What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

GDPR incorporationHaving looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating legislation or draft for an express claim for compensation or damages to give effect to Article 82. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would very grateful indeed.

It seems that incorporations in various jurisdictions are taking differing positions on Article 82. On the one hand, On the one hand, such express claims are included in legislation in Austria, in draft Bills in the Netherlands, Poland, Slovakia, and Spain, and in reports in Sweden and the UK. On the other, no such express claims appear in legislation in Germany and France, in draft Bills in Estonia and Lithuania, or in a report in Finland. Somewhere in the middle comes Ireland.

(more…)

What is the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages?

GDPRI’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more congtingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim. Although the language seems contingent, it does not replicate any of the usual strictures in a Directive, that Member States shall “provide” or “ensure” or “introduce” or “lay down” measures to achieve an outcome, such as a claim for compensation. Even so, the formulation in Article 82(1) GDPR still seems to envisage some national law mechanism in ensuring that a plaintiff “shall” have a claim to compensation. I’m interested in whether the text of Article 82(1) GDPR in other official languages uses a version of the present tense, or whether the formulation is as contingent as it seems to be in English. I have, therefore, set out below the text of that Article in each of the 24 official languages; I have highlighted the words that seem to me to be most relevant to that question; and I have provided a first attempt at a translation of those words. What I need now is a literal translation of these provisions by a native speakers, irrespective of what the EU Commission’s official translation or Google Translate might say. In particular, I need confirmation whether I have identified the relevant words, and translated them accurately. I’m not particularly interested in the various synonyms for damages (compensation, indemnification, reparation, and so on) so much as in the accompanying verbs, and in particular in whether those verbs are clearly in the present tense or whether they are more contingent. I know what Google Translate’s crowd-sourced machine-translation says, indeed it was one of the sources I used to zero in on what seem to me to be the relevant words in the various languages, but that is as far as I am prepared to go with it, as its translations will be very heavily influenced by the EU’s official translations. Instead, as I say, I am in need of human judgment as to the appropriate literal translations of the various texts of Article 82(1) GDPR.

The literal meaning of the precise wording may very well matter a very great deal in assessing whether Article 82(1) is sufficiently clear, precise and unambiguous to be horizontally directly effective. The contingent nature of the English text may not be, leading to potential problems which I have begun to explore here. Other texts may differ. For example, the French text of Article 82(1) GDPR (a le droit d’obtenir … reparation = has the right to obtain … compensation) is more likely to support a conclusion of horizontal direct effect, and the German text (hat Anspruch auf Schadenersatz = has a claim for compensation is entitled to compensation) is even more likely to do so, because they are both in the present tense (a, hat) rather than in more contingent terms. Indeed, of the 24 official languages of the EU institutions, if the assessments and translations below are correct, the text of the claim for compensation in Article 82(1) GDPR seems to be in the present tense in 19 of them: 12 are like the French text (the plaintiff “has the right to [receive/obtain] compensation”: Czech, Danish, Dutch, French, Finnish, Italian, Latvian, Lithuanian, Polish, Portuguese, Romanian, Slovenian); 4 have a similar formulation 5 are like the German text (the plaintiff “is entitled to compensation”: Bulgarian, Estonian, German, Greek, Hungarian), and 3 are like the German text 2 others have a similar formulation (the plaintiff “has [a claim for/the right to] compensation”: Croatian, German, Slovak). Only 5 seem to have a contingent text like the English (the plaintiff “shall have the right to [receive] compensation”: English, Maltese, Spanish, Swedish; the plaintiff “shall be entitled to compensation”: Irish).

Moreover, of the three EEA countries, Norway has begun the process of incorporating the GDPR. The literal English translation of the Norwegian text is “shall be entitled to receive compensation”, which is a sixth example of a contingent “shall”.

All help in confirming whether this is an accurate assessment or not – via the comments below, or better via the contact page on this blog – will be very gratefully appreciated indeed. [Note: as you can see, this paragraph has been updated to reflect a consensus on the German text which is different from my own initial assessment; this is exactly why I’m grateful for all help].

