Ireland – Independence of the Irish Data Protection Commissioner is called into question
Published 1 February 2016
What does this cover?
Following a series of judgments (including the Commission v Germany (C-518/07); Austria (C-614/10); and Hungary (C-288/12)), the Court of Justice of the European Union (CJEU) has reaffirmed the position that member states must have independent data protection regulators. The importance of having an independent regulator was also reiterated recently in Schrems v Data Protection Commissioner (C-362/14) when the lack of an independent watchdog was cited as one of the most significant differences between the EU and US privacy systems. In short, data protection authorities must not be bound by instructions, or under any political influence, in the performance of their duties.
To date, the EU Commission has not taken a case against Ireland and one can only assume that the EU Commission is satisfied that the Irish Office of the Data Protection Commissioner (ODPC) is sufficiently independent in carrying out its functions. However, the privately funded organisation Digital Rights Ireland (DRI) has recently confirmed that it intends to serve High Court proceedings against Ireland and the Attorney General in which they claim that Ireland has failed to properly implement EU data protection law by failing to ensure that the ODPC is genuinely independent from the government.
Digital Rights Ireland – who are they?
According to DRI's website it is "dedicated to defending Civil, Human and Legal rights in a digital age". It gained notoriety when it brought an Irish constitutional challenge against legislation which gave effect to the Data Retention Directive (2006/24/EC). In essence, the Data Retention Directive compelled all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. Furthermore, An Gardaí Siochana (the Irish Police Force) was able to access the retained data without having a specific crime to investigate. The matter was referred to the CJEU who declared it invalid 8 April 2014.
On 28 January 2015 DRI confirmed on its webpage that it has "instructed its lawyers to serve legal papers on the Irish government, challenging whether the office of the Irish Data Protection Commissioner is truly an independent data protection Authority under EU law." The statement goes on to explain that "DRI’s case is that Ireland has failed to properly implement EU data protection law, or to follow the requirements of the Charter of Fundamental Rights by failing to ensure the Irish DPC is genuinely independent from the Government." On that basis DRI will be asking the High Court to make a referral to the CJEU for a ruling on whether the ODPC is truly independent under EU law.
In essence, DRI is claiming the state has acted in breach of EU law by failing to ensure the ODPC exercises its role independently. It was reported in the Irish national press that DRI is alleging that the ODPC is integrated with the Department of Justice and that Helen Dixon and her Office’s employees are, in effect, civil servants. The legal papers also allege that the ODPC has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education. We also understand that one of the arguments that may be put forward by DRI is that data protection regulators that are completely funded by governments can never be truly independent.
Article submitted by Rowena McCormack, Associate – DAC Beachcroft Dublin
What action could be taken to manage risks that may arise from this development?
None - for information only.