I am not alone in wondering what the status of Limerick City & County Council’s Smart CCTV surveillance system is. County councillors have been asking what the delay with the system is and it appeared some weeks ago that the provision of legal advice to the Council was imminent but, as far as I can see, it has not been presented to councillors for consideration.
The Data Protection Commission had told me last month that their office was not going to investigate complaints against the Limerick scheme because a national study on public CCTV was to commence within weeks, part of which would look at the Limerick scheme. However, the Commission also told me that it was their “understanding that the CCTV systems … are not in operation.” They did not state where that understanding came from. Somewhat unusually, the Commission does not appear to have made any public statement about its national study other than what was reported in the Irish Times in March.
So, I asked Limerick City & County Council if the cameras were recording. This request was made under section 3 of the Data Protection Acts 1988 and 2018, which allows individuals to see if an organisation is processing personal data. The Council have today told me that the surveillance system is active and recording footage. They say, however, that the footage is not currently being accessed because the cameras are being tested.
The Council’s position on this is that the system is in a “transitional” status and not a “live” or “operational” one because the footage is not being monitored. They say that the system is not not yet “live” because the Council is finalising its CCTV policy in line with the GDPR and data protection legislation. However, it is clear that the cameras are recording and the Council is, therefore, processing personal data (see Article 4 GDPR for the definition of “processing”). It is not clear what is being done with the footage recorded or what the testing of it involves.
A notable aspect of the Limerick scheme is that it has been authorised by the Garda Commissioner under section 38 of the Garda Síochána Act 2005, which provides for authorisations of community surveillance only for public order. The then Acting Commissioner confirmed to me in January that the authorisation granted was “for the sole or primary purpose of securing public order and safety in public places by facilitating the deterrence, prevention, detection and prosecution of offences.” The Council tell me that the primary purpose of the scheme is public order and safety “including” the following:
I was particularly interested in the reference to the “perception of safety” – the Council’s own statistics in the report that lead to the surveillance system show a significant drop in reported crime in many areas, including Newcastle West.
The Data Protection Commission will have to decide, in the first instance, whether or not the purposes to which the Council wishes to put its surveillance network are a justified and proportionate infringement on the privacy rights of individuals. The remarkably vague reference to “open data” gives rise to further concern and it is again astonishing that a privacy impact assessment does not appear to have been done in advance of planning such a system.
It remains to be seen how piggybacking these additional purposes on the surveillance system is compatible with the section 38 authorisation granted by the Garda Commissioner. The Commissioner has not yet confirmed the position on that point but the previous Acting Commissioner confirmed to me that they had not, for example, authorised ANPR or tourism cameras.
Whatever results from the national study, it will be interesting to see where the Data Protection Commission obtained the understanding that Limerick’s surveillance system was not in operation and how the Council’s continuing preparations for the full operation and monitoring of the system will interact with the Commission’s national study.
The Consumer Protection Act 2007 was a major reform of Irish consumer law with predictably European foundations, but has had very little impact in Ireland. It is rarely enforced in any meaningful way and the lack of court cases mean it is underdeveloped, despite the Act having wide-ranging provisions, extensive criminal offences and enforcement powers and even rights for consumers to seek damages for its breach.
Given the scope of the legislation, which covers marketing, sales, pricing and contract practices, it is not hard to find consumer situations in Ireland where the Act applies but is not enforced or respected. Undisclosed advertorial, for example, is a frequent and ongoing source of controversy that came into focus with undisclosed celebrity and sportsperson endorsements but has become a bigger issue with the rise of social media influencers. Regular calls to “do something” or to provide “clarity” on the rules are usually framed in the terms of non-binding ASAI rules rather than the actual legal provisions of the Act which have a direct bearing.
Another consistent issue is contract and subscription services that can be set up online or in-app but which have complicated or disproportionately inconvenient cancellation requirements, the main culprits being online publications and utility companies. There is no fair reason for requiring someone to ring up to cancel, or to write in by post for example, other than to capitalise on inertia. In one example I have seen, customers can cancel by clicking a link in their account but that merely prompts the trader to call the customer to confirm – an unnecessary extra step which does nothing more than provide the trader with another opportunity to cajole the customer not to cancel, but which also raises contractual difficulties in determining the cancellation period.
