Ireland - Data Breach Guide

Published on Dec 1, 2020

IRELAND

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

Data breach notification requirements derive from three distinct sets of rules:

1.1.1 The General Data Protection Regulation ("GDPR") together with the Irish Data Protection Act 2018 ("DPA"), which gives further effect to the GDPR in Ireland. These apply to all controllers and processors.

The GDPR imposes a number of broad and general obligations on controllers. These include the obligation to process data "lawfully, fairly and in a transparent manner" (Article 5 (1) lit. a) GDPR) and to ensure "appropriate technical or organisational measures to protect the data" (Article 5 (1) lit. f) GDPR).

1.1.2 The Privacy and Electronic Communications Regulations 2011 (the "ePrivacy Regulations") which transpose the requirements of the e-Privacy Directive (2002/58/EC) into Irish law, along with Commission Regulation (EU) No. 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC (the "2013 Regulation") (collectively the "ePrivacy Regime"). The notification obligations under the ePrivacy Regime apply to certain entities in the telecommunications sector only.

The ePrivacy Regime imposes similar obligations to the GDPR on providers of publicly available electronic communications networks or services ("TSPs"). The ePrivacy Regulations, for example, require a TSP to take "appropriate technical and organisational measures" to safeguard the security of its service, if necessary, in conjunction with TSPs upon whose networks such services are transmitted (Regulation 4(1)).

1.1.3 The European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360/2018) (the "NIS Regulations"), which transpose the Directive on security of network and information systems ((EU) 2016/1148) (the "NIS Directive"), together with Commission Implementing Regulation (EU) 2018/151 (the "Implementing Regulation"), which lays down rules for the application of the NIS Directive in respect of digital service providers (collectively, the "NIS Regime"). The NIS Regime only applies to certain covered entities, namely "relevant digital service providers" and "operators of essential services".

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

1.2.1 GDPR

  • Controllers

A controller is obliged to notify the Irish Data Protection Commission ("DPC"), where it is the controller’s "supervisory authority concerned" under the GDPR, of any personal data breach that has occurred, unless it is able to demonstrate that the personal data breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33 (1) of the GDPR).

The default position, therefore, is that personal data breaches should be notified to the DPC, except where the controller has assessed the breach as unlikely to present any risk to data subjects, and the controller can show why it reached this conclusion.

Under the GDPR, where a personal data breach occurs and is "likely to result in a high risk to the rights and freedoms of natural persons", the controller must communicate the personal data breach to the data subject without "undue delay" (Article 34 (1) GDPR).

However, under Article 34 (3) GDPR, communication of a personal data breach to the data subject is not required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, the controller must nonetheless ensure, by way of a public communication or similar measure, that the data subjects are informed in an equally effective manner.

  • Processors

A processor is obliged to notify the controller without undue delay after becoming aware of a personal data breach (Article 33 (2) of the GDPR).

  • Personal data breach

For this purpose, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Personal data" is defined under the GDPR as "any information" relating to an identified or identifiable natural person (a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 (1) GDPR).

1.2.2 ePrivacy Regime

Under the ePrivacy Regulations, TSPs within the scope of the ePrivacy Regulations must notify the DPC of a personal data breach "without undue delay" (Regulation 4(6)) and, further to the 2013 Regulation, within 24 hours after detection of the personal data breach "where feasible" (Article 2 (2)).

Under the ePrivacy Regime, TSPs must, "without undue delay", notify affected subscribers or individuals where a "personal data breach" is likely to "adversely affect the personal data or privacy of a subscriber or individual".

For this purpose, a "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the European Union. In this context, "personal data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

1.2.3 NIS Regulations

  • Operator of an essential service

Under the NIS Regulations, an operator of essential services must notify the Computer Security Incident Response Team ("CSIRT") of any incident concerning it that has a significant impact on the continuity of an essential service provided by it in respect of which it is designated as an operator of essential services (Regulation 18).

Also, under the NIS Regulations an operator of essential services who relies on a third-party digital service provider for the provision of an essential service in respect of which it is designated as an operator of essential services must notify the CSIRT of an incident affecting the digital service provider which has a significant impact on the continuity of the essential service provided by the operator (Regulation 18).

In either case, the notification must be without delay after the incident occurs and, in any event, not later than 72 hours after the operator of essential services concerned becomes aware of the occurrence of that incident (Regulation 18).

An operator of an essential service that has made a notification must notify the CSIRT when the incident has been resolved (Regulation 18). This notification must be made as soon as practicable after the incident has been resolved and, in any event, not later than 72 hours after that time (Regulation 18).

