by Cliona Kimber | Nov 29, 2022 | Legal News
Equal pay claims will come into a new focus following the new statutory code of practice on Pay Inequality launched in March 2022 to help eliminate pay inequality in Ireland, and the pressure on public sector pay due to the cost of living. April also saw the publication of the case of Reid v Teagasc ADJ-00028084, where the respondent was ordered to pay compensation to the Complainant in the amount of €40,000 in an equal pay case AND the Adjudication Officer also ordered the Head of HR to apologise to the Complainant for the department’s “very inept performance” in their handling of the matter. December this year will see the publication of the gender pay gaps in our public sector organisations and our larger private sector employers.
Mounting or defending a large equal pay case across a sector of the workforce can lead to important strategic decisions and raise a number of questions. For example:
- Which factors in a gender pay gap exercise might give rise to equal pay concerns?
- What data does the employee need to bring home a claim?
- What team does the employer need to assemble to defend a claim?
- How can they work with their lawyers, statisticians and accountants to counter sector averaging and pay averages?
- How can this be done with existing GDPR constraints?
Clíona Kimber SC, explains the very real issues around equal pay challenges by reference to the Code and how, combined with gender pay gap reporting, there will be a new spotlight on equality of pay between men and women in Ireland.
1. Factors in the new legislation: the Gender Pay Gap Information Act 2021 and the 2022 Regulations
The Gender Pay Gap Information Act 2021 amended the Employment Equality Act 1998 (mainly by inserting a new section 20), empowering the Minister for Children, Equality, Disability, Integration and Youth to make regulations requiring employers to publish gender pay gap information for their employees and such other additional parameters which the Minister may direct.
The Gender Pay Gap Information Regulations 2022 were published in June 2022. They provide the detailed framework for employers to calculate the gap in pay between males and females and to publish reports outlining specified information about the gender pay gap (GPG) and set out in detail how employers are to calculate the required statistics.
Who falls under the legislation?
- Employers with 250 or more employees are the first to come within the scope of the Act; employers with less than 250 employees will be included from the second anniversary of the regulations; and employers with less than 150 employees from the third anniversary.
- No requirement for employers with less than 50 employees to report.
- All public sector bodies are included, as well as bodies wholly or partly funded out of moneys provided by the Oireachtas, local authorities, the HSE, and schools and education and training boards in respect of which a public service pension scheme exists.
What information must be made available?
- The mean and median gap in hourly pay between men and women;
- The mean and median gap in bonus pay between men and women;
- The mean and median gap in hourly pay of part-time male and female employees;
- The percentage of men and of women who received bonus pay;
- The percentage of men and of women who received benefits in kind.
Insofar as there are gaps in pay, employers must publish a statement setting out the reasons for those differences in the employer’s case and the measures (if any) that the employer is taking to eliminate or reduce the gender pay gap.
How might the Act and Regulations be relevant in equal pay claims?
Two new sections inserted into the Employment Equality Act 1998 to support enforcement: s.85B will allow application to the Circuit Court or High Court in case of failure to comply with regulations made under s.20A by the Irish Human Rights and Equality Commission and s.85C allows a complaint by an employee to the WRC that their employer has failed to comply with s.20A. However, as the only remedy will be an order requiring the employer to comply, and no compensation may be awarded, it is difficult to see this as a standalone action. Rather, it may be used by an employee as a form of discovery. In this respect, timing of an information request and substantive complaint may need to be carefully choreographed.
Factors which may give rise to concern
The requirements to gather data on equal pay, calculate any gap and publish the results, will put a new spotlight on equal pay in a workforce. Factors such as discrepancies, inequalities or perceived inequalities will cause concern among the workforces. Employees may be prompted to take action.
If the exercise is not done at all, the employee may feel the employer has something to hide.
Differences across grades, and types of grades, may also lead to challenges as to the relevant scale an employee is on.
Ultimately, the deterrent effect on pay inequality of published pay gaps cannot be underestimated.
2. What data does the employee need to bring home a claim
The initial burden of proof is on the employee to establish a prima facie case. To do this, the employee needs to identify a comparator of the opposite gender who is doing the same work and who is being paid less than them. The employer is then required to justify the difference in pay on the basis of factors unrelated to the sex of the worker.
Clearly, information is king. Since discovery is not available before the WRC – although there is a power to request that information be disclosed to the WRC – there are two tools which might be deployed.