The Act prohibits a range of commercial practices, including aggressive commercial practices. These are practices which, if by harassment, coercion or undue influence, would be likely to:
cause significant impairment of the average consumer’s freedom of choice or conduct in relation to the product concerned, and
cause the average consumer to make a transactional decision that the average consumer would not otherwise make.
This may not immediately seem relevant to cancellation practices, but the Act goes on to say that in determining whether the commercial practice employs harassment, coercion or undue influence, a number of things shall be taken into account, including the imposition of onerous or disproportionate non-contractual barriers by the trader when the consumer wishes to terminate the contract, exercise a contractual right or switch to another product or trader.
In 2011, the Bulgarian Supreme Court found that burdensome termination requirements effectively trapped consumers in automatic renewals of a service, amounting to an aggressive commercial practice. It is worth noting that, in Ireland, aggressive consumer practices are not just prohibited, they are a criminal offence. The penalties under the Act can be serious, ranging up to a fine of up to €5,000 or imprisonment for up to 12 months on summary conviction or up to €60,000 and 18 months on indictment.
The history of Irish regulatory law and enforcement, particularly in consumer law, suggests that prosecutions will continue to be rare and even if brought to conviction penalties will be at the low end of the scale. However, Irish consumers are entitled to a more activist consumer regulator monitoring terms and conditions and trader behaviours, particularly given that the lack of class action structures in Ireland means that the civil remedies in the Act are usually not cost-effective to invoke, devaluing another incentive for traders to improve behaviour. I have had District Court cases with awards of aggravated damages in the region of 25% due to misleading commercial practices, but the consumers involved had significant contractual claims to begin with. For most, private enforcement of a breach of the Act will not be worthwhile.
The merger of the under-resourced Competition Authority with the under-resourced Consumer Agency to form the Competition and Consumer Protection Commission has continued the trend of insufficient enforcement and monitoring of both areas of the law, but the emphasis remains on competition and merger control.
The Commission has only published lists of consumer protection enforcement measures taken up to the end of 2016 and for that year it reports 40 enforcement actions, but which cover only 7 categories of consumer law breaches and only three categories of remedial action (none of which were prosecutions). From 2012 to 2016 one major Irish retailer appears on the enforcement list 40 times, with some entries relating to multiple offences. Only one conviction is recorded, in the 2012 enforcement list. It would appear that fixed payment notices and other minor measures are a mere cost of doing business, rather than something that leads to an improvement for consumers.
The most commonly enforced rules are those prohibiting the car “clocking” and price display regulations. However, a significant amount of consumer disposable income is likely now spent on daily transactions, particularly through mobile internet use, which involve lengthy contracts with detailed terms and conditions. It is time for a detailed study of these terms and practices to check for compliance with the Act and a number of other relevant pieces of consumer legislation.
I have had a draft blog post lingering for many months addressing some of the issues and concerns with community surveillance, particularly in light of Limerick’s “Smart CCTV” scheme which, I believe, will be a model for a national network of community surveillance.
Quite a lot has since been written (and spoken) about the issue so I include links below to various reports and discussions about the scheme, and some other schemes around the country.
Given the commencement of the GDPR and Data Protection Act 2018, and the forthcoming examination by the DPC, one would think that they State authorities might pause these systems so that a national approach to them could be put in place before expanding their scope further. The opposite seems to be the case.
Litigation solicitors often request and disclose too much information about clients when representing them in court cases. The imminent data protection reforms in the GDPR are bringing data protection issues into focus on a daily basis, not least the routine things many businesses and professionals do and have always done which might not be acceptable under the GDPR or even existing data protection law.
Respecting privacy, and the GDPR, requires that we all consider and reconsider what personal data should be collected and what can or should be done with it. Solicitors owe a duty to their own clients, for example, not to unnecessarily disclose personal data.
What is the issue
This often arises when dealing with requests for information or documentation from “the other side” in a case. If you sue someone there is certain information you must provide the other side with, and some information they are entitled to ask for. I’m going to use the example of personal injury cases, as they are the most relevant in this context.
