Category: Privacy

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

Having looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating legislation or draft for an express claim for compensation or damages to give effect to Article 82. The list below is the current state of play so far as I have been able to find out. I would be grateful if you correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would be very grateful indeed.

It seems that incorporations in various jurisdictions are taking differing positions on Article 82. On the one hand, such express claims are included in legislation in Austria, in draft Bills in the Netherlands, Poland, Slovakia, and Spain, and in reports in Sweden and the UK. On the other, no such express claims appear in legislation in Germany and France, in draft Bills in Estonia and Lithuania, or in a report in Finland. Somewhere in the middle comes Ireland.


What is the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages?

I’m trying to work out what Article 82(1) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) says and means in each of the 24 official languages of the EU institutions, and I’d be very grateful for your help. In English, Article 82(1) GDPR provides:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

As I have said before on this blog (here, here, here), I think that this formulation is rather odd. It does not provide, in the present tense, that a person whose rights have been infringed “has” the right to receive compensation. Instead, it provides, in a much more contingent fashion, that a plaintiff “shall have” such a right, which seems to imply that there is something more to be done in national law before plaintiffs actually have the claim. Although the language seems contingent, it does not replicate any of the usual strictures in a Directive, that Member States shall “provide” or “ensure” or “introduce” or “lay down” measures to achieve an outcome, such as a claim for compensation. Even so, the formulation in Article 82(1) GDPR still seems to envisage some national law mechanism in ensuring that a plaintiff “shall” have a claim to compensation. I’m interested in whether the text of Article 82(1) GDPR in other official languages uses a version of the present tense, or whether the formulation is as contingent as it seems to be in English. I have, therefore, set out below the text of that Article in each of the 24 official languages; I have highlighted the words that seem to me to be most relevant to that question; and I have provided a first attempt at a translation of those words. What I need now is a literal translation of these provisions by native speakers, irrespective of what the EU Commission’s official translation or Google Translate might say. In particular, I need confirmation whether I have identified the relevant words, and translated them accurately. I’m not particularly interested in the various synonyms for damages (compensation, indemnification, reparation, and so on) so much as in the accompanying verbs, and in particular in whether those verbs are clearly in the present tense or whether they are more contingent.
I know what Google Translate’s crowd-sourced machine-translation says, indeed it was one of the sources I used to zero in on what seem to me to be the relevant words in the various languages, but that is as far as I am prepared to go with it, as its translations will be very heavily influenced by the EU’s official translations. Instead, as I say, I am in need of human judgment as to the appropriate literal translations of the various texts of Article 82(1) GDPR.

The literal meaning of the precise wording may very well matter a very great deal in assessing whether Article 82(1) is sufficiently clear, precise and unambiguous to be horizontally directly effective. The contingent nature of the English text may not be, leading to potential problems which I have begun to explore here. Other texts may differ. For example, the French text of Article 82(1) GDPR (a le droit d’obtenir … reparation = has the right to obtain … compensation) is more likely to support a conclusion of horizontal direct effect, and the German text (hat Anspruch auf Schadenersatz = has a claim for compensation) is even more likely to do so, because they are both in the present tense (a, hat) rather than in more contingent terms. Indeed, of the 24 official languages of the EU institutions, if the assessments and translations below are correct, the text of the claim for compensation in Article 82(1) GDPR seems to be in the present tense in 19 of them: 12 are like the French text (the plaintiff “has the right to [receive/obtain] compensation”: Czech, Danish, Dutch, French, Finnish, Italian, Latvian, Lithuanian, Polish, Portuguese, Romanian, Slovenian); 4 have a similar formulation (the plaintiff “is entitled to compensation”: Bulgarian, Estonian, Greek, Hungarian), and 3 are like the German text (the plaintiff “has [a claim for/the right to] compensation”: Croatian, German, Slovak). Only 5 seem to have a contingent text like the English (the plaintiff “shall have the right to [receive] compensation”: English, Maltese, Spanish, Swedish; the plaintiff “shall be entitled to compensation”: Irish).

Moreover, of the three EEA countries, Norway has begun the process of incorporating the GDPR. The literal English translation of the Norwegian text is “shall be entitled to receive compensation”, which is a sixth example of a contingent “shall”.

