The text of Ireland’s new Data Protection Bill was published on 1 February. This text, which may still be amended by the Oireachtas, does not substantially deviate from what was expected when the Heads of the Bill were published in May 2017.
The Bill gives effect to two key pieces of European legislation: the General Data Protection Regulation ((EU) 2016/679) and the Law Enforcement Directive ((EU) 2016/680). The General Data Protection Regulation (GDPR) is a step-change in data protection obligations and requires wholesale changes to how businesses operate. The new Bill reproduces much of the GDPR text directly, while also setting out the powers of the Data Protection Authority and transposing the Law Enforcement Directive. Unlike the GDPR, which applies directly in every EU member state, the Law Enforcement Directive (also known as the Police and Criminal Justice Authorities Directive) has no direct effect and must be transposed into national law.
In line with the expanded role of the Data Protection Authority under the GDPR, the draft Bill establishes a Data Protection Commission in place of the current Office of the Data Protection Commissioner (ODPC). Up to three Commissioners may be appointed by government. The Commission will be accountable to an Oireachtas Committee rather than directly to government, a move that reinforces its independence.
A controversial inclusion in the Bill is the exemption of public bodies from the administrative fine regime, except where they act as an “undertaking” (i.e. provide goods or services for gain). Keeping public bodies within scope for administrative fines was explicitly requested by the current Data Protection Commissioner, Helen Dixon, and was also recommended at Committee stage.
Contrary to some expectations, the existing 1988 Act is not repealed but amended, meaning that three Data Protection Acts will then be in force – an amended 1988 Act, the 2003 Amendment Act and the 2018 Act. This may lead to some uncertainty and difficult deliberations.
Liability for individuals who contravene data protection requirements continues to apply, with fines of up to €50,000 and potential custodial sentences. Directors, managers and company secretaries (“officers”) may also be held individually liable for contraventions of data protection requirements.
The Bill as published contains 8 parts through its 132 pages. These are structured as follows:
- Preliminary and General: This section covers those essential elements of legislation - clarifications and definitions.
- Data Protection Commission: This section establishes the Commission, and addresses the transfer of function from the ODPC to the Commission; sets out how Commissioners may be appointed; the length of service; and reporting obligations; etc.
- Data Protection Regulation: The requirements and obligations defined in the GDPR are repeated here, including all of the changes that have been widely discussed in other material, such as new and enhanced data subject rights; limitations on processing; processing of special categories of data; and restrictions on transfers outside the European Union.
- Provisions Consequent on Repeal of Certain Provisions of the Data Protection Act 1988: this section deals primarily with the transfer of assets and liabilities from the ODPC to the Commission, along with a means to maintain some of the regulations enacted under the 1988 Act.
- Processing of Personal Data for Law Enforcement Purposes: The Law Enforcement Directive text is here transposed. Competent Authorities are defined as those public bodies with the powers to investigate, prevent or prosecute in the context of criminal offences.
- Enforcement of Data Protection Regulation and Directive: This section defines the powers available to the Commission to investigate, audit and levy administrative fines against offenders. Procedures for appeals, judicial oversight and confirmation of fines are also described.
- Miscellaneous Provisions: Procedures for Court and Judicial proceedings are described here.
- Amendments to other Acts of the Oireachtas: This section amends the definitions or wording of other Acts to match those in the GDPR and the Law Enforcement Directive.
Grant Thornton will continue to monitor the progress of the Bill, and any amendments to it, through the Oireachtas to its enactment. If you have questions about how data protection is changing, or what your organisation should be doing to prepare, please contact us.