The Government has today published the General Scheme of the Data Protection Bill 2017 (press release | scheme (pdf)) to give further effect in Irish law to the EU General Data Protection Regulation and to implement the associated Data Protection Directive for law enforcement bodies. The publication of the Heads is a very welcome development indeed. There will, in the coming weeks and months, no doubt be much discussion of the Heads, and I hope that the draft will be improved as a consequence. For now, I want to make two points, about repeals of existing legislation, and the availability compensation for infringement of the GDPR.
The first point is brief enough. Existing Irish law is contained in the Data Protection Acts 1988 and 2003 (also here and here; the ODPC’s unofficial but extremely helpful administrative consolidation is here), which are not very easy to work with. Head 5 deals with “Repeals”. My fervent hope is that the 1988 and 2003 Acts will be repealed, and that the new Bill will provide a single one-stop-shop for all Irish law on data protection. My hope has been neither fulfilled nor dashed by Head 5. It’s blank. The explanatory note says that the existing Acts “will be largely superseded by” the GDPR and Directive, and that this “Head will be completed during the drafting process”. The equivocation in that “largely superseded” is redolent of indecision both as to the scope and effect of the GDPR and as to the retention of the 1988 and 2003 Acts. All I can say is that the Head that emerges from the drafting process should repeal the 1988 and 2003 Acts, and that any parts of those Acts that need to continue should re-enacted in the new Bill.
The second point is a little longer. The availability of damages, as an important element of the enforcement architecture of the GDPR was one aspect of my talk this week for the Irish Centre for European Law’s Privacy and Data Protection Conference 2017. Article 82(1) GDPR provides:
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. …
Update (11 July 2017): I can’t find a Head in the Scheme explicitly giving effect to Article 82 GDPR.
Section 83 of Germany’s Bill to give effect to the GDPR (the Federal Data Protection Bill (pdf), approved by the Bundestag on 27 April, and now pending before the Bundesrat) is an explicit provision giving effect to Article 82 GDPR. In my view, this is a lead that the Irish legislation should follow; but I can’t find a Head to this effect in the Scheme.End of update.
Instead, the explanatory note to Head 24 (on data processing and freedom of expression and information) comments that Article 82 GDPR “clarifies that damages are payable in the case of data breaches giving rise to non-material damage”. This seems to assume that that Article 82 is horizontally effective. As I said on Tuesday, I’m not sure that this is so clear.
The text of Article 82 GDPR turns up again in Article 22 of the proposed ePrivacy Regulation (pdf). Such a right to compensation in a Regulation is unusual but not unique as a matter of EU law. For example, Article 5(1)(c) of the Flight Compensation Regulation provides that, in the “case of cancellation of a flight, the passengers concerned shall … have the right to compensation by the operating air carrier in accordance with Article 7”, and Article 7 provides that “passengers shall receive compensation” according to a scale of amounts and conditions set out in that Article.
More often, such rights are provided in Directives, leaving the form and methods of the claim for compensation to national law (eg, Article 5 of the Package Holidays Directive (1990) implemented by section 20 of the Package Holidays and Travel Trade Act, 1995 (also here); Article 14 of the Package Holidays Directive (2015); Article 3 of the Competition Damages Directive implemented by Regulation 4 of SI No 43 of 2017 (also here); Article 13(3) of the Trade Secrets Directive). Indeed, a Directive may be silent on the issue of compensation, but national implementing legislation may still provide it. For example, although the Unfair Commercial Practices Directive (pdf) does not in terms require it, section 74(2) of the Consumer Protection Act 2007 (also here) provides that a “consumer who is aggrieved by a prohibited act or practice shall have a right of action for relief by way of damages, including exemplary damages”.
Moreover, not only is the existence of such a claim unusual, but the formulation in Article 82(1) GDPR is also rather odd. It does not say that a person whose rights have been infringed has the right to receive compensation. Instead, it provides, in a much more mealy-mouthed fashion, that such a plaintiff shall have the right to receive compensation. Whilst this is similar to Article 5(1)(c) FCR, there is no further phrase like Article 7 FCR, which provides additionally and unambiguously that “passengers shall receive compensation”. In combination, Articles 5(1)(c) and 7 FCR unambiguously provide an imperative, directly effective, horizontal right to receive compensation. But it is the combination which has this effect. In the absence of an equivalent of Article 7, the formulation in Article 82 GDPR is not as a clear statement of an imperative, directly effective, horizontal right as Articles 5(1)(c) and 7 FCR; and, although it does not replicate the usual stricture in a Directive that “Member States shall ensure” an outcome, the provision that a plaintiff “shall have the right to receive compensation” certainly to cast the role of providing a right to receive compensation upon the national legal system. It would not have been difficult for the text of the formulation in Article 82(1) GDPR to have been clear on this issue, either by adding a provision like Article 7 FCR which would have made it clear beyond doubt that additional national implementation was not necessary, or by expressly providing that it was. In the absence of such clarity, the formulation in Article 82(1) GDPR and seems to assume a role for the national legal system in providing for the right to receive compensation.
