There are a number of bodies, regulatory and otherwise, which investigate corporate crime in Ireland. These include An Garda Síochana (the police), the Office of the Director of Corporate Enforcement (ODCE), the Office of the Revenue Commissioners (the Revenue Commissioners), the Competition and Consumer Protection Commission (CCPC) and the Office of the Data Protection Commission (ODPC).
Offences are divided between summary (minor) offences and indictable (serious) offences. In general, regulatory bodies are authorised to prosecute summary offences. However, the Office of the Director of Public Prosecutions (DPP) is the relevant body for the prosecution of criminal offences on indictment. The DPP has no investigative function; the relevant regulatory or investigating body prepare a file and submit it to the DPP for consideration. It is then solely at the discretion of the DPP as to whether a case will be taken in respect of the suspected offence. The Central Bank of Ireland also has investigatory and regulatory powers, including powers of inspection, entry, search and seizure, in respect of financial institutions under the Central Bank Act 1942, as amended.
The detection and investigation of criminal conduct is the core function of the police force. The Garda Bureau of Fraud Investigation (GBFI) is a subdivision of the police that also provides assistance in investigations of serious fraud. The GBFI is governed by the same statutory framework as the police and therefore has no specific investigative powers for the specialised work it carries out. The Criminal Justice Act 2011 granted both bodies a more extensive range of powers in order to adequately deal with the complex nature of corporate crime. The Criminal Assets Bureau (CAB) is connected with the police and the GBFI. The primary function of CAB is to carry out investigations into the suspected proceeds of criminal conduct. In carrying out this function, CAB, working alongside the police, is empowered to search and seize any assets suspected of deriving from criminal activity, and may arrest any persons obstructing an official investigation.
Following the introduction of the Companies Act 2014, the ODCE remains the principal corporate enforcer in the state, and is responsible for investigating instances of suspected offences under, and noncompliance with, company law. The ODCE is afforded a wide range of investigative powers under the Companies Act 2014, including powers of entry, search and seizure and the power to compel the production of specific documents that are of material assistance to their investigation. In respect of prosecution, the ODCE has the power to prosecute summary offences and to refer cases to the DPP for prosecution on indictment.
The Revenue Commissioners is the government agency responsible for the assessment and collection of taxes in Ireland, and also has extensive investigation and prosecution powers. Its investigation and prosecutions division is responsible for the development and implementation of policies, strategies and practices in relation to serious tax evasion and fraud offences. It has a wide range of powers, including the power to conduct civil investigations; to conduct investigations into trusts and offshore structures, funds and investments; and to obtain High Court orders. Of particular significance is the power to obtain information from financial institutions and procure search warrants to this effect. Similar to the ODCE, the Revenue Commissioners has the power to prosecute summary offences and to refer cases to the DPP for prosecution on indictment.
The CCPC, recently established under the Competition and Consumer Protection Act 2014, also holds extensive powers of investigation in relation to suspected breaches of competition law. The CCPC has powers of entry and search and seizure, including the power to search any premises used in connection with a business. Its search powers are not confined to a company's offices but extend to the homes of directors or employees.
The ODPC is responsible for enforcing the Data Protection Acts 1988 and 2003, (the Data Protection Acts) and the E-Privacy Regulations 2011. This legislation governs the processing and storing of personal data, or data by which an individual can be identified. If the ODPC receives a complaint under the Data Protection Acts, it is obliged to investigate the alleged breach. Additionally, the ODPC may investigate the unlawful processing of personal data and audit data processors of its own accord. The ODPC secures compliance with the Data Protection Acts through the service of enforcement and prohibition notices on the offending parties. Under Section 10 of the Data Protection Acts, any person who, without reasonable excuse, fails or refuses to comply with an enforcement notice shall be guilty of an offence. The ODPC may bring summary legal proceedings for an offence under the Data Protection Acts, but conviction on indictment may only be initiated by the DPP.