All help in confirming whether this is an accurate assessment or not – via the comments below, or better via the contact page on this blog – will be very gratefully appreciated indeed. [Note: as you can see, this paragraph has been updated to reflect a consensus on the German text which is different from my own initial assessment; this is exactly why I’m grateful for all help].


Damages for Breach of the GDPR

Two weeks ago today I was chatting over coffee with a data protection expert during the second day of the Data Summit 2017. He was annoyed at my blogpost on the Government’s General Scheme of the Data Protection Bill 2017 [the Scheme] to give further effect in Irish law to the EU’s General Data Protection Regulation [the GDPR]. Article 82(1) GDPR provides a claim for compensation for anyone whose rights under the GDPR are infringed. In the post that annoyed him so much, I said that I couldn’t find a Head to this effect in the Government’s Scheme. He said: what about Head 91? I said: that’s where it should be, but it isn’t there. He wasn’t convinced. So, I went back and had a closer look at the Scheme and the GDPR. I also had a look at an associated Directive (the Police and Criminal Justice Authorities Directive [the PCJAD]) which is also being transposed by the Scheme. Article 56 PCJAD similarly provides for a claim for compensation for anyone whose rights under the PCJAD are infringed. Heads 91 and 58 (respectively) of the Scheme address these claims, but they do not completely provide for such claims for compensation. So, I’m still of the view that the Scheme does not provide a claim for compensation for breach of the GDPR and the Scheme. It seems to assume one, to be sure; but it never goes so far as expressly to provide one.

Article 79 GDPR provides for a right to an effective judicial remedy against a controller or processor; and Article 82 GDPR provides for a claim for compensation as part of that effective judicial remedy. Head 91 of the Scheme seems to be directed towards these Articles. Head 91(1) provides what it describes as “a data protection action” to data subjects whose rights under the GDPR or its translating legislation are infringed. Head 91(2) provides jurisdiction to the Circuit Court, concurrently with the High Court, to hear such actions. Head 91(3) provides:

In a data protection action under this Head, the Circuit Court shall, without prejudice to its powers to award compensation in respect of material or non-material damage, have the power to grant relief by means of injunction or declaratory orders.

And Head 91(4)(b) requires a plaintiff in a data protection action to specify, inter alia, “any material or non-material damage alleged to have been occasioned by the infringement”.

The reference in Head 91(3) to the provision of other remedies “without prejudice to [the Circuit Court’s] … powers to award compensation” assumes that the Court has such powers. And the reference in Head 91(4)(b) to “any material or non-material damage” further assumes that the powers to award compensation cover both material and non-material damage. However, Head 91 does not expressly afford a claim for compensation for material or non-material damage; nor is it expressly afforded elsewhere in the Scheme. It may be that this Head is predicated on the assumption that Article 82(1) GDPR is directly horizontally effective and thereby provides those “powers to award compensation”.


The Heads of an Irish Bill to ensure GDPR compliance are very welcome, but they raise questions about repeals and compensation

The Government has today published the General Scheme of the Data Protection Bill 2017 (press release | scheme (pdf)) to give further effect in Irish law to the EU General Data Protection Regulation and to implement the associated Data Protection Directive for law enforcement bodies. The publication of the Heads is a very welcome development indeed. There will, in the coming weeks and months, no doubt be much discussion of the Heads, and I hope that the draft will be improved as a consequence. For now, I want to make two points, about repeals of existing legislation, and the availability of compensation for infringement of the GDPR.

The first point is brief enough. Existing Irish law is contained in the Data Protection Acts 1988 and 2003 (also here and here; the ODPC’s unofficial but extremely helpful administrative consolidation is here), which are not very easy to work with. Head 5 deals with “Repeals”. My fervent hope is that the 1988 and 2003 Acts will be repealed, and that the new Bill will provide a single one-stop-shop for all Irish law on data protection. My hope has been neither fulfilled nor dashed by Head 5. It’s blank. The explanatory note says that the existing Acts “will be largely superseded by” the GDPR and Directive, and that this “Head will be completed during the drafting process”. The equivocation in that “largely superseded” is redolent of indecision both as to the scope and effect of the GDPR and as to the retention of the 1988 and 2003 Acts. All I can say is that the Head that emerges from the drafting process should repeal the 1988 and 2003 Acts, and that any parts of those Acts that need to continue should be re-enacted in the new Bill.

