AN ROINN DLI agus CIRT agus DEPARTMENT OF JUSTICE and

COMHIONANNAIS EQUALITY
5i Faiche Stiabhna 5] St. Stephen '3 Green
Bade Atha Cliath 2 Dublin 2

Teileafoni?Telephone: +353 I 602 8224 FacsuimhirfFax: 661 546]
Riomhphoistr?e-mail:



 

Submission re Of?ce of the Data Protection Commissioner and F01 Legislation

1. Introduction

Both the Department of Justice and Equality and the Of?ce of the Data Protection Commissioner
(ODPC) have examined the Freedom and Information Bill 2013, as amended at Committee Stage. The
consistent position of both bodies has been fully supportive of being extended to the
administration and publicity/information ?les of the ODPC. However, for the reasons set out below,
and notwithstanding the welcome and helpful amendment by DPER to the current draft [section 41 
of the Bill, it is the considered View of the Department and the Data Protection Commissioner (DPC)
that a block exemption for the investigation, audit and complaints ?les of the ODPC as well as advice
given and sought in con?dence should be available. A case in support ofthis position is set out below.

2. The Complaints? resolution role of the Of?ce of the Data Protection Commissioner is directly
analogous to that of the Ombudsman Of?ces

Schedule 1, Part I, exclusions for Ombudsman type bodies
Schedule 1, Part 1 of the draft FOI bill includes Ombudsmen-type Of?ces in the Schedule 0f?Partially
Included Agencies? as follows:

the Garda Siochana Ombudsman Commission

the ombudsman

the Ombudsman for Children

the Ombudsman for Financial Services

the Legal Services Ombudsman

the Ombudsman for Defence Forces

the Pensions Ombudsman
The various Ombudsmen Of?ces have block exemptions for their investigative ?les, generally ?insofar
as it relates to records concerning an examination or investigation.? In addition, the Central Bank of.
Ireland, which is subject to a similar con?dentiality requirement as the ODPC, is included under of
Schedule 1 as a partially exempt agency.

The rationale for not incorporating the ODPC in Schedule I, Part 1, is contained in the response by the
Minister for PER in the July 2012 FOI Government memorandum (see 14.3.3) wherein it is stated:

?The Minister does not consider the functions of the Data Protection Commissioner to be
analogous to those of an Ombudsman and proposes to bring this body under the Freedom of

 

Information Act in full other than investigative records which are prohibited from release under
EU law.?

Both the Department and the ODPC respectfully submit that there are sound public policy reasons to
justify the alteration of this position.

Rationale for treating the ODPC as an Ombudsman ype Body

It is strongly contended that the ODPC is, in fact, an Ombudsman type body and should be treated as
such under the draft legislation. Under section 10(1)(b) (ii) (extract appended at A) of the Data
Protection Acts 1998 and 2003, the Data Protection Commissioner has a statutory obligation to attempt
to reach an ?amicable resolution? with regard to complaints, a situation directly analogous with the
Ombudsman role. The ODPC legislation provides that they proceed to a formal decision in relation to a
complaint, only after being unable to arrange an amicable resolution within a reasonable time.

This role involves the ODPC acting as a go-between Ombudsman between the parties, using informal
procedures, rather than as a tribunal. The overwhelming majority of complaints received by the ODPC
are resolved by amicable resolution. A total of 1290 investigations of complaints were concluded by
the ODPC in 2013. Only 29 formal decisions were made by the Commissioner. This modus operandi is
typical of other Ombudsman type bodies.

The current ?informal? approach would be greatly inhibited by making these files potentially subject to
public disclosure, requiring the ODPC instead to act like a tribunal with full disclosure of all
documents to both parties. it is reasonable to presume that consideration of this potentially inhibiting
effect is one reason why the investigation files of all ombudsman-type bodies have benefitted from a
block exemption.

Section 5(l)(gg) of the Data Protection Act 1988 (as inserted by section 6 of the Data Protection
(Amendment) Act 2003) provides that the access right under section 4 of the 1988 Act the
individual's right to access his or her data) does not apply to personal data ?kept by the Commissioner
Data Protection Commissioner) or the Information Commissioner for the purposes of his or her
functions" (see Appendix A). This means, for example, that an investigation being carried out by either
Commissioner cannot be interrupted or frustrated by an individual whose actions might be under
investigation making access requests under data protection law. It would be strange indeed if such an
obstacle would now be created through access rights under revised FOI legislation. However, this is
precisely what is being unintentionally created as the draft legislation essentially requires that the DPC
must apply the F01 legislation in order to claim the protection of the law in respect of its
investigation and audit ?les. Any decision is appealable to the Office of the Information Commissioner
(01C). Hence, it is perfectly feasible to imagine a situation where attempts may be made to frustrate
ongoing investigation and audits by the making of routine requests which require the application of the
F01 legislation. This would be enormously disruptive to the ODPC and is inherently undesirable.