The NIS Regulations do not require notification by an operator of an essential service to affected individuals.

  • Relevant digital service providers

Under the NIS Regulations, a relevant digital service provider must notify the CSIRT of any incident that has a substantial impact on the provision by it of a digital service set out in Schedule 2 which is offered by it within the Union (Regulation 22). The notification must be made as soon as practicable after an incident occurs and, in any event, not later than 72 hours after the relevant digital service provider becomes aware of the occurrence of the incident. However, the notification obligation does not apply where the relevant digital service provider does not have access to the information required to assess the impact of an incident taking into account certain prescribed matters.

A relevant digital service provider that has made a notification must notify the CSIRT when the incident has been resolved (Regulation 22). This notification must be made as soon as practicable after the incident has been resolved and, in any event, not later than 72 hours after that time (Regulation 22).

The NIS Regulations do not require notification by a relevant digital service provider to affected individuals.

  • Incident

For this purpose, "incident" means any event having an actual adverse effect on the security of network and information systems. "Security of network and information systems" means the ability of a network and information system to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

  • Significant / substantial impact of incident

An operator of essential services, in determining whether an incident has had a "significant impact" on an essential service provided by that operator of essential services (and, consequently, must be notified), must take into account:

(a) the number of users affected by the disruption of the service;

(b) the duration of the incident; and

(c) the geographical spread of the area affected by the incident,

(Regulation 18(4)).

In addition, an operator of essential services should have regard to the indicative incident reporting levels for relevant sectors set out in the "NIS Compliance Guidelines for Operators of Essential Service (OES)" (the "OES Guidelines" – available here), published by the Department of Communications, Climate Action and the Environment ("DCCAE").

Similarly, a relevant digital service provider, in determining whether an incident has had a "substantial impact" on the provision of a digital service by that relevant digital service provider, must take into account:

(a) the number of users affected by the disruption of the service;

(b) the duration of the incident; and

(c) the geographical spread of the area affected by the incident,

(Regulation 22(4)).

In addition, however, a relevant digital service provider must also take into account:

(a) the extent of disruption of the functioning of the service;

(b) the extent of impact on economic and societal activities; and

(c) whether a situation referred to in Article 4 of the Implementing Regulation has occurred (in which case, an incident will be considered to have a "substantial impact"), i.e. whether:

(aa) the service provided by a digital service provider was unavailable for more than 5,000,000 user-hours (the term "user-hour" being the number of affected users in the EU for a duration of 60 minutes);

(bb) the incident has resulted in a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via a network and information system of the digital service provider affecting more than 100,000 users in the EU;

(cc) the incident has created a risk to public safety, public security or of loss of life;

(dd) the incident has caused material damage to at least one user in the EU where the damage caused to that user exceeds EUR 1,000,000,

(Regulation 22(4)).

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

1.3.1 Notification to Regulator

GDPR

The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it. Where later than 72 hours, the notification must be accompanied by the reasons for the delay (Article 33 (1) GDPR).

Under the GDPR (Article 33 (3)), the notification of a personal data breach must, at a minimum:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach; and

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all of the information at the same time, controllers should provide the information in phases, provided this is done without undue delay.

The DPC requires notification using an online form (available on its website here).

ePrivacy Regime

The timelines for notification are set out in the response to question 1.2.

The ePrivacy Regulations and 2013 Regulation each impose separate and, in some cases, overlapping requirements as regards the content of notifications to the DPC, and TSPs must comply with both pieces of legislation.

Under the ePrivacy Regulations (Regulation 4(9)), TSPs must provide "without undue delay":

(a) a description of the nature of the personal data breach;

(b) a description of the contact points where more information can be obtained;

(c) a recommendation on measures to mitigate the possible adverse effects of the personal data breach; and

(d) a description of the consequences of, and the measures proposed to be taken by the TSP to address, the personal data breach.

Under the 2013 Regulation, TSPs must submit specified information to the DPC within 24 hours after detection of the data breach "where feasible". This notification must, at a minimum, contain all of the information set out in Section 1 of Annex I, as well as, where available, the information set out in Section 2 of Annex I (available here).

Where the information set out in Section 2 is not available at the time of the initial notification, the provider must submit a second notification within 3 days after the initial notification. Where it is still not possible to submit this additional information, the provider must provide a reasonable justification to the DPC, and provide the remaining required information as soon as possible.