The prosecution of corporate crime in Ireland is not influenced by political agendas, as the investigative bodies maintain independence from both the government and each other. The Office of the DPP is created by statute with the specific aim of maintaining prosecutorial independence. Section 6 of the Prosecution of Offences Act 1974 makes it an offence for persons (other than an accused, suspect, victim or person directly involved) to communicate with the DPP with a view to influencing a decision to commence or continue criminal proceedings. However, arguably there is a lack of transparency in relation to the decisions to prosecute, or not prosecute, particular crimes, as the DPP does not publish the reasons for a decision on prosecution. However, the DPP introduced a pilot scheme on 22 October 2008, under which the DPP will publish the reason for their decision not to prosecute in cases where an individual has died as a result of an alleged crime, including manslaughter and workplace deaths. The DPP will only provide reasons for his or her decision if:
a the crime was committed on or after 22 October 2008;
b a member of the family or household of the victim, or their lawyer, doctor or social worker requests the reasons; and
c no injustice would be created by disclosing such reasons.
Businesses are under no obligation to cooperate with an investigating authority, save where provided for by legislation or in the appropriate court order. In all cases, businesses should seek legal advice as to the extent to which they must cooperate and comply with the investigating authority. Compliance with a request for documents or information on a voluntary basis may impact on the privilege against self-incrimination and any obligations of confidentiality or under the Data Protection Acts to third parties.
There are a number of legislative provisions that impose a positive obligation on persons (including businesses) to report wrongdoings in certain circumstances:
a Section 19 of the Criminal Justice Act 2011 provides that a person is guilty of an offence where he or she fails to report information that they know or believe might be of material assistance in preventing the commission or securing the prosecution of another person of certain listed offences, including many white-collar offences. The disclosure is required to be made as soon as is practicable. Practically speaking, however, the person considering making the report may need to make enquiries in order to be satisfied that a report is justified. The applicable standard for what information meets the threshold of ‘material assistance' in preventing the commission of, or securing the prosecution, of an offence has not yet been expanded on or tested before the Irish courts.
b Section 38(2)(a) of the Central Bank (Supervision and Enforcement) Act 2013 places an obligation on the senior personnel of a regulated financial services body to disclose to the Central Bank of Ireland as soon as is practicable, information relating to a suspicion of, or the commission of, an offence under financial services legislation.
c Section 42(1) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 provides that certain designated persons have an obligation to report any knowledge or suspicion that another person has been or is engaged in an offence of money laundering or terrorist financing to the police and the Revenue Commissioner.
d Section 59 of the Criminal Justice (Theft and Fraud Offences) Act 2001 obliges the auditor of a company to disclose to the police information of which the auditor may become aware in the course of his or her duties that suggests the commission by the company or entity of any offences under that Act. This obligation is notwithstanding any professional obligations of privilege or confidentiality on the part of the auditor.
e The Personal Data Security Breach Code of Practice requires all incidents in which personal data has been put at risk to be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident. However, a self-reporting obligation is not triggered where fewer than 100 data subjects are affected, the full extent and consequences of the incident have been reported without delay to those affected and the incident does not involve disclosure of sensitive personal data or personal data of a financial nature.
Although in practice self-reporting may be a mitigating factor in prosecution, immunity or leniency based on this conduct is rarely expressly afforded by legislation. However, the list of sanctioning factors set out in the Central Bank's Administrative Sanction Procedure includes ‘how quickly, effectively and completely the regulated entity brought the contravention to the attention of the Central Bank or any other relevant regulatory body.'
The DPP has a general discretion whether or not to prosecute in any case having regard to the public interest. Within that discretion is the power to grant immunity in any case. Any such grant of immunity will generally be conditioned on the veracity of information provided and an agreement to give evidence in any prosecution against other bodies or individuals. There are no specific guidelines governing the grant of immunity in general. However, in the realm of competition law, the CCPC, in conjunction with the DPP, operates a Cartel Immunity Programme (CIP) in relation to breaches of the Competition Act 2002 (as amended). Applications for immunity under this Programme are made to the CPPC. However, the decision to grant immunity is ultimately at the discretion of the DPP.
