Transfer of Personal Data: the Max Schrems and Facebook case

Privacy rights campaigner Max Schrems claims that the transfer of his personal data by Facebook from Europe to its US parent company is unlawful and in breach of his right to privacy under Articles 7 and 8 of the EU Charter of Fundamental Rights. Individuals in the European Union have a specific right to privacy under European law. Individuals in the US do not have the same protections. In the US, personal data is subject to mass State surveillance, which is a breach of European citizens’ rights. The Irish Data Protection Commissioner refused to investigate Mr. Schrems’s complaint. This refusal was overturned by Court Order, and the Data Protection Commissioner was directed to investigate the complaint.

The complaint was then investigated by the Irish Data Protection Commissioner, who issued a draft decision on it and then issued High Court proceedings seeking to refer a number of questions to the European Court. The key question raised is whether the standard contractual clauses approved by the EC, for use by parties arranging the transfer of individuals’ personal data to countries outside the EU, provide sufficient protection for EU citizens.

Ten parties applied to be joined as amici curiae (parties who have an interest in the proceedings) to assist the High Court in relation to this case. The High Court ordered that the USA Business Software Alliance, Digital Europe and the Electronic Privacy Information Centre be joined as amici curiae on the basis that the case will have significant economic and commercial consequences for companies and individuals. The USA BSA was joined because restrictions on the transfer of data would have considerable adverse effects on US commerce. Business Software Alliance is a not-for-profit international trade association of global technology providers. EPIC is a public interest, not-for-profit organisation with expertise in privacy, freedom of information and government surveillance, and has appeared frequently in the US as amicus curiae and before the European Court of Human Rights. EPIC is a member of the advisory panel of Mr. Schrems. Digital Europe is the principal representative body in Europe for the digital technology industry and is a not-for-profit association. The US Government was also represented in the case.

The case was heard in the High Court in Dublin in March 2017 before Ms. Justice Costello for a number of weeks. Judgment has been reserved and will issue shortly.

 

If you have any queries or comments in relation to this article, please contact Davnet O’Driscoll at Davnet@amoryssolicitors.com

Corporate Manslaughter Bill 2016

The Corporate Manslaughter Bill 2016, which is making its way through the Oireachtas at the moment, creates 2 new criminal offences which will have a significant impact on healthcare service providers. Firstly, an offence of “Corporate Manslaughter” is created where a person’s death is caused by gross negligence by an organisation. Corporate manslaughter can be committed by an “undertaking”, which is a company or corporate body, charity, government department or statutory body, and can result in a large fine for the organisation. Secondly, management employees may in addition be charged with a criminal offence of “grossly negligent management causing death” in an organisation which has been convicted of Corporate Manslaughter. This occurs when a member of staff (“high managerial agent”) knew or ought to have known of a risk of death or serious personal harm, and failed to take reasonable efforts to eliminate the risk which contributed to a death. This means a Director, Manager or Senior Official in a company or state body could also be charged and given a jail sentence in the event of a death.

Corporate Manslaughter occurs when an organisation which has a duty of care to an individual fails to meet the standard of care required to prevent substantial risk of death or serious personal harm, and to take all reasonable measures to anticipate and prevent risks. The size and circumstances of the organisation will be taken into account. The duty of care applies to all employers, subcontractors, owners/occupiers of property, producers of goods and service-providers. A Court will take a number of factors into account in assessing whether there is a breach of the standard of care required and specifically the management, rules, policies, allocation of responsibilities, training and supervision of staff, previous response of the organisation to other incidents involving death or serious personal harm, the organisation’s goals, communications, regulation, assurance systems and whether it is a licensee or contractor.