Data Subject Access Requests
- Article 15, Recitals 63 & 64 GDPR
- Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, a controller may also, where appropriate, refuse to act on the request
- high threshold to meet, and the controller must be able to prove that the request was manifestly unfounded or excessive, in particular taking into account whether the request is repetitive. There should be very few cases where a controller can justify a refusal of a request on this basis.
- The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’ – may cause problems re seeking comparator information.
There is very helpful guidance on the website of the Office of the Data Protection Commissioner as to making and complying with data subject access requests.
Freedom of Information Requests
An employee working in the public sector, may also have the ability to make a freedom of information request. This facility only applies to bodies that conform to the definition in section 6(1) of the Freedom of Information Act 2014 are subject to FOI:
- (1) Subject to this section, each of the following shall be a public body for the purposes of this Act:
(a) a Department of State;
(b) an entity established by or under any enactment (other than the Companies Acts);
(c) any other entity established (other than under the Companies Acts) or appointed by the Government or a Minister of the Government, including an entity established (other than under the Companies Acts) by a Minister of the Government under any scheme;
(d) a company (within the meaning of the Companies Acts) a majority of the shares in which are held by or on behalf of a Minister of the Government;
(e) a subsidiary (within the meaning of the Companies Acts) of a company to which paragraph (d) relates;
(f) an entity (other than a subsidiary to which paragraph (e) relates) that is directly or indirectly controlled by an entity to which paragraph (b), (c), (d) or (e) relates;
(g) a higher education institution in receipt of public funding;
(h) notwithstanding the repeal of the Act of 1997 by section 5, and subject to this Act, any entity that was a public body (including bodies or elements of bodies prescribed as such) within the meaning of the Act of 1997 on the enactment of this Act.
The FOI Act also provides, at section 7, for the extension of FOI to non-public bodies which are significantly funded by the State. Any such bodies that were subject to FOI under the 1997 Act will remain subject to FOI under the 2014 Act. The Minister may, by order, provide for FOI to apply to other non-public bodies which are significantly funded by the State in due course.
Circuit Court Discovery
Gender discrimination cases can be brought direct to the Circuit Court, as opposed to the WRC. The Circuit Court has unlimited jurisdiction in this type of case. Discovery is available in the Circuit Court, and an employee might be able to seek pay information by way of a request for discovery from the employer. It is likely that there would need to be some basis for the claim to be successful in obtaining discovery.
3. What team does the employer need to assemble to defend a claim?
If faced with an equal pay claim, an employer may need to add statisticians and accountants to the team to defend the claim. Larger organisations may want to create a team that includes people with knowledge of the organisation’s payroll and HR systems, and someone with an understanding of statistics, as well as an expert in equality law. This is particularly so if the pay across a grade or sector is challenged, or there are pay discrepancies across time windows.
The employee is likely to focus on a comparator of a different sex which they complain is paid more than they are for the same, or like work. The employer may need to justify this on the basis that the pay is linked to that grade, or that level rather than the sex of the worker. This may require statistics for the average pay across the sector, or statistics as to the number of overall males and females in the complainant pay grade and comparator pay grade. There may potentially be other factors which justify a difference in pay, which might only be revealed by statisticians, for example, agreed bonuses in a particular location due to a local agreement, allowances, night pay, after hours, additional bank holidays worked and so on. Pay could be impacted by allowances for degrees obtained or reduced if training has been paid for in a particular area.
Accountants may be needed to quantify the value of a claim, or the overall value of particular pay elements, or the value of changes over time, as it may be possible to defend a claim by showing that pay has not been unequal in fact, although it might appear to be.
A gender pay gap could also reflect how the gap is calculated. There are organisations where more women than men have opted to pay their pension contributions under salary sacrifice arrangements, and this has widened the pay gap figures.
Multinationals: A multinational with 250 or more relevant employees working wholly or mainly in Ireland must report on its gender pay gap. The regulations are not clear about group reporting. At present they require each company, that is, each legal entity within a group, to report on its own gender pay gap; if a subsidiary has fewer than 250 employees, it does not have to report. As each legal entity within a group will vary in size, it will sometimes happen that not all companies within the group meet the 250 or more threshold. At present, the position is not clear as to whether a company and its subsidiaries are to be amalgamated for the purpose of creating an obligation to report. This also means, on the defence side, that if there is any challenge to pay statistics, that the company may be better minded to consider its reporting unit.
