On 12 May 2017 the Tánaiste and Minister for Justice and Equality, Frances Fitzgerald TD, and the Minister of State for Data Protection, Dara Murphy TD, published the General Scheme of the Data Protection Bill 2017 (the ‘General Scheme’).
The General Scheme is a draft form of the final bill that still requires approval by the Oireachtas prior to enactment. It provides an interesting view of the likely form of the proposed Data Protection Act 2017, which will effectively transpose the Articles of the General Data Protection Regulation (‘GDPR’) into Irish law. The General Scheme includes direct implementation of the GDPR's articles together with elements of interpretation of the GDPR. It also defines certain criteria and incorporates elements from other statutes that are relevant or applicable to the requirements of the GDPR, or to data protection in general.
There are a number of points of note within the General Scheme that provide insight into the current draft and the work still to be completed for the final draft. They are documented below under the relevant headings:
Digital Age of Consent
- A consultation process regarding a “digital age of consent” has been completed and submitted to the Government for a decision. The proposed age, and the decision on it, have not yet been released.
The Supervisory Authority
- The General Scheme replaces the Data Protection Commissioner with a Data Protection Commission (the ‘DPC’), with the possibility of up to three Commissioners depending on future workload.
- To meet the independence requirement for Supervisory Authorities prescribed by the GDPR, two specific potential elements of the DPA 2017 are described:
  - the financial independence of the DPC may be enhanced through the provision of a separate Vote and an Accounting Officer role within the Commission;
  - the DPC may become accountable to an Oireachtas committee rather than to the Minister for Justice and Equality.
- The DPC has a role as a supervisory authority under other acts, in addition to the role proposed by the General Scheme, including:
  - the Credit Reporting Act 2013; and
  - the Electronic Communications Networks and Services (Privacy and Electronic Communications) Regulations 2011.
Data Subject Rights
- Exceptions to the exercise of data subject rights (Article 23) have been more granularly defined, with the requirement that all three defined conditions must be met. The three conditions are that:
  - a legislative measure is required;
  - it must be a “necessary and proportionate measure in a democratic society”; and
  - the essence of the right to data protection must be respected.
- The requirements of Article 23 are already present in some existing statutes:
  - the Credit Reporting Act 2013; and
  - the Criminal Justice Act 2010.
- Head 37(4) of the General Scheme relates to restrictions on the right of access. It provides the Data Controller, in certain circumstances, with the option to “neither confirm nor deny” the existence of personal data. This reflects the existing provision in Section 33(4) of the Freedom of Information Act 2014.
Data Protection Officer
- Article 37.4 of the GDPR provides the State with the flexibility to enact national law to expand the requirements of organisations and types of organisations required to designate a Data Protection Officer.
- Head 21 of the DPA 2017 seeks to create an enhanced regulation-making power which may be availed of if necessary in due course. As such, the DPA 2017 puts in place a framework for the State to expand the requirement to designate a DPO beyond the cases currently defined in Article 37.1 of the GDPR.
Complaints, Investigations and Search Warrants
- In relation to Article 77 or Article 80.1 of the GDPR, Head 65(3) of the DPA 2017 gives the Commission the right to proceed with the investigation of a complaint despite its withdrawal, provided the Commission is satisfied that there is good and sufficient reason for doing so. In such circumstances the investigation proceeds and is treated as if it had been initiated by the Commission.
- Article 12.6 of the GDPR accommodates the ability of data subjects to make a complaint online. Because such complaints may introduce a difficulty regarding verification of identity, Head 65(4) provides for the Commission to request additional information from the complainant if there are reasonable doubts over his/her identity. In essence, this implies that a data subject who makes a complaint consents to being contacted by the Commission.
- The DPA 2017 includes sub-heads that reflect the Communications Regulation Act 2002 and Section 28 of the Central Bank Act 2013 with regard to the issuing of search warrants. Neither the Data Protection Acts 1988 and 2003 nor the GDPR contains a specific provision on search warrants. Search warrants will be valid for one month but can be extended if specific criteria are met.
Fines and breach penalties
- The DPA 2017 will provide for the imposition of fines on public authorities for breaches of data protection law where such authorities are in competition with private operators.
- Appeals against fines may be brought before the High Court, or before the Circuit Court where the fine is less than €75,000.
- Head 81 of the DPA 2017 specifically sets the penalties for Data Processors who disclose data without the consent of the Data Controller. The penalties are up to 12 months in jail and/or a class A fine, or a fine not exceeding €50,000 and/or imprisonment for a term of not more than 5 years.
- Head 82 of the DPA 2017 creates a new offence with regard to the sale of illegally obtained personal data. The penalties are up to 12 months in jail and/or a class A fine, or a fine not exceeding €50,000 and/or imprisonment for a term of not more than 5 years.
Grant Thornton will continue to monitor and provide updates on any changes to the Data Protection Bill 2017 as it progresses toward implementation of the new GDPR regime.