The information required under Section 1 (i.e., the minimum initial information) and Section 2 (i.e., the information required where a second notification is required) of Annex I to the 2013 Regulation is as follows.

Initial notification (Section 1):

  1. Name of the provider
  2. Identity and contact details of the data protection officer or other contact point where more information can be obtained
  3. Whether it concerns a first or second notification
  4. Date and time of incident, if known (if necessary an estimate can be made), and of detection of incident
  5. Circumstances of the personal data breach (e.g. loss, theft, copying)
  6. Nature and content of the personal data concerned
  7. Technical and organisational measures applied (or to be applied) by the provider to the affected personal data
  8. Relevant use of other providers (where applicable)

Second notification (Section 2):

  1. Summary of the incident that caused the personal data breach (including the physical location of the breach and the storage media involved)
  2. Number of subscribers or individuals concerned
  3. Potential consequences and potential adverse effects on subscribers or individuals
  4. Technical and organisational measures taken by the provider to mitigate potential adverse effects
  5. Content of notification
  6. Means of communication used
  7. Number of subscribers or individuals notified
  8. Whether the data breach involved individuals in other Member States and whether other competent national authorities have been notified

The DPC requires notification using an online form (available on its website here).

NIS Regulations

The timelines for notification are set out in the response to question 1.2.

In respect of operators of essential services, the notification of the occurrence of an incident must, to the extent to which the operator concerned may reasonably be expected to have such information, contain the following information:

(a) the operator’s name;

(b) the category of sector and, where appropriate, subsector and the essential service provided by it which is affected by the incident;

(c) the time the incident occurred;

(d) the duration of the incident;

(e) information concerning the nature and impact of the incident;

(f) information concerning any or any likely cross-border impact of the incident;

(g) any other information that may be of assistance to the CSIRT,

(Regulation 18(3)).

In respect of relevant digital service providers, the notification of the occurrence of an incident must include:

(a) the name of the relevant digital service provider;

(b) details of when the incident occurred;

(c) the duration of the incident;

(d) sufficient information to enable the CSIRT to determine whether the incident has any impact on another member state, and, if so, its significance; and

(e) any other information which may be of benefit to the CSIRT,

(Regulation 18(3)).

Both operators of essential services and relevant digital service providers must use the respective incident notification templates published by DCCAE.

The template for notification of the occurrence of an incident in respect of operators of essential services is to be circulated to entities designated as operators of essential services in accordance with Regulation 12, and is otherwise available upon request to incident@ncsc.gov.ie or certreport@dccae.gov.ie.

The template for notification of the occurrence of an incident in respect of relevant digital service providers is available here.

There is no prescribed form for notifying that an incident has been resolved.

1.3.2 Notification to affected individuals:

GDPR

Under the GDPR, the notification to data subjects must be made without undue delay where the threshold for notification is met. The notification to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the information and measures required to be submitted to the DPC under points b), c) and d) (outlined above).

ePrivacy Regime

Under the e-Privacy Regulations, TSPs must notify affected individuals without undue delay, and must include similar information to that required to be submitted to the DPC (outlined above).

Annex II of the 2013 Regulation sets out further information required to be notified to the affected subscriber or individual, likewise "without undue delay":

  1. name of the TSP;
  2. identity and contact details of the data protection officer or other contact point where more information can be obtained;
  3. summary of the incident that caused the personal data breach;
  4. estimated date of the incident;
  5. nature and content of the personal data concerned;
  6. likely consequences of the personal data breach for the subscriber or individual concerned;
  7. circumstances of the personal data breach;
  8. measures taken by the TSP to address the personal data breach; and
  9. measures recommended by the TSP to mitigate possible adverse effects.

NIS Regulations

The NIS Regulations do not require notification to affected individuals.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

1.4.1 Penalties / fines

GDPR

The DPC has the power to issue administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, for non-compliance with breach reporting obligations under the GDPR (Article 83 (4) lit. a)).

The DPC may have regard to a number of factors in imposing a fine including any action taken to mitigate damage suffered by data subjects, the manner in which the personal data breach became known to the DPC and the degree of cooperation with the DPC (Article 83).

ePrivacy Regime

Under the e-Privacy Regulations, a person may be liable to a fine, on summary conviction, not exceeding EUR 5,000, and, on indictment, not exceeding EUR 250,000 (where the person is a corporate entity) or EUR 50,000 (where the person is a natural person).

A court may also order that any data that appears to be connected with the commission of the offence be forfeited or destroyed and any relevant data be erased.