In those cases the injured party (the plaintiff) has to give certain basic information like their name, address, PPSN, details of special damages and negligence alleged. The person being sued (the defendant) can ask the plaintiff for some additional information such as about previous personal injuries, claims and treatments where relevant and, if asked, the plaintiff must answer. These questions are put in what is called a “notice for particulars”, a document sent by the solicitor for the (usually) insurance company defending the claim. If the plaintiff refuses to answer the notice with “replies to particulars”, the defendant can ask for a court order compelling the plaintiff to answer.
That does not, however, mean that all questions must be replied to. The purpose to particulars is so that the defendant knows what case they have to meet at trial and to prevent them being surprised with unexpected allegations. It is not a means of a defendant getting advance details of the evidence that will be presented at trial, nor is it an opportunity for a fishing expedition for information about the plaintiff. It is, however, often treated as just that and defendants often ask all sorts of questions about the plaintiff’s family and domestic circumstances, personal and employment history and medical affairs whether or not they have a bearing on the case.
The (non-data protection) law on particulars
Mr Justice Hogan delivered a significant judgment (Armstrong v. Moffatt) on replying to notices for particulars in 2013. The judgment provides a good run-through of the law on particulars but Hogan J was notably critical of the practices which had developed in recent years of defendants seeking a huge range of information, and of plaintiff solicitors going along with these requests.
Not least in personal injury cases, the particulars sought in many cases had reached something of an art form. Quite often no possible detail or dimension of a [claim] remained unexplored at the hands of pleaders who at times seemed to revel in this glorious new art form. It was by no means uncommon to find notices for particulars stretching to twenty or more paragraphs, often replete with individual sub-paragraphs. Most litigants (or, perhaps more accurately, their solicitors and junior counsel) simply yielded dutifully to these requests, as it was often more convenient and expedient to do so rather than to take a stand on principle. In retrospect, the courts should, perhaps, have been more prepared to strike out many of the pre-rehearsed requests as oppressive and, in some cases, as constituting quite simply an abuse of process … [M]any of the requests in this and similar cases are either irrelevant or not permissible in law as particulars are nonetheless steadfastly advanced shows that many pleaders have simply gone astray in their enthusiasm to interrogate every possible detail of their opponent’s claim.
While the judgment did not mention and was not based on data protection law it was, in effect, a call to action addressed to solicitors on both sides: stop requesting so much information in notices for particulars, and stop acquiescing to excessive requests.
Unfortunately, it has not been heeded. The practice certainly varies from solicitor to solicitor but some insurance defence solicitors continue to issue lengthy notices for particulars, often with very surprising questions about the plaintiff’s personal life and family circumstances that do not appear to have any bearing on the case. Moreover, judges have not always accepted arguments against providing replies to particulars on the basis of Hogan J’s judgment.
A similar issue arises in the context of voluntary discovery, which involves the handing over of full records rather than just replying to questions. I would hope that solicitors are generally more restrictive when it comes to discovery, but solicitor Dervila McGirr quite rightly criticises the reliance on discovery “on the usual terms”, particularly in relation to extensive requests for highly sensitive medical records, and the impact on client privacy. There should be little if any basis for operating “on the usual terms”. Each request for information or documentation should be considered on its own terms.
It is important to note that in these situations, a solicitor acts as the “agent” of her/his client. I won’t digress into the field of agency law but a solicitor acting as agent of the client has a certain amount of latitude to do things on behalf of a client with their authority (whether explicit or implied). Delivering replies to particulars is one of those things, but how far does a solicitor’s authority go? Surely not to hand over personal data wholesale. However, in personal injuries cases at least, the client must swear an affidavit of verification confirming the accuracy of the information in the replies to particulars so the client necessarily has to have reviewed what is in the document. You could, therefore, argue an express authority to hand over the information (after all, the client confirmed the contents), but does it end there?
Which is where data protection comes in
Quite simply, if a defendant is not entitled to certain information in the course of obtaining further and better particulars, what right does a plaintiff’s solicitor have to provide the information? The obligations of the Data Protection Acts (and the GDPR/Data Protection Bill) mean that a solicitor should consider whether the defendant is entitled to the particulars sought. If not, the information (which will often be sensitive personal data) should not be disclosed to the defendant.