One public service decision reveals how the statistical bigger picture is required to defend.
Tomás Horgan and Claire Keegan v Minister for Education & Skills and Others (C-154/18) ECLI:EU:C:2019:113.
- The case concerned primary school teachers in state-paid positions.
- To achieve a medium-term structural reduction in the cost of the public service, the Irish government changed the salary arrangements by which newly recruited public servants, including teachers in national schools, were recruited, offering lower pay to new recruits than teachers already employed before a specified date, irrespective of age.
- Young teachers made a complaint about equal pay by reference to a comparator of an older teacher doing the same work. There was a difference in pay.
- The CJEU considered whether there could be discrimination at all. It observed that the difference in salary treatment resulted from the date of recruitment. When a person was recruited was the only relevant criterion, which applied regardless of age at the time of recruitment.
- CJEU held that this did not constitute indirect age discrimination as “The date of recruitment is at first sight a neutral criterion from the age perspective.”
- The Court concluded: “that criterion, which renders the application of the new rules dependent exclusively on the date of recruitment as an objective and neutral factor, is manifestly unconnected to any taking into account of the age of the persons recruited … the new remuneration conditions introduced by Ireland are not based on a criterion which is inextricably or indirectly linked to the age of the teachers, so that it cannot be considered that the new rules establish a difference of treatment on grounds of age”.
4. GDPR constraints
Clearly data on employees work and pay is collected for the purpose of paying the employees for work done. If the data is used to defend litigation, this will have to be justified under GDPR. Therefore, an employer will be required to find a valid reason for the processing and to put any safeguards in place.
A justification can be found in Data Protection Act 2018. Section 41 of that Act (“Processing for purpose other than purpose for which data collected”) states:
“Without prejudice to the processing of personal data for a purpose other than the purpose for which the data has been collected which is lawful under the Data Protection Regulation, the processing of personal data and special categories of personal data for a purpose other than the purpose for which the data has been collected shall be lawful to the extent that such processing is necessary and proportionate for the purposes…
(c) set out at paragraphs (a) and (b) of section 47;”
The relevant portions of Section 47 read:
“(a) is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
(b) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”
Nevertheless, as such processing is an exception to the general prohibition on processing data beyond its original purpose, Article 6(4) GDPR, – which applies to processing data for a purpose other than that for which it was collected – may come into play.
This section is likely to apply since the purpose of the original collection of the information was likely to have been under Article 6(1)(a) (the data subject consented to the processing for specific purposes) and/or (b) (the processing is necessary for the performance of a contract to which the data subject is party), Article 6(4) GDPR provides:
“Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller.
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
- the possible consequences of the intended further processing for data subjects.
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.”
The employer using employee data such as pay level, age, educational achievements or qualifications, location of work, part-time or full time, or any other factors, will need to make sure that the safeguards are put in place.
If an employer works across a company structure, where the paymaster and employer are split, as can happen in the public sector, or where there are co-respondents, there may be further difficulties in using and sharing information between co-respondents or parts of a company.
5. What type of redress is needed when there are arrears of pay
What are the implications of the various options available to the parties when dealing with an award or negotiating a settlement agreement?
Its important to remember first that the WRC or Labour Court can award the following:
||(a) an order for compensation in the form of arrears of remuneration (attributable to a failure to provide equal remuneration) in respect of so much of the period of employment as begins not more than 3 years before the date of the referral
||(b) an order for equal remuneration going forward
||(c) an order for compensation for the effects of acts of discrimination or victimisation which occurred not earlier than 6 years before the date of the referral of the case
||(d) an order for equal treatment in whatever respect is relevant to the case;
||(e) an order that a person or persons specified in the order take a course of action which is so specified.
These are a wide range of orders, and mean that the WRC or Labour Court has a wide menu to choose from. They could also override any financial limits by making an order for equal treatment in ‘whatever respect is relevant.’
Points to consider include:
- The financial implications (particularly with regards to tax) of framing a plaintiff’s claim as a claim for back pay as opposed to a lump sum; [compensation for discrimination under 82(c) is limited to 2 years salary, but would not be subject to tax if it is compensation for effects of discrimination).
- For defendants, the greater immediate financial impact of a lump sum payment as opposed to the longer-term implications of a regrading or increase in pay for the future, which includes consideration of benefits and pensions.
- Arrears of pension – an employee will be required to make up any employee contributions, if these were required by an employer scheme. These need to be calculated.