A revised CIP came into effect on 22 January 2015, and sets out clearly the criteria for an application for immunity to be successful. A person applying for immunity under the CIP must come forward as soon as possible, and must not alert any remaining members of the cartel to their application for immunity under the programme. Further, the applicant must not have incited any other party to enter or participate in the cartel prior to approaching the CCPC. It is important to note that immunity under the CIP is only available to the first member of a given cartel that satisfies these requirements.
Once an application for conditional immunity has been granted, a positive duty is imposed on the applicant to cooperate fully with the investigation, on a continuing basis, and at no expense to the CCPC. In particular, the applicant must reveal all cartel offences in which they were involved, and provide full disclosures in relation to the same. If the applicant is a company or corporation, the application for immunity must be made by the company in its separate legal capacity. Failure to comply with the requirements set out in the CIP may result in conditional immunity being revoked by the DPP.
ii Internal investigations
There is generally no restriction on a business initiating an internal investigation, particularly in relation to suspected criminal conduct. The company is only under an obligation to share the results of such an investigation with the relevant authorities where it is required under a court order, statute, or a self-reporting obligation (see Section II.i, supra). In considering such matters, the advice of external legal counsel is usually engaged.
An internal investigation usually makes use of a wide range of evidence - hard-copy and electronic documentation, witness interviews, computer forensics and financial records are open to an internal investigation.
There has been some clarification of issues surrounding fair procedures in recent case law. In Joyce v Board of Management of Colaiste Iognáid, the High Court held that natural justice principles do not apply at the initial stages of an investigation, such as the initial consideration of an issue, but are engaged when formal proceedings from which findings may be drawn commence.
Where witness interviews are conducted, the employee in question has no statutory right to legal representation. However, if the employee or witness is, or may become, the subject of the investigation, the employer should consider advising the employee or witness to have legal representation in order to ensure that the employee has been afforded their fair procedures rights and to prevent any later legal challenge to the investigation process. However, this should be assessed on a case-by-case basis.
Any requirement to disclose documents obtained through an internal investigation to the authorities is qualified by legal professional privilege. In Ireland, documentation may attract legal professional privilege, either in the form of legal advice privilege or litigation privilege. Legal-advice privilege arises in communications between a lawyer and their client where there is no actual or potential litigation, but the client is seeking advice and not merely legal assistance. Litigation privilege applies to communications between a lawyer and a client made in the context of contemplated or existing litigation. It is the broader form of legal professional privilege and also covers communications with third parties, such as experts.
Privilege over any document is a right of the client, which he or she may choose to waive. In general, the disclosure of a privileged document to a third party will waive privilege. Following the decision in Fyffes v. DCC, the courts will allow disclosure of an otherwise privileged document to a third party for a limited and specified purpose without privilege being waived. In such circumstances it is essential that the entity making the disclosure seeks assurances by way of a confidentiality agreement that the recipient will not disclose the privileged documents and will use them only for the specified and limited purpose for which they have been disclosed.
Therefore, in the context of regulatory investigations, legal professional privilege is relevant when considering the power of regulatory authorities to inspect documentation and compel the production of documents.
The Protected Disclosures Act 2014 (the Protected Disclosures Act) is the key piece of Irish legislation in relation to reporting suspicions of illegal activity. It was enacted on 15 July 2014, and is the first comprehensive piece of legislation governing whistle-blowing, where previously only piecemeal provisions existed. Public sector bodies must now put in place whistle-blowing policies that meet the requirements of the Protected Disclosures Act; and where private sector businesses have policies in place, they must review them to ensure they are aligned to the provisions of that Act.
Part 3 of the Protected Disclosures Act sets out the protections offered to those who make protected disclosures. Where a worker makes a protected disclosure, the employer in question is prevented from dismissing or penalising the worker; bringing an action for damages or an action arising under criminal law; or disclosing any information that might identify the person who made the disclosure. Further, the Act makes provision for a cause of action in tort for the worker for detriment suffered as a result of making a protected disclosure.
