The General Scheme of the Data Protection Bill 2017 was published last Friday and we have prepared a summary of its main provisions here.
The drafting of the Bill is a complex task. There is a need to repeal the provisions of the Data Protection Acts 1988 and 2003 that are replaced by the directly effective provisions of the GDPR, to transpose the Law Enforcement Directive (2016/680) and at the same time to give effect to provisions of the GDPR that require national implementing measures.
Although not stated definitively, it appears that consideration is being given to having a full repeal of the Data Protection Acts 1988 and 2003 with the new Act to be a consolidating measure. That would be a welcome development.
The stand out proposals of general interest in the Bill include:
- Confirmation that only public authorities who compete with the private sector will be susceptible to administrative fines.
- The proposal that additional due process in the form of an oral hearing or a written “right of reply” will be available under the new administrative sanctions procedure.
- A new power of the DPC to direct that a controller/processer engage an independent reviewer to prepare a written report on any matter specified by the DPC with the cost of the report to be borne by the data controller/processor. This is an entirely new investigative mechanism that has been designed to deal with “large scale cases”.