Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data protection issues in regulatory investigations

Published byReynold Walker Modified over 5 years ago

Similar presentations

Presentation on theme: "Data protection issues in regulatory investigations"— Presentation transcript:

1 Data protection issues in regulatory investigations
Colin Rooney Partner, Technology and Innovation Group 20 October 2017

2 Introduction Law enforcement, regulators & courts
voracious appetite for access to personal data Sometimes such data not held / controlled in same jurisdiction as regulator requesting it cross border issues Regulatory requests must navigate legal minefield

3 Compliance risk Compliance with request from regulatory authority for personal data could lead to breach of data protection rules Must assess sanctions for: breaching relevant data protection laws Against failing to comply with a request received from a regulatory authority Some thoughts on this follow…

4 Cross-border issues Foreign authorities requesting information held overseas Example: Microsoft Case Increasingly organisations resist exercise of extraterritorial jurisdiction by foreign courts and law enforcement agencies

5 Legal framework Europe Ireland
General Data Protection Regulation (the “GDPR”) (date of implementation: 25 May 2018) Heads of Bill (General Scheme) DP Directive 95/46/EC Data Protection Acts 1988 and 2003

6 Relevant Laws Data Protection Acts 1988 and 2003 (“DPA”)
Section 2(1) (c) of the DPA data controller shall not further process personal data (which includes disclosure to a third party) except in ways that are compatible with the purpose for which the data were obtained Section 8 of the DPA lifts the restriction on disclosure in certain circumstances individual's right to privacy is balanced against needs of civil society

7 Disclosures Section 8 of the Data Protection Acts 1988 and 2003
Section 8(a) "in the opinion of the Garda Siochana not below the rank of chief superintendent or an officer of the Permanent Defence Forces who holds an army rank not below colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State" Section 8(b) "required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid" Section 8(c) "required in the interests of protecting the international relations of the State" Section 8(d) "required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property" Section 8(e) "required by or under any enactment or by a rule of law or order of a court" Section 8(f) "required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness" Section 8(h) "made at the request or with the consent of the data subject or to a person acting on his behalf"

8 Guidance from Data Protection Commissioner’s Office
Section 8(b) "required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid“ DPC Guidance: The individual's right to privacy must be balanced against the need to investigate offences and collect taxes effectively. If a data controller is approached by a law enforcement authority or by a tax collecting authority, which seeks to have personal data disclosed to it under this section of the Data Protection Act, it is a matter for the data controller: (i) to satisfy itself that the provisions of this section are met, for example by establishing the bona fides of the authority and by obtaining assurances that the disclosure is actually necessary, and not merely of side interest, for the investigation of an offence; and (ii) to decide whether or not to comply with the request for disclosure. While this section of the Data Protection Act lifts the restrictions on disclosure by a data controller to a law enforcement authority or to a tax collecting authority, this section does not impose any obligation on a data controller to comply with the request for disclosure. Section 8(e) "required by or under any enactment or by a rule of law or order of a court“ DPC Guidance: If you are under a legal obligation to disclose personal data, then this obligation takes precedence over the Data Protection Act's prohibition on disclosure. However, if you have a statutory discretion to make information available, matters are not so clear-cut. The Data Protection Commissioner has found, in the past, that a statutory discretion to make information available did not come within the scope of section 8(e) of the Data Protection Act, and that accordingly the restriction on disclosure of personal data remained in force.

9 Data protection issues to consider on receipt of a regulatory request

10 Further information Evaluate purpose of the request
Seek further information from requesting regulatory authority

11 Powers Binding legal obligation to answer request?
If so, to what extent binding? Legal ability to compel disclosure? If so, have the correct procedures been followed to make a binding demand? Necessary to ask the regulator / law enforcement authority to make a binding request?

12 Scope of the request Negotiate scope of request?
Sometimes regulators / law enforcement authorities will agree to narrow broadly defined requests so as to target specific information required for purposes of their investigations…

13 Anonymization and minimisation
Limit data disclosed to that which is necessary for purpose (NB for GDPR) Redact personal data from documents before they are disclosed?

14 International disclosure
Can data be transferred via a domestic authority? Can domestic court compel disclosure of documents pursuant to Hague Convention?

15 Data processing agreement
Is recipient acting as a data processor? Is it necessary to put in place a data processing agreement? only to process data in accordance with the instructions of the company (as data controller) implement sufficient technical and organisational security measures to protect the personal data.

16 Thank you for your time today.
20 October 2017

Download ppt "Data protection issues in regulatory investigations"

Similar presentations

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Data Protection Information Management / Jody McKenzie.

Data Protection Information Management / Jody McKenzie.
The Problem Solvers TM www.singleton.com Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.

The Problem Solvers TM Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
JURISDICTION Arie Afriansyah. Definition The extent to which international law permits a state to exercise its jurisdiction over persons or things in.

JURISDICTION Arie Afriansyah. Definition The extent to which international law permits a state to exercise its jurisdiction over persons or things in.
The Australian Privacy Principles Protecting information rights –­ advancing information policy.

The Australian Privacy Principles Protecting information rights –­ advancing information policy.
Data Protection and Records Management

Data Protection and Records Management
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.

Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report.

National Smartcard Project Work Package 8 – Information Law Report.
Data Protection Act 1998. Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.

Data Protection Act Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
Regulation of Personal Information Daniel Pettitt, Leon Sewell and Matthew Pallot.

Regulation of Personal Information Daniel Pettitt, Leon Sewell and Matthew Pallot.
1 driven by knowledge and experience 1 CHARITIES ACT 2009 ELECTORAL ACTS 1997 – 2002 PRESENTATION BY JOE O’MALLEY Partner At OPEN on 29 June 2011.

1 driven by knowledge and experience 1 CHARITIES ACT 2009 ELECTORAL ACTS 1997 – 2002 PRESENTATION BY JOE O’MALLEY Partner At OPEN on 29 June 2011.
Protecting information rights –­ advancing information policy The Australian Privacy Principles.

Protecting information rights –­ advancing information policy The Australian Privacy Principles.

Similar presentations

Ads by Google