Representing the Class: New Procedural Rules for Representative Actions under the Data Protection Act 2018

17-06-2019

Authors: Rob Corbet, Richard Willis, Gavin Woods and Conall O’Shaughnessy.


On 19 June 2019, new procedural rules will take effect setting out how “Data Protection Actions”(1) in the Circuit and Superior Courts of Ireland will work in practice. The new rules also set out specific requirements for “representative actions” by “Not-for-Profit” bodies.

The new rules also provide greater clarity on (i) the appeals mechanisms for Data Protection Actions; and (ii) the appropriate Circuit Court venue for the enforcement of certain rights under the DPA 2018.

However, it remains to be seen if representative actions in their current form will become an effective vehicle for data subjects in Ireland.

What types of “Representative Actions” are permitted under GDPR / the DPA?

The GDPR introduced a “representative” or “collective action” mechanism which allows a Not-for-Profit body to lodge a complaint on behalf of a group of individuals who are claiming that their rights under the Regulation have been infringed.

However, the GDPR left it to each Member State to determine the precise manner in which these “representative actions” were transposed into national law.

The DPA 2018 provides that a Data Protection Action may be brought on behalf of a data subject by a not-for-profit body that has the data subject’s permission to do so. This means that, whilst the DPA 2018 does not provide for the full extent of “collective actions” or “class actions” as permitted by the GDPR, it does provide for a limited form of “representative” action.

Procedural Amendments for Data Protection Actions

Confirmations in originating pleadings
Firstly, each Data Protection Action brought on behalf of a data subject by a not-for-profit body shall include in the particulars of claim:

  • a statement confirming that it is a body, organisation or association to which Section 117(7) of the DPA 2018 applies; and
  • a statement confirming that each relevant requirement of Article 80 of the GDPR has been satisfied. These are:
    • that it is a not for profit body, organisation or association;
    • properly constituted in accordance with the laws of Ireland;
    • its statutory objectives are in the public interest; and,
    • it’s active in the field of data subjects’ rights and freedoms with regard to the protection of their personal data.

Similar requirements exist for actions commenced by a body to which Section 120(2) of the DPA 2018(2) applies, or where an appeal under Section 150 of the DPA 2018(3) is brought by a not-for-profit body to which Section 120(2) applies.

In addition, in each scenario, the Court may, of its own accord, or on the application of another party to the action, direct that further information is provided “as is necessary” to determine that the Plaintiff is an appropriate body for such an action.

Appeals
Secondly, the existing procedural rules have been substituted to provide that, where an appeal is to be made to the relevant Court from:

  • a decision or determination made;
  • a direction given; or
  • a requirement specified in a notice issued

of a “deciding body” (i.e. the Office of the Data Protection Commission), then the procedure for appealing any such decision (where not specifically identified in the DPA 2018 or by another Court Rule) shall follow the Statutory Appeals procedure set out under the existing procedural rules (subject to any specific requirement set out in the DPA 2018). This procedure provides that the appeal shall be commenced by an originating notice of motion grounded upon an affidavit of the appellant.

Indorsement of Pleadings
The procedural rules have also been amended accordingly, to provide for the indorsement of pleadings in Data Protection Actions where the plaintiff sues or the defendant is sued in a representative capacity. Consequently, pleadings in actions commenced pursuant to Section 117(7) or Section 120(2) of the DPA 2018 must contain the following indorsement:

“the Plaintiff’s claim is a data protection action on behalf of a data subject, A.B, by a not-for-profit body, organisation or association to which section [117(7)] [120(2)] of the Data Protection Act 2018 applies that has been mandated by the data subject to do so”.

Amendments to Circuit Court Rules
Finally, the Circuit Court Rules have also been updated to reflect the provisions of the DPA 2018. In particular, they confirm that Data Protection Actions shall be brought in the county where:

  • the controller or processor against whom the data protection action is taken has an establishment; or
  • the data subject has his or her habitual residence.

The updated Order also specifies where applications and appeals to the Circuit Court may be made under certain sections of the 2018 Act (see Table below).

| DPA 2018 PROVISION | TYPE OF APPLICATION | COUNTY WHERE THE PROCEEDINGS MAY BE BROUGHT |
|---|---|---|
| 138(4) | Application by an authorised officer for an order under S 138(5) compelling an individual to comply with a requirement or substituting a different requirement. | Where the person to whom the application relates ordinarily resides, or by a judge of the Circuit Court assigned to the Dublin circuit. |
| 143(1) | Application by the Commission for confirmation of the decision to impose an administrative fine where the controller or processor does not appeal the decision under S142(1). | Where the controller or processor concerned has an establishment, or by a judge of the Circuit Court assigned to the Dublin circuit. |
| 150(7) | Application by a complainant for an order pursuant to S150 (8) (a) (ordering the Commission to comply with section 108(2) or 121(2)) in circumstances where the Commission is the competent supervisory authority in respect of a complaint. | Where the complainant resides, or by a judge of the Circuit Court assigned to the Dublin circuit. |
| Paragraph 5 of Schedule 3 | An application by an authorised officer for an order compelling an individual to attend an oral hearing at such time and place as is specified and to give evidence in respect of any matter in issue in the investigation or to produce any documents, records etc. within their power, possession or procurement. | Where the person to whom the application relates ordinarily resides, or by a judge of the Circuit Court assigned to the Dublin circuit. |
| 142 | An appeal by a controller or processor against a decision to impose an administrative fine. | Where the appellant controller or processor has an establishment, or by a judge of the Circuit Court assigned to the Dublin circuit. |
| 150(1) | An appeal by a controller or processor against a requirement specified in an enforcement notice or notice under S135(1) or, an appeal by a data subject or other person affected by a legally binding decision of the Commission. | Where the appellant controller or processor has an establishment, where the appellant data subject resides, or by a judge of the Circuit Court assigned to the Dublin circuit. |

Conclusion:

The new procedural rules have been introduced in order to take account of the advent of Data Protection Actions and “representative actions” introduced into Irish law by the DPA 2018 and the GDPR. Clarity on the procedural rules is welcome, particularly with respect to representative actions which are a new development in Ireland. However, how representative actions will work in practice remains to be seen and there are a number of issues which remain to be considered and possibly resolved by the Courts including:

  • How to satisfy the test that a Not-for-Profit body is active in the field of data subjects’ rights and freedoms with regard to the protection of their personal data and is acting in the public interest?
  • Can a Not-for-Profit body bring a Data Protection Action seeking compensation for damage suffered by data subjects?

It is notable with respect to the first of these points that the procedural rules provide the ability for a party (or the Court of its own accord) to request further information to be provided by a Not-for-Profit body in order to ensure it complies with the requirements. However, until the questions above are answered, it remains to be seen if these representative actions will become common in Ireland.

 

(1) A “data protection action” is an action brought by a data subject against the controller or processor concerned in circumstances where the data subject considers that their rights under a relevant enactment have been infringed as a result of the processing of their personal data.

(2) Section 120(2) relates to the representation of data subjects pursuant to the Law Enforcement Directive, which deals with the processing of personal data by data controllers for “law enforcement purposes” (which falls outside the scope of the GDPR).

(3) Section 150 provides a right of appeal against an enforcement notice or a notice under section 135(1) DPA 2018, including by a data subject affected by the legally binding decision.
