I. Legal framework

Constitutional privacy and data protection framework

Although there is no express reference to a right to privacy in the Irish Constitution, the Supreme Court has ruled that an individual may invoke the personal rights provision in Article 40.3.1 to establish an implied right to privacy.1 Article 40.3.1 provides:

"The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens."

It was first used to establish an implied constitutional right in the case of McGee v. Attorney General,[3] which recognised the right to marital privacy in the context of the importation of contraceptive products, which were then illegal in Ireland. In that case, Mr. Justice Budd stated that "it is scarcely to be doubted in our society that the right to privacy is universally recognised and accepted with possibly the rarest of exceptions". The case has been followed by others such as Norris v. Attorney General[4] and Kennedy and Arnold v. Ireland.[5] In the latter case, the Supreme Court ruled that the illegal wiretapping of two journalists was a violation of the constitution, stating:

"The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State . . . . The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This cannot be insured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with."

While earlier cases such as McGee and Norris dealt with the right to privacy as against the state, it is now clear that the constitutional right also has horizontal effect and may be invoked as against private persons or entities such as media organisations.2

Privacy and data protection laws and regulations

Comprehensive law

The Data Protection Acts of 1988 and 2003 implement the 1981 Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.3 The Acts regulate the collection, processing, storage, use, and disclosure of personal data processed by both the private and public sectors. As originally adopted, the Act applied only to automatically processed information – excluding, for example, manual files – but has since been extended. Individuals have a right to access and correct inaccurate information. Information can only be used for specified and lawful purposes and cannot be improperly used or disclosed. Additional protections apply to sensitive personal data, defined as information relating to racial or ethnic origin, political opinions, religious or philosophical belief, trade union membership, physical or mental health, sexual life, the commission or alleged commission of an offence, and any proceedings arising therefrom.4 Except in extreme circumstances, data controllers must get explicit consent before processing sensitive data, and must provide additional safeguards.5 Criminal penalties can be imposed for certain violations. There are broad exemptions for national security, tax, and criminal purposes. Unlawful access to data is also criminalised in certain situations by the Criminal Damage Act 1991.

The 2003 Act amends the existing law in several ways. The definition of "data" is extended to manual data as well as automated files, although this extension did not take full effect until 24 October 2007. Not all manual data is covered, however: the Act applies only to manual data which is part of a "relevant filing system", meaning any set of information relating to individuals which is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. Under this definition, archived files may not be readily accessible and therefore not part of a "relevant filing system".6

The Act also broadens the definition of "processing" to performing "any" operation on the data.7 The rights of individuals in the areas of notice, access, and consent are also improved. Section 6B of the Acts provides that decisions that significantly affect a data subject (such as work performance, creditworthiness, reliability, or conduct) may not, in the absence of consent, be made automatically without human input.

Sector-based laws

Directive 2002/58, which applies the principles of the EU Data Protection Directive (95/46/EC) to the electronic communications sector, was transposed into Irish law by the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003. The Regulations prohibit unsolicited communications to individuals by means of fax, SMS, or automated calling, unless the individual opts into receiving such. In the case of corporate recipients, the requirement is to opt out. For telephone communications, individuals can opt out by registering with the National Directory Database (NDD).8

In 2006, the Irish Government presented the Defamation Bill 2006 and the Privacy Bill 2006 to the Houses of the Oireachtas (the Parliament) as part of a complementary package of reforms to the law on defamation and privacy. While the former piece of legislation has now been enacted as the Defamation Act 2009, no progress has been made with the Privacy Bill. However, the Office of the Press Ombudsman has been established, which can deal with complaints under a code of practice applicable to the press. Principle 5 of the Code deals with privacy and provides that while the right to privacy should not prevent publication of matters of public record or in the public interest, persons (including public persons) are entitled to privacy. It states that sympathy and discretion must be shown at all times in seeking information in situations of personal grief or shock. It also states that taking photographs of individuals in private places without their consent is not acceptable, unless justified by the public interest. The Ombudsman cannot award compensation but can direct the publication in question to publish a notice of his decision.

The Privacy Bill would provide for a specific tort of the invasion of privacy which would be actionable without proof of special damage (i.e., could be litigated without evidence of loss). It would provide that an individual would be entitled to such privacy as is reasonable in all the circumstances having regard to the rights of others and to the requirements of public order, public morality, and the common good. The Bill lists the following specific instances of violating privacy:

  1. to subject an individual to surveillance;
  2. to disclose information obtained by surveillance;
  3. to use the name, likeness, or voice of the individual, without the consent of that individual for the purpose of advertising, promotion, or financial gain;
  4. to disclose letters, diaries, medical records, or other documents concerning the individual or information obtained therefrom; or
  5. to harass another person (within the meaning of section 10 of the Non-Fatal Offences against the Person Act 1997).

Certain limited rights to privacy are already provided for in specific pieces of legislation. For example, the Consumer Credit Act 1995[9] restricts communications between creditors and consumers, the Refugee Act 1996[10] protects the identity of refugee applicants, and the Criminal Law (Human Trafficking) Act 2008[11] protects the privacy of human trafficking victims.