- The range of orders which may be “on the table” if a claim is heard.
Conclusion- Take Aways
Strategy is important in dealing with equal pay claims. A complainant or a defendant must start with the end in mind and must have a clear road map as to how to get there.
Litigants must consider the use of data access tools, and the type of factual evidence they will need to assemble to create a prima facie case. Employers will have to consider at the outset what team they will need to assemble to defend the claim, and to analyse up front the substance of the claim from a statistical as well as legal perspective.
A good strategic defence at an early stage may encourage a litigant to withdraw the claim. Obtaining and analysing the data and how it relates to law may reveal that there is a difficulty with the defence, and thus lead to a more cost-effective early settlement, saving legal costs.
by Cliona Kimber | Jul 29, 2022 | Legal News
Written by: Clíona Kimber SC and Blánaid Ní Bhraonán (LL.B, BCL(Oxon))
Success in legal proceedings for your clients starts a long time before the day of hearing. There are many different roadways to trial and very many opportunities for your client to receive a successful outcome in a cost efficient manner and with the least amount of difficulties. It is important, therefore, to invest in litigation strategy from the outset.
Discovery is a part of litigation strategy. It is often dealt with in routine manner but bears a little more analysis. Your client may instruct you as to particular documentation held by their opponent which they believe can prove or disprove a case. The opponent will, however, be anxious to avoid scrutiny of documents, particularly those which might expose a smoking gun or show that they have prejudged an issue or made a decision in relation to your client’s interests which they subsequently deny. These sorts of documents are more likely to come into being when parties are squaring up their dispute. As a result, you may be met by claims from your opponent that the documents were prepared in contemplation of litigation and are therefore covered by litigation privilege.
However, litigation privilege is a lot narrower and more focused than parties might think and therefore it is well worth investing in your understanding of exactly what documents are covered and exactly what documents really should be provided to you.
This article will cover the most recent decisions on this topic and address the key questions judges ask when one side claims litigation privilege over certain documents.
Litigation privilege is one form of legal professional privilege. It’s important to remember that this is an exception to the general rule that all information relevant to the proceedings is subject to disclosure. Therefore, it only applies where it can be justified by the need to facilitate full and frank communication between a party and his or her advisors when preparing for trial. Litigation privilege should thus be applied carefully and balanced against the ordinary presumption in favour of disclosure.
The Four Key Questions
In Artisan Glass Studio Limited v The Liffey Trust Limited ( IEHC 278) McDonald J identified the four main questions the court should consider in determining whether litigation privilege applies to a given document.
The first question is: Was litigation reasonably apprehended at the time the documents in question were brought into being?
This is a trickier hurdle to overcome than it might first appear. In Colston v Dunnes Stores ( IECA 59) Irvine J stated that the court will not be satisfied with a “bald assertion” that the document was in fact prepared with future litigation in mind.
The second is: Were the documents in question were brought into being for the purpose of the litigation?
In Ladislav Kunzo v Kepak Longford Unlimited Company ( IEHC 180) Barr J considered whether a workplace accident report created a month after the incident occurred, but before the plaintiff’s letter of claim was sent to the defendant, was covered by litigation privilege. He held that there was no requirement that proceedings had actually been threatened or instituted at the time the document was created, as long as the court was satisfied that the dominant purpose in creating it was the desire to obtain legal advice regarding potential future proceedings that could be reasonably anticipated.
In this case, the head of the Health and Safety department in the defendant group of companies stated on affidavit that the company investigated all workplace accidents in light of the fact that it would probably give rise to a legal claim by the injured worker. Moreover, the investigation report was considerably more thorough than what was required of the defendant under health and safety legislation (it included witness statements, photographs, etc.) and Barr J was satisfied that it was indeed assembled in anticipation of litigation.
The third key question is: If the documents were created for more than one purpose, was the litigation the dominant purpose?
In Artisan Glass at  McDonald J noted that the court must be provided with sufficient material to enable it to assess whether the dominant purpose of the document is the apprehended litigation. Where a party claiming privilege fails to provide the necessary material to the court, the court may conclude that they have failed to establish the dominant purpose of the creation of the document.
In Kellard Homes Ltd v Ballytherm Ltd  IEHC 305 Quinn J found that the party claiming litigation privilege failed to discharge the onus of proof as to the dominant intention of the emails in question. He also stated that the proximity in time of the emails threatening litigation and the emails over which privilege was claimed was not enough to satisfy either the “reasonably apprehended” or “dominant purpose” requirements.
