Offences and Penalties
Disclaimer: Note that the material contained in this section is provided for general information purposes only, and does not purport to be legal advice or a definitive interpretation of the law. If you require legal advice on these or related matters, it is recommended that you consult a legal adviser.
The Data Protection Acts and the Electronic Communications Regulations (SI 336 of 2011) set out the rules with which data controllers must comply. Breaches of these rules sometimes involve offences which are punishable by fines. The offences are as listed below:
Offences by electronic communications companies under SI 336 of 2011
Under Section 19(6) of the Data Protection Acts, it is an offence for a data controller who is required to be registered to keep personal data unless he is registered. It is also an offence for a data processor, who is required to be registered, to process personal data unless the data processor is registered. Accordingly, data controllers who continue to keep personal data, and data processors who process personal data, without meeting their requirement to register are liable to be prosecuted. However, if a data controller or data processor has a registration application pending with this office, then there is no offence.
A registered data controller specifies, in his registration application, what types of personal data will be kept, for what purpose, to whom the personal data will be disclosed, and to what places outside the State the data will be transferred. A registered data controller who knowingly treats personal data in a way not covered by the particulars included in the register entry is guilty of an offence, under section 19(6) of the Acts. The same rule applies to employees or agents of the data controller, other than data processors, who are subject to the same restrictions as the data controller in respect of the handling of the personal data. Data controllers, and their employees and agents, should therefore ensure that the particulars included in the registry entry adequately describe the scope of the data controller's dealings with the personal data. If a data controller wishes to treat personal data in a way not covered by the register entry, then the data controller should amend the register entry accordingly.
Under section 19(6) of the Data Protection Acts, it is an offence for a data controller or data processor, in respect of whom there is a register entry, to fail to notify the Commissioner of any change of address.
It is an offence under section 20(2) of the Data Protection Acts to knowingly furnish the Commissioner with false or misleading information when applying for registration.
Under Section 10(9) of the Data Protection Acts, it is an offence for any data controller or data processor, without reasonable excuse, to fail or refuse to comply with a requirement specified in an enforcement notice. There is a right of appeal against requirements specified in such notices.
Under Section 12(5) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a requirement specified in an information notice. Knowingly to provide false information, or information that is misleading in a material respect, in response to an information notice is also an offence. There is a right of appeal against requirements specified in an information notice.
Under Section 11(15) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a prohibition specified in a prohibition notice. There is a right of appeal against requirements specified in such notices.
Under Section 21(2) of the Data Protection Acts, it is an offence for any data processor, or for any employee or agent of his, to knowingly disclose personal data without the prior authority of the data controller on whose behalf the data were processed.
Bodies corporate, such as companies, statutory bodies, and formally-constituted voluntary bodies, are bound by the Data Protection Acts in the same way as individuals. Section 29 of the Act provides that directors, managers, secretaries or other officers of a body corporate which has committed an offence under the Act are also guilty of that offence, if it is proved to have been committed with their consent or connivance or to be attributable to any neglect on their part. If there is no officer of a body corporate who can be shown to bear personal responsibility for the offence, only the body corporate commits the offence. If there is, both the officer and the body corporate can be prosecuted.
This principle is extended to bodies corporate that are managed by their members. Any member who is personally responsible for the offence can similarly be prosecuted as if he were a director or manager of the body corporate concerned.
The Data Protection Acts deal with the threat to privacy posed by persons who are not data controllers or data processors (or their employees) and who, having obtained unauthorised access to personal information, then disclose it to others. Under section 22 of the Acts, such conduct is an offence. This unauthorised access can occur in various ways. In the case of electronic data the most obvious is "hacking", i.e. obtaining access from a point remote from the computer by electronic means. Unauthorised access can also occur by someone gaining access to a data controller's equipment when the staff are not present. Someone might steal, or take without authority, a diskette or tape or manual file on which data are recorded. Or someone (other than the data controller or his staff) could be in a position to read personal data being shown on the computer screen or to read a printout. But whichever way the unauthorised access takes place, it will be an offence if the person concerned, having gained access, proceeds to disclose to another person the information he or she has accessed.
Section 24 of the Data Protection Acts confers certain powers upon an "authorised officer", a person authorised by the Data Protection Commissioner to exercise powers of entry and inspection.
Section 24(6) of the Acts makes it an offence for any person to obstruct or impede an authorised officer in the exercise of a power; to fail to comply with any of the requirements to cooperate with the authorised officer; or knowingly to give false or misleading information to an authorised officer, in purported compliance with such requirements.
sending unsolicited marketing messages to individuals by fax, SMS, e-mail or automated dialling machine
sending unsolicited marketing by fax, SMS, e-mail or automated dialling machine to a business if it has objected to the receipt of such messages
It is an offence under regulation 13(13) of S.I. 336 of 2011 to make an unsolicited telephone call for the purpose of direct marketing if the sender is notified of an objection to such communications or an objection is recorded in the National Directory Database for that line.