Data protection authority

The Data Protection Commissioner (DPC or Commissioner) is the Irish data protection authority and oversees the enforcement of data protection laws. The Commissioner has powers to investigate complaints, prosecute offenders, sponsor or publish codes of practice, and supervise the registration process of data controllers and data processors.12 Under Section 10 of the Data Protection Acts, the DPC must investigate any complaints that it receives from individuals who feel that personal information about them is not being treated in accordance with the Acts unless it is of the opinion that such complaints are frivolous or vexatious. The DPC notifies the complainant in writing of its decision regarding the complaint. The DPC's decision can be appealed to the Circuit Court. The DPC may also of its own initiative carry out investigations or privacy audits it considers appropriate to ensure compliance with the Data Protection Acts.

The Office of the DPC consists of 22 staff members.13 It has the power to obtain information to carry out its functions by serving a written "information notice" on any person.14 The DPC also has the power to enforce compliance with the Acts by serving an "enforcement notice" on any data controller or data processor to take whatever steps it considers are necessary for compliance.15 This may include correcting data, blocking access to data, supplementing data with an explanatory statement, or deleting data altogether. Failure to comply with either an information notice or an enforcement notice is an offence. The DPC also has the power to appoint an authorised officer to enter and examine the premises of a data controller or data processor where this is necessary for carrying out his functions.16 The obstruction of an authorised officer is an offence.

Unless specifically exempted by the Data Protection Acts, or under regulations issued by the Minister for Justice and Law Reform, all data controllers and data processors are required to register with the DPC, at which point their details are entered into a publicly available register.[21]

The extent of mandatory registration was, however, significantly reduced in 2007 when the Minister issued regulations which greatly expanded the categories of exemptions from registration.17 The net effect of that change is that the majority of data controllers and processors will now be exempt from registration. However, certain particularly important categories of data controllers and processors were not included in this change and are under an obligation to register: financial institutions (including credit institutions and insurance undertakings); persons whose business consists wholly or mainly in direct marketing, providing credit references, or collecting debts; Internet access providers; electronic communications network or service providers; data controllers who process genetic data; data processors who process personal data on behalf of data controllers who fall under one or more of the above categories.

Provision is made for "prior checking" of applications for registration involving sensitive personal data and the DPC may refuse to accept such an application where it is not satisfied that adequate safeguards will be provided for such data.18 It is an offence for a person who is obliged to register to process data while unregistered.19

The number of complaints received by the DPC grew significantly since the foundation of the department, though in 2009 there was a slight decrease in complaints (to 914, from 1,031 in 2008[20]). In 2007 there were 1,037 complaints,[21] and 658 in 2006.[22] A substantial number of these complaints, especially in 2007, relate to unsolicited direct marketing text messages, phone calls, fax messages, and emails ("spam"), principally to mobile phones, though this has decreased in recent years from 538 in 2007 to 262 in 2009. The main reason behind this reduction in complaints is likely to be the series of criminal prosecutions brought by the DPC against premium rate text messaging and fax sending companies, most of which reached court in 2009. Other complaints concerned the right to access personal information.[23]

The overall profile of complaints in 2009 was as follows:24

  Category of complaint          Share of complaints
  Access Rights                  29 %
  Electronic Direct Marketing    28 %
  Disclosure                     17 %
  Unfair obtaining of data       5 %
  Failure to secure data         4 %
  Unfair processing of data      3 %
  Accuracy                       2 %
  Use of CCTV footage            2 %
  Excessive data requested       2 %
  Postal Direct Marketing        2 %
  Unfair retention of data       2 %
  Other                          4 %

The Data Protection Acts 1988 to 2003 allow for the statutory rules governing the use of personal data to be supplemented by sectoral codes of practice. Under the 1988 Act the role of the DPC in this area was reactive, in that it was limited to approving or rejecting codes prepared by trade associations. Since the 2003 Act, the DPC has been given a more proactive role and may propose and draw up a code of practice on its own initiative.25 To date codes of practice have been approved by the DPC in relation to An Garda Síochána (the police force), the Injuries Board, the insurance sector, and personal data security breaches.26

Such codes of practice may also be laid by the Minister for Justice and Law Reform before the Oireachtas (Parliament) for approval. If approved by both Houses of the Oireachtas then a code of practice will have the force of law.

A significant trend in recent years, reflected internationally, is the increase in reported data security breaches (119 in 2009). As already noted, the DPC has responded by publishing a Code of Practice on data security breaches.

In 2009, the Minister for Justice established a Data Protection Review Group to consider the effectiveness of the Data Protection Acts.27 The terms of reference of the group are largely concerned with data security breaches and, among other things, require the group to consider: whether the legislation needs to be amended to deal with data breaches; the potential formats of mandatory reporting; the likely impact of the scope and timing of the forthcoming ePrivacy Directive, revised EU Data Protection Directive, and other relevant international legislative developments; as well as the role and level of penalties in any mandatory regime.