These decisions demonstrate that if you are claiming litigation privilege over documents, it’s not enough to argue that the documents were created in a vague anticipation of a variety of possible legal issues – the dominant purpose has to be specifically in anticipation of the relevant proceedings.
The fourth and final question is: Has the party claiming privilege discharged the burden of proving that the documents are protected by privilege?
In Colston Irvine J upheld the High Court’s finding that the store manager’s statement on affidavit that the accident report was created “in the course of, and for the purpose of” defending the proceedings was not enough to demonstrate that the apprehended litigation was the dominant purpose of creating the documents.
The court was unimpressed with this assertion, even though the statements taken from witnesses were headed “privileged and private for the use of Dunnes Stores and/or their legal advisors” and the investigation form was headed “Internal Investigation in respect of incident which it is contemplated may become the subject of legal proceedings/privileged and private for the use of the Company and their advisors and underwriters”. Irvine J noted that these documents were created on the day of the accident and there was no replying affidavit or sworn testimony from anyone in the defendant company elaborating upon whether there was a policy or approach of creating such documents specifically in apprehension of future claims.
These recent decisions show that to succeed in a claim of litigation privilege, a party needs to get specific, detailed evidence – on affidavit or, even better, on oath – before the court about why and how the documents were drawn up. Conversely, when countering a claim of privilege, the best approach is to highlight any vagueness or suggestion of multiple or competing purposes for the documents and emphasise the privilege’s status as an exception to general rule which must be adequately justified by the one claiming it.
Armed with the knowledge in this blog – you can hope your investment in litigation strategy pays off.
by Cliona Kimber | Sep 24, 2021 | Legal News
Data Protection is very important for in-house and agency PR consultants who ranging from working in public and private sector organisations to being sole traders to being senior agency leaders / MDs who advise across the areas of reputation, consumer / FMCG, Public Affairs, finance, construction, internal communications, to name but a few.
Data Management of project communications for large infrastructure projects is a big issue also especially around public consultations on projects.
Brexit has thrown a spanner in the works especially where there is uncertainty about where computer servers are housed.
Much, but not all, of what is sent on behalf of clients or employers by public relations professionals to journalists is unsolicited e.g., media releases, invitations to events. Generally, public relations practitioners and press officers have access to a media contacts database/s in some format e.g., Excel. These databases commonly contain journalists’ names, who they work for, their work and possibly personal email address, their work and possibly personal mobile number.
According to the GDPR, storing or using such data constitutes ‘processing’ personal data. Journalists have the same rights in relation to their personal data as any other person under GDPR. Public relations practitioners and press officers must therefore ensure they are compliant with the GDPR. Breaches of these regulations can have a severe impact on organisations, including onerous fines.
All members of staff who have access to, or store on their phone, laptop etc, such as mailing lists or data bases of contacts must therefore be made aware of the GDPR and act within the regulations.
I will look at the following matters:
- The GDPR
- Key issues and solutions
- Data base management
- Privacy & data protection policies
- Consent at events, photographs
- Some Stories on Enforcement
- The Learnings
The GDPR, in article 5, sets out 5 key principles. These are not aspirations, but are serious obligations placed on the controller or processor should they elect to process any personal data, regardless of the extent or duration. The principles are that personal data must be:
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
- Restrict disclosure and processing;
- Taken care of in storage, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- accurate and, where necessary, kept up to date (‘accuracy’).
Article 5 also provides for an additional principle, directed at the controller, that it shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability’).
In brief, the most common areas of difficulty are:
- The scope of ‘personal data’. What is personal is very broad – it is defined as ‘any information relating to an identified or identifiable natural person’ and is not limited to ‘identifiers’,
- Lawfulness of processing – there are six reasons in legislation, but in essence three – reasons (a) (e) and (f) of the list of six – are applicable to public relations:
‘(a) consent’ and that it must be freely given, explicit, informed and revocable at any time, or legitimate interest.
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Where processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited unless there are two good reasons.
- What is a Legitimate interest – in brief, it is really necessary for your business, bearing in mind that unsolicited mailing and sales are not permitted. This will be looked at in more detail at Key issues and Solutions
- The need to exercise Due care in the retention of data:
- Confidentiality of data to be preserved and there should only be limited sharing of data; even within the workplace information should be kept secure and access should only be on a need to know basis.