Section 5 of the Protected Disclosures Act defines a ‘protected disclosure' as a disclosure of information, made by a worker, which, in their reasonable belief, shows a ‘relevant wrongdoing' and which came to their attention in the course of their employment. Section 5(3) of the Protected Disclosures Act defines a ‘relevant wrongdoing' as relating to the commission of an offence; non-compliance with a legal obligation (except one arising under the worker's employment contract); a miscarriage of justice; endangerment of health and safety; damage to the environment; misuse of public funds; mismanagement by a public body; or concealing or destroying information relating to any of the above. The definition of ‘worker' in Section 3 of the Protected Disclosures Act is also quite broad in its scope, and covers employees (including temporary and former employees), interns, trainees, contractors, agency staff, and consultants.
The Protected Disclosures Act also sets out a procedure for redress for a worker who makes a protected disclosure. If the matter is part of an unfair dismissals claim by the worker and a Rights Commissioner of the Labour Relations Commission finds in favour of the worker, it can require the employer to take a specified course of action or require the employer to pay compensation of up to 260 weeks remuneration to the worker.
It is worth noting that although the motivation for making a disclosure is irrelevant, the protections as set out above are not available to those who deliberately make false disclosures as these are not considered to meet the test for having a reasonable belief that a wrongdoing has occurred. This provision aims to protect businesses from malicious and ill-founded claims.
The Protected Disclosures Act closely reflects, and brings Ireland in line with, international best practice in the area. In achieving its principal aim of protecting those who make a protected disclosure from reprisal from their employers, the Protected Disclosures Act places a significant burden on employers in all sectors to ensure they have adequate policies in place and conform to its requirements.
i Corporate liability
The Interpretation Act 2005 provides that in all Irish legislation, any reference to ‘persons' includes references to companies and corporate entities. Therefore, a company can, in theory, be subject to criminal or civil liability in the same manner as individuals, and can be liable for the conduct of its employees and officers. However, corporate liability has predominately been restricted to offences where a fault element (mens rea) is not required, namely those of absolute, strict and vicarious liability. Many regulatory offences carrying corporate liability are established as such offences.
For example, Section 343(11) of the Companies Act 2014 imposes absolute liability in circumstances where a company fails to send its annual financial accounts to the Company Registrations Office, and provides that the company shall be guilty of an offence.
In contrast, Section 271 of the Companies Act 2014 provides for strict liability, which provides that an officer of a company shall be presumed to have permitted a default by the company, unless the officer can establish that they took all reasonable steps to prevent the default, or was unable to do so by reason of circumstances beyond their control.
Additionally, the Competition Act 2002 imposes vicarious liability by providing, for the purposes of determining the liability of a company for anticompetitive practices or abuse of a dominant position, that the acts of an officer or employee of a company carried out for the purposes of, or in connection with, the business affairs of the company shall be regarded as an act of the company.
While theoretically a company can be guilty of a mens rea offence, the means of attributing the acts of an employee to a company for the purposes of criminal liability is not settled in Irish law. The Irish and English courts have recognised two modes of importing direct liability to a company: the identification doctrine and the attribution doctrine. The identification doctrine focuses on the extent to which the individual employee or officer who committed the offence represents the ‘directing mind and will' of the company, thereby rendering the company criminally liable. The attribution doctrine, on the other hand, is not concerned with the individual's position in the company, but rather imposes a form of absolute liability on companies where their officers or employees commit offences in the course of, and connected with, their employment. While there is conflicting jurisprudence on the preferred approach, only the identification doctrine has been endorsed by the Irish Supreme Court, albeit in the context of the imposition of civil liability on a corporation.
It is unlikely that companies and individuals could be represented by the same counsel, based on the rules governing conflicts of interest in the Solicitors' Code of Conduct. According to the Code:
…if a solicitor, acting with ordinary care, would give different advice to different clients about the same matter, there is a conflict of interest between the clients, and the solicitor should not act for both.