NIS Regulations

Under the NIS Regulations, a person may be liable for a fine, on summary conviction, not exceeding EUR 5,000, and, on indictment, not exceeding EUR 500,000 (where the person is a corporate entity) or EUR 50,000 (where the person is a natural person).

1.4.2 Enforcement notices and offences

GDPR

The DPC has the power to issue enforcement notices under the DPA requiring a controller or processor to take such steps as are specified in the notice, within such time specified in the notice.

The DPC has, prior to the commencement of the GDPR, taken formal enforcement action so as to force companies to make notifications following data breaches. For example, in "Data Security Breach at Loyaltybuild Ltd: Case Study 14 of 2013", a case concerning a major security breach of personal data of some 1.5 million individuals (including 376,000 individuals whose full credit card data was compromised), the DPC issued enforcement notices against a number of data controllers directing them to notify the affected individuals.

In addition, an enforcement notice can direct the taking of steps where such steps are necessary for the recipient to comply with the GDPR. For example, in 2019, the DPC issued an enforcement notice to the Government Department of Employment Affairs and Social Protection to comply with the findings of a two-year investigation into a state-issued public services card.

Failure to comply with an enforcement notice is a criminal offence under the DPA.

Summary proceedings may be brought by the DPC, while prosecution on indictment requires the cooperation of the Director of Public Prosecutions. The DPC can also issue administrative fines directly for failure to comply with an enforcement notice.

ePrivacy Regime

Under the e-Privacy Regulations, where a TSP has not notified the subscriber or individual of the personal data breach, the DPC may, having considered the likely adverse effects of the breach, require the TSP to do so by serving an enforcement notice.

Under the ePrivacy Regime, it is a criminal offence for TSPs to fail to comply with an enforcement notice without reasonable excuse.

NIS Regulations

Under the NIS Regulations, in addition to wide-ranging other powers, the Competent Authority (DCCAE) may appoint authorised officers who may, in turn, issue compliance notices where an operator of essential services or a relevant digital service provider has failed to meet its obligations under the NIS Regulations, including its notification obligations.

Under the NIS Regulations, failure to comply with a compliance notice is a criminal offence, and a person failing to comply may be liable to the fines outlined above.

1.4.3 Damages

GDPR

Under the GDPR, any person who has suffered damage as a result of an infringement of the GDPR (for example, a data breach) shall have the right to receive compensation from the controller or processor for the damage suffered (Article 82 GDPR).

Article 82 GDPR expressly provides for material and non-material damages.

A controller or processor is exempt from liability only if it proves that it is not in any way responsible for the event giving rise to the damage.

A failure to notify affected individuals could, in certain circumstances, potentially result in further damage being suffered by affected individuals.

ePrivacy Regime

Under the e-Privacy Regulations, a person who suffers loss and damage as a result of a contravention of any of the requirements of the e-Privacy Regulations by any other person shall be entitled to damages from that other person for that loss and damage (Regulation 16(2)).

A TSP will not be liable in damages where it has taken all reasonable care in the circumstances to comply with the requirement concerned (Regulation 16(3)).

A failure to notify affected individuals could potentially result in further damage being suffered by affected individuals.

NIS Regulations

The NIS Regime does not provide for civil damages.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

This would depend on the nature of the breach, including the type and volume of data involved, whether the data is encrypted, whether the breach resulted from a deliberate act, the type of data subjects affected, and whether the entity subject to the breach falls within the territorial scope of the relevant legislation.

1.6 What are the applicable data protection laws or guidelines within your country?

The main data protection laws and regulations are the following:

  • Regulation (EU) 2016/679 (General Data Protection Regulation);
  • Data Protection Acts 1988 to 2018;
  • The European Communities (Privacy and Electronic Communications) Regulations 2011;
  • Commission Regulation (EU) 611/2013; and
  • European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360/2018).

1.7 Contact information for Data Protection Authority:

Name: Office of the Data Protection Commissioner

Address: Canal House, Station Road, Portarlington, Co. Laois, Ireland

Telephone: +353 1 57 868 4800

Fax: +353 1 57 868 4757

Email: info@dataprotection.ie

Website: www.dataprotection.ie

For more information, contact:

Name: Robert McDonagh

Firm: Mason Hayes & Curran

Address: South Bank House, Barrow Street, Dublin 4, Ireland

Telephone: +353 1 614 5000

Fax: +353 1 614 5001

Email: rmcdonagh@mhc.ie

Website: www.mhc.ie