- Confidentiality should be preserved and secure systems and devices ensured while working at home.
- ‘Transfers to third countries’, may be problematic and this can include cloud storage abroad. Therefore, the laws of that third country need to be considered to determine whether or not any effective technical measures can prevent any access from infringing on the rights of a data subject.
Transfers to the UK will be considered transfers outside of the EU/EEA and will require a mechanism to ensure an adequate level of data protection. Fortunately, the EU Commission formally adopted two UK adequacy decisions on 28 June 2021, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses. They are of a four-year duration.
Key issues and solutions
Lawfulness of processing databases of contact
There are many practical questions facing PR professionals. Can I keep a database of journalists to e-mail them your press releases? Can my PR agency keep a database? These are thorny questions and there is no definitive answer to them yet, as many edge cases will be decided by the judiciary.
The main basis for lawful processing is legitimate interest. To successfully rely on this to justify keeping all the data bases and e-mailing contacts is that the specific interest in question must be identified for the data subject.
So, what is the specific interest? A fair and reasonable interpretation of GDPR is that public relations agencies and in-house departments would be exercising a ‘legitimate interest’ in storing and processing journalist data and contacting journalists to provide relevant information. Remember, access to the media is important not just for big corporates but small businesses, charities and pressure groups too – organisations of all types and sizes.”
If public relations professionals have to get specific consent from every journalist for every client and every campaign (granularity of consent built into GDPR), then this will be very difficult for public relations and it could be said there is a public interest in good journalism and reporting as necessary for democracy, which is in the public interest.
A public interest case could actually be made for communications with You can argue that the impact of the media is so great, that it is necessary to monitor what the media are writing and which journalists in particular are following your industry.
There is a good case to be made that companies have a legitimate interest to manage a list of stakeholders.
The corporate communication best practices say that you should have a good overview of your stakeholders.
That means that, at a minimum, you need to have a list of stakeholders and their representatives – as well as some classification and information about their views. You can think of stakeholders like:
- Federations and associations
- Policy makers
- Local Organisation
- NGOs and pressure groups
For example, if you are working for a chemical plant, it makes sense to have a database of contacts in surrounding residential areas, such as local authorities, Gardaí, fire service, residents’ organisations.
But also, perhaps, groups that might have goals that are at odds with your organisation, such as competitors.
Right to Object
However, a scattergun approach to contacting journalists or stakeholders is not likely to be permissible, e.g. sending a press release on a food product to a sports journalist. This may be seen as spam and would not be covered by legitimate interest. In any event, it is also likely to be bad business, as a journalist who keeps getting irrelevant press releases from you is likely to ignore them.
Don’t forget also that a journalist or stakeholder has the right to opt out, and also to request access to the data you hold on them.
Photographs at Events
A picture tells a thousand stories, and that is why photographs are so important for public relations. Where events take place, a few good photos can be the hook to good publicity. However, the taking of images of those present, and what you do with them is a minefield for GDPR.
For example, one large company which sponsored an award for persons with disabilities, kept the pictures on its website for many years. While the award was a stepping stone at the outset, the image became a hindrance as the person had moved into long term employment and wanted more privacy around their particular disability.
The Guidance Note of PRII “GDPR Information for Public Relations Professionals Compiled by the Public Relations Institute of Ireland 2018” is extremely useful and has very good advice.
“Personal data includes photographs and images which do/can identify an individual. PR professionals are used to using photography release forms and this should be continued.
Images also need to be stored in a safe and secure manner. Bear in mind that under GDPR this data is included in the right of individuals to know what data you hold on them and people can request for such data to be deleted.
In crowded situations, for example, at an event it may not be possible to get consent from everyone so consider making it clear by announcement, notice on invitations, and on-site signage that there will be photography or another image recording taking place.”
A Privacy Notice should confirm that an organisation is aware of, and operating in alignment with, the GDPR, that only necessary data is held, that it is held for the legitimate interest of doing business, that the data is secure, that it will not be shared, and that it can be amended or deleted at the request of the individual data subject within one month, on request.
A sample given by PRII is:
“Please be advised that [photographs, video, livestreaming] will be [taken, made, taking place] at this event. These materials may be used by [name of company/companies] and included in [publications, media materials, promotional materials, digital platforms and social platforms]. If you do not wish to appear in any images captured, please contact a member of [company] staff on site. [Company] can then take appropriate steps to comply with your wishes.”
