As detailed in a recent update, the Irish Data Protection Bill 2018 was published on 1 February 2018. The Bill implements those instances where Member States are permitted some flexibility under the GDPR and contains important provisions on the robust enforcement powers of the reformed Data Protection Commission.
With some amendments, the Bill was passed by the Seanad in late March 2018 and is currently at Committee Stage in Dáil Éireann, the Irish legislature’s lower house.
While commentators often point out that the GDPR is an evolution, not a revolution, the steps required for compliance are onerous and, no doubt, causing many challenges for both data controllers and processors.
The GDPR applies to both public and private organisations that are established in the EU or that process personal data of EU data subjects in certain circumstances. However, there are some key differences for data controllers in the public sector. These relate, in particular, to the imposition of administrative fines, the need to appoint a Data Protection Officer and the lawful conditions of processing which may be relied upon.
Administrative fines for public authorities
Under the GDPR, administrative fines can be imposed on data controllers and data processors that breach certain provisions of the GDPR. The level of fine will depend on the seriousness of the breach. The most serious breaches will be liable to fines of up to €20 million or 4% of the undertaking’s annual turnover, whichever is greater. The less serious breaches will be liable to fines of up to €10 million or 2% of the undertaking’s annual turnover, again, whichever is greater.
However, the GDPR (Art 83(7)) allows for each Member State to legislate on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State.
Initially, the Bill sought to exempt public sector bodies from fines. However, concerns were expressed by the Data Protection Commissioner that these bodies should not be excluded from fines. This was on the basis that, in protecting fundamental rights, higher standards are arguably demanded from public sector bodies. Unfortunately for the public sector, the Bill passed by the Seanad has been amended in this regard. It now provides (section 139) that administrative fines can be levied against public authorities and public bodies up to a maximum of €1 million. However, to ensure fair competition, this upper limit will only apply where the said authority or body is not an undertaking within the meaning of the Competition Act 2002.
Requirement to appoint a DPO
Under the GDPR (Art 37), private undertakings are only required to appoint a Data Protection Officer, or DPO, if their core activity consists of regular and systematic monitoring of data subjects on a large scale, or if their activities consist of large-scale processing of special categories of sensitive data, for example health data and data on religious and political beliefs (Art 9). However, public sector bodies, other than courts acting in their judicial capacity, are required to appoint a DPO regardless of their processing activities.
Conditions upon which public sector bodies can process personal data
Under both current Irish data protection law and the GDPR, data controllers can lawfully process personal data where it is necessary for the purposes of the “legitimate interests” pursued by the controller or by a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject. However, under the GDPR, this condition for lawfully processing personal data is expressly not applicable to public authorities. Instead, public authorities will have to rely on one or more of the other processing conditions provided for under the GDPR.
In addition, while private data controllers can still rely upon a data subject’s consent to lawfully process his/her personal data under the GDPR, provided it meets the enhanced requirements for valid consent, it will be more difficult for public sector bodies to do so. This is because the GDPR makes clear that consent should not be considered valid where there is a clear imbalance between the data subject and data controller (Recital 43). The specific example provided is where the data controller is a public authority, as it is unlikely in that case that consent would be freely given.
While it might not be a revolution as, to a large extent, the GDPR restates much of the existing data protection laws in Ireland, the GDPR evolution is almost upon us. This evolution includes some key differences for data controllers in the public sector, which public sector bodies should be familiar with and take steps to address before 25 May 2018.