A client may have reviewed the contents of replies to particulars and confirmed them in an affidavit of verification, but have they consented to the release of the personal data or expressly authorised it? Consent is notoriously problematic in data protection, and for sensitive personal data (which many replies to particulars in personal injuries cases are) it must be explicitly given. If a solicitor puts draft replies to particulars in front of a client, asks that they be checked for accuracy and that an affidavit of verification be sworn, at what point was the client given a clear explanation of the processing involved (the disclosure to the other side)? The key explanation should involve advice as to whether or not the client is required to disclose the particulars. And this is, I suspect, where many would fall into difficulty.
What is the consequence?
This issue does not appear to have been the subject of a judicial decision or complaint to the Data Protection Commissioner (yet), but this is true of many persistent issues in data protection.
A possible explanation is the lack of serious consequence to date. There has, possibly, been too much deference to exemptions and exceptions in the Data Protection Acts relating to litigation and connected services. And while the Acts (section 7), impose a duty of care to data subjects under the law of torts, the utility of that provision was almost entirely hollowed out by a High Court decision in 2013 (Collins v. FBD). Section 7 was never satisfactory and the Collins decision made it worse, requiring that a plaintiff had to show specific loss in order to claim damages – i.e. the fact that the duty of care owed to them was breached in some way alone was not enough to obtain compensation. Eoin O’Dell’s excellent paper on compensation for GDPR breaches expertly outlines the issues with Collins, forcefully concluding:
the decision … in Collins is quite simply wrong – as a matter of principle, as a matter of national law, and as a matter of European law
In addition, judges sometimes order that replies to particulars be given which should not be ordered – many plaintiff personal injuries solicitors will probably have had this experience in the past. While, under the Acts, this may cure data protection issues for the plaintiff’s solicitor (because there is now a legal obligation to disclose the personal data) the GDPR, again, changes the landscape.
Which is where the GDPR comes in
Mr Justice Frank Clarke (Chief Justice) has recently commented in a number of forums about the challenges the GDPR raises for the judiciary and the need for privacy training among judges. Future disputes about particulars and discovery are likely to involve increased reliance on data protection concerns and the GDPR when before the courts. All of this should mean a more restrictive disclosure regime than has often existed in Ireland, despite the decision in Armstrong v. Moffatt on particulars and the changes in relation to discovery outlined by McGirr.
In the context of voluntary particulars and discovery, while O’Dell points out that the decision in Collins would not survive further challenge, it will be made redundant by the GDPR which requires that someone whose rights under the Regulation have been infringed must be entitled to seek compensation for both material and non-material rights (section 112 of the Data Protection Bill 2018 purports to implement this).
It is difficult to see how a solicitor is fairly processing personal data by unnecessarily disclosing it in these circumstances. This has been the case for many years, but a key change with the GDPR is that breach of data protection rights will no longer be mere technical, regulatory breaches but actionable ones that could give rise to compensation.
And, legal provisions aside, there is a very obvious and natural objection that someone might have to sending out all manner of personal information (including information about other family members or cohabitees) to third parties where it is not necessary to do so. Defence solicitors need to be robustly challenged on notices for particulars, or plaintiff solicitors may find themselves struggling to justify the unnecessary disclosure of their client’s personal data to insurance companies.
Over the past 24 hours the media has focussed on one of the two reports published by An Garda Síochána yesterday. The report into mandatory alcohol testing checkpoints is important and the discrepancy in testing remarkable, but no-one was wrongly prosecuted or convicted as a result of the errors involved. This is exactly what happened due to problems with the Fixed Charge Processing System (FCPS), the subject of the second report. Unfortunately, the report only explains how summonses were wrongly issued, not how so many resulted in convictions before the issue was spotted.
