Commenting on the new requirements, the Commissioner stated: “I am pleased that the Minister has introduced new legal requirements which recognise that the challenges to the maintenance of individual privacy are becoming increasingly complex in today’s electronic age. Individuals must be able to enjoy the benefits of new technology while at the same time remaining in control of their privacy. These new requirements give individuals new rights which my Office will enforce.
I particularly welcome the fact that the Minister has responded to public concern over data breach incidents by introducing strict requirements for service providers in this area with the ability for my Office to bring prosecutions where such requirements are not followed. I am also pleased that individuals can no longer be bothered on their mobile phones by direct marketers unless they have given their prior agreement.”
The main new requirements are:
- Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
- More stringent requirements for user consent for the placing of “cookies” on electronic devices
- Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls
All telecommunications companies and internet service providers are now required to notify the Data Protection Commissioner of every data breach involving a subscriber. They are also required to notify customers in all cases where there is a risk that their data may be accessed. Failure to do so can lead to prosecution by the Commissioner, with a fine of up to €5,000 per instance. The Commissioner can also, for the first time, prosecute companies in this area for allowing a data breach, with fines on indictment of up to €250,000.
Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone, etc.) must provide appropriate information to the user and collect their consent, except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.
Electronic Marketing & Phonecalls
In a strengthening of the laws in this area, it is now an offence for any company or entity to phone a person on their mobile phone for a marketing purpose without having obtained their prior consent for such contact. The requirements now extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.