(more…)

Orders against social networks to identify anonymous posters of defamatory content (Muwema v Facebook part 3)

Uganda Facebook Ireland 2Fred Muwema is a prominent lawyer in Uganda, who claimed that various Facebook pages in the name of Tom Voltaire Okwalinga, or TVO, defamed him. In Muwema v Facebook Ireland Ltd [(No 1)] [2016] IEHC 519 (23 August 2016), Binchy J declined to grant injunctions requiring Facebook either to remove the posts from the account or to prevent the material in them from being re-posted, and I considered these holdings in one of my earlier posts on the case (also here). However, Binchy J did grant an order requiring Facebook to identify TVO, and I considered this aspect of the case in another of my earlier posts on the case (also here). This was not a difficult issue, as the defendant had consented to the order. However, before the order could be perfected, the defendant sought the leave of the Court to introduce new evidence with a view to opposing the making of the order. In Muwema v Facebook Ireland Ltd (No 2) [2017] IEHC 69 (08 February 2017), Binchy J allowed the new evidence to be introduced; and, having considered it, he declined to make the order after all. It is to that aspect of the case that this post is directed.

Jack Gilbert, Lead Litigation Counsel for Facebook, explained that Facebook generally takes a neutral position on applications to identify people behind pages or profiles on their network. However, he said that, when his office was informed of Binchy J’s proposed order, he was informed by his colleagues that TVO is a political activist who has been marked for arrest by the Ugandan Government. He also said that the position was complicated by the fact that the URLs provided by the plaintiff were for a fake or copycat profile of the more established TVO profile. He said that he was informed by his colleague, Ebele Okobi, Facebook’s head of public policy for Africa, that if the identities of the people behind the real and fake TVO profiles (if they are in fact different) were revealed, they may be at risk of arrest and subsequent persecution, and their lives, bodily integrity and liberty would be placed in jeopardy. Moreover, the US Department of State Human Rights Report for Uganda cites examples to unlawful killings and torture, and other abuses of detainees and suspects.

Binchy J considered In re McInerney Homes Ltd [2011] IEHC 25 (10 January 2011) (Clarke J) (affd [2011] IESC 31 (22 July 2011) [61]-[62] (O’Donnell J)); and, notwithstanding that much of the defendant’s new evidence was hearsay, he allowed the defendant’s application to adduce it. (more…)

Social media, open justice, and contempt of court

Social Media Mix 3D icons, via FlickrI have a short op-ed in today’s Irish Independent, on the topic of contempt of court by social media, pointing out that there’s a fine line between commenting on and prejudicing a trial (registration required).

Here’s a rather longer version, with a few relevant links:

The law on contempt applies equally to all media, offline and online

Social media coverage of criminal trials raises profound constitutional issues, and may hasten legislation on contempt of court

Justice shall be administered in public, according to Article 34.1 of the Constitution. The full glare of a public hearing enables everyone to know that justice is being administered fairly, and impartially, and according to the evidence. It allows the press and the public to report on, to scrutinise, and to comment upon, the workings of the law.

Every person facing a criminal charge is entitled to a fair trial, according to Article 38 of the Constitution. So commentary that gives rise to a substantial risk either of serious prejudice to, or of prejudgment of, an active trial, can amount to contempt of court. This can be dealt with either by the judge during the trial itself (by charging the jury to ignore the comments, or penalising the commentator, or – in rare and extreme cases – stopping the trial, or some combination of these), or by a case taken by the Director of Public Prosecutions against the commentator after the trial.

There can be a fine line between reporting and commenting on an active trial, and prejudicing or prejudging it. (more…)

Damages for Breach of the GDPR

Data Summit 2017 LogoTwo weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation. So, I’m still of the view that the Scheme does not provide a claim for compensation for breach of the GDPR and the Scheme. It seems to assume one, to be sure; but it never goes so far as expressly to provide one.

Article 79 GDPR provides for a right to an effective judicial remedy against a controller or processor; and Article 82 GDPR provides for a claim for compensation as part of that effective judicial remedy. Head 91 of the Scheme seems to be directed towards these Articles. Head 91(1) provides what it describes as “a data protection action” to data subjects whose rights under the GDPR or its translating legislation are infringed. Head 91(2) provides jurisdiction to the Circuit Court, concurrently with the High Court, to hear such actions. Head 91(3) provides:

In a data protection action under this Head, the Circuit Court shall, without prejudice to its powers to award compensation in respect of material or non-material damage, have the power to grant relief by means of injunction or declaratory orders.