The report details a number of failings which led to the wrongful prosecution and conviction of thousands of citizens. In short: a massive IT system was rolled out with too many people involved in its operation, no training provided to its users and updates applied to it on a piecemeal basis. Some of the reasons for these issues are the type of thing that can happen with any IT system but are remarkable given that the system involved is part of the State’s criminal justice apparatus, with serious consequences for citizens. For example:
“This problem should have been foreseen but was not.” (p.35)
“Members of An Garda Síochana were not given any formal instruction on the FCPS or the issuing of Fixed Charge Notices (FCN‘s) between 2004 and 2016.” (p.36)
“A [Fixed Charge Processing Office] FCPO home page exists [on the Garda Portal] but this does not contain all related and necessary information … There is currently no one place that Garda personnel can go and get comprehensive, clear, concise and up to date direction on using the FCPS.” (p.36)
A Manual Summons Report, which was intended to inform prosecuting gardaí that a fixed charge offence would not lead to a summons being issued automatically and would need manual intervention “remains largely unknown by district staff members and there is still much confusion about same.” (p.37)
“From the day this system was created there was a lack of functionality between the two core systems i.e. FCPS and Pulse.” (p57)
This report comes on the back of, and refers to, a report by the Garda Síochána Inspectorate on the FCPS in 2014 which said that fixes to various issues in the system had resulted in a “technically deficient, managerially uncoordinated, ineffecient and excessively resourced support unit” (p.9 of that report).
The new report identified a number of issues that required a solution but the one that remains unexplained and is difficult to comprehend, is where convictions were imposed for driving without an NCT certificate where the accused had already paid a FCN.
The crucial point here is that one cannot be convicted of Fixed Charge Offence if a FCN has not issued in advance. If no FCN was issued or received by the accused, or if it was issued and was paid, the accused has a full defence to the charge. So why did we not encounter thousands of people in court between 2014 and 2016 giving evidence that they had paid their FCNs?
Gardaí first became that there was a defect in the FCPS in respect of the NCT offence on 6 February 2016 and set about examining and rectifying the issue. Separately, on 26 April 2016 a Garda Sergeant contacted the Garda Information Services Centre to report that a defendant in a particular District Court had appeared on foot of a summons for driving without an NCT certificate when it transpired that the defendant had (a) received a FCN in advance and (b) had paid the fine. The summons should have never issued but, in the event, the defendant had a full defence and the charge was struck out. What beggars belief is that this was the first time the issue arose in a court.
The report gives us only one aggregate figure for convictions arising out of the various issues identified: 14,700 (p.33). It is not clear whether this 14,700 relates only to NCT convictions or to the full range of FCOs. The issues outlined in page 33 are different from those in page 56. How many of the 14,700 convictions referred to were cases where the FCN had been paid, or is there a different statistic entirely for that issue? The report is not just unclear, but confused.
Bear in mind that a court conviction for driving without an NCT carries 5 penalty points, and 12 penalty points leads to disqualification (7 for learners and novices). A second conviction for driving without an NCT carries an automatic 2 year disqualification. So, in almost 15,000 convictions, were there none where the accused was at risk of disqualification or was in fact disqualified? How was it that no-one came to court before 26 April 2016 to say that they had already paid a FCN and should not have been prosecuted? How was there not at least one driver who learned of a conviction and then appealed it because they had already paid the fine?
Are we to accept that thousands of drivers received notification that they had been convicted of an offence and received penalty points and, possibly, a disqualification from driving even though they had already paid a FCN, and they did nothing?
The failure to address this aspect of the examination means that the following further detail is needed:
Of the 14,700 cases identified, how many were prosecutions where the FCN had been paid?
Of those cases, how were the summonses served and have the declarations of service been examined?
How many of those convictions were recorded in the absence of the defendant?
How many of those convictions resulted in the disqualification from driving of the defendant?
A note in the report, after a review of previous reports into the FCPS, states:
The recommendation that the process becomes totally automated using technology to ensure more consistent results is a common theme throughout all these reports. (p.43)
That is well and good, but some of the problems that have arisen are the result of automation and technology. They can be fixed, but a greater degree of care is required in designing and implementing these systems. If Amazon’s order fulfillment system gets a code wrong you might “The Pelican Brief” on DVD instead of in paperback, if the Gardaí’s system gets a code wrong you might get a criminal record.
For over a year now the Irish insurance industry has been spinning dramatic price hikes in car insurance as being the result of claims – those awful people injured in car accidents who dared to claim against insurance are the fault, along of course with their lawyers.
