The General Data Protection Regulation (GDPR) in Ireland-a Beginner’s Guide

GDPR

Have you heard about the GDPR (General Data Protection Regulation)?

Do you know the changes it will bring to data protection law in Ireland?

Do you know when it is to come into effect here?

These questions, and similar foundational ones, are what I am about to look at.

Ready?

Let’s go.

The “big bang” date for the this Regulation to come into effect in Ireland will be 25th May, 2018. As EU regulations have direct effect in Irish law, it will not require any act of transposition or formal introduction into Irish law.

The effect of the GDPR will be to replace the existing data protection framework in Ireland. If you are data controller, and you currently have obligations under data protection law, you will need to know what new obligations the GDPR will have for you and your organisation or business.

At its core it strengthens the rights of EU citizens to data privacy and central to this is the three principles of

  1. Security
  2. Accountability
  3. Transparency.

You will note that these are the principles inherent in the current data protection regime in Ireland, pursuant to the Data Protection Act 1988 and Data Protection (Amendment) Act, 2003. It will be a relief to discover that if you are in line with current legislation you will be broadly covered for the new regime.

However, there is some new elements being introduced by GDPR which you need to be aware of. The Office of the Data Protection Commissioner has suggested a 12 step approach to the new regime. Those 12 steps are:

1. Becoming aware

Key personnel need to be aware the law is changing in this area from 25th May, 2018.

2. Become accountable.

Gather up your existing personal data and review it under the following headings

  • Why are you holding it?
  • How did you obtain it?
  • Why was it gathered?
  • How long will you retain it?
  • How secure is it?
  • Do you share it with 3rd parties? If so, on what basis?

This will cover the accountability principle mentioned at number 2 above.

3. Communicate with staff and service users

This involves lettering your staff or service users know about the collection of their personal data.

Under GDPR new obligations include:

  • Providing information about the legal basis for processing the data
  • Retention periods
  • Complaint procedures
  • Their individual rights under GDPR
  • Whether the data will be subject to automated decision making.

4. Personal Privacy Rights

Generally, the rights afforded to individuals will be similar to what they currently enjoy eg to have inaccuracies corrected, to have data deleted, to object to direct marketing.

You will also need to consider how you will provide data electronically if requested by the data subject. You will need to consider,too, how long it will take to locate the data and who will make decisions about deletion of data.

5. How will access requests change

The GDPR will change the timescale for responding to data protection requests to one month so you need to review how you will deal with this faster timescale.

It will be less likely that you will be able to charge for such requests and the ground for refusal will need to be founded in well documented policies and procedures for refusal.

You will also need to provide additional information to data subjects such as information about the data retention periods and having inaccurate data amended.

6. The legal basis

You will have to explain your legal basis for processing personal data and data subjections will have stronger grounds for having their data deleted and the legal bases for processing data will be reduced significantly.

If customer consent is the only justification for processing data the data subject will be in a stronger position to request that it be deleted.

7. Customer consent as a ground to process data

Consent must be ‘freely given, specific, informed and unambiguous’ in relation to customer consent. The customer must not be duped or forced into giving the information. They must also know what exactly they are consenting to and requires a positive action of approval; it cannot be inferred be silence or a failure to take action eg tick a box to opt out.

Subjects also need to be told of their right to withdraw consent. You need to be able to show how consent was obtained, and have a record of it. Generally, where consent is relied upon, the data subject has stronger rights in relation to their personal data.

8. Processing children’s data

If you must gather children’s data you need to be careful about being able to verify the age of the child and obtain the consent of the guardian.

Special protections in respect of children’s data will be introduced, especially in relation to social media use and commercial internet services.

9. Reporting data breaches

You must ensure you have sound procedures in place to detect, report and investigate any data protection breach. The GDPR will introduce mandatory data breach reporting obligations to the Data Protection Commissioner.

Failure to report a breach will result in a fine in addition to the fine for the breach and breaches will typically have to be reported within 72 hours.

10. Data protection impact assessments (DPIA)

This involves the systematic consideration of how a particular initiative will impact on the privacy of individuals. This assessment may involve discussions with groups and stakeholders.

If this assessment leads the organiser to believe that the risks to personal data cannot be mitigated fully it may be necessary to contact the Data Protection Commissioner before starting the process of gathering data.

If a project requires a DPIA you will need to consider

  • Who carries it out?
  • Who needs to be involved?
  • Will it be run locally or centrally?

