The UK’s Data Protection Bill 2017: repeals and compensation – updated

UK Data Protection image, via UK gov websiteIn the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.

In Ireland, when the Department of Justice published the the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns. First, since the Scheme was unclear on the relationship of the new Bill with existing legislation (the Data Protection Acts 1988 and 2003 (also here and here; administrative consolidation here)), I said that I fervently hoped that the 1988 and 2003 Acts would be repealed, so that the new Bill would provide a single one-stop-shop for the law on data protection. Anything else would be unworkably messy. I am glad to see that this is the approach taken by the UK’s Bill. As Neil Browne pointed out to me, clause 190(1) provides that “Schedule 18 contains minor and consequential amendments”, and clause 2 of Schedule 18 provides that “The Data Protection Act 1998 is repealed”. Excellent.

My second concern with the Irish Scheme was as to whether it properly provided for a private action for compensation (see, eg, here and here). Article 82(1) GDPR provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. In my view, the EU Member States should include a provision to give effect to this Article in legislation incorporating the GDPR. The Irish position is, at best, unclear – Head 91 of the Scheme is probably intended to do this, but I am not convinced that it does so successfully (see, eg, here and here). However, such provisions are included in legislation in Austria, in draft Bills in the Netherlands, Poland, Slovakia, Spain, and in a report in Sweden. I am glad to see that this is the approach taken by the UK’s Bill. Clause 159 provides for “compensation for contravention of the GDPR”; in particular, clause 159(1) provides that “[i]n Article 82 of the GDPR (right to compensation) ‘damage’ includes financial loss, distress and other adverse effects”.

Update: It’s not clear to me exactly what these “other adverse effects” might be. It may simply have been better to leave well-enough alone, and rely simply on the GDPR language of “material or non-damage”. If the DMCS wished to have some text here, they could simply have used “material or non-damage”. Or they could have repeated as much as possible of the text of Article 82. Indeed, in my view, they probably should have done so. Recital 8 GDPR encourages as much, by permitting the incorporation only of “elements” of the Regulation. It is neither necessary nor desirable to reinvent the wheel; and the dangers of trying to do so are starkly illustrated by the narrow interpretation provided by the Irish High Court in Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) (noted here and here) of section 7 of the Data Protection Act, 1988 (also here), which is intended to implement Article 23 of the Data Protection Directive (Directive 95/46/EC) but does so in very different terms. End update

DCMS had conducted a consultation which did not refer to Article 82. On foot of that consultation, and in advance of publishing the Bill, the Department issued a Statement of Intent, outlining its planned reforms. This mentioned the “greater scope for enforcing rights under the GDPR” (p13) but did not refer specifically to Article 82. However, a further [leaked] document (pdf) said that Article 82 was one of the Articles of the GDPR in respect of which Member States have flexibility; and that document (pp8-9) envisaged an express provision relating to compensation claims. Clause 159 of the Bill provides that. In its express reference to Article 82, it is similar to the approach taken in §29(1) of the Austrian Act and Article 32(2) of the Spanish Bill. Moreover, the express reference to “distress” avoids the problem with section 13 of the 1998 Act which the Court of Appeal strove mightily, and successfully, to overcome in Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015) and which the Irish High Court failed to overcome in Collins. Update: A reference to “non-material damage” would have been better, not least because the Court of Appeal in Vidal-Hall made clear that this phrase included “distress”. And the full text of Article 82 instead of clause 159(1) would have been better still. Nevertheless, the reference to Article 82 in clause 159 is very welcome; and though it could have better, it could also have been a lot worse. This On balance, then, End update this, too, is excellent.

As a companion to the clause 159 claim for compensation for contravention of the GDPR, clause 160 provides for “compensation for contravention of other data protection legislation”. Given that the Bill would repeal the 1998 Act, the other data protection legislation clause 160 has in mind must be the non-GDPR parts of the 2017 Bill, such as Part 3 on law enforcement processing and Part 4 on intelligence services processing. These Parts of the Bill implement the PCJAD; Article 56 of that Directive requires that Member States provide a “right to receive compensation” for material or non-material damage suffered as a result of unlawful processing; and clause 160 gives effect to this. Of the thirteen Member States which have so far published reports or Bills or enacted legislation to provide for the incorporation of the GDPR, only four – Austria, Germany, Ireland, and now the UK – have chosen to include the incorporation of the GDPR and the implementation of the PCJAD in the same piece of legislation. Of those, the Austrian Act does not refer to a claim for compensation for breach of the PCJAD, §63 of the German Act provides such a claim, Head 58 of the Irish Scheme is probably intended to do this (but, as with Article 82 GDPR, I am not convinced that it does so successfully; see, eg, here and here), and clause 160(1) of the UK’s Bill seems to do so in the following terms:

A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor …

Moreover, clause 160(5) goes on to provide that, in that clause, “‘damage’ includes financial loss, distress and other adverse effects, whether or not material”. By way of contrast, clause 159(1) provides only that “‘damage’ includes financial loss, distress and other adverse effects’, without the addition of the four words at the end of clause 160(5) “whether or not material”. I am at a loss to understand why there should be this difference. However, given the text of Article 82 GDPR, and in the light of Vidal-Hall, a court would have no difficulty reading clause 159 to cover both “material” and “non-material”. Nevertheless, it would have been better had clauses 159(1) and 160(5) been in the same terms.

Update: These same terms should have been in the extended terms of clause 160(5) and not the narrower terms of clause 159(1). Indeed, I would go further. Article 56 PCJAD refers also to “material or material damage”; and if clause 159(1) should have used that phrase, so also should clause 160(1). Indeed, I would go further still. If clause 159(1) should simply have replicated Article 82 GDPR as much as possible, so also should clause 160(5) have similarly replicated Article 56 PCJAD have as much as possible. Nevertheless, the fact that clause 160 clearly implements Article 56 PCJAD This End update is also excellent.

Compensation for breach of the General Data Protection Regulation

I have just posted a paper on SSRN entitled “Compensation for breach of the General Data Protection Regulation”; this is the abstract:

Article 82(1) of the General Data Protection Regulation (GDPR) provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.

After the introduction, the second part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and compares and contrasts the English version of Article 82(1) GDPR with the versions of that Article in the other official languages of the EU, and concludes that at least 5 of the versions of Article 82(1) GDPR are unnecessarily ambiguous, though the CJEU (eventually, if and when it is asked) is likely to afford it a consistent broad interpretation. However, the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The third part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation and case-law in Ireland and the UK, and with incorporating legislation and Bills in other EU Member States, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.

To ensure that any person who has suffered such damage has an effective remedy pursuant to Article 47 CFR, Member States will have to provide, pursuant to Article 19 TEU, remedies sufficient to ensure effective legal protection in the fields of privacy and data protection. In particular, they will have to provide expressly for a claim for compensation, incorporating Article 82(1) GDPR into national law. Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.

As I was working on this paper, I published several posts on this blog (here | here | here) including discussions of the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages and the current status of GDPR incorporation in the EU’s 28 Member States. Thanks to everyone who has engaged with these posts – the analysis in my paper has improved immeasurably. All comments on the current version gratefully received.

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

GDPR incorporationHaving looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating legislation or draft for an express claim for compensation or damages to give effect to Article 82. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would very grateful indeed.

It seems that incorporations in various jurisdictions are taking differing positions on Article 82. On the one hand, On the one hand, such express claims are included in legislation in Austria, in draft Bills in the Netherlands, Poland, Slovakia, Spain, and the UK, and in a report in Sweden. On the other, no such express claims appear in legislation in Germany and France, in draft Bills in Estonia and Lithuania, or in a report in Finland. Somewhere in the middle comes Ireland.

(more…)

What is the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages?

GDPRI’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more congtingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim. Although the language seems contingent, it does not replicate any of the usual strictures in a Directive, that Member States shall “provide” or “ensure” or “introduce” or “lay down” measures to achieve an outcome, such as a claim for compensation. Even so, the formulation in Article 82(1) GDPR still seems to envisage some national law mechanism in ensuring that a plaintiff “shall” have a claim to compensation. I’m interested in whether the text of Article 82(1) GDPR in other official languages uses a version of the present tense, or whether the formulation is as contingent as it seems to be in English. I have, therefore, set out below the text of that Article in each of the 24 official languages; I have highlighted the words that seem to me to be most relevant to that question; and I have provided a first attempt at a translation of those words. What I need now is a literal translation of these provisions by a native speakers, irrespective of what the EU Commission’s official translation or Google Translate might say. In particular, I need confirmation whether I have identified the relevant words, and translated them accurately. I’m not particularly interested in the various synonyms for damages (compensation, indemnification, reparation, and so on) so much as in the accompanying verbs, and in particular in whether those verbs are clearly in the present tense or whether they are more contingent. I know what Google Translate’s crowd-sourced machine-translation says, indeed it was one of the sources I used to zero in on what seem to me to be the relevant words in the various languages, but that is as far as I am prepared to go with it, as its translations will be very heavily influenced by the EU’s official translations. Instead, as I say, I am in need of human judgment as to the appropriate literal translations of the various texts of Article 82(1) GDPR.

