Last month, the Irish government published the General Scheme of the Data Protection Bill 2017 (the “Scheme”). This Scheme provides some insight into the Irish Government’s legislative intent and approach towards those provisions of the General Data Protection Regulation (“GDPR”) where Member States are afforded a margin of flexibility.
The Scheme provides a general overview of the various elements of the proposed legislation. It contains 95 Heads which are quite sparse in parts. As a result, there is a substantial legislative task ahead to build out the substance and have the Bill enacted as law in time for commencement of the GDPR in May 2018. There has been no indication from the Irish Government of a proposed timeline for the Bill or when the Bill will be presented to the Irish Parliament for approval.
The Scheme indicates that some of the key areas, where Member States are allowed some degree of flexibility from the provisions of the GDPR, will be addressed via secondary legislation in the form of ministerial regulations. While this approach is likely a result of the considerable size of the task at hand, the practical effect of this legislative shortcut is that there continue to be no details available regarding how these areas will be addressed in Ireland.
The DPC 2.0
Some of the most notable proposals in the Scheme centre on reforming the office and powers of the Data Protection Commissioner. The Data Protection Commissioner is to be replaced by a new entity, the “Data Protection Commission” (the “Commission”). The number of Commissioners is also set to increase to up to three Commissioners. Where there is more than one Commissioner, the Minister for Justice shall appoint a chairperson who will have the casting vote in decisions taken by the Commission. The Scheme also makes clear that Helen Dixon (the prevailing Commissioner) will continue in her capacity as Commissioner after the Bill is passed.
The Government’s strengthening of the Commission comes ahead of the additional GDPR workload. The One-Stop-Shop mechanism and new resource-intensive elements of investigation are likely to be sources of increased demand on the Commission’s resources.
The investigative and adjudicative processes within the Commission will be separated. Enhanced investigative powers are proposed for authorised officers of the Commission. In addition to their current powers of entry, inspection and seizure of documents or records, officers will be able to require a controller or processor (including their employees and agents) to provide “reasonable assistance” in relation to the operation of the data equipment or computer systems. This would include the provision of access and passwords to make documents available and understandable. Officers of the DPC who have been refused access to premises will now have the power to apply for and execute a search warrant. There is also the possibility of officers of the DPC convening oral hearings prior to the imposition of a large fine.
One-Stop-Shop regulatory procedure
Given the large number of organisations which have their European or international headquarters in Ireland, the Commission will likely have a significant role in co-ordinating investigations with a cross border element as the lead supervisory authority under the GDPR. The process required where the Commission is acting as the lead supervisory authority is set out in the Scheme. The Commissioner shall prepare a draft decision and submit it to the other concerned supervisory authorities. The Commission must take account of the supervisory authorities’ views and if the Commission’s draft decision has not been objected to within four weeks, it will be adopted.
Where an objection arises, the Commission can decide to revise the decision in line with the objection or, where the Commissioner is not minded to revise the draft decision, refer that draft decision to the European Data Protection Board (the “Board”). In this instance, the Board will act as a dispute resolution mechanism. On the basis of the Board’s decision, the Commissioner shall adopt their final decision, including any enforcement notice or administrative fine, and give notice of it and the reasons in writing to the controller or processor.
Fines and penalties
Part 5 of the Scheme sets out the procedure governing the Commission’s supervision and enforcement powers. This includes how it will impose fines and penalties.
At the end of an investigation, and after considering an investigation report, a Commissioner may decide that either:
(a) a further investigation is warranted; or
(b) an infringement did not occur, justifying the dismissal of a complaint; or
(c) to impose an administrative fine or enforcement notice (or both), as the Commissioner thinks fit in the circumstances of the case.
A controller or processor may appeal a decision to impose a fine upon them within 30 days of receipt of notice of the fine. On appeal the relevant court (either the Irish High Court or Circuit Court, depending on the amount of the fine) may either confirm or annul the decision, or replace it with a decision of the court. In the course of an appeal, evidence may be introduced before the Court that was not previously submitted to the Commission.
The Scheme also provides for an appeal to be brought within 28 days against an enforcement or information notice or against any legally binding decision of the Commission.
Possibly the most notable provision of the Scheme suggests that any decision to impose an administrative fine under the GDPR will be subject to a confirmation order of the Circuit Court (after the 30 days for lodging an appeal has passed). In this function, the Circuit Court will not be acting as a court of appeal but rather it will impose the fine unless there is good reason not to. This means that for every fine it intends to impose, the Commission will have to make an application to the Court to execute the fine.
This oversight of the Circuit Court is to ensure the decision by the Commission to impose a fine was taken in line with procedural rules and constitutional justice. The explanatory note mentions that this mechanism will be discussed further with the European Commission. However, it will be a comfort to organisations if the substantial GDPR fines imposed were subject to judicial oversight, if even summarily, before being imposed.
The Scheme is only in its preliminary form and is likely to be the subject of intense lobbying and amendments as it moves through the legislative process. The DPC’s Annual Report 2016 highlighted the scaling up of the DPC’s resources. The reformulation of the role and office of the DPC proposed by the Scheme will contribute to achieving greater regulatory capacity. It also ensures procedural safeguards and due process standards are abided by to prevent any court challenges to decisions of the Commission.