Ireland Looking at More Authority, Fines Under EU Law


By Joyce E. Cutler

Sept. 30 — Ireland, which is developing a specialty in dealing with international technology companies' privacy issues, is waiting to see if its authority will be expanded under the draft European Union data protection law, the Irish data protection commissioner said Sept. 30.

The data protection authority, with the European Court of Justice upholding citizens' right to be forgotten and increased voluntary data breach reporting, is getting more work with more changes to come, Helen Dixon, Ireland Office of the Data Protection commissioner, told privacy professionals during a breakout session at the International Association of Privacy Professionals annual meeting in Las Vegas.

“There certainly is more to do. And as we look forward to the European data protection regulation and the increase in the enumerated rights that data subjects are going to have and the increasing roles that the supervisory authorities are going to have, this is something that does keep us awake at night in terms of how we're going to resource this,” Dixon said.

The session, “Ireland's Role in the New EU Data Protection Regime,” was sponsored by Bloomberg Law. Other panelists included Don Aplin, managing editor of Privacy and Data Security News at Bloomberg BNA, and Rob Corbet, a partner and head of technology and innovation for Dublin, Ireland-based corporate law firm Arthur Cox.

Big Changes Expected

The European Parliament in March 2014 approved a draft data protection regulation that includes fines for breaches of up to 100 million euros ($114 million), or 5 percent of a company's global turnover (49 Privacy Law Watch, 3/13/14)(13 PVLR 444, 3/17/14).

“There are lots of changes that are going to come with the regulation,” Dixon said. “Obviously the overarching aim is to modernize and harmonize European data protection,” with the idea of regulations having a direct effect on enhanced rights for erasure.

The proposal will have “increasing emphasis on enforcement and enforcement through deterrence with very significant fines,” she added. “I think that's a massive change. Currently the Irish Data Protection Authority doesn't have the authority to make any administrative fine, no matter how small.”

Tech Making Home in Ireland

Technology companies with Irish headquarters include Facebook Inc., Twitter Inc., Apple Inc., Google Inc., eBay Inc. and PayPal.

“We've taken a special role by virtue of the fact that a lot of U.S. companies have located their European headquarters in Ireland,” Dixon told Bloomberg BNA. “So that puts us in the position of being the lead regulator, and by virtue then of the experience we've built up in regulating those companies and getting to know their service, that's an expertise we've now developed.”

Safe Harbor Ruling Coming Oct. 6

U.S. companies see data protection and privacy as a compliance piece to fit into a business model, Corbet said during the session.

The philosophy “is moving more and more towards the fundamental human rights type view of data protection,” he said.

The ECJ is expected Oct. 6 to issue a ruling on the U.S.-EU Safe Harbor Program, which more than 4,000 U.S. companies rely on to transfer personal data from the European Union under a self-certification scheme that is aligned with principles in the EU's 1995 Data Protection Directive (95/46/EC) (189 Privacy Law Watch, 9/30/15).

Right to Be Forgotten

In a case involving Google, the ECJ in May 2014 affirmed a right to be forgotten and to allow EU citizens to seek deletion of links on search engines if the information was outdated or irrelevant (93 Privacy Law Watch, 5/14/14)(13 PVLR 857, 5/19/14).

Under the Irish Data Protection Act, the DPA must investigate any complaint where an individual thinks his or her rights to be forgotten were breached, including 40 cases in 10 months in which individuals asked Google, Yahoo! Inc. or other search engines to have results de-indexed and the search engine refused. Dixon said that thus far, the investigations have resulted in a 50-50 split for de-indexing.

Those 40 cases are a “tiny percentage” of the more than 200,000 requests to be forgotten, she said.