Furthermore, in circumstances where the ODPC is, in addition, subject to an EU confidentiality
obligation with the additional pressure of having to deal with multinational companies, it argued that it
is inconsistent to refuse to grant in the legislation the same exemption to ODPC investigation and audit
?les (bear in mind that audits are carried out using statutory powers which require the disclosure of
information which is inherently commercially sensitive and zealously guarded by the commercial
entities concerned).

Page 2 of 9

 

DPER Position

Both the Department and the ODPC acknowledge that the current DPER position accepts the fact that
exemptions for investigation and audit ?les are available under the EU Directive as transposed into
national law. Indeed, Section 41. was introduced at Committee Stage to strengthen this recognition.
However, such exemptions must ?rst be applied by the ODPC and are then subject to appeal to the
Information Commissioner under the draft F01 legislation. This is likely to involve the ODPC in the
expenditure of considerable scare resources to little purpose in order to claim an exemption under F01
legislation which is already available under EU law. It is far more desirable to speci?cally exempt in
the F01 legislation all investigation, audit and advice ?les from disclosure by including such activities
in Schedule 1, Part 1, as is the case with other Ombudsman type bodies and the Central Bank.

3. The obligation of professional secrecy placed on the ODPC by Article 28(7) of the Data
Protection Directive 

Article 28(7) of the Data Protection Directive provides that:

?Member States shall provide that the members and staff of the supervisory authority, even
after their employment has ended, are to be subject to a duty of professional secrecy with regard
to con?dential information to which they have access.?

This is transposed into national law via section 10(1) of the Second Schedule of the Data Protection
Acts 1988 and 2003:

person who holds or held the of?ce of Commissioner or who is or was a member of the staff
of the Commissioner shall not disclose to a person other than the Commissioner or such a
member any information that is obtained by him or her in his capacity as Commissioner or such
a member that could reasonably be regarded as con?dential without the consent of the person to
whom it relates.?

Scope of the professional secrecy provision

The scope of this professional secrecy provision clearly applies to all con?dential information to which
the Commissioner or his employees have access during and after their employment. It therefore would
apply to all complaints ?les, investigations, audits and to any compliance advice given and received in
con?dence.

Dif?culties with the adequacy of the amended section 41(1) to protect professional secrecy
The amended provision provides as follows:

41. (I) A head shall refuse to grant an FOI request if?

the disclosure of the record concerned is prohibited by law of the European Union or any
enactment (other than a provision speci?ed in column (3) ofParrs I or 2 ofSchedaie 3 of an
enactment speci?ed in that Schedule)?

A major dif?culty with this provision is that it still leaves the con?dentiality obligation which ?ows
from EU law to be open to interpretation by the Information Commissioner on appeal. It would be open
to the Information Commissioner to assess, on appeal, whether or not the record concerned could
?reasonably be regarded as con?dential.?

Page 3 of 9

 

It is argued that it is not a desirable from a public policy perspective to create such a potential (and
arguably ?inevitable?) con?ict between two public bodies and that there is no provision in the
relevant EU Directive which permits a national body to override the decision of the Data Protection
Commissioner as to which of his papers contain con?dential information and which do not [see also 5
below].

The above point is particularly relevant as the ODPC is effectively the European Ombudsman for many
complaints as already set out. Given that there is a clear divergence of views between certain EU
countries about the management and use of?big? data by multi-national entities, the Department would
argue that enacting the legislation in current form is likely to give rise to severe difficulties for the
ODPC and force that of?ce to manage its operations in a manner entirely inimical to Ireland?s Open
way of doing business.

4. The evolving status of data protection in the EU legal order

Article 16 (see Appendix B) of the Treaty on the Functioning of the European Union gives Treaty
status to the right to protection of personal data, and provides that rules shall be laid down regarding
the protection of individuals regarding the processing of personal data, and that compliance with such
rules ?shall be subject to the control of independent authorities.? (extract appended at B). Data
Protection is also given the status of a separate fundamental right in Article 8 of the EU Charter of
Fundamental Rights, on the same lines.

Therefore, the role of the ODPC, as an independent authority to protect the fundamental right to data
protection, stems directly from the Treaty of Lisbon. If a decision of an office holder under EU law (the
Data Protection Commissioner) were to be challenged by a national Office holder (the Information
Commissioner) this would lead to an inevitable and undesirable con?ict of legal orders.