The second point is a little longer. The availability of damages, as an important element of the enforcement architecture of the GDPR, was one aspect of my talk this week for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017. Article 82(1) GDPR provides:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. …

Update (11 July 2017): I can’t find a Head in the Scheme explicitly giving effect to Article 82 GDPR.

Damages and compensation for invasion of privacy and data protection infringements

The saga in Bollea v Gawker shows two remedies for invasion of privacy. Hulk Hogan (real name, Terry Gene Bollea; pictured left), is a former professional wrestler and American television personality. Gawker was a celebrity news and gossip blog based in New York. In October 2012, Gawker posted portions of a secretly-recorded video of Hogan having sex in 2006 with one Heather Cole, who (as Heather Clem) was the then-wife of his then-best-friend (the wonderfully-monikered radio personality Bubba “the Love Sponge” Clem). In March 2016, a jury found Gawker liable for invading Hogan’s privacy, and awarded him a total US$140m – Gawker itself was held liable for US$115m in compensatory damages (including US$60 million for emotional distress), and US$15m in punitive damages; Gawker’s CEO, Nick Denton, was held personally liable for US$10m in punitive damages.

Gawker and Denton immediately announced that they would appeal; but first Gawker, and then Denton, both soon filed for bankruptcy. In August 2016, Gawker itself was shut down, and the media group of which it was a centrepiece was sold for US$135m. This provided the funds for a settlement: in November 2016, the case was ultimately settled for US$31m; and, in March 2017, Denton came out of bankruptcy. The US$140m damages award and eventual US$31m settlement show one remedy for invasion of privacy. In particular, this raises the issue of the extent to which damages for invasion of privacy are available at Irish law – even if, in privacy claims as in so many other areas, damages in Ireland are not of the same order of magnitude as in the US.

In a plot twist that might once have been revealed by Gawker itself, it emerged that Hogan’s case had been secretly financed by Peter Thiel, a technology billionaire (after a short career as a lawyer, he co-founded Paypal, and was Facebook’s first outside investor; he is currently founder and Chair of Palantir Technologies, and a partner at VC firm Founders Fund). This was his revenge for Gawker’s outing of him as gay in December 2007. As an application of the principles of “don’t get mad; get even” and “revenge is a dish best served cold”, this is certainly a novel remedy for invasion of privacy; but it is one that is only available to American tech billionaires. More practical are claims for injunctions and damages.

Where there is a threatened invasion of privacy, by intrusion or publication, the usual remedy is to seek an injunction to prevent it. If an injunction is refused, or if the invasion of privacy has already occurred, then the plaintiff will often seek damages. Such damages will prove an important part of the enforcement architecture of the General Data Protection Regulation [GDPR] and the proposed Regulation on Privacy and Electronic Communications [Proposed ePrivacy Regulation; hereafter: PePR (my acronym)]. “Money remedies for invasion of privacy at Irish law, to provide compensation for breach of the GDPR and of the Proposed ePrivacy Regulation” was the theme of my talk for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017.


The Right to be Forgotten – is it time to teach the world to sing in perfect harmony?

The Irish Society for European Law will hold an Update on Data Protection, next Thursday, 23 March 2017, at 6:30pm in the Ormond Meeting Rooms, 31-36 Ormond Quay Upper, Dublin 7.

The event will be chaired by the Hon Ms Justice Mary Finlay Geoghegan, Judge of the Court of Appeal; and the speakers will be Bruno Gencarelli (Head of the Data Flows & Protection Unit, DG Justice & Consumers, European Commission), Andreas Carney (Partner, Matheson), Emily Gibson BL (Law Library, Dublin), and me.

The event is open to all and is free of charge to ISEL members (there is a €30 charge for non-ISEL members, payable on arrival). Places are limited and will be allocated on a first come, first served basis. Please register for the event at www.isel.ie. 1.5 CPD points are available for this event.

The title of my talk is: The Right to be Forgotten – is it time to teach the world to sing in perfect harmony? I will consider whether delinking in support of the right to be forgotten [R2bF] ought to have worldwide effect. My talk will be in three brief parts. The first part will consider CJEU R2bF caselaw and member-state developments on the question whether an R2bF delinking derived from EU law should be effective worldwide or just inside the EU. Against this backdrop, the second part of the talk will argue that the Circuit Court decision Savage v Data Protection Commissioner & Google (Circuit Court, unreported, 11 October 2016, Sheahan J; pdf via DPC) mis-applied the R2bF. Third, combining the first and second parts, the final part of the talk will consider the proceedings in Google v Equustek Solutions (hearing 5 December 2016; webcast), in which the Supreme Court of Canada was invited to uphold an injunction (2015 BCCA 265) that an R2bF delinking derived from Canadian common law and constitutional considerations should be effective worldwide.