Some stories on enforcement
The GDPR and Data Protection Act provide the Data Protection Commissioner with a raft of significant powers, including investigative and corrective powers and the authority to impose administrative fines of up to €20 million or 4% of global turn over, or a maximum of €1m for state bodies. Any fines must be effective, proportionate and dissuasive. The DPC has published very detailed and comprehensive decisions which provide significant clarity on how the DPC considers imposing a fine.
The DPC, as the Lead Supervisory Authority for many of the world’s largest controllers and processors, is placed in a unique and powerful position to enforce the GDPR. However, as many of these controllers and processors are engaged in cross-border processing of personal data, the one-stop-shop mechanism often comes into play.
The mechanism means that any draft decision the DPC comes to in Ireland needs to be sent to the Concerned Supervisory Authorities in other countries, and the same is true for the equivalent of the DPC in other countries. However, there has been controversy over the fines of our Irish DPC – that they are too lenient, and we have been receiving recommendations from the EU body.
One example in Autumn 2021 is the fine imposed on WhatsApp where European regulators directed the Irish DPC to increase the fine from what was originally proposed. As a result, the DPC, Helen Dixon, has imposed a record €225 million fine on WhatsApp for “severe” breaches of privacy laws.
The breaches found by the DPC in combination with the EU bodies were a failure to abide by transparency obligations that are placed on data controllers by the GDPR in the context of the possible sharing of personal data between WhatsApp and a variety of Facebook companies. In particular that there was
The way in which information was provided was not adequate, the report noted that it was piecemeal and needed a link through to different screens.
The DPC found that WhatsApp had failed to comply with its obligations pursuant to Article 13(1) (d) of GDPR. WhatsApp was criticised for a “very significant information deficit” in particular that the company provided only 41 per cent of the prescribed information to users of its service and none to non-users. The impact was “particularly severe” on non-users of WhatsApp, who were denied the right to exercise control over their personal data.
Disputed and appealed by WhatsApp
WhatsApp has disputed the fine. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” the company said. It has appealed.
It is certainly true that privacy regulators have taken a more aggressive position on enforcement. On July 30 2021 Amazon.com Inc (AMZN.O)was fined with a record €746 million for processing personal data in violation of the EU’s GDPR rules. The original complaint was that Amazon’s advertising system was not based on free consent. However, little is known about what Amazon has been fined for.
DPC Prosecutions for sending unsolicited marketing emails and contacts
Another enforcement power which the DPC has is to bring criminal prosecutions against companies who breach GDPR. It has been doing a lot of these.
One example of the type of breach is in relation to the Prosecution on 7th September 2021 in the Dublin Metropolitan District Court against two prominent telecommunications companies in relation to marketing offences under S.I. 336 of 2011.
Three Ireland (Hutchison) Limited pleaded guilty to two charges of sending unsolicited marketing emails to one customer who had not consented to his email address being used by the company for marketing purposes. The complainant opted-out of receiving marketing emails in mid-February 2021. When Three Ireland (Hutchison) Limited attempted to execute the opt-out request an issue arose from a scenario of two records getting sent simultaneously and losing sequence, resulting in its system not being updated correctly. As a result, three further marketing emails were sent to the complainant in the following weeks. The Dublin Metropolitan District Court applied the Probation of Offenders Act in this case on the basis that the company will donate €3,000 to charity.
Vodafone Ireland Limited pleaded guilty to a total of seven charges of sending unsolicited marketing text messages, emails and telephone calls without consent. One case concerned a former customer who had called Vodafone on seven separate occasions to try to opt-out of receiving marketing phone calls to his mobile phone. On each occasion the agent he spoke to did not follow proper procedures and this resulted in him not being opted-out of marketing and receiving further marketing calls. The complainant closed his account with Vodafone Ireland Limited and switched to a different operator due to the marketing phone calls he received.
From these stories on enforcement, PR professionals can see that keeping in line with GDPR is very important for them and their company. While it might seem complex, the basic touchstone is to be aware of peoples’ privacy and their right to be left alone – even if a company wants to contact them. After that, if you have databases and contacts, keep them safe and secure and only accessible on a need to know basis.
Also, from the WhatsApp case we can learn that taking care of data is not enough, a company also has to communicate its policies and be transparent. Thankfully this is something that PR professionals should already be very good at
For further advice: Clionakimber@lawlibrary.ie