Never mind the hyperbolics: new confidentiality provisions for DPC

Much of the recent commentary on the new Section 26A of the Data Protection Act 2018 has produced more heat than light. Introduced by the recently enacted Courts and Civil Law (Miscellaneous Provisions) Act 2023, Section 26A provides that the Data Protection Commission may, in specific circumstances, issue a notice to a person requiring that person not to disclose specified information provided to them by the DPC, subject to limited exceptions. 

This seems to have been misunderstood in some commentary to give the DPC a broad power to require any person to keep any information relating to the DPC confidential in any circumstances. However, Section 26A does not provide for a general ability for the DPC to ‘gag’ anyone (whether they be complainants, privacy activists, journalists or otherwise). Instead, it enables the DPC to impose confidentiality obligations on limited categories of people in respect of limited categories of information in limited circumstances. As has been explained in recent commentary on this provision, rather than being intended to restrict criticism of the DPC or to favour ‘Big Tech’ or other subjects of investigations or inquiries conducted by the DPC, it is intended to enable the DPC to share information with complainants or other participants in investigations, inquiries or complaints that will enable them to participate more fully in the process, without jeopardising its integrity or the ability of the DPC to perform its statutory function in relation to the relevant process.

The following are some of the key limitations on the scope of Section 26A and confidentiality obligations that may be imposed under it:

  • It enables the DPC to impose confidentiality obligations only:
    • in respect of information that is provided to a person by the DPC in connection with the performance by the DPC of a ‘relevant function’. ‘Relevant function’ essentially means the DPC carrying out an investigation, inquiry or audit or dealing with a complaint.
    • where the DPC issues a notice to such a person, and identifies the information and the reasons why it is considered to be confidential information in such a notice.
    • in respect of information that can be considered to be “confidential information” on any one of the following three grounds:
      • it is “commercially sensitive information”, as defined in Section 149(7) of the 2018 Act.  In this provision, “commercially sensitive information” is defined as follows: “(a) financial, commercial, scientific, technical or other information the disclosure of which could reasonably be expected to result in a material financial loss or gain to the person to whom it relates, or could prejudice the competitive position of that person in the conduct of his or her business or otherwise in his or her occupation, or (b) information the disclosure of which could prejudice the conduct or outcome of contractual or other negotiations of the person to whom it relates”.
      • it was given in confidence and on the understanding that it will be treated by the DPC as confidential and where, in the opinion of the DPC (i) the disclosure of such information would be likely to prejudice the giving to the DPC of further information by the person or information by another person, and (ii) it is important that the DPC continues to receive such information for the purpose of the performance of a ‘relevant function’.
      • it is information the disclosure of which could, in the opinion of the DPC, reasonably be expected to prejudice the effectiveness of the performance of a ‘relevant function’ by the DPC or an authorised officer of the DPC.  Where this is the basis on which information is deemed to be confidential, any confidentiality obligations imposed by the DPC will cease to apply once the ‘relevant function’ (i.e. the investigation, inquiry, audit or complaint handling process) is completed.
  • Any confidentiality obligations imposed on a person pursuant to a notice issued by the DPC in accordance with Section 26A will not prevent that person from disclosing information within the scope of that notice, where such disclosure is required by law or permitted by the DPC.

Some of the criticism of this amendment has focused more on the way in which it was introduced (as a relatively late addition to the Courts and Civil Law (Miscellaneous Provisions) Bill, before it was enacted). Leaving aside procedural points regarding the method and timing of its introduction in the legislative process, much of the substantive criticism of this amendment seems misguided.

Separately, as mentioned in this recent briefing, the Courts and Civil Law (Miscellaneous Provisions) Act 2023 has also extended to the District Court jurisdiction to deal with data protection actions (i.e. claims for compensation or other relief by individuals for infringement of their data protection rights as a result of non-compliant processing of their data). The prospect of such claims being brought in the District Court rather than the Circuit Court or High Court may be welcomed by some potential defendants from the perspective of minimising legal costs they are likely to incur. However, it also has the potential to result in a greater volume of such claims being made.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.