The whole thrust of the DPIA is to identify potential problems with an initiative involving the gathering of personal data and look at ways to mitigate those issues.

11. Data protection officers

Some organisations will need to designantt a DPO (data protection officer) under the GDPR regime. Such organisations would include public bodies, large organisations, and so forth but you need to consider whether you need a data protection office in your organisation.

He/she will need to be conversant with GDPR and its obligations. You may appoint an external advisor to this role, if there is nobody suitable or qualified in your organisation.

12. GDPR and international organisations

For organisations which have operations in many EU states you will be entitled to deal with one data protection authority, a Lead Supervisory Authority (LSA) as your single regulating body in the country where you are mainly established.

This will generally be determined as the country where the main administration of the organisation is carried out.

Conclusion

If you are currently in compliance with existing data protection legislation in Ireland you will be in good shape to deal with the new situation after 25th May, 2018. However, even though you will be playing a similar game it will be more akin to being in the Premier league than division 3 or 4.

Data Protection Breaches-Are You Entitled to Damages?

data protection breach ireland

Have you suffered a breach of your data protection rights?

If so, what is your redress?

And are you entitled to damages/compensation for the breach?

If you are concerned that your data protection rights have been breached you may bring a complaint to the Office of the Data Protection Commissioner. This is a free service and covers situations where

  1. There has been no response to a data protection request you have made
  2. There has been a response but it has been inadequate
  3. Data is being withheld incorrectly, by claiming an exemption
  4. Other problems.

If your complaint is upheld the Data Protection Commissioner will seek to ensure compliance with his finding, and can make a legal order concerning the issue. The failure of the data controller to comply with this order can be punished by the Courts.

What about compensation/damages for you, however?

Compensation and Damages

The question arises, though: are you entitled to compensation for mishandling of your personal data, or breaches of your data protection rights?

Section 7 of the Data Protection act, 1988 states that data controllers and data processors owe data subjects a duty of care.

But what does this mean in practice?

A 2013 case, Collins v FBD Insurance p.l.c. [2013 IEHC 137], provides clarity in this area. In this case Mr. Collins’s data protection rights were breached by FBD, according to the Data Protection Commissioner. In fact, there were two findings against FBD for breaches of the Data Protection acts.

Mr. Collins brought a claim to the Circuit Court seeking damages against FBD and was awarded €15,000 general damages by way of compensation for the tort-the civil wrong-and the failure of FBD to discharge its duty of care, as set out in section 7.

FBD appealed the case to the High Court and the High Court found that in order to be entitled to damages a data subject needed to prove 3 things:

  1. There has been a breach of the Data Protection Act and the duty of care contained in section 7
  2. That damage has resulted from the breach
  3. The breach has caused the damage/loss.

If you cannot prove all three elements you will not be entitled to damages for the breach, according to the High Court, and it overturned the decision of the Circuit Court.

Justice Feeney held:

4.4 Section 7 is limited and goes no further than providing for a duty of care that is a duty of care within the law of torts. To obtain a compensation for a breach of duty of care, it is necessary for a claimant to establish that there has been a breach, that there has been damage and that the breach caused such damage. The tort of negligence, unlike the tort of trespass to person, requires proof of damage.

 

6.1 In this case the plaintiff has failed to prove any damage resulting from the breach of the duty of care owed by the defendant.

Read the full decision here.

Naivety When You Are Buying Your First Property is Your No. 1 Enemy

buy house ireland

Are you thinking about buying your first property? It is an exciting, and terrifying, time.

One of the biggest dangers you need to guard against is naivety.

It’s not your fault, and everyone has to start somewhere with their first purchase. But you need to ensure it is a sound one. And you must guard against your inexperience and naivety.

I have bought and sold properties in Ireland since 1986 and you can learn from what I have learned, and my mistakes.

Let me explain my thesis that naivety is one of your biggest dangers in the process. There is a number of ways you can be naive, and, quite frankly, taken advantage of. This is because there is a number of specific but diverse activities you will engage in before you successfully move to your new home.

These activities include

  1. Assessing where to buy your new property-the location
  2. Assessing the physical condition of the property
  3. Negotiating the deal with the vendor or, more likely, the auctioneer
  4. Organising the finances.

Each of these four areas is a potentially tricky area on its own, but combine it with each of the other three areas and it is easy to see how you can make costly mistakes through naivety, and the fact that this is your first time.