And Head 91(4)(b) requires a plaintiff in a data protection action to specify, inter alia, “any material or non-material damage alleged to have been occasioned by the infringement”.

The reference in Head 91(3) to the provision of other remedies “without prejudice to [the Circuit Court’s] … powers to award compensation” assumes that the Court has such powers. And the reference in Head 91(4)(b) to “any material or non-material damage” further assumes that that the powers to award compensation cover both material and non-material damage. However, Head 91 does not expressly afford a claim compensation for material or non-material damage; nor is it expressly afforded elsewhere in the Scheme. It may be that this Head is predicated on the assumption that Article 82(1) GDPR is directly horizontally effective and thereby provides those “powers to award compensation”.

(more…)

Tory Island and Unjust Enrichment – a sad story ends not with a bang but a whimper

BaidinWhen I was in school, I learned a song in Irish called Báidin Fheilimí. It’s about Phelim’s boat, sailing to islands off Donegal, in the north-west of Ireland. In the first verse, it sails to Gola Island; in the second, it sails to Tory Island; and, in the third, the lively little boat is wrecked on the rocks off Tory. The song left a romantic image of Tory in my mind. Neville Presho probably had a similar image; but, like Phelim’s boat, it has been wrecked on Tory rocks. He had a holiday home on the island. Until, one day, he returned to the island, and found that the house was gone, replaced by car park for an adjacent hotel. I have, on this blog, been following his action against the hotel (see here, here, here, here). In Presho v Doohan [2009] IEHC 619 (17 July 2009), Murphy J held that the appropriate remedy lay not in reinstatement of the demolished house “but in the provision of a comparable dwelling on Tory Island or the open market value of a comparable dwelling on the island”. He later held that this amounted to €46,000. The story has resulted in a book and tv documentary. Now, from the Irish Independent, I learn both that the matter was appealed by both parties, and that the various appeals have been discontinued:

Filmmaker’s Supreme Court appeal over home that ‘disappeared’ is dismissed

The Supreme Court has struck out an appeal over a €46,000 valuation placed on a man’s Tory Island holiday home that “disappeared” while he was abroad over a number of years. … After he won in the High Court in 2009, both defendants brought appeals against that court’s ruling.

When the matter came before the Supreme Court yesterday, it heard Mr Doohan, who was not in court, had stated he was not proceeding with his appeal. The appeal by Ostán Thoraigh Comhlacht Teoranta had been withdrawn last November. In those circumstances, the court struck out Mr Doohan’s appeal and affirmed the High Court orders. …

The Irish Times has a similar report. An earlier stage of the appeal was dismissed last November (see here, here, and here). And so ends a very sad tale, not with a bang but with hardly a whimper.

The Heads of an Irish Bill to ensure GDPR compliance are very welcome, but they raise questions about repeals and compensation

GDPRThe Government has today published the General Scheme of the Data Protection Bill 2017 (press release | scheme (pdf)) to give further effect in Irish law to the EU General Data Protection Regulation and to implement the associated Data Protection Directive for law enforcement bodies. The publication of the Heads is a very welcome development indeed. There will, in the coming weeks and months, no doubt be much discussion of the Heads, and I hope that the draft will be improved as a consequence. For now, I want to make two points, about repeals of existing legislation, and the availability compensation for infringement of the GDPR.

Stamp Act Repealed (via Wikipedia; element)The first point is brief enough. Existing Irish law is contained in the Data Protection Acts 1988 and 2003 (also here and here; the ODPC’s unofficial but extremely helpful administrative consolidation is here), which are not very easy to work with. Head 5 deals with “Repeals”. My fervent hope is that the 1988 and 2003 Acts will be repealed, and that the new Bill will provide a single one-stop-shop for all Irish law on data protection. My hope has been neither fulfilled nor dashed by Head 5. It’s blank. The explanatory note says that the existing Acts “will be largely superseded by” the GDPR and Directive, and that this “Head will be completed during the drafting process”. The equivocation in that “largely superseded” is redolent of indecision both as to the scope and effect of the GDPR and as to the retention of the 1988 and 2003 Acts. All I can say is that the Head that emerges from the drafting process should repeal the 1988 and 2003 Acts, and that any parts of those Acts that need to continue should re-enacted in the new Bill.

