State could face claims for damages if public bodies illegally process data

Oireachtas committee told social media firms must identify whether users are adults or children

The State could be facing millions in claims for damages from citizens if public bodies illegally process their personal information, an Oireachtas committee has heard.

Pre-legislative scrutiny of the general scheme of the data protection Bill 2017 continued at the Joint Committee on Justice and Equality on Wednesday.

The proposed legislation must be in place by May of next year to give effect to the new EU general data protection regulation and an associated directive on sharing data for law enforcement purposes.

Barrister Dr Denis Kelleher told the committee that under the regulation, if government departments had, for example, a system that failed to process requests from customers for their personal information, it could be facing millions in claims.


It would be easy for the number of claims in such circumstances to reach a thousand, which would add up to €15 million, he said.

‘Significant issue’

He said it was a “significant issue” and it was difficult to say how it would go.

In the past, claims for failing to secure CCTV, for example, had been settled for in the region of €10,000.

“There are differing views on what claims would settle for at this present time but it’s likely they would be significant,” Dr Kelleher said.

Dr Kelleher, the author of a number of key texts on data protection law in Ireland, said the “very real penalty” faced by public authorities under the new EU regulation was “illegality”.

There was a “very real issue” that public bodies who failed to process personal data in accordance with data protection law would “effectively be processing that data illegally”.

They would then face not being able to perform their statutory functions, and those people whose data had been processed illegally may be able to bring claims for damages, which was a “very real penalty on them”.

Dr Kelleher said the “real deterrent” against the public body was the possibility of damages claims.

Identification services

Dr Kelleher also raised an issue about the role of the State in providing identification services.

Under the new EU regulation, companies such as social media firms will have to establish the identity of those using their services so that they may distinguish between adults and children.

Dr Kelleher said companies such as social media providers would have to be able to identify children and they were subject to “onerous fines” and potentially very significant claims for damages if they processed the data of children where they were not supposed to do so.

The two choices were that the identification would be done by the firms themselves or by the State.

“Personally I would prefer if the market wasn’t providing the solution – I would prefer that the State would provide the solution,” Dr Kelleher said. This would give people rights such as judicial review and the ability to see who was processing data, he added. But the State was not in a position to provide such services at present.

Seamus Carroll of the Department of Justice told the committee last week that the Government would take a decision in the coming weeks on the “digital age of consent” that will apply for the use of internet services.

The EU regulation requires parental consent for the provision of information society services to a child under 17. But member states may provide by law for a lower age as long as it is no lower than 13 years. The Government held a public consultation on the issue.