It should also be noted that the EU secondary legislation regarding data protection is being revised by
means ofa proposal for a Regulation, which will have direct effect in all Member States. This is likely
to deliver further clarity in respect of the legal position and prerogatives of the Data Protection
Commissioner being derived from EurOpean law. The new EU Regulation will also require legislative
change in existing Irish law.

It is strongly preferable, in the view of the Department of Justice and Equality, to await the passage of
that Regulation so as to consider in the fullest possible context the public policy issues which arise for
Ireland in the context of balancing any right of access to personal data held by public bodies, including
the ODPC, with the right to the protection of personal data. This would also allow Ireland to take
account of developments in other EU states. Given that Irish legislation will require amendment in any
event this would seem the ideal opportunity to consider these issues in the round with the benefit of
having new EU legislation as the base. The Department of Justice and Equality would undertake in
that regard to consult in detail with the Department of Public Expenditure and Reform with a view to
arriving at the best policy options in the context of drafting amending legislation.

Page 4 of 9

 

5. The inevitability of conflicts between the Data Protection Commissioner and the Information
Commissioner regarding the con?dentiality of our complaints, investigative, audit and
advisory files

Under the current Bill there is an appeal route to the Information Commissioner from a refusal of a
request which relates, in the view of the Data Protection Commissioner to data protected from
disclosure under the EU Directive. It is the strong view of the Department that this mechanism will lead
to inevitable and pointless con?ict between the two Of?ces, a waste of public resources and to public
disrepute.

In practice, due to obligations stemming directly from EU law, the Data Protection Commissioner
would be obliged to argue the maximum con?dentiality for his con?dential records. The Information
Commissioner, from the viewpoint of his statutory duty, would almost certainly be obliged to question
this. This would lead to pointless con?ict, as the Data Protection Commissioner would be obliged to
argue the strength of his EU professional secrecy obligation, up to and including the CJEU. This could
lead to a potentially very embarrassing situation, where two national of?ce holders, both charged with
upholding citizens? rights, would be seen to be arguing against each other in the public EU arena. The
Department would strongly argue that this con?ict is entirely unnecessary and is not in the national
interest.

6. The need for the Of?ce of the Data Protection Commissioner to provide a guarantee of
absolute con?dentiality to the multinational companies based in Ireland in the course of
carrying out our data protection functions in relation to these companies, including audit and
provision of compliance advice.

It is necessary for the ODPC to be in a position to give a guarantee of con?dentiality to the companies
to enable a full and frank exchange in the provision of advice and resolving issues found through
audits. If the ODPC are in a position to offer a guarantee of con?dentiality, it will be possible for the
companies to come to them for advice on compliance issues, as is current practice, which the ODPC
may be able to resolve in discussions with them, before a problem escalates to a level requiring the use
of enforcement powers. If the ODPC cannot give this guarantee of con?dentiality, exchanges will
become much more formalised, the multinationals will seek protection behind their legal advisors, and
the relationships will be much less productive and more litigious. The lack of a block exemption for
investigative, audit and advisory ?les could impact on the guarantee of con?dentiality that the Of?ce
needs to be able to give to multinational companies (F acebook, Linkedln etc), when carrying out audits
and investigations.

Without a block exemption for these ?les, it is not possible for the Data Protection Commissioner
to give a guarantee of con?dentiality to the multinational companies, because the existing Bill
requires a record-by-record defence that the document can "reasonably be regarded as
confidential". The ODPC will therefore have to warn multinational companies in all
communications that they cannot guarantee the confidentiality of exchanges given that his
decisions are appealable to the Information Commissioner who may take a different View.

The draft EU general data protection Regulation provides for a ?one stop shop? mechanism, whereby,
if a multinational is established in one Member State, the multinational is directly supervised by the
data protection authority in that Member State, in consultation with the other Data Protection
Authorities via a consistency mechanism. Supervision of these multinationals by the ODPC will be
under EU?wide scrutiny, even more so than at present. It would obviously be very embarrassing and

Page 5 of9

 

damaging for public bodies in Ireland to be publicly airing constant domestic arguments about the
application of a professional secrecy obligation which applies to all the European data protection
authorities.