Privacy Paradigm – getting the design right

I spoke today at the (ISC)² Security Congress EMEA in Dublin. Before me, Minister Naughten gave an opening address; after me, Brian Honan provided a fascinating keynote.

In between, I beat the drum (again) for Privacy Paradigm. The image, left, is an artist’s impression of the highlights of my talk. If you click through, you will get a bigger version, and – as a bonus, on the same sheet – the same artist’s impression of the talks from Brian and the Minister as well.

What I am hoping to do with Privacy Paradigm (if anyone wants to fund the research) is provide a simple means by which websites could signal not only that they respect their visitors’ privacy but also how (if at all) the sites process personal data. For this, by analogy with Creative Commons, I suggest an appropriate icon and short accompanying text which explains that the site operates under a standard-form privacy policy, with a link to the underlying privacy policy, provided by an appropriately coded plugin. In my view, the key is to start with the standard-form privacy policies, and to code them accordingly, and then to provide the icons.

There have been many previous attempts covering some elements of this strategy, but none has caught on. This is in part because they have been partial (not replicating the full depth of the Creative Commons precedent), in part because they started with the icons and didn’t get much further, and in part because the icons haven’t been great (either too many, or not intuitive, or not connected with underlying privacy policies). The image at the top is very good, and it emphasises for me that, although the icons should probably come near the end of the process, they need to be good – clear, intuitive and few in number. If they work, then Privacy Paradigm will be able to live up to its slogan of “respecting privacy online”.

Dearer to us than a host of truths is an exalting illusion? EU Data Transfer Regulation after Schrems

My favourite Steve Jobs aphorism (and there are so many from which to choose) is

People who know what they’re talking about don’t need PowerPoint.

(see Steve Jobs by Walter Isaacson (Simon and Schuster, 2011) 337). Last Thursday, Chris Kuner elevated this from apothegm to axiom, resoundingly proving the truth of that insight, by providing a masterclass in compelling presentation without resort to the crutch of powerpoint or similar slides. Chris is pictured above left, chatting with David Fennelly, before delivering a powerful lecture on “Reality and Illusion in EU Data Transfer Regulation” in the light of the decision of the Court of Justice of the European Union in Case C-362/14 Schrems v Data Protection Commissioner [2015] ECR I-nyr (Grand Chamber, 6 October 2015) to a rapt audience in Trinity College Dublin. He began with a quote from Chekhov:

Dearer to us than a host of truths is an exalting illusion.

This is from Chekhov’s short story “Gooseberries” (see Richard Pevear and Larissa Volokhonsky (tr) Selected Stories of Anton Chekhov (Random House, 2009) 311 at 317), where Nikolai is deluding himself that his gooseberries – actually “hard and sour” – are in fact the succulent and luscious fruit which he had always dreamed of growing. So it is, Chris argued, with EU regulation of trans-border data flows, which is at present an exalting illusion running up against a host of political realities.

In Schrems, the CJEU held that national data protection authorities [DPAs] could independently make decisions on the adequacy of data protection regimes in countries to which EU data is exported, notwithstanding a Commission decision on such adequacy, and that the Commission Safe Harbour decision on the adequacy of the US data protection regime was invalid. Four themes can be discerned in the judgment. First, there is a strong affirmation of the right to data protection under the EU Charter of Fundamental Rights, building on the prior judgments in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (Grand Chamber, 8 April 2014) [and Case C-131/12 Google Spain (Grand Chamber, 13 May 2014)]. Second, EU data protection standards – and in particular, the Charter – apply to transfers to third countries. Third, the CJEU elevated the role of independent national DPAs (especially as against the EU Commission) and empowered individuals to complain to such DPAs. And, fourth, the CJEU held that the “adequate level of protection” of international transfers of data required by EU law is equivalent to the level of data protection provided by EU law – Chris stressed that “equivalent” here is not necessarily “identical”, but that this is still a high bar.

The impact of the CJEU decision in Schrems goes far beyond the context of the invalid safe harbour. Chris gave four examples.