Developments in Data Protection Rights pre-GDPR

On 9 March 2013, the insurance company FBD was fined €15,000 in a ground-breaking case taken by a policy holder against the company for breach of his data protection rights.

Žao nam je, ne postoji prijevod na raspolaganju za ovaj proizvod još Američki Engleski. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.

Mr. Michael Collins, who was represented by Fintan Lawlor of Lawlor Kiernan LLP Solicitors took a case against FBD insurance for breaching the Data Protection law and using the information to deny him his right to have a claim for the theft of his van assessed and settled.

In a landmark decision, Judge Jacqueline Linnane held that FBD insurance breached Mr. Collins’ Data Protection Rights, pursuant to sections 2 and 4 and awarded Mr. Collins €15,000 in damages.

The Data Protection Commissioner had held that FBD failed to provide full documentation to Mr. Collins relating to a claim he made about a stolen work van. FBD had refused to pay out on the claim because Mr. Collins allegedly failed to disclose a previous criminal conviction on his policy form.

“FBD Insurance was found to have contravened the Data Protection Acts, 1998 and 2003 as follows:

  1. – By failing to furnish data within 40 days,
  2. – By failing to disclose certain documents when the data was produced,
  3. – By failing to have the required contract in place with the private investigator.
  4. – By failing to access District Court Orders in the proper manner.

This is the first case in this country where damages have been awarded upon an individual’s data protection rights being breached.

The decision marks a distinct shift in the area of Data Protection law in relation to damages and punitive measures taken against such data controllers who breach their duties under the legislation. Prior to this the only punitive measures taken against such data controllers had been the payment of charitable donations.

Subsequently, three insurance companies were found guilty of illegally using social welfare information on individuals which they had obtained through a private investigator. FBD, Zurich and Travelers Insurance pleaded guilty to 10 sample charges each after they were prosecuted for breaches of the Data Protection Acts. All three offered to make donations of €20,000 to charity.

They will also pay legal costs.

The prosecutions followed a complaint from the Department of Social Protection in December 2010 after it notices an unusual pattern of access to its database by an official, who had also been making phone calls to two specific numbers. Dublin District Court heard the companies were all registered with the Data Protection Commissioner to process certain personal information. This did not include social welfare information, which is not publicly available.

The commissioner obtained details of the welfare official’s access to the department’s computer systems for 2010, and was also led to the offices of Kildare-based private investigator Reliance Investigation Services by phone records. Assistant Data Protection Commissioner Tony Delaney and other officials made an unannounced inspection of the private investigator’s premises on 9 December 2010, and obtained its client list.

Mr Delaney told the court VAT invoices found on the premises proved to be critival evidence linking the private investigator with the insurance companies. Information found at the insurance firms, which the department subsequently confirmed was from its records, included individual’s dates of birth, PPS numbers, addresses, employment history and information on claims made from the department. The Office of the Data Protection Commissioner said that the outcome snet ‘the strongest possible message to other companies in the insurance sector and all sectors that there would be severe consequences from breaches of the Data Protection Acts.’

Mr Fintan Lawlor, said that this case sent a clear signal to all companies that there was a need to have open and transparent policies in relation to the data protection rights of their customers and staff.

“It is apparent that there are two types of privacy. The first applies to the wealthy and well known who enjoy the right to super injunctions to protect them from their own indiscretions and misjudgements.

“The other type of privacy applies to everyday citizens whose data is illegally accessed by State bodies, insurance companies, banks and other organisations. If you form part of the latter group it may not be so straightforward to access justice in this regard.

“Despite the existence of clear, defined legal guidelines on data protection, the privacy rights of countless ordinary citizens are breached everyday with no repercussions for the perpetrators. The collection and retention of data is so inextricably intertwined in our daily routines that it can be invisible and go unnoticed. This makes it easier for data controllers to use and abuse our data,” Mr Lawlor highlighted.

“I welcome as it will alert individuals and companies of the need to adhere to the law. It also demonstrates to individuals that they must fight for their data protection rights and the legal system will support them,” he said.

The collection and retention of all forms of data is an issue which is currently at the beating heart of Irish society. The case of Collins v FBD has opened new doors for Data Protection in Ireland . While the possibility of recovery of damages for data protection breaches has existed on paper for many years, this case provides the practical and realistic basis for individuals to be awarded damages under the relevant legislation.

Clearly there must be prohibitions against ever-expanding surveillance, but only popular pressure will cause the state to build new firewalls of privacy. Only sustained protest will compel regulators to tell corporations, police, schools, hospitals, and other institutions that there are limits. As a society, we want to say: Here you may not record. Here you may not track and identify people. Here you may not trade and analyse information and build dossiers. There are risks in social anonymity, but the risks of omniscient and omnipotent state and corporate power are far worse.