The literal meaning of the precise wording may very well matter a very great deal in assessing whether Article 82(1) is sufficiently clear, precise and unambiguous to be horizontally directly effective. The contingent nature of the English text may not be, leading to potential problems which I have begun to explore here. Other texts may differ. For example, the French text of Article 82(1) GDPR (a le droit d’obtenir … reparation = has the right to obtain … compensation) is more likely to support a conclusion of horizontal direct effect, and the German text (hat Anspruch auf Schadenersatz = has a claim for compensation is entitled to compensation) is even more likely to do so, because they are both in the present tense (a, hat) rather than in more contingent terms. Indeed, of the 24 official languages of the EU institutions, if the assessments and translations below are correct, the text of the claim for compensation in Article 82(1) GDPR seems to be in the present tense in 19 of them: 12 are like the French text (the plaintiff “has the right to [receive/obtain] compensation”: Czech, Danish, Dutch, French, Finnish, Italian, Latvian, Lithuanian, Polish, Portuguese, Romanian, Slovenian); 4 have a similar formulation 5 are like the German text (the plaintiff “is entitled to compensation”: Bulgarian, Estonian, German, Greek, Hungarian), and 3 are like the German text 2 others have a similar formulation (the plaintiff “has [a claim for/the right to] compensation”: Croatian, German, Slovak). Only 5 seem to have a contingent text like the English (the plaintiff “shall have the right to [receive] compensation”: English, Maltese, Spanish, Swedish; the plaintiff “shall be entitled to compensation”: Irish).

Moreover, of the three EEA countries, Norway has begun the process of incorporating the GDPR. The literal English translation of the Norwegian text is “shall be entitled to receive compensation”, which is a sixth example of a contingent “shall”.

All help in confirming whether this is an accurate assessment or not – via the comments below, or better via the contact page on this blog – will be very gratefully appreciated indeed. [Note: as you can see, this paragraph has been updated to reflect a consensus on the German text which is different from my own initial assessment; this is exactly why I’m grateful for all help].

(more…)

Orders against social networks to identify anonymous posters of defamatory content (Muwema v Facebook part 3)

Uganda Facebook Ireland 2Fred Muwema is a prominent lawyer in Uganda, who claimed that various Facebook pages in the name of Tom Voltaire Okwalinga, or TVO, defamed him. In Muwema v Facebook Ireland Ltd [(No 1)] [2016] IEHC 519 (23 August 2016), Binchy J declined to grant injunctions requiring Facebook either to remove the posts from the account or to prevent the material in them from being re-posted, and I considered these holdings in one of my earlier posts on the case (also here). However, Binchy J did grant an order requiring Facebook to identify TVO, and I considered this aspect of the case in another of my earlier posts on the case (also here). This was not a difficult issue, as the defendant had consented to the order. However, before the order could be perfected, the defendant sought the leave of the Court to introduce new evidence with a view to opposing the making of the order. In Muwema v Facebook Ireland Ltd (No 2) [2017] IEHC 69 (08 February 2017), Binchy J allowed the new evidence to be introduced; and, having considered it, he declined to make the order after all. It is to that aspect of the case that this post is directed.

Jack Gilbert, Lead Litigation Counsel for Facebook, explained that Facebook generally takes a neutral position on applications to identify people behind pages or profiles on their network. However, he said that, when his office was informed of Binchy J’s proposed order, he was informed by his colleagues that TVO is a political activist who has been marked for arrest by the Ugandan Government. He also said that the position was complicated by the fact that the URLs provided by the plaintiff were for a fake or copycat profile of the more established TVO profile. He said that he was informed by his colleague, Ebele Okobi, Facebook’s head of public policy for Africa, that if the identities of the people behind the real and fake TVO profiles (if they are in fact different) were revealed, they may be at risk of arrest and subsequent persecution, and their lives, bodily integrity and liberty would be placed in jeopardy. Moreover, the US Department of State Human Rights Report for Uganda cites examples to unlawful killings and torture, and other abuses of detainees and suspects.

Binchy J considered In re McInerney Homes Ltd [2011] IEHC 25 (10 January 2011) (Clarke J) (affd [2011] IESC 31 (22 July 2011) [61]-[62] (O’Donnell J)); and, notwithstanding that much of the defendant’s new evidence was hearsay, he allowed the defendant’s application to adduce it. (more…)

Social media, open justice, and contempt of court

Social Media Mix 3D icons, via FlickrI have a short op-ed in today’s Irish Independent, on the topic of contempt of court by social media, pointing out that there’s a fine line between commenting on and prejudicing a trial (registration required).