The group published a consultation paper in March 2010 which suggests that the options are to further develop the DPC's Code of Practice or to strengthen the legislative provisions.28 That Group issued a report in March 2010 which rejected self-regulatory notification schemes as impractical and recommended that legislation provide criminal sanctions for deliberate or reckless acts or omissions in relation to the data protection principles – including contraventions of the security principle in relation to data breach incidents – and that the requirement to report breaches to data subjects should not be provided for in the legislation but rather be set out in a binding statutory Code of Practice including a provision for mandatory reporting to the DPC.29 The Commissioner already has the power to issue an enforcement notice requiring a data controller to inform data subjects of a breach which affects that data subject.

The DPC has become more active in conducting privacy audits of public and private organisations. In 2009 it published guidelines on such audits which are aimed at assisting organisations selected for auditing,30 and during 2009 completed 30 of them. These included a detailed audit of the Revenue Commissioners – one of the largest holders of personal data in Ireland – and various private companies.

The 2008 report detailed the first instance of the DPC bringing a prosecution against an entity for failing to respond to an Information Notice. Iarnród Eireann was successfully prosecuted for failing to respond to the Commissioner's repeated request for information and the subsequent Information Notice. Clarion Marketing Limited was also successfully prosecuted for sending unsolicited text messages.31 The report also outlined the increased sanctions and powers introduced by Statutory Instrument No. 526 of 2008.32 This increased the financial penalty for summary offences relating to unsolicited communications, and also created an indictable offence for a contravention of the regulation relating to unsolicited communications. The Statutory Instrument also allows for the prosecution of an officer of a body corporate, whether or not any action has been taken against it. It was also established that the onus rests on the defendant to prove that a subscriber consented to receive an unsolicited communication in cases relating to a contravention of unsolicited communication regulations.33

The annual 2007 report contains a number of case studies arising from complaints and investigations during the previous year. Some of the cases for that year included the right of rectification of personal data held by a data controller, inappropriate use of CCTV footage, marketing activities by NewTel Communications, RyanAir, Tesco, and Eircom, disclosure of employee information by Aer Lingus, and need for consent to use biometrics in the workplace. Unsolicited cold calling and direct marketing, and persistent direct marketing compliance with access requests by the Garda Síochána formed the majority of the cases.34 The 2007 report also contained guidance notes regarding electronic communications service providers about direct marketing telephone calls, data controllers about purpose limitation and retention, and biometrics in schools, colleges, and other educational institutions.35 Many complaints were filed regarding the conduct of both public and private sectors. The complaints in the public sector were improper access to personal information by civil servants and unlawful release of personal information to third parties. In the private sector, poor standards were detected in the financial, insurance and service industries. Unlawful disclosures of data were mostly the result of inadequate security procedures, low standards of staff training, and a failure to take data protection considerations into account when setting up business systems. The 2007 report also contained 21 case studies that included the disclosure of an email address by a financial institution, several cases relating to unsolicited text messages, faxes, calls, and emails, the Credit Union using insecure methods to transfer personal information, the retention of data provided online, access to personal information denied by a data controller, and the attempted use of CCTV footage for disciplinary measures by an employer.36

Major privacy and data protection case law

Privacy is protected not only by the Constitution but also, under Irish law, by virtue of Article 8 of the European Convention on Human Rights (ECHR). Although the Convention is not itself directly effective in Ireland, it has been given limited effect in domestic law by virtue of the European Convention on Human Rights Act 2003. Under that Act, a court in interpreting and applying any statutory provision or rule of law shall do so, so far as is possible, in a manner consistent with the State's obligations under the ECHR.37 Similarly, every organ of the State is placed under an obligation to perform its functions in a manner compatible with the State's obligations under the ECHR, and damages may be awarded to a person who has suffered as a result of a failure to do so.38

Under the Act the High Court and the Supreme Court are given the power to make a declaration that statutory provisions or rules of law are incompatible with the State's obligations under the ECHR.39 Such declarations have been made in a number of cases concerning Article 8 ECHR.40 Unlike a finding of unconstitutionality, such a declaration shall not of itself affect the validity or enforcement of the law in question, although it may lead to an ex gratia payment of damages by the state. Instead, the effect of a declaration being made is largely political – its real significance lies in the pressure it will create for legislative reform.

Following this implementation of the ECHR into national law, recent privacy litigation almost invariably involves Article 8 and jurisprudence from the European Court of Human Rights, as well as the constitutional guarantee of privacy and domestic case law.41

In 2006, the Circuit Court awarded €6,500 to a Gaelic footballer against a newspaper that published photographs of him playing in a match, one of which depicted him with his genitals accidentally exposed. It appears that the newspaper was not aware that the picture depicted his genitals until after publication, and the newspaper appealed to the High Court.42 The High Court controversially upheld the decision,43 finding that the newspaper had invaded the footballer's privacy and was negligent in doing so, by publishing the photograph.

Footnotes