The best approach to take is to ensure you have good advice every step of the way, don’t cut corners, and engage the help of professionals where you can.

The Structural Soundness of the Property

For example, don’t take chances with the structure of the property, and its physical boundaries. Have these checked out by an engineer/surveyor/architect who should also carry out a structural survey on the property to ensure the structural integrity of the property and no evidence of pyrite.

Ensure, too, that the surveyor had professional indemnity insurance and ask him any questions that are bugging you after he has given you his report; for example, a) is the property structurally sound? and b) do you recommend further investigation be carried out?

Negotiating the Deal

Negotiating the deal-always remember when you are buying the property that the auctioneer has only one client: the vendor. Don’t rely entirely, or at all, on representations or blandishments made by the auctioneer.

The likelihood is that when the contract is issued there will be a special condition in it which states you understand that you cannot rely on any other representations or warranties made prior to the issue of the contract. This, therefore, legally rules out you relying on what may have been promised by an enthusiastic, friendly auctioneer.

Organising the finance

Shop around for the best deal and be aware that the person in the bank who is selling you the loan will not be the person who stipulates the conditions set out in your loan offer. In the same way that you take what the auctioneer has told you with a pinch of salt you need to also understand that the front line person for the lender who is sending applications up the line has little or no influence over the loan conditions which will ultimately emanate from the bank’s legal and/or securities section.

A mortgage broker or advisor might be a useful tool in your toolbox provided that he/she is providing you with independent financial advice and has only one client: you.

Be cautious about advisors or brokers who have agencies with specific institutions or have some type of commission arrangement for selling a particular loan.

Through the whole process when you are dealing with someone-auctioneer, bank, vendor,engineer- always silently ask yourself: who is his/her client. If it is not you, be vigilant.

Conclusion

My advice to protect you against your inexperience and the fact that you are a “virgin” at this:

  • Use your head and get advice from those who have been through the experience of buying and selling property
  • Don’t be afraid to pay for professional advice, as buying property is a big investment and commitment
  • Keep a cool head and always remember who is acting for you, and who is not on your side.

These same fundamental principles also apply if you are buying a commercial property.

The Parties in Legal Proceedings in Irish Law

parties in legal proceedings

Are you confused about the parties in a civil legal action?

In this piece, I will, hopefully, clear up any confusion.

Sounds good? Let’s go.

The Plaintiff

The Plaintiff is the party who brings an action or claim against another party. A party can be an individual or a company.

The Defendant

The Defendant is the party against whom the claim is made. This can be an individual, partnership, limited company.

It is vitally important that before commencing legal proceedings you ascertain the correct defendant. For example, if you have had a bad paint job done by a painter called Mick do you sue Mick, or perhaps he has been trading as a limited company.

Or maybe he is in a partnership, with a registered business name, but you have never met the partner.

Remember, if you sue Mick and his company is the correct legal person to sue, you will be wasting your time and money, and your case will be thrown out of Court.

You need to carry out a search on the Companies Registration Office website to check out the situation. The CRO has registers of limited companies and registered business names.

A Minor Plaintiff

A minor plaintiff is a plaintiff under the age of 18 years when the legal proceedings commence, and must sue through through a next friend who will normally be the mother or father.

A Person of Unsound Mind

A person of unsound mind is also known as a person under a disability. He or she needs to sue through a next friend, too.

A Minor Defendant

A minor defendant-that is, a defendant under the age of 18 years-must defend legal proceedings through a guardian ad litem, as he cannot defend in his own name. The procedures for becoming a guardian ad litem is different in the three Courts (District, Circuit, High).

The Petitioner

If proceedings are brought by way of petition the person bringing them is the petitioner.

The Applicant

Sometimes there is no defendant as a person will bring an application to Court for something. This person is the Applicant.

The Respondent

The Respondent is the person against whom a petition or application is brought, for example in matrimonial proceedings.

The Co-Defendant

If more than one defendant is sued by the Plaintiff all defendants are co-defendants.

A Notice Party

A person or body who is not a party to the proceedings, but who may be affected by an order made in proceedings, is a Notice Party. The Notice Party can enter an Appearance in the proceedings and be heard in argument court.

The Attorney General

The Attorney General represents the State and the public interest in legal proceedings and is a necessary defendant when the constitutionality of a law is called into question.

