In Irish First, Company Directors Fined For Unlawfully Obtaining Personal Data

By Ali Qassim

Oct. 6 — In a first, an enforcement action brought by Ireland's Office of the Data Protection Commissioner (ODPC) resulted in fines against company directors for taking part in their company's data protection offenses, the office announced Oct. 6.

The Bray District Court Oct. 6 fined private investigation company M.C.K. Rentals Ltd., doing business as M.C.K. Investigations, 7,500 euros ($9,469) for breaches of Section 22 of the Data Protection Acts 1998 and 2003, which make it unlawful to obtain access to personal data without the authority of the data controller and then disclose the data, the ODPC said in a statement.

The same court also fined the company's directors, Margaret Stuart and Wendy Martin, 1,500 euros ($1,893) each for breach of Section 29 of the acts after the court found they consented to the company's actions.

The investigation company obtained personal data from the Department of Social Protection and from the Health Service Executive, the national provider of health and personal social services, and then disclosed the data to a group of credit unions, the ODPC said.

“The investigation of these cases uncovered wholesale and widespread ‘blagging' techniques used by the offenders and this is the first completed prosecution by the Data Protection Commissioner of offenders engaged in such practices,” the ODPC said. The website of the U.K. data protection authority, the Information Commissioner's Office, defines “blagging” as an attempt by individuals to obtain information from organizations illegally using deception.

Director Liability

The ruling is “significant” because the ODPC “is prosecuting the directors in their personal capacity,” which it is entitled to do under Section 29 of the acts, Kate Colleary, a partner at Dublin-based Eversheds, told Bloomberg BNA Oct. 6.

The ODPC “has gone further than merely prosecuting the legal entity that committed the offences and is saying that the offences were committed with the consent or connivance of the directors who are being prosecuted personally which could result in them getting a criminal record,” she said.

“This could mean that they may be restricted from traveling to certain countries or from holding certain positions in companies/public office, or could even, though unlikely, result in a custodial sentence,” she said.

The prosecutions are also the first ones to be completed by the ODPC against private investigators for breaches of data protection law, according to the ODPC's statement. The Irish data protection authority initiated proceedings against another private investigator for the same breach of the data protection rules, but the court hasn't issued a final sentence.

 

‘Strong Message.'

The ODPC said the sentence sends a “strong message to private investigators and tracing agents to comply fully with data protection legislation,” warning them that they will be prosecuted for offending behavior.

The case should also act as a warning to organizations in the credit union, banking, financial services, legal and insurance sectors who make use of private investigators and tracing agents, who need to ensure that any companies they use “have fully safeguarded all personal data against unlawful forms of data processing,” the ODPC said.

The office added that it was “particularly shocking” that the credit unions that contracted the investigators asked no questions about how M.C.K. Investigations obtained the personal data.

The ODPC said it will also investigate further into how the Department of Social Protection and the Health Service Executive will prevent breaches from taking place in the future.

A spokesman with the Courts Service of Ireland told Bloomberg BNA Oct. 6 that it doesn't publish lower court documents such as the ruling in this case.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com