One spin in particular, though, will not die: the suggestion that there was a huge jump in court injury awards from 2013 – 2015. On RTÉ’s Nine News last night (5 October 2016, from 1:43) Kevin Thompson, CEO of Insurance Ireland, made the claim again:
We’ve also seen a 33% increase in the level of awards in the Circuit Court from 2013 – 2015.
This is amazing. Injury awards suddenly up by one third! But this claim, often made by insurance industry spokespeople, raises two obvious questions: (1) why did this happen in the Circuit Court?; and (2) what happened between 2013 and 2015?
The District and Circuit Courts have upper limits on the compensation they can award and until 2014, when the law took effect, the maximum the Circuit Court could award was €38,092.14. That odd figure is £30,000 in old money, hinting that the limit had not been changed in a very long time. In fact, since the late 1990s many argued for an increase in jurisdiction for the District and Circuit Courts to address inflation and the changing nature of litigation. In 2010 I wrote that such a change was long overdue and would help to reduce legal costs. The government had introduced a law in 2002 to allow them to change jurisdiction limits but failed to do so, partly due to insurance industry lobbying.
Increasing the jurisdiction of the lower courts allows them to hear a range of cases that they are more than capable of dealing with, at a lower cost. So, increasing court jurisdiction limits should reduce legal costs.
The increase in Circuit Court jurisdiction in 2014 raised maximum personal injury awards by that court by €21,907.86 – around 57%. This is a significant increase and one which has an immediate impact on statistics, particularly average awards. There is no reason that a Circuit Court judge would award more than a High Court judge in a particular case, so there should be no award inflation. But the average Circuit Court injuries award will naturally increase. Likewise, at High Court level, the average award increases because the lower value awards up to €60,000 are taken out.
So, it is not at all surprising that there was an increase in Circuit Court compensation levels from 2013 to 2015 – the jurisdiction level increased 57% but the average award only 33%. Average award levels limited to one court jurisdiction are of little use in considering the overall levels of compensation awarded or general claims activity.
What the insurance industry does not say, and cannot say, is that this 33% was a result of overall compensation inflation.
Personal injuries compensation is usually assessed by the Injuries Board, though many claims end up in court afterward. Both the Injuries Board and the courts calculate compensation on the basis of general damages, a somewhat unscientific amount awarded for pain and suffering, and special damages, which are made up of specific expenses.
A common claim special damages claim in a personal injuries case is for loss of earnings. The injured party will get a certificate from their employer calculating what earnings were lost due to the injuries suffered and the certificate will be used as evidence to support their claim. Recently, the HSE started charging its own employees €123 for providing a certificate of loss of earnings. This was surprising as while providing the certificate involves some work for the employer, they should have the information readily available and providing it seems part of the ordinary obligations of an employer to an employee.
When I first came across the charge it I queried it with the HSE, who said it was a new standardised fee. I asked the Injuries Board if they would include such a fee in calculating special damages for a claim and they said they would not. So the injured party would either have to pay the fee themselves or risk not having an accurate loss of earnings claim.
Last week, the Injuries Board wrote to me to say that they were taking the issue up directly with the HSE.
In the meantime I had made a freedom of information request to the HSE about the introduction of the fee, with an interesting result. It appears that the HSE began to consider introducing this standardised fee in March 2013. They thought about it at a number of meetings in 2013/2014 and tax advice was taken which confirmed that vat would apply to the fee. They went ahead and introduced it.
There was a gap in documentation after 2014 until 21 September 2016 (two weeks ago), when the general manager of national payroll for the HSE sent an internal email as follows:
Following a review of the charge for Loss of Earnings calculations, it has now been agreed to abolish same effective immediately.
It does seem odd that a process was engaged in over two years to discuss and decide on the national standardised fee, but the review of it which lead to its abolition appears to have come out of nowhere and the only document about it is an email confirming the decision.
But nevertheless, the abolition of the fee is welcome (although, the email says that any existing charges which have been billed remain). Fees of this nature are unnecessary hidden costs in personal injuries claims. When the insurance industry complains about legal costs, it never breaks down the costs and it is worth drawing some attention to the State costs involved.