CompensationThe second point is a little longer. The availability of damages, as an important element of the enforcement architecture of the GDPR was one aspect of my talk this week for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017. Article 82(1) GDPR provides:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. …

Update (11 July 2017): I can’t find a Head in the Scheme explicitly giving effect to Article 82 GDPR. (more…)

Legal deposit of digital publications

Digital Deposit, via NLAThe Department of Arts, Heritage, Regional, Rural and Gaeltacht Affairs, on behalf of the National Library of Ireland, is currently undertaking “a consultation on the legal deposit of published digital material in the 21st century in the context of copyright legislation” (see here and here). In particular, the Department welcomes submissions in relation to three questions:

Question 1: Should the policy of collecting, preserving and making available the published output of the nation for the benefit of the public be extended to include all contemporary publication formats of Irish interest including online digital formats e.g.,.ie websites?

Answer: Yes.
I have already set out my views on this issue on this blog. The starting point is Section 198 of the Copyright and Related Rights Act, 2000 (also here), which provides that publishers of books and other paper publications must deliver a copy of each book or publications published in the state to various copyright deposit libraries. Most countries worldwide have similar provisions, and they ensure the preservation and the availability of a nation’s published heritage. With the rise of digital publishing, it is increasingly being recognised that print deposit is incomplete, and that a comprehensive preservation of a nation’s published heritage requires that copyright deposit should extend to online publications as well. As a consequence, countries with copyright deposit legislation are amending their legislation to ensure that generations of will have access to today’s online stories. As a consequence, the Copyright Review Committee (of which I was chair), in the Modernising Copyright Report (pdf), recommended amendments to the 2000 Act to extend the existing copyright deposit regime for print publication in section 198 to digital works. In particular, we recommended some changes to the existing section 198; and we recommended a new section 198A broadly modelled on the existing section 198 CRRA, to ensure that the process of claiming digital publications is as similar as possible to the existing familiar process relating to books and other print publications. And we additionally recommended that the copyright deposit institutions should be able to make copies of our online digital heritage whilst it is available. No doubt our recommendations and drafts can be improved, but I remain convinced that they are an excellent starting point for achieving a feasible digital copyright deposit regime in Ireland.

CRC Link Rot, via SC HealyQuestion 2: What issues arise if a policy extension on digital legal deposit is not provided for?
Answer: The real point about the size of the digital universe in the future is not about how big it will be (it will be huge) but how much is being lost (that is also huge). To take only one example, Sharon Healy did a study of link rot in the Modernising Copyright Report, and she concluded that 20% of the links in the footnotes of that Report are broken, meaning that the linked resource is no longer available. And our sources were official or public ones. To my mind, this is a perfect encapsulation why copyright deposit institutions should be able to claim digital publications and make copies of online resources – even the formal material is disappearing at frightening pace. In the US, the nonprofit Internet Archive harvests more than 250m webpages a week; it is now more than 20 years old. However, the copying by any Irish equivalent would infringe copyright in the material harvested, which is why an amendment to copyright legislation is necessary; we are already 20 years late; and the longer we wait, the bigger and blacker the digital black hole of lost material will become. It is a challenge our libraries and heritage institutions are willing to meet, if only they are let.

Data is the new oilQuestion 3: What are the benefits if a policy extension on digital legal deposit is provided for?
Answer: The benefits will be not only cultural but also economic. On the cultural side, exciting projects in TCD Library and the NLI show the potential. On the economic side, the cover story of this week’s Economist tells us the world’s most valuable resource is no longer oil, but data. To take only one example, the field of Artificial Intelligence (AI) is red hot, but researchers need data on which to train and develop their AI engines. The loss of culturally significant data diminishes AI data-sets and impoverishes decisions based upon them. More generally, a proper archive of digital publications will be a resource for citizens and researchers, at home and abroad, now and in the future. The generations to come will not thank us if we do not legislate now for legal deposit of digital publications.