On the other hand, the CJEU has provided an expansive interpretation of the right to compensation in Articles 5(1)(c) and 7, asserting that the right has to be interpreted broadly, and that exceptions and derogations have to be interpreted narrowly (Case C-549/07 Wallentin-Hermann v Alitalia (ECLI:EU:C:2008:771; CJEU, 22 December 2008); Joined Cases C-402/07 and C-432/07 Sturgeon v Condor Flugdienst GmbH and Böck v Air France SA (ECLI:EU:C:2009:716; CJEU, 9 November 2009); Joined Cases C-581/10 and C-629/10 Nelson v Deutsche Lufthansa AG and TUI Travel plc v Civil Aviation Authority (ECLI:EU:C:2012:657; CJEU, 23 October 2012); Case C-12/11 McDonagh v Ryanair (ECLI:EU:C:2013:43; CJEU, 31 January 2013); Case C-257/14 van der Lans v Koninklijke Luchtvaart Maatschappij NV (ECLI:EU:C:2015:618 CJEU, 17 September 2015); Case C-302/16 Krijgsman v Surinaamse Luchtvaart Maatschappij NV (ECLI:EU:C:2017:359; CJEU, 11 May 2017)). The CJEU has also provided an expansive interpretation of the right to compensation in Article 5 of the Package Holidays Directive (1990) (see Case C-168/00 Leitner v TUI Deutschland GmbH  ECR 1-1631 (ECLI:EU:C:2002:163; CJEU, 12 March 2002).
A similarly expansive interpretation of Article 82 GDPR is probably inevitable, if the CJEU is asked. But unless and until it is, there is the potential for great uncertainty. It would therefore be better to have this matter settled by legislation rather than leaving it to the vagaries of litigation to – and in – the CJEU. In the meantime, a failure to enact such legislation could leave the State open to a claim for damages from someone who suffered loss by reason of the State’s failure to give further effect to Article 82(1) GDPR. For example, in Dillenkofer [Joined Cases C-178/94, C-179/94, C-188/94, C-189/94 and C-190/94 Dillenkofer v Germany  ECR I-4845 (ECLI:EU:C:1996:375; CJEU, 8 October 1996)], the CJEU held that Germany’s failure to transpose the Package Holidays Directive (1990) gave rise to a claim for damages for holiday-makers who failed to get compensation and refunds for holidays where the organizers became insolvent. If the right to compensation in Article 82(1) GDPR requires implementation in national law, and if there is no relevant section giving effect to it in the forthcoming Irish legislation, then (as in Dillenkofer) a person who suffers loss by reason of an infringement of the GDPR would have a claim in damages against the State.
Any section of the Bill seeking to give effect to Article 82 GDPR should not seek to reinvent the drafting wheel. It should therefore begin with as much of the text of the relevant Regulation as possible. Cleaving as much as possible to the text of Article 82 GDPR will avoid many of the problems associated with section 7 of the Data Protection Act, 1988 (also here) which led Feeney J into error in Collins v FBD Insurance plc  IEHC 137 (14 March 2013), both as a matter of Irish law and as a matter of EU law. And the section should conclude by providing that the relevant claim is tortious in nature. For example, the Sea Pollution (Hazardous Substances) (Compensation) Act 2005 (also here) gives effect to the International Convention on Liability and Compensation for Damage in connection with the Carriage of Hazardous and Noxious Substances by Sea, 1996. Section 16(1) of that Act (also here) provides:
An action for compensation under the Convention … shall be deemed for the purposes of every enactment and rule of law to be an action founded on tort.
If a similar provision were to be included in the implementing legislation for the GDPR in respect of claims for compensation for breach of the Regulation, then issues such as causation, remoteness, measures of damages, limitation periods, contributory negligence, mitigation, and damages jurisdictions in the various courts, could be resolved by the application of settled principles of tort law. It is likely that the Irish Courts would answer such questions by analogy with tort (see, eg, Tate v Minister for Social Welfare  1 IR 418,  1 ILRM 507) but it would be better to have this matter comprehensively settled by legislation rather than leaving it to the piecemeal vagaries of litigation.
I therefore hope that a compensation provision along these lines emerges during the drafting process. And I hope that the legislation that ultimately emerges repeals the existing Acts and consolidates all of Irish data protection law into a single Act. No doubt I shall have more to say about the General Scheme of the Data Protection Bill 2017 published today; but, notwithstanding the quibbles raised here, I want to conclude by welcoming the publication of the Scheme without equivocation. It is plainly the fruits of much labour; it is another important milestone on the road to GDPR compliance; and I am certain that the legislation which is ultimately enacted will be all the better from the debates about the Heads which have no doubt already started.