Third Parties

Third parties are parties joined in eh legal proceedings by the defendant if the defendant alleges the third party is responsible if the plaintiff’s action succeeds.

Concurrent Wrongdoer

A concurrent wrongdoer is a party joined in the proceedings by the defendant from whom the defendant seeks a contribution or indemnity. The liability of concurrent wrongdoers is set out in section 11 of the Civil Liability Act, 1961.

Section 12 of the Civil Liability Act, 1961 sets out the extent of liability of the concurrent wrongdoer. In summary, each of the wrongdoers is each liable for the whole of the damage in respect of which they are concurrent wrongdoers.

Section 27 of the Civil Liability Act, 1961 sets out the procedure for claiming contribution from a concurrent wrongdoer.

Notice of Indemnity or Contribution

A notice of indemnity or contribution can be served by a defendant on one or more of the parties to the action. This includes a co-defendant or third party. No permission of the Court is necessary to serve such a notice.

Joining a Third Party

Joining a third party requires approval of the Court, although even if it is refused the defendant can bring separate legal proceedings for contribution against that intended third party. However, service of the notice seeking to join a third party to the proceedings must be served as soon as reasonably possible.

There are rules in each of the Courts for joining a third party to proceedings.

The Court has discretion, however, to refuse an order for contribution in an independent action for contribution.

Concurrent Wrongdoers in Personal Injuries Actions

Section 42 of the Personal Injuries Assessment Board act 2003 applies section 22 of the Civil Liability Act, 1961 in allowing claims for contributions between concurrent wrongdoers where the first concurrent wrongdoer settled with the Plaintiff.

Section 43 of the Personal Injuries Assessment Board act, 2003 applies section 18 of the Civil Liability Act, 1961. This means that an order to pay against a wrongdoer will not be a bar to an action against any other person who would, if sued, have been liable as a concurrent wrongdoer.

This means that non participating respondents are treated the same way as other respondents for the purpose of Civil Liability act, 1961.

Discovery in Legal Proceedings in Irish Law-the Essentials

legal discovery

Discovery is a two stage procedure in litigation. It primarily relates to documents and involves the disclosure and inspection of relevant documents in a legal case.

The purpose of discovery is to ensure the parties in a case know before trial the case they have to meet. For this reason, discovery may encourage parties to settle a case before incurring the cost of a hearing.

The rules for discovery are set out in the Court rules for each Court: District (Order 46A as amended-SI 285/1999), Circuit (Order 32) and High (Order 31).

The parties can make voluntary discovery, that is with agreement. If agreement cannot be reached the Court can be asked to make an order for discovery.

Two things are necessary before a Court will make an order for discovery:

  1. The documents requested are relevant to the issues in the case;
  2. The documents requested are necessary to deal with the case fairly or to save costs.

Discovery is not always appropriate or necessary, but will give an insight into the evidence the other party will be relying on at the hearing.

Inter Party Discovery

Discovery is normally made between the parties, that is, “inter party discovery”. Discovery can also be sought against a person or body not involved in the proceedings (non party discovery).

Type of Discovery

General discovery can be sought in the District or Circuit Courts. This is an order for all documents relevant to the issues in dispute in the case.

Specific discovery must be sought in High Court cases-this means the party seeking discovery must stipulate the exact categories of documents they are seeking and why they are necessary.

Seeking Discovery

Before seeking an order for discovery the parties must try, through correspondence, to agree terms for voluntary discovery between them.

The letter requesting voluntary discovery should

  1. Be to the party against whom discovery is being sought
  2. In the High Court specify the exact categories of documents sought
  3. Specify the period of time within which agreement must be reached.

If agreement is not reached the party seeking discovery can seek an order from Court compelling discovery .

The Discovery Obligation

The obligation is to make discovery on oath of all documents now or previously in a party’s possession, custody or power (eg bank statements which are in custody of the bank) relating to any matter in question in the case. There is no definition of “document” in the Court rules so it is extremely broadly interpreted, and includes electronically stored information (ESI).

Documents Must Be Relevant and Necessary

Relevance is assessed by reference to “relating to any matter in question in the action”. The party seeking discovery must show the documents sought are relevant and necessary to dispose fairly of the matter in question or to save costs.

Fishing expeditions, therefore, are not permitted but in the final analysis the Court will decide what his relevant or not.

