Abstract
This chapter explores the methods used and challenges faced by the Irish DPA in enforcing data protection rights. In this chapter, the Irish Data Protection Commissioner discusses how the office has been able to undertake major investigations of Facebook and LinkedIn and what instruments the DPC uses to maximise its impact, what other steps could be taken to improve the position of the Irish DPA and how they can leverage their effectiveness, including by means of investigation, raising awareness and audits. The DPC emphasises the importance of close co-ordination between data protection authorities and anticipates a situation where, under revised EU data protection law, such co-ordination will be the norm where a company is providing services across Europe.
Billy Hawkes retired from his role as Irish Data Protection Commissioner in August 2014 and Helen Dixon was subsequently appointed to the role. This chapter was largely prepared by Billy Hawkes with recent inputs from Helen Dixon to bring the information up-to-date.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
While the main focus of the annual registration requirement is on transparency , it can also be used as part of the DPC’s enforcement strategy as failure to register, or to fully describe personal data being processed, is an offence under the Data Protection Acts. The DPC’s power to refuse registration is also relevant as the organisation concerned is prohibited from processing personal data. The DPC has occasionally used or threatened use of these registration-related powers. The registration requirement also generates revenue from fees – however, these go to the general Exchequer rather than to the DPC.
- 2.
“Frivolous or vexatious” has been interpreted by the High Court as meaning “futile, or misconceived or hopeless in the sense that it was incapable of achieving the desired outcome” in the case Peter Nowak vs Data Protection Commissioner [2012] IEHC 449.
- 3.
See Collins vs FBD Insurance Plc [2013] IEHC 137.
- 4.
- 5.
- 6.
- 7.
Following a referral to the Court of Justice of the European Union by the Irish High Court (case c-362/14), the Court ruled that a Commission “adequacy” decision “does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”
- 8.
Enforcement responsibility is shared with the Communications Regulator (ComReg).
- 9.
- 10.
In the case of Facebook , all users outside the US and Canada. In the case of LinkedIn , all users outside the US.
- 11.
The degree to which, under existing EU law, other European DPAs can assert jurisdiction over entities such as Facebook -Ireland is not entirely clear, linked as it is to interpretations of Article 4 of Directive 95/46/EC, notably the phrase “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. The DPC, in its audit report, stated that: “it ha(d) jurisdiction over the personal data processing activities of FB-I based on it being established in Ireland” but that this “should not however be interpreted as asserting sole jurisdiction over the activities of Facebook in the EU”.
- 12.
- 13.
- 14.
As indicated earlier, MoUs have facilitated co-operation with the US and Canadian authorities.
- 15.
Article 8 of the EU Charter of Fundamental Rights.
- 16.
The compromise text agreed between the Council, Parliament and Commission in December 2015 provides for penalties of up to €20 million or four per cent of an organisation’s global turnover.
- 17.
With regard to the transposition of Directive 95/46/EC into national law, the European Court of Justice has commented that “the harmonisation of those national laws is not limited to minimal harmonisation but amounts to harmonisation which is generally complete”. See judgment of 24 November 2011 in relation to Joined Cases C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C-468/10), Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) vs Administración del Estado 2012/C 25/30.
References
Collins vs FBD Insurance Plc [2013] IEHC 137.
European Parliament, Council and Commission, Charter of Fundamental Rights of the European Union
European Court of Justice, judgment of 24 November 2011 in relation to Joined Cases C-468/10 and C-469/10 Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) (C-468/10), Federación de Comercio Electrónico y Marketing Directo (FECEMD) (C-469/10) vs Administración del Estado 2012/C 25/30.
Peter Nowak vs Data Protection Commissioner [2012] IEHC 449.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Hawkes, B. (2016). The Irish DPA and Its Approach to Data Protection. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series(), vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-25047-2_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25045-8
Online ISBN: 978-3-319-25047-2
eBook Packages: Law and CriminologyLaw and Criminology (R0)