 

All management and officeholders should be aware that they might come within the definition of a “high managerial agent”. A “high managerial agent” is a Director, manager or officer of an organisation or someone acting in that capacity. In considering a charge of “grossly negligent management causing death”, a Court will consider the actual and stated responsibilities of the employee to establish if the employee should have known of the risk, and whether it is in the power of the employee to eliminate the risk. If it is not in the power of the employee to eliminate the risk, the Court will consider whether the employee passed information on the risk to others who can eliminate it. Prosecutions for the 2 offences are on indictment in the Circuit Court. An organisation which is convicted of Corporate Manslaughter will be liable for a substantial fine. A “high managerial agent” convicted of “grossly negligent management causing death” will be liable for a fine and/or a term of imprisonment of up to 12 years.

In addition to other sanctions, a Court may make a Remedial Order to address the problems identified and prevent any recurrence, and can consult with relevant trade unions and regulatory and enforcement authorities in considering the conditions. The organisation may be subject to a Community Service Order or an Adverse Publicity Order, under which it is required to publicise its conviction for Corporate Manslaughter, the fine and any Remedial Order online or by other means. A “high managerial agent” who is convicted of “grossly negligent management causing death” can also be disqualified from acting in a management capacity for up to 15 years on indictment or subject to a fine of a maximum of 5 million euro and/or up to 2 years in prison. The Court is entitled to enquire into the financial circumstances of an individual in setting the fine. If an organisation has been dissolved and reformed and the Court is satisfied the purpose of this is to avoid criminal liability, the Court can disregard the fact that an organisation has changed name.

This is a summary of the bill which has been published, and specific legal advice should be obtained in any situation. If you have any comment on this article or would like any further information, please contact Davnet O’Driscoll at Davnet@amoryssolicitors.com

Recruitment and Vetting of Candidates by Employers

The National Vetting Bureau (Children and Vulnerable Persons) Act 2012-2016 requires that all employees, whether employed on a temporary or agency contract, as an intern or on a voluntary basis, who provide services to children under 18 or to a “Vulnerable Person” must be vetted by the National Vetting Bureau (formerly Garda Vetting Bureau). This came into force on 29 April 2016. A “Vulnerable Person” is an adult with a mental illness, dementia or intellectual disability, or a person who is suffering from a physical disability to a degree which restricts the capacity of the person to guard themselves against another person and who requires assistance with daily living activities, washing, walking and eating. This includes hospital and elderly patients.

All persons and organisations providing services to children or Vulnerable Persons must be registered with the National Vetting Bureau. Where the person or organisation was registered with the Garda Vetting Bureau prior to 29 April 2016, this registration transfers over. Existing employees of organisations or persons registered with the National Vetting Bureau prior to 29 April 2016 do not need to be vetted; however, all new employees of organisations or persons from 29 April 2016 onwards must be vetted prior to providing any services to children or Vulnerable Persons. Failure to do so is an offence. The new e-vetting process is completed in a number of weeks.

The candidate who has applied to be vetted should be notified that certain information may be disclosed to a prospective employer. This covers information regarding criminal records, or a finding or allegation of harm to another person, from the Garda Síochána or a regulatory organisation, which reasonably gives rise to a bona fide concern that the person may harm a child or Vulnerable Person, or cause a child or Vulnerable Person to be harmed or put at risk. Where an individual has one conviction only, which was over 7 years previously and was minor, this will not be disclosed, to allow the individual to move on. The candidate can make a submission in response to the National Vetting Bureau’s notification.

The Chief Bureau Officer will not disclose the information received about a candidate unless he has a bona fide concern that the individual may harm, or incite another person to harm, a child or Vulnerable Person, and the disclosure is necessary, proportionate and reasonable. In making a disclosure to a potential employer, he takes into account the submission made by the candidate and fair procedures. Where this information is disclosed to an employer, the employer must consider carefully the suitability of the candidate and fitness for the role in light of the disclosure of a criminal record or a finding or allegation of harm to another person. This will require detailed consideration of the type of role being offered, and the nature and extent of access to children or Vulnerable Persons by the candidate.