Irish criminal legislation typically provides for monetary fines or terms of imprisonment for offences. Given the nature of corporate entities, the most common form of sanction against a corporate entity is a fine. However, while less common, Irish legislation also provides for compensation orders (whereby the guilty party is required to pay compensation in respect of any personal injury or loss to any person resulting from the offence), adverse publicity orders (in the form of publication of the offence and the identity of the entity found guilty) and remedial orders (to undo the harm caused by the offence).
Another common sanction against businesses is a disqualification order. Under Section 839 of the Companies Act 2014, where a person has been convicted of an indictable offence in relation to a company, or convicted of an offence involving fraud or dishonesty, that person may not be appointed to, or act as, an auditor, director or other officer, receiver, liquidator or examiner or be in any way, whether directly or indirectly, concerned or take part in the promotion, formation or management of any company.
The Central Bank of Ireland also operates the Administrative Sanctions Procedure pursuant to the Central Bank Act 1942, as amended. This legislation bestows a range of sanctions at the Central Bank's disposal, both monetary and administrative. Part IIIC, as amended, sets out the powers of the Central Bank to impose sanctions in respect of the commission of prescribed contraventions by regulated financial services providers. The monetary penalty for financial institutions is an amount up to €10 million or 10 per cent of the annual turnover of the regulated financial service provider in the last financial year, whichever is the greater. The Central Bank has used these powers to reach settlements with financial institutions for regulatory breaches, with the monetary size of such settlements increasing dramatically since the onset of the financial crisis in 2008. In addition, the Central Bank has the power to suspend or revoke a regulated entity's authorisation in respect of one or more of its activities.
A wide range of penalties exist under the Competition (Amendment) Act 2012. The maximum prison sentence for an offence relating to anticompetitive agreements, decisions and concerted practices is 10 years, and the maximum monetary penalty is a fine of €5 million. Furthermore, the Irish courts have jurisdiction under the Companies Act 2014 to disqualify an individual from acting as a director of a company if that individual is convicted of a competition offence on indictment.
iii Compliance programmes
Compliance programmes are not generally provided for in legislation as a defence to criminal proceedings. One notable potential change, similar to the content of Section 7 of the UK Bribery Act 2010, is Head 13 of the draft scheme of the Criminal Justice (Corruption) Bill 2012. This contains an explicit defence for a business that has committed an offence under the corruption legislation, if it can show that the business took ‘all reasonable steps and exercised all due diligence to avoid the commission of the offence'.
If a business is found guilty of an offence, a wide range of factors may be taken into account when sentencing a business, and these are at the discretion of the court. Mitigating factors include whether the company ceased committing the criminal offence upon detection or whether there were further infringements or complaints since the detection of the offence; whether remedial efforts to repair the damage caused were utilised by the company; and whether the company itself reported the infringement before it was detected by the prosecuting authority. Additionally, in imposing any sentence, the court must comply with the principle of proportionality as set out in People (DPP) v. McCormack. The existence of a compliance programme may assist in reducing the quantum of any sentence to be imposed. However, any such programme should be effective in its implementation.
iv Prosecution of individuals
When there are allegations of an individual's misconduct in the course of his or her employment, generally the company will first conduct an internal investigation into the alleged offence. If the company concludes that the alleged conduct did, in fact, take place, the company may be required to report this activity to the relevant authorities. During this investigation, the individual may be placed on ‘gardening leave', or be suspended. However, in the recent case of Bank of Ireland v. O'Reilly, the High Court stipulated that employers must exercise extreme care when suspending an employee pending an investigation.
However, if criminal prosecution precedes an internal investigation, in general, internal disciplinary procedures are suspended, based on respecting the individual's right to silence. Notably, the Irish High Court has decided that the acquittal of an employee of criminal charges does not preclude employers from considering whether an employee should or should not be dismissed on the basis of the impugned conduct.
