The General Scheme of the Data Protection Bill 2017 was published on 12 May 2017. This Bill is intended to be the main Irish legislative instrument that will give effect to, or provide for exemptions from, certain provisions of the General Data Protection Regulation (GDPR). It will also transpose the Law Enforcement Data Protection Directive into Irish law, will replace the Irish Data Protection Commissioner with a new legal entity to be known as the Data Protection Commission and will set out a new legal framework for the enforcement of data protection law in Ireland.
The General Scheme, which includes explanatory notes regarding the proposed provisions of the Bill, clarifies how the Irish legislature intends to give further effect to, transpose and administer the EU data protection reform package. It also provides useful insights regarding the underlying intention or inspiration for certain provisions, some of which are based on current Irish legislation and procedures in other areas, including competition law and financial services regulation. However, the General Scheme also indicates that some key issues will be addressed via secondary legislation to be adopted under the Data Protection Bill, rather than in the Bill itself, with the result that there continue to be no publicly available details regarding how these issues will be addressed in Irish law. While this flexibility will be helpful from a legislative perspective, the lack of detail on intended exemptions from rights and obligations under the GDPR will be a disappointment to businesses and organisations that are working on their preparations for the GDPR.
The following are some of the more notable details set out in the General Scheme:
- DPC: The legal entity currently known as the Data Protection Commissioner will be replaced with a new entity to be named the Data Protection Commission, which may have between 1 and 3 individual Data Protection Commissioners. The Commission will have separate processes for, among other things, (a) the investigation and (b) the adjudication of suspected or alleged breaches of data protection law and these separate functions might be headed by different Data Protection Commissioners. The Commission will have extensive and robust powers for the purpose of monitoring, investigating and enforcing data protection law and greater discretion as to whether and to what extent it must investigate complaints made to it.
- Data Protection Acts: Although many elements of the Data Protection Acts 1988 & 2003 will be superseded by the GDPR, it has yet to be decided whether certain parts of these Acts will be retained, or whether they will be repealed and replaced in their entirety by this Data Protection Bill.
- Exemptions: Article 23 of the GDPR provides that Member States may, by legislative measures, restrict the operation of key provisions of the GDPR that set out the rights of data subjects and the obligations of controllers and processors. The General Scheme envisages that Irish legislative measures setting out exemptions from these rights and obligations will be contained in regulations made under the Data Protection Bill and in accordance with applicable requirements set out in the GDPR, rather than in the Bill itself. No details are provided as to what exemptions are likely to be made via such regulations.
- Processing for Journalistic Purposes or Academic, Artistic or Literary Expression: The General Scheme contains a high-level provision to the effect that personal data processed for these purposes will be exempt from many of the rights and obligations provided for under the GDPR, where compliance with such provisions would be ‘incompatible’ with such purposes. No further detail is provided as to how this determination should be made, except that the right to freedom of information and expression should be interpreted broadly in this context and it will be possible to refer questions on the balance to be drawn to the Irish High Court. Controllers and processors who process personal data for these purposes will hope that this provision will be fleshed out in a later draft, particularly since under the GDPR there seems to be an onus on the legislature to provide a clearer legal framework for reconciling these rights.
- Derogations: A number of provisions of the GDPR permit derogations via Member State legislation, provided that there are ‘appropriate safeguards’ in place in respect of the processing. The General Scheme indicates that such derogations will be adopted in Ireland, but does not specify what ‘appropriate safeguards’ will be put in place, except by saying that the possibility of a ‘toolbox’ of possible safeguards is being considered.
- International Transfers: The Minister for Justice and Equality will have the power to block transfers of personal data to a specific jurisdiction outside the EEA where that jurisdiction has not been deemed to have adequate data protection laws by the European Commission in certain circumstances. There is also a proposed provision that relates to the series of proceedings involving the Data Protection Commissioner and Max Schrems and the decision of the Court of Justice of the European Union in Case C-2015/650 (specifically paragraph 65 of the CJEU’s ruling). The DPC will have a legislative power to apply to the Irish High Court for a determination as to whether the level of protection in a jurisdiction deemed by the European Commission to be adequate is, in fact, adequate, with the possibility of the High Court referring the matter to the Court of Justice of the European Union for a preliminary ruling. The absence of such a provision from currently applicable legislation gave rise to challenges for the Data Protection Commissioner in bringing the proceedings relating to the Standard Contractual Clauses and transfers to the United States of America that are being considered by the Irish High Court (record no. 2016/4809P).
- Administrative Fines: The General Scheme mentions that the DPC might convene oral hearings before large administrative fines will be imposed. There will be opportunities to appeal administrative fines imposed by the DPC; however, this will be subject to a tight time limit of 30 days from receipt of notice of the decision. A time limit of 28 days will apply to appeals of any other legally binding decisions of the DPC. The DPC will be required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court.
- Prosecution of Offences & Costs: The DPC will have the power to prosecute summary offences under the Data Protection Bill. Where a person is convicted of an offence, the court will be required to order that person to pay the costs incurred by the DPC in investigating, detecting and prosecuting the offence, except where the court considers there are special and substantial reasons for not doing so. Such costs, if imposed, would be in addition to any administrative fines that might be incurred.
- Personal Liability for Directors & Officers: Directors, managers, secretaries and other officers of a corporate body may incur personal liability for offences under the Data Protection Bill committed by that corporate body, where the offence was committed with that individual’s consent, connivance or neglect. Potential offences that may arise under the Data Protection Bill include failing to comply with an enforcement notice issued by the DPC or the disclosure by a processor of personal data being processed on behalf of a controller without that controller’s authorisation.
- DPOs: The Minister for Justice and Equality will have the power to specify certain categories of controllers for whom the appointment of a Data Protection Officer will be mandatory (in addition to the categories for whom such an appointment will be mandatory under the GDPR).
- Public Authorities and Bodies: Public authorities and public bodies who are acting as ‘undertakings’ (in the competition law sense of this word) will be liable to administrative fines for breaches of data protection law. It is implicit (but not clear from the current drafting) that it is intended that public authorities and public bodies will be exempt generally from administrative fines, except where they are acting as ‘undertakings’.
- Privilege: There will be explicit acknowledgement that exemptions from obligations based on privilege will extend not only to legal advice privilege but also to litigation privilege (which is not explicitly acknowledged in the current Data Protection Acts).