When direct marketing telephone calls are being made or messages sent by e-mail, SMS, fax or automated dialling machines, then the caller or sender must identify themselves and provide a telephone number, address or e-mail address at which they can be contacted. Failure to do so is an offence under regulation 13(13) of S.I. 336 of 2011.
Where direct marketing messages relating to the sender's own similar products are being sent to customers by e-mail or SMS, the sender must give an easy-to-use, free-of-charge opportunity, with each message sent, to object to future messages. This opportunity must also have been given when the contact details were initially collected from the customer, not more than twelve months prior to the sending of the direct marketing communication or, where applicable, where the contact details were used for the sending of electronic mail for direct marketing purposes within that twelve-month period. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.
It is an offence under regulation 13(13) of S.I. 336 of 2011, for the sender of an e-mail or SMS for direct marketing purposes to disguise or conceal the identity of the sender or to fail to provide a valid address to which the recipient can send a request that such communication shall cease.
Marketing calls to mobile telephones are prohibited unless (i) the caller has been notified by the subscriber or user concerned that he or she consents to the receipt of such calls on his or her mobile telephone, or (ii) the subscriber or user has consented generally to receiving marketing calls and that such consent to receive marketing calls is recorded in the National Directory Database in respect of his or her mobile telephone number. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.
A non-marketing SMS message (e.g. an SMS information message) may not have marketing content "tagged on" unless the subscriber or user concerned has given prior consent to the receipt of an SMS communication containing such "tagged on" marketing content. Failure to comply is an offence under regulation 13(13) of S.I. 336 of 2011.
Data controllers in the electronic communications sector must give effect to a specific security policy which protects personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure of personal data. They must also ensure that personal data can only be accessed by authorised personnel for legally authorised purposes. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.
Data controllers in the electronic communications sector must provide information to their subscribers on any particular risk of a breach of the security of the public communications network. Where the risk lies outside the scope of the measures to be taken by the relevant service provider, they must provide information to their subscribers on any possible remedies, including an indication of the likely costs involved. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.
Where there has been a personal data breach, data controllers in the electronic communications sector must, without undue delay, notify the Data Protection Commissioner of the breach. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.
failure to notify the subscriber or individual concerned where there has been a personal data breach which is likely to adversely affect the personal data or privacy of the subscriber or individual concerned
Where there has been a personal data breach which is likely to adversely affect the personal data or privacy of a subscriber or individual, data controllers in the electronic communications sector must, without undue delay, notify the subscriber or individual of the breach. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011. Such a notification is not required if the data controller has demonstrated to the satisfaction of the Data Protection Commissioner that it has implemented technological protection measures which render the data unintelligible to any person who is not authorised to access it and that those measures were applied to the data affected by the security breach.
Data controllers in the electronic communications sector must maintain an inventory of personal data breaches which comprises information on the facts surrounding each breach, the effects of the breach and any remedial action taken. Failure to comply is an offence under regulation 4(13) of S.I. 336 of 2011.
Data controllers in the electronic communications sector must co-operate with any audits undertaken by the Data Protection Commissioner to determine compliance with the provisions of regulation 4 of S.I. 336 of 2011. A refusal to co-operate is an offence under regulation 4(13) of S.I. 336 of 2011.
Summary proceedings for an offence under the Data Protection Act may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is set at €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000.
If the commission of an offence under the Data Protection Acts also involves violence - for example, if an "authorised officer" is assaulted in trying to gain access to a premises under section 24 - then the offender can be proceeded against for assault and be liable to imprisonment.
Where a person suffers damage as a result of a failure by a data controller or data processor to meet their data protection obligations, the data controller or data processor may be subject to civil sanctions by the person affected. Ordinarily, the "injury" suffered by a data subject will be damage to his or her reputation, possible financial loss and mental distress. The data subject concerned may have adequate remedies under the existing law (defamation where appropriate, breach of confidentiality and so on, but perhaps more frequently in negligence, because in some cases a data controller or a data processor would owe a duty of care to data subjects about whom data are being kept or processed: a duty to see that damage is not caused to them by negligent handling of the data in question). In so far as a data controller or data processor may not be subject to this duty of care, section 7 of the Data Protection Acts remedies this by ensuring that such a duty will be implied in all cases where personal data are kept or processed.
Where a court convicts a person of an offence under the Data Protection Act, section 31(2) of the Acts provides that the court has discretion to order any data material, i.e. any document or other material used in connection with, or produced by, data equipment connected with the commission of the offence, to be forfeited or destroyed. The court may also order any relevant data to be erased. A court would use this power to prevent any further damage being done by the use of the material or of the data.
When exercising this power, the court must give the owner of the data concerned or anyone who is otherwise interested in them an opportunity to show cause why a forfeiture etc. order should not be made.
Summary proceedings for an offence under S.I. 336 of 2011 may be brought and prosecuted by the Commissioner. Each call or message can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 if the offender is a body corporate.
The court may also order the destruction of data that is connected with the commission of an offence. See Forfeitures above relating to penalties under the Data Protection Acts.