Additionally, the Companies Act 2014 largely restates earlier legislation, under which a company may purchase and maintain, for any of its officers or auditors, directors and officers insurance (D&O insurance) in respect of any liability arising under negligence, default, breach of duty or breach of trust. Accordingly, a company may indemnify an officer of the company for any liability incurred by him or her in defending the proceedings, whether civil or criminal, provided judgment is given in the individual's favour or the individual is acquitted. However, in practice, D&O policies tend to exclude losses resulting from fraud or dishonesty, malicious conduct and the obtaining of illegal profit.
i Extraterritorial jurisdiction
Ireland does not, in general, assert extraterritorial jurisdiction in respect of acts conducted outside the jurisdiction. However, extraterritorial jurisdiction may be conferred by statute to varying degrees. For instance, Section 4 of the Competition Act 2002 provides that it is an offence to be party to an anticompetitive agreement that has the effect of preventing, restricting or distorting competition in trade in goods or services within the state. Importantly, the Section is not restricted to agreements made within Ireland.
There are a number of specific offences for which Ireland exercises extraterritorial jurisdiction.
The Prevention of Corruption Acts 1889-2010 (the Corruption Legislation) contain provisions for bribery offences occurring outside of Ireland in two circumstances:
a If an Irish person or company does something outside of Ireland that, if done within Ireland, would constitute an offence under the Corruption Legislation, that person is liable as if the offence had been committed in Ireland. There is no requirement that the offending act also be an offence in the foreign jurisdiction.
b If an offence under the Corruption Legislation takes place partially in Ireland and partially in a foreign jurisdiction, a person may still be tried in Ireland for that offence.
It is worth noting that we are not aware of any prosecutions of individuals or companies under these extraterritorial provisions.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the CJ(MLTF) Act) sets out specific circumstances in which an action can be read as money laundering outside Ireland. If an individual or a company engages in conduct in a foreign jurisdiction that would constitute a money-laundering offence both under the CJ(MLTF) Act and in that foreign jurisdiction, they can be prosecuted in Ireland. This extraterritorial jurisdiction may only be exercised where:
a the individual is an Irish citizen, ordinarily resident in the state; or
b the body corporate is established by the state or registered under the Companies Act 2014.
The EU Fourth Anti-Money Laundering Directive (AML IV) came into force on 25 June 2015 and has only been partially transposed into Irish law, to the extent that corporate entities are required to maintain registers of beneficial ownership. Many of the other provisions of the Directive are due to be transposed by the Criminal Justice (Money Laundering and Terrorist Financing) Amendment Bill, which is due to be published shortly. The remaining provisions are expected to be transposed by way of statutory instruments. It imposes increased responsibility on ‘obliged entities' (as defined under Article 2 of the Directive) to identify and assess potential risks of money laundering and terrorist financing in their business relationships and transactions. Aside from the requirement to identify individuals holding ultimate beneficial ownership, the most important change it introduces in Irish law is the inclusion of both domestic and foreign politically exposed persons (PEPs) under the new rules. Previously, only foreign PEPs were subject to a mandatory enhanced regime.
ii International cooperation
The Criminal Justice (Mutual Assistance) Act 2008 (the Mutual Assistance Act) is the primary piece of legislation governing mutual legal assistance between Ireland and other countries. The extent of available cooperation under mutual legal assistance procedures is dependent on the identity of the corresponding state. The greatest level of cooperation exists between Ireland and other EU Member States. Cooperation with third countries (those outside the European Economic Area) is dependent on their ratification of relevant international agreements or the existence of a mutual assistance treaty agreed between them.
Most notably, the Mutual Assistance Act allows Ireland to take evidence in connection with criminal investigations or proceedings in another country; search for and seize material on behalf of another country; serve a summons or any other court process on a person in Ireland to appear as a defendant or witness in another country; and transfer a person imprisoned in Ireland to another country to give evidence in the foreign criminal proceedings.
There are a number of additional measures in place to facilitate Ireland's cooperation with other EU Member States, including the Council Framework Decision on Freezing Orders and the Council Framework Decision on the European Evidence Warrant.