A further concern ofthe Department and the ODPC is the public policy implications of extending FOI
legislation to the ODPC as currently pr0posed. The ODPC has a Europe-wide obligation to oversee the
activities of multinational companies who locate their European headquarters in Ireland. It has
extensive powers to compel the production of information from private entities, much of which data is
commercially sensitive. Freedom of Information legislation is not applicable to private entities or
numerous commercial State sponsored bodies (see Schedule I, Part 2 ?Exempt Agencies?). Yet it is
being proposed to apply FOI legislation to the ODPC which holds extensive data from private and
commercial bodies which would not be normally available for disclosure under FOI legislation as these
bodies are not, for sound reasons of public policy, covered by FOI legislation. Indeed, in most cases
the information held by the ODPC has been provided to that body under compulsion of law and not in
the course of normal commercial activity or engagement. It is our view that the implications of such a
wholesale extension of FOI to data from private sector bodies needs to be carefully considered,
especially in the context of the draft EU Regulation under consideration.

7. Conclusions and Recommendations
In conclusion Department and the ODPC are of the view that:

The ODPC is a clearly and unambiguously an Ombudsman type body which acts in the
same manner as other Ombudsman type bodies. Indeed, it might be argued that the
Ombudsman role of the DPC is of a higher level than other Irish Ombudsmen due to his
responsibilities to citizens across the EU. The Department and ODPC would therefore
strongly argue that it is not consistent from a policy perspective to refuse to grant the same
exemption to the ODPC in respect of their investigation, audit and advice files.

(ii) Requiring the ODPC to apply FOI legislation in order to claim exemptions for
investigation and audit files will more than likely lead to an interference with ongoing
investigations and audits by FOI applicants and may set at naught the intentions of Section
5(l)(gg) of the Data Protection Act 1988 (as inserted by section 6 of the Data Protection
(Amendment) Act 2003).

Requiring the ODPC to operate the F01 legislation in order to claim exemptions available
to them under EU law is not a sensible use of scarce public resources at a time when the
ODPC is under severe pressure due to the establishment of Europe headquarters in Ireland
by numerous multi-national corporations which requires that the ODPC effectively operate
as the European Ombudsman for all complaints and hence investigations for those bodies.

The Department and the ODPC strongly recommend that the current legislation speci?cally provide in
Schedule 1, Part 1, for the exclusion of the investigation, audit and advice ?les of the ODPC from the
ambit of the draft FOI legislation. This would not do violence to Section 41(1) which could remain
unchanged. As DPER already agrees that these ?les are protected from disclosure under current EU
law this inclusion avoids:

The expenditure of scarce administrative resources on applying FOI to ?les which should
not be disclosed in any event under the EU Directive. This may even necessitate additional
resources for the ODPC to meet these requirements. It might be noted that the Minister for
Justice and Equality has given a public commitment that the Government will ensure that
ODPC will have all necessary resources to ful?l its mandate. 

Page 6 of9

 

 

(ii) The creation of unnecessary concern amongst commercial entities who fear that their
personal data may be disclosed under the new FOI regime and the consequential resort to a
more legalistic approach from those entities.

A possible clash of national and EU legal orders as between two public bodies which is not
in the national or EU interest.

(iv) The premature determination of public policy in this area in advance of the passage of the
new Regulation on data protection which will have direct effect in all Member States. The
passage of this Regulation is likely to ensure that the legal position and prerogatives ofthe
Data Protection Commissioner as derived from European law are even more clear. It will
also require legislative change in existing Irish law. it is strongly preferable in the View of
the Department of Justice and Equality to await the passage of that Regulation and to
consider at that point the public policy issues which arise in the context of balancing any
right of access to personal data held by public bodies, including the ODPC, with the right
to the protection of personal data.

Department of Justice and Equality
26?1 February 2014

Page 7 of9

 

Appendix A

Section 10(l)(b)Data Protection Acts 1998 and 2003:

Where a complaint is made to the Commissioner under paragraph ofthis subsection,

the Commissioner shall 

Investigate the complaint or cause it to be investigated, unless he is of opinion that it is

frivolous or vexatious, and

(ii) If he or she is unable to arrange, within a reasonable time, for the amicable resolution by
the parties concerned of the matter the subject of the complaint, notify in writing the
individual who made the complaint of his or her decision in relation to it and that the
individual may, if aggrieved by the decision, appeal against it to the Court under section

26 ofthis Act within 21 days from the receipt by him or her ofthe noti?cation.

Page 8 of9

 

 

Appendix 

?Article 16 of the Treaty on the Functioning of the European Union

Article 16
1. Everyone has the right to the protection of personal data concerning them.
2. The EurOpean Parliament and the Council, acting in accordance with the ordinary legislative

procedure, shall lay down the rules relating to the protection of individuals with regard to the
processing of personal data by Union institutions, bodies, of?ces and agencies, and by the
Member States when carrying out activities which fall within the scope of Union law, and the
rules relating to the free movement of such data. Compliance with these rules shall be subject to

the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the speci?c rules laid down

in Article 39 of the Treaty on European Union.?

Page 9 of9