Under the regulatory regime in the UK which vets candidates who work with children and Vulnerable Persons, a decision is made by an assessing officer regarding what information should be disclosed to a potential employer. In a recent case, the assessing officer decided that the fact that a candidate had been acquitted of the rape of a 17-year-old should be released to a potential employer. The individual who was accused of rape is a taxi driver and former teacher. This individual challenged the lawfulness of this disclosure as a breach of his human rights under Articles 6 and 8 of the European Convention on Human Rights. Article 6 gives the presumption of innocence to individuals and Article 8 the right to privacy of individuals. The decision of the assessing officer to disclose this acquittal was upheld by the UK Court of Appeal as reasonable, proportionate and necessary in the circumstances. The incident was an isolated incident but a very serious one. The officer believed that a correct balance was struck in disclosing the acquittal in order to protect children and Vulnerable Persons while reconciling the rights of the individual who was acquitted. Even though this impacts on the candidate, as he may not get employment in a chosen profession, it does not prevent him from gaining employment in another profession to support his family.

If you have any comments on this article or would like any further information, please contact Davnet O’Driscoll at Davnet@amoryssolicitors.com

The Importance of “the Right to be Forgotten”

At the moment, the Data Protection Acts 1988-2003 provide that employees have the right to request their employers (who are “data controllers”) to rectify, erase or block personal data accessible by them if it is incomplete, inaccurate or not up to date.

Personal data includes an employee’s HR file, reference checks, medical information, details of accidents or other claims, information in investigation and disciplinary processes, redundancy or dismissal of the employee. There are restrictions preventing access by employees to certain data, for example information relating to investigating or detecting offences, and legally privileged information.

The European Court of Justice ruling in Google Spain, Google Inc. v AEPD and Gonzalez (C-131/12) in 2014 said that Mr. Gonzalez could require the Google search engine to remove information linked to his name about the repossession of his home, some 16 years earlier. The Court said that individuals have the right to ask search engines or “data controllers” to remove links to personal information which is inaccurate, inadequate, irrelevant or excessive. This right of removal is subject to the right of freedom of expression and of the media.

This ruling has stirred up debate about what should be removed and whether individuals should be able to whitewash their reputations through the “right to be forgotten” and their right to do so where time has passed. Similar concerns arise for organisations when requests are made by employees to rectify, delete or block their personal data, where it relates to their HR file.

Employees’ “right to be forgotten” is strengthened in the new General Data Regulation, which will be in force in 2 years’ time and provides:

  • An employer is obliged to erase an employee’s personal data where requested without undue delay
  • Employees will be able to supplement incomplete information held by an employer with a statement
  • If the information to be removed under the “right to be forgotten” has been made public, an employer shall take reasonable steps (taking account of technology and cost) to require that links and copies are erased

 

Employees’ “right to be forgotten” is not unlimited and will be subject to:

  • the right to freedom of expression
  • processing required by law, or in the public interest, or for public health
  • archiving in the public interest or for historical, statistical and scientific reasons
  • the establishment, exercise or defence of legal claims

 

An employee will have the right to restrict an employer from processing personal data, where its accuracy is being verified, or when it’s not necessary but is required for legal reasons, or if it is pending verification as to whether the grounds of the employer override the rights of the employee to rectify, erase or block the data.

The General Data Regulation allows fines of up to 4% of the annual worldwide turnover of a company that does not comply with employees’ “right to be forgotten”.

WHAT STEPS SHOULD AN EMPLOYER TAKE NOW?

  • The organisation should review its Data Protection Policy to ensure compliance with “the right to be forgotten”.
  • When a request to rectify, erase and block data is received by an employer, the request should be assessed on a case by case basis, as an employee’s right to rectify, erase and block data is limited.
  • Relevant factors to be considered by an employer are the time that has passed, the reason for retention of the information, its relevance, and whether it is required for legal proceedings or other processes which are ongoing.
  • The “right to be forgotten” request should be complied with within 40 days.