Privilege

Privilege is an entitlement to refuse production of a document, and privilege can be claimed under a number of different headings:

  • Legal professional privilege. This includes legal advice privilege and litigation privilege, essentially communication between legal professional and client.
  • Without Prejudice Statements-a document written without prejudice for the purpose of negotiating a settlement (including mediation) is protected from disclosure or admissibility as evidence in court.
  • State or executive privilege. This includes the State or an arm of the State.
  • Diplomatic privilege.
  • Journalistic privilege.

Where privilege is being claimed over a document it must be done so in a proper form, and the individual document over which privilege is be9ing claimed must be identified.

Non Party Discovery

Non party discovery must be firstly sought voluntarily; if agreement cannot be reached an application can be made to Court for an order. This will require a Notice of Motion and Grounding Affidavit.

Timing of Discovery

Normally discovery is made after the close of pleadings. It is only when pleadings are closed that the parties can ascertain the materials relevant to the issues in dispute. These issues will be clear from the Statement of Claim, Defence, and Replies to Particulars.

Terms of Discovery

The terms of discovery will cover issues like:

  • The timeframe for production of documents
  • The identity of the deponent
  • Whether cross-orders are made, that is, discovery is ordered by the Court on a mutual basis.

Two Stage Process

As stated at the outset, discovery is a two stage process. The first stage is preparing and filing an Affidavit of Discovery. This involves gathering the documents and assessing relevance and necessity.

Each document should be listed and identified and the affidavit will be sworn by the deponent, once it is finalised. It should then be filed in the court office and the other side should be advised that they are ready to exchange affidavits.

The second stage is inspection of the documents, which normally takes place at the office of the solicitor of the party whose documents are being made available for inspection.

Alternatively, a copy of the disclosed documents can be served along with the Affidavit of Discovery, rather than wait for a request for inspection.

Where discovery and inspection has been carried out there is an implied undertaking about the use of the discovered documents, that is, that they will not be used for any other purpose save for the legal proceedings at hand.

Discovery Obligations after Swearing of Affidavit of Discovery

There is no continuing obligation to discover documents which come into existence after discovery has been made.

However, documents which existed at the time of discovery, and which were not disclosed, and come into the hands of the parties after after the swearing of the affidavit should be discovered.

Penalties for Discovery Failings

In the High Court or District Court the party failing to fulfill his discovery obligations can be jailed. However, the more common course of action is for the other party to seek to have the failing party’s statement of claim or defence struck out by way of a notice of motion and grounding affidavit. Alternatively, further and better discovery can be sought in the same application.

A party cannot rely on a document at trial which he has failed or refused to produce.

If mistakes have been made and documents omitted inadvertently, a supplementary affidavit can be filed.

Getting Ready for Trial

It is common for solicitors to try to agree common books of pleadings and discovery documents to be used at trial. If discovery in the case is small a book of all discovery documents could be available for trial.

If agreement cannot be reached each party should have their own books for the trial.

A Notice to Produce is complementary to the discovery process and it allows the serving party to demand inspection of any document referred to in the other party’s pleadings and affidavits of discovery.

A Notice to Produce can be served any time but makes sense to serve it pre-trial.

Personal Injury and Medical Negligence Cases

There are extra obligations in medical negligence and personal injury cases surrounding the exchange of expert medical reports and obtaining medical records. The Freedom of Information legislation can be of assistance to general medical services (GMS) patients and patients of health board hospitals. Data protection legislation can also be availed of to access computerised records in a hospital.

Statutory instrument 391/1998 sets out the disclosure of reports and statements obligations in accordance with the rules of the Superior Courts. These rules, however, should not be seen as an alternative to discovery.

Plaintiff’s are obliged to agree to medical examination by the defendant’s doctor.

Interrogatories are questions which can be raised in lieu of discovery or after inspection of the documents discovered. The aim of interrogatories is to seek out weaknesses in the other party’s case, and ultimately reduce the length of time for the trial, and, therefore, costs.

Injunctions

It may be necessary to seek a Mareva injunction or Anton Pillar order as part of the discovery process, to prevent the disposal of assets or documents.

Solicitors in the Discovery Process

Solicitors have onerous responsibilities in the discovery process “as a client cannot be expected to know the whole scope of his responsibilities regarding discovery without the assistance and advice of his solicitor”.(Murphy v J Donohoe Limited & Others[1996]1 IR 123)