Ireland is subject to the European Arrest Warrant Framework Decision, which was implemented in Ireland by virtue of the European Arrest Warrant Act 2003, as amended by the European Arrest Warrant (Application to Third Countries and Amendment) and Extradition (Amendment) Act 2012. This governs all extradition procedures between the EU Member States. The High Court is the competent authority for issuing a European arrest warrant where the individual sought is accused of an offence for which the maximum penalty is at least one year in prison, or if he or she has already been sentenced to a prison term of at least four months. A European arrest warrant does not have a dual criminality requirement - meaning the offence must be prohibited under the domestic law of both countries - for certain serious offences, such as corruption, fraud or money laundering. This legislation can extend to individuals from non-EU countries upon consultation between the Minister for Foreign Affairs and the Minister for Justice and Equality. Generally, extradition to non-EU countries is governed by the Extradition Act 1965 (as amended), (the Extradition Act). There are a number of preconditions to non-EU extradition. First, there must be an extradition agreement in place between Ireland and the non-EU country before such an extradition can take place. Second, the Extradition Act retains a requirement of dual criminality. Third, the Extradition Act excludes extradition for political offences, military offences and revenue offences. The transposition of the AML IV into Irish law will lead to further enhanced international cooperation, as the Directive requires sharing information between competent national authorities, including the creation of a central register of beneficial owners of entities.
iii Local law considerations
There are a number of legal considerations to be aware of in relation to a cross-jurisdictional investigation, in particular in the areas of banking confidentiality, data privacy and constitutional law.
In Ireland, an obligation of bank-client confidentiality is implied by the common law. However, this obligation can be breached in limited circumstances, including where the terms of the contract with the customer so provide or a bank is compelled by law to disclose.
Under Section 4 of the data-protection legislation, which is part of the comprehensive European data-protection framework, data subjects have a right to access and to be supplied with all of their ‘personal data' held by a data controller or processor. However, individuals may not obtain their personal data where the information is kept by a statutory body for the purposes of preventing, detecting or investigating offences.
Wide-reaching change to Irish data protection law is anticipated with the adoption of the European General Data Protection Regulation 2016 (GDPR), which will be directly effective following a two-year implementation period (i.e., by May 2018) in each of the EU Member States. The GDPR introduces significant changes to, among other elements, data subject rights, supervision and enforcement, and the scope of the application of EU data protection law, in that companies based outside the EU will be subject to the GDPR when offering services in the EU. In conjunction with the GDPR, the Law Enforcement Data Protection Directive 2016 was adopted, which will govern the processing and exchange of personal information between law enforcement authorities in the context of criminal investigations.
Further, Irish individuals or entities who are the subject of an international investigation benefit from the protections of the Irish Constitution and the European Convention on Human Rights, including the right to a good name, the right to a fair trial and the entitlement to fair procedures.
V YEAR IN REVIEW
Over the last two decades, a number of tribunals of inquiry have been established by legislation and overseen by members of the judiciary. However, these were considered by some to be lengthy and expensive. The system of public inquiries was reformed by the Houses of the Oireachtas (Inquiries, Privileges and Procedures) Act 2013 (the 2013 Act), whereby parliamentary committees may be appointed to inquire into a limited set of matters.
The 2013 Act strictly qualifies the nature of the findings which can be made by parliamentary committees. Accordingly, reports on the findings of such committees are limited. One example of this is the Report of the Banking Inquiry into the financial crisis in Ireland. Notwithstanding the new system of public inquiries available under the 2013 Act, a traditional tribunal of inquiry was established in February 2017 under the Tribunals of Inquiry (Evidence) Acts 1921-2011 by resolutions of both houses of Ireland's parliament. The Charleton Tribunal, led by Mr Justice Peter Charleton, will examine matters concerning Protected Disclosures made by members of the police.
On 1 February 2016, the Criminal Justice (Mutual Assistance) (Amendment) Act 2015 was commenced. The Act gives effect under Irish law to international treaties, with a view to increasing cooperation with other EU Member States in tackling criminal activity. The Act focuses, in particular, on increasing cooperation between Member States on matters including the recovery of financial penalties on a cross-border basis, the confiscation of assets deemed to be the proceeds of crime, and addressing serious security threats, such as terrorist activity.
