were received in 2012. This was a dip from the 2011 figure but nonetheless a very substantial number, far in excess of those received in previous years. The issue of compliance with access requests has been addressed by the Commissioner in previous annual reports, and he includes four case studies on the matter in his 2012 report. In 2010, the Commissioner used his powers under section 24 of the Data Protection Acts (the "Acts") to carry out an unannounced inspection, appointing authorised officers to enter and inspect the premises of a firm of accountants following a complaint from an employee of the firm that the company had not complied with his access request.
There are only very limited circumstances in which a company can refuse to comply with an access request or restrict the information to be handed over to an individual following an access request. If seeking to rely on one of the exemptions set out in the Acts, for example that documentation is the subject of legal professional privilege under section 5, a company must ensure that the exemption does in fact apply in the circumstances in question. There are many examples of companies getting this wrong.
Privacy Audits and Inspections
There are a number of ways in which the Commissioner may come to inspect a company for non-compliance with data protection legislation. They are as follows:
- Scheduled privacy audits intended to assist data controllers in ensuring data protection systems are effective and comprehensive;
- Investigations in response to specific complaints; and
- Unscheduled inspections under section 24 of the Acts (and Regulation 19 of S.I. 336 of 2011).
Privacy audits and inspections are carried out to ensure compliance with the Acts and to identify breaches. Forty scheduled privacy audits were carried out in 2012, with six focusing on financial service providers. Data controllers are expected to be aware of their data protection obligations and to comply with them.
International and Domestic Responsibilities
On a final note, the Commissioner pointed out that the workload of his Office was likely to increase under the "one-stop-shop" system of enforcement being proposed at EU level for oversight of multinational companies, for example, Facebook. However, he stated that the Government has provided his Office with additional staffing and funding and that his Office's commitment to meeting such responsibilities would not cause domestic issues to be neglected.