Government departments may face €1m fines for data breaches

Amendment reverses exemption of public bodies from huge fines under new EU regime

In January a former civil servant who sold the personal details of hundreds of people was sentenced to two years in prison with the final year suspended. Photographer: Luke MacGregor/ Bloomberg

In January a former civil servant who sold the personal details of hundreds of people was sentenced to two years in prison with the final year suspended. Photographer: Luke MacGregor/ Bloomberg

 

Government departments and other public bodies may face regulatory fines of up to €1 million for breaching people’s data protection rights after a Government plan to exempt them from fines was reversed in amendments to legislation before the Oireachtas.

The Data Protection Bill 2018 had proposed to exempt public bodies from fines by the Data Protection Commissioner when a new EU regulation giving the office stronger enforcement powers comes into effect in May. Such bodies would have been exempt save where they were acting in competition with a body in the private sector providing similar services.

The kinds of breaches of privacy rights emanating from Government departments in recent years have included leaks to private investigators from welfare officials.

In January a former civil servant who sold the personal details of hundreds of people was sentenced to two years in prison with the final year suspended.

From May 25th, fines provided for in the EU General Data Protection Regulation may be up to €20 million or 4 per cent of annual global turnover for organisations that breach people’s data protection rights. However, member states are permitted under the regulation to lay down the rules on whether, and to what extent, fines may be imposed on public bodies and authorities established within the member state.

Minister for Justice Charlie Flanagan has now proposed an amendment to the Bill, allowing for fines of up to €1 million for public bodies, following work by independent Senator Alice-Mary Higgins and others in recent weeks. The amendment is expected to be voted on at the report stage of the Bill on Tuesday.

Serious concern

During pre-legislative scrutiny of the Bill last summer, Data Protection Commissioner Helen Dixon told the Oireachtas Committee on Justice it was a “serious matter of concern” to her office that the legislation proposed to exempt public bodies from fines, once the new EU regime takes effect.

Ms Higgins has also tabled amendments to a section of the Bill on processing personal data about people’s political opinions.

A section of the Bill had given some cause for concern that it might create a “free for all” for Ireland to be used as a hub for companies and other organisations to abuse people’s personal data for profiling in election campaigns.

Cambridge Analytica used people’s personal data to target advertising during the US mid-term elections in 2014, and the Donald Trump campaign in 2016, based on the harvesting of up to 50 million Facebook customers’ profiles, according to reports by a whistleblower last week.

Publishing the Data Protection Bill in early February, Mr Flanagan said that under the GDPR, people would have more control over their personal data and businesses would benefit “from a level playing field”.

‘Real and present danger’

Mr Flanagan has said section 43 of the Bill relating to the processing of data related to people’s political opinions was important, in the context of it confining the processing of data revealing political opinions to parties and candidates for elections, those going for office, a referendum commission and those engaged in active political participation.

During the committee stage debate on March 6th Ms Higgins’ said: “We have seen the role played by companies such as Cambridge Analytica in the Brexit vote and Trump campaign. There is a real and present danger of private companies being contracted to influence and shape electoral outcomes.”

Ahead of the report stage of the Bill in the Seanad late last week, Ms Higgins said the “scandalous harvesting and manipulation” of Facebook data by Cambridge Analytica had shone a renewed spotlight on the importance of stringent data protection regulation to protect both individuals’ privacy and the integrity of the electoral processes.

Simon McGarr, a solicitor and data protection expert who also acts for the privacy rights group Digital Rights Ireland, said the Government amendment on the fines issue was “an enormous win for citizens and senators who argued for this change – particularly Digital Rights Ireland and Senator Higgins”.

“Hopefully, as the Bill continues through the Dáil, we will see Minister for Justice Charlie Flanagan continue to listen to arguments against the other parts of the Data Protection Bill that are still bad policy – and even illegal under EU law.”