VI CONCLUSIONS AND OUTLOOK
In 2012, the draft scheme of the much-anticipated Criminal Justice (Corruption) Bill was published. The draft scheme proposes to repeal the numerous pieces of anti-corruption legislation in Ireland and replace them with one consolidated piece of legislation. It is not clear when the Corruption Bill will be passed, but it is hoped that this will happen in the coming years. Significant provisions in the proposed legislation include:
a provisions imposing criminal liability for businesses for the actions of their employees, agents, subsidiaries, officers, managers and directors, where there is an intention by these persons to obtain or retain business for the company; and
b a defence for businesses of having taken all reasonable steps and exercised all due diligence to avoid the commission of an offence.
In early 2016, the Law Reform Commission (LRC) published an issues paper entitled ‘Regulatory Enforcement and Corporate Offences'. The paper tackles lacunae in existing criminal law in the area of white-collar crime and moreover, the sufficiency of the supervisory and enforcement powers of the state's main financial and economic regulators. However, while a formal report was expected to follow soon after, none has yet been issued by the LRC.
As discussed earlier there are two changes at European Union level taking effect in Ireland with the General Data Protection Regulations 2016 and the impending transposition of the EU Fourth Anti-Money Laundering Directive.
1 Carina Lawlor and Nicola Dunleavy are partners at Matheson.
2 Established by the Criminal Assets Bureau Act 1996 (as amended).
3 Section 14 of the Criminal Assets Bureau Act 1996.
4 Ibid, Section 16.
5 Section 949(c) and (d) of the Companies Act 2014.
6 Section 899 of the Taxes Consolidation Act 1997.
7 Ibid, Section 895.
8 Ibid, Sections 902A and 908.
9 Ibid, Section 908C.
10 Ibid, Section 903.
11 Section 36 of the Competition and Consumer Protection Act 2014.
12 The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, SI 336 of 2011.
13 Approved by the Data Protection Commissioner under Section 13(2)(b) of the Data Protection Acts.
14 ‘Outline of Administrative Sanctions Procedure', published by the Central Bank of Ireland in 2014.
15  IEHC 809
16 (2005) IESC 3.
17 Sections 11 and 12 of the Protected Disclosures Act.
18 Superwood Holdings plc v. Sun Alliance and London Insurance plc (1995) 3 IR 303.
19 Section 6(1) of the Criminal Justice Act 1993.
20 Section 85 of the Safety, Health and Welfare At Work Act 2005; Section 1086 of the Taxes Consolidation Act 1997.
21 Sections 75 and 85 of the Consumer Protection Act 2007 as amended by the European Union (Consumer Information, Cancellation and Other Rights) Regulations 2013; Section 1078(3A) of the Taxes Consolidation Act 1997.
22 The Central Bank (Supervision and Enforcement) Act 2013.
23 Section 2 of the Competition (Amendment) Act 2012.
24 Section 839 of the Companies Act 2014.
25 (2000) 4 IR 356.
26 Bank of Ireland v. O'Reilly  IEHC 241.
27 Mooney v. An Post (1998) 4 IR 288.
28 Section 235(4) of the Companies Act 2014.
29 Ibid, Section 235.
30 Section 8 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010.
31 As amended by the Criminal Justice (Mutual Assistance) (Amendment) Act 2015.
32 Tournier v. National Provincial and Union Bank (1924) 1 KB 461.
33 Data Protection Acts.
34 Section 5 of the Data Protection Acts.
35 Regulation (EU) 679/2016.
36 Directive (EU) 680/2016.
37 The issues paper specifies a number of potential proposals of reform for regulators such as;
a Creation of a standard set of powers of financial and economic regulators;
b Increased use of civil financial sanctions;
c Increased use of negotiated compliance agreements;
d Introduction of deferred prosecution agreements used in the US and UK;
e Improving coordination and cooperation between regulators; and
f Creating a single appeals process from financial and economic regulators.
38 Directive (EU) 2015/849.