Here’s a rather longer version, with a few relevant links:

The law on contempt applies equally to all media, offline and online

Social media coverage of criminal trials raises profound constitutional issues, and may hasten legislation on contempt of court

Justice shall be administered in public, according to Article 34.1 of the Constitution. The full glare of a public hearing enables everyone to know that justice is being administered fairly, and impartially, and according to the evidence. It allows the press and the public to report on, to scrutinise, and to comment upon, the workings of the law.

Every person facing a criminal charge is entitled to a fair trial, according to Article 38 of the Constitution. So commentary that gives rise to a substantial risk either of serious prejudice to, or of prejudgment of, an active trial, can amount to contempt of court. This can be dealt with either by the judge during the trial itself (by charging the jury to ignore the comments, or penalising the commentator, or – in rare and extreme cases – stopping the trial, or some combination of these), or by a case taken by the Director of Public Prosecutions against the commentator after the trial.

There can be a fine line between reporting and commenting on an active trial, and prejudicing or prejudging it. (more…)

Damages for Breach of the GDPR

Data Summit 2017 LogoTwo weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation. So, I’m still of the view that the Scheme does not provide a claim for compensation for breach of the GDPR and the Scheme. It seems to assume one, to be sure; but it never goes so far as expressly to provide one.

Article 79 GDPR provides for a right to an effective judicial remedy against a controller or processor; and Article 82 GDPR provides for a claim for compensation as part of that effective judicial remedy. Head 91 of the Scheme seems to be directed towards these Articles. Head 91(1) provides what it describes as “a data protection action” to data subjects whose rights under the GDPR or its translating legislation are infringed. Head 91(2) provides jurisdiction to the Circuit Court, concurrently with the High Court, to hear such actions. Head 91(3) provides:

In a data protection action under this Head, the Circuit Court shall, without prejudice to its powers to award compensation in respect of material or non-material damage, have the power to grant relief by means of injunction or declaratory orders.

And Head 91(4)(b) requires a plaintiff in a data protection action to specify, inter alia, “any material or non-material damage alleged to have been occasioned by the infringement”.

The reference in Head 91(3) to the provision of other remedies “without prejudice to [the Circuit Court’s] … powers to award compensation” assumes that the Court has such powers. And the reference in Head 91(4)(b) to “any material or non-material damage” further assumes that that the powers to award compensation cover both material and non-material damage. However, Head 91 does not expressly afford a claim compensation for material or non-material damage; nor is it expressly afforded elsewhere in the Scheme. It may be that this Head is predicated on the assumption that Article 82(1) GDPR is directly horizontally effective and thereby provides those “powers to award compensation”.

(more…)

Tory Island and Unjust Enrichment – a sad story ends not with a bang but a whimper

BaidinWhen I was in school, I learned a song in Irish called Báidin Fheilimí. It’s about Phelim’s boat, sailing to islands off Donegal, in the north-west of Ireland. In the first verse, it sails to Gola Island; in the second, it sails to Tory Island; and, in the third, the lively little boat is wrecked on the rocks off Tory. The song left a romantic image of Tory in my mind. Neville Presho probably had a similar image; but, like Phelim’s boat, it has been wrecked on Tory rocks. He had a holiday home on the island. Until, one day, he returned to the island, and found that the house was gone, replaced by car park for an adjacent hotel. I have, on this blog, been following his action against the hotel (see here, here, here, here). In Presho v Doohan [2009] IEHC 619 (17 July 2009), Murphy J held that the appropriate remedy lay not in reinstatement of the demolished house “but in the provision of a comparable dwelling on Tory Island or the open market value of a comparable dwelling on the island”. He later held that this amounted to €46,000. The story has resulted in a book and tv documentary. Now, from the Irish Independent, I learn both that the matter was appealed by both parties, and that the various appeals have been discontinued:

Filmmaker’s Supreme Court appeal over home that ‘disappeared’ is dismissed

The Supreme Court has struck out an appeal over a €46,000 valuation placed on a man’s Tory Island holiday home that “disappeared” while he was abroad over a number of years. … After he won in the High Court in 2009, both defendants brought appeals against that court’s ruling.

When the matter came before the Supreme Court yesterday, it heard Mr Doohan, who was not in court, had stated he was not proceeding with his appeal. The appeal by Ostán Thoraigh Comhlacht Teoranta had been withdrawn last November. In those circumstances, the court struck out Mr Doohan’s appeal and affirmed the High Court orders. …

The Irish Times has a similar report. An earlier stage of the appeal was dismissed last November (see here, here, and here). And so ends a very sad tale, not with a bang but with hardly a whimper.