The General Scheme of Data Protection Bill 2017 (the “Bill”) has been published by the Department of Justice. The purpose of the Bill is to give effect to the General Data Protection Regulation (“GDPR”) which comes into force on 25 May 2018. The Bill also transposes the Law Enforcement Directive (2016/680) (the “Regulation”) into domestic law.
The Bill is still in the early stages and it is unclear whether some of the provisions of the Data Protection Acts 1988 and 2003 will be retained.
Some of the key provisions of the Bill are:
Data Protection Commission (the “DPC”)
The Data Protection Commissioner will be replaced by the Data Protection Commission (the “DPC”). The Bill allows for the appointment of more than one Data Commissioner depending on workload – with the possibility of the appointment of a total of three Commissioners. The DPC will have enhanced powers of monitoring, investigation, and enforcement of data protection.
Administrative fines and appeal of administrative fines
The Bill provides that the DPC may impose administrative fines (as set out in the GDPR) if satisfied that breaches of the Regulation or the Act have occurred.
A controller or processor subject to such administrative fines must appeal no later than 30 days from the date on which notice of the decision was served. Both the High Court and Circuit Court have jurisdiction to hear such applications. There is a reference to oral hearings, at the discretion of the DPC, before a fine is imposed.
The DPC is obliged to make an application to the Circuit Court to confirm its decision to impose such an administrative fine.
The Bill provides for the possibility of fines for infringement of provisions of the Regulation or the Act if a public body or authority is acting as an “undertaking”. The explanatory note sets out that a public body or authority is not acting as an “undertaking” in all instances. The note states an assessment must be made on an activity-by-activity basis.
The Bill specifies that some of the rights and obligations provided for in the Regulation and sections of the Act giving effect to the Regulation do not apply to personal data processed for the purpose of legal advice privilege or personal data covered by litigation privilege. Litigation privilege is not specifically acknowledged in our current data protection legislation.
The Bill sets out that the processing of personal data for journalistic purposes and purposes of academic, artistic or literary expression shall be exempt from a significant set of rights and obligations under the GDPR where having to comply with the provisions would be incompatible with such purposes – having due regard to the importance of the right to freedom of expression and information. The Bill provides that “journalism” must be interpreted broadly and the explanatory note states that this provision is intended to acknowledge activities such as blogging and social media. The DPC is empowered to refer any question of law regarding the balance between the right of data protection and freedom of expression and information, which might arise under this section, to the High Court.
Prosecution of Offences and Costs
The Bill provides the DPC with the power to prosecute summary offences. If a person is convicted of an offence, save where there exist special and substantial reasons, the court shall award the costs and expenses of the Commission in relation to the investigation, detection, and prosecution of the offence. Under the Bill, the payment of court costs would be in addition to any administrative fine or penalty. The position regarding costs has been substantially borrowed from competition and consumer protection legislation.
Personal Liability for Directors
The Bill imposes personal liability on directors, managers, secretaries or other officers of a body corporate where an offence under the Act was committed by the body corporate with his or her consent or connivance. Further, if the offence can be attributed to any negligence on the part of the officer, he or she is personally liable along with the body corporate.
Data Protection Officers
The Bill confers powers on the Minister for Justice and Equality to make regulations requiring controllers, processors or associations and other bodies representing controllers or processors to designate a data protection officer. The categories added by ministerial regulations would be in addition to the mandatory categories set out in the GDPR.