The long awaited draft Irish Data Protection Bill was finally published on Friday 1 February. While it sets out how a number of key elements of the new data protection law regime will operate in Ireland, the draft will clearly require further work as it contains anomalies and fails to cover important points that will need to be addressed. Considering that the application dates of the GDPR and the Law Enforcement Data Protection Directive are less than 4 months away and that the draft Bill is overdue, many organisations will be disappointed that what has been published is not closer to a version that could be finalised. The following are some of the key points arising from this draft (many of which will not be a surprise to organisations who familiarised themselves with the General Scheme of Data Protection Bill that was published in May 2017):
Scope of the Bill:
The Bill serves a number of purposes. It provides for the implementation of certain elements of, and limited exemptions from, the GDPR; the transposition of the Law Enforcement Data Protection Directive, the establishment of a new supervisory authority to be known as the Data Protection Commission, as a replacement for the current Data Protection Commissioner; the repeal of certain provisions of the current Data Protection Acts 1988 & 2003 (the “Acts”) and the disapplication of the remainder of the Acts except for limited purposes; and repeals of and amendments to data protection provisions in other pieces of legislation.
Exemptions from Data Subject Rights:
The Bill provides for exemptions from the data subject rights and related obligations provided for under the GDPR, many of which are similar to exemptions that apply under the Acts to the more limited range of data subject rights that are currently available. The Bill also provides that further exemptions may be specified by secondary legislation.
Additional Grounds for Processing Special Categories of Personal Data:
There will be a number of additional grounds for processing ‘special categories of personal data’ (such as health data) under Irish law, in addition to those contained in Article 9 of the GDPR. Notably, these include a legal basis to process health data for insurance, pension or mortgage purposes.
Grounds for processing Criminal Data:
The Bill provides for legislative grounds for criminal data to be processed for specific purposes, as is required under Article 10 of the GDPR, in order for organisations other than ‘competent authorities’ to be permitted to process personal data relating to criminal offences and criminal convictions.
Suitable and Specific Measures to Safeguard Rights and Freedoms:
Certain provisions of the GDPR permit processing in specific circumstances based on national legislation subject to the adoption of suitable and specific measures to safeguard fundamental rights and freedoms. As envisaged by the General Scheme that was published in May 2017, the Data Protection Bill provides for a non-exhaustive list of such measures, which according to the accompanying explanatory memorandum, is intended to operate as a ‘toolbox’ for such provisions.
Freedom of Expression and Information:
The Bill provides for an exemption from many of the data subject rights and related obligations under the GDPR where personal data is processed for the purpose of exercising the right to freedom of expression and information, where compliance would be incompatible with this purpose. Unfortunately no detail is provided as to how organisations should identify when compliance with a GDPR obligation might be ‘incompatible’ with the right to freedom of expression and information. The DPC is given an express power to refer questions in this regard to the Irish High Court to be resolved.
A New ‘Data Protection Action’ for Individuals:
The Bill provides for a new action, to be known as a ‘data protection action’, whereby an individual may bring a claim for infringement of their rights under the GDPR or the Bill and seek an injunction or declaration, or compensation for damage suffered. As required under the GDPR, there is an express acknowledgment that the damage may be material or non-material.
Limited Parameters for Data Protection Actions to be Brought on Behalf of Individuals:
As required under Article 80 of the GDPR, not-for-profit organisation that meet certain conditions will be able to bring data protection actions on behalf of data subjects. However, the Bill provides that such bodies will not be able to recover compensation on behalf of individuals.
Robust Powers for the DPC:
The Data Protection Commission will have robust supervision and enforcement powers, which far exceed those currently vested in the Data Protection Commissioner. While there will be rights to appeal decisions of the DPC (such as a decision to impose an administrative fine for breach of the GDPR) to the courts, these will be subject to limited time limits generally of 28 days. The DPC will also have an express power to publish details of convictions, sanctions etc., subject to a limited obligation not to publish commercially sensitive information.
Amicable Resolution Procedure:
The Bill expressly provides for an approach that has been the modus operandi of the DPC for many years and, it seems, will continue to apply under the GDPR. Where possible, the DPC will seek to facilitate an amicable resolution of complaints made by or on behalf of data subjects.
Personal Liability for Directors for Offences under the Bill:
The Bill provides for a limited range of criminal offences, including non-compliance with orders made by the DPC; forced data subject access requests (e.g. in the context of background checks or vetting); disclosure of personal data obtained unlawfully; and disclosure by a processor without the authorisation of the controller on behalf of whom the processor is processing the personal data in question. A director, secretary, manager or other officer of a corporate entity that is guilty of an offence under the Bill may be held personally liable for the same offence, where it was committed with their consent or connivance or as a result of their neglect.
Digital Age of Consent:
The age at which children will be deemed old enough to give consent on their own behalf to the processing of personal data for the provision of information society services (rather than the consent of a parent or guardian being required) will be 13.
Abolition of Registration Regime:
The obligation for certain categories of controllers and processors to register with the Data Protection Commissioner will cease to apply.
There will be a general statutory basis for public authorities and bodies to process personal data for the performance of their functions conferred by or under statute or the Irish Constitution, or the administration of non-statutory schemes, programmes or funds where the legal basis for such administration is a function conferred by or under statute or the Irish Constitution. This umbrella provision will be welcome news for many statutory bodies, who might otherwise have required more detailed legislative amendments to continue to process personal data lawfully in connection with the performance of their functions under the new regime. Controversially, public authorities will be exempt from the imposition of administrative fines for breach of the GDPR, except where they are acting as ‘undertakings’ (as this term is defined under competition law).
The Bill contains detailed provisions regarding the interaction between privilege, data protection law and dealings with the DPC, which are clearer and more extensive than the relatively brief equivalent provisions in the Acts. This clarity should be helpful, particularly since the extent to which privileged legal advice may be withheld will be particularly important in the context of enforcement actions by the DPC and data protection actions by or on behalf of individuals.
The following are some notable anomalies or omissions from this draft
The Bill does not contain any provisions regarding the territorial scope of its provisions that relate to the GDPR. There is no successor to Section 1(3B) of the Acts (which essentially provides that they apply to a controller established in Ireland who processes personal data in the context of that establishment). According to the current draft of the Bill, Section 1(3B) will apply only to the limited extent that the Acts will continue to apply. This fundamental point in relation to the Bill will need to be clarified.
Application of the Acts:
According to Section 8 of the Bill, the provisions of the Acts which are not repealed by Section 7 of the Bill will continue to apply to the processing of personal data for the purposes of national security, defence and the international relations of the State. However, Section 1(4)(a) of the 1988 Act (which will not be repealed by the Bill as currently drafted) provides that it does not apply to personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State. This is a confusing inconsistency.
Amendments to Other Legislation:
Part 8 of the Bill currently sets out a short list of amendments to data protection related provisions in other pieces of legislation. This fails to mention a number of other amendments that will be required to be made in connection with the GDPR and Law Enforcement Data Protection Directive, which will need to be addressed in the final version of the Bill.
Interaction between the GDPR and FOI:
According to the Bill, the FOI Act 2014 already provides for an appropriate balance between the right of access to public records and data protection rights, such that personal data held by a FOI body may be released in response to a FOI request in compliance with the GDPR, provided that it adheres to the procedures set out in the FOI Act 2014. It is questionable whether this is the case, particularly bearing in mind how ‘personal information’ is defined in the FOI Act 2014.
Organisations that are or will be subject to Irish data protection law will need to familiarise themselves with the Bill but will also be eager for it to be further refined and enacted as soon as possible so that they have reasonable time to take its final provisions into account in their preparations.