The General Data Protection Regulation (GDPR) will come into effect on the 25 May 2018. It is aimed at harmonising the data protection framework across the EU. While the GDPR is an EU regulation and typically regulations do not require implementing legislation, complete harmonisation will not be achieved by the GDPR alone. In this regard, the GDPR gives Member States a margin of flexibility in certain areas permitting them to introduce their own local laws to give further effect to the GDPR's requirements and to provide for derogations.
In Ireland, the General Scheme of the Data Protection Bill 2017 (the General Scheme) was published by the Minister of State for Data Protection, Dara Murphy, and Tánaiste and Minister for Justice and Equality, Frances Fitzgerald on the 12 May 2017. The General Scheme sets out various heads proposed to be included in the Data Protection Bill, which when enacted will be the local Irish legislation designed to give effect to, and provide for derogations from the GDPR.
It is expected that when the Data Protection Bill is enacted, it will;
(i)give further effect to the GDPR;
(ii)transpose into Irish law, the provisions of the Law Enforcement Directive (2016/680), which sets out to protect personal data used by police and criminal justice authorities, including for the prevention, investigation or prosecution of crime; and
(iii) largely replace the current Irish data protection legislation, being the Data Protection Acts 1988 and 2003 (as amended) (DPA) . Head 5 of the General Scheme indicates that ongoing discussions are taking place to assess the extent to which certain provisions of the DPA may need to be retained.
Whilst the General Scheme may undergo changes before it eventually becomes the Data Protection Act 2017, provisions of the current draft which may be of particular interest to organisations include:
The Data Protection Commission (DPC)
The Office of the Data Protection Commissioner (ODPC) will transition into the DPC as the Irish supervisory authority for data protection. In anticipation of the increased workload of the DPC particularly resulting from the one-stop shop, up to three individual commissioners can be appointed to the DPC. Currently, there is just one ODPC commissioner, Helen Dixon.
Digital age of consent
The GDPR gives a level of discretion to each EU Member State in determining the age from which a child can access digital services without parental consent. Whilst Head 16 of the General Scheme does not yet specify an age, the Irish Government has, following public consultation, determined that thirteen shall be the age below which parental consent would be required for the lawful processing of a child's data.
Data protection officer (DPO)
The GDPR mandates the appointment of a DPO for certain organisations, namely (i) public authorities and bodies (except for courts acting in their judicial capacity) processing personal data, (ii) data controllers and processors whose core activities consist of processing operations which require systematic monitoring of data subjects on a large scale, and (iii) data controllers and processors whose core activities consist of large scale processing of special categories of data and personal data relating to criminal convictions and offences.
Member States are permitted by the GDPR to enact local legislation that would require controllers and/or processors to appoint a DPO in other cases. The General Scheme includes a power to enact Ministerial regulations so that other situations can be addressed in future. Head 21 of the General Scheme sets out the Minister’s considerations when making such Ministerial regulations, including: (i) the nature, scope, context and purposes of the processing, (ii) risks arising for the rights and freedoms of individuals, (iii) the likelihood and severity of such risks, and (iv) the costs of implementation.
Administrative fines on public authorities and bodies
Potential exposure to a €20 million / 4 % of total worldwide annual turnover fine is likely to be a significant motivator for organisations in ensuring they are GDPR ready. The GDPR, however, gives flexibility to Member States in imposing fines on infringing public authorities and bodies.
Head 23 of the General Scheme provides that fines may be imposed on public authorities or bodies only where they are acting as an "undertaking" (i.e. activities which are also performed by competing private bodies). As such, it seems that fines will not be imposed on public bodies that do not have competitors in the private sector. With some commentators arguing that this may discourage compliance and that fines on public authorities are generally cost neutral to the tax payer, the extent to which this Head may be amended remains to be seen.
Freedom of expression
The GDPR requires Member States to balance the right to protection of personal data with the right to freedom of expression and information.
Head 24 of the General Scheme creates certain exemptions from the GDPR where personal data is processed for journalistic, academic, artistic or literary expression purposes and compliance with the GDPR would be incompatible with those purpose (considering the importance of the right to freedom of expression and information in a democratic society).
Data subject complaints
The DPC will (to the extent that it considers appropriate) investigate (or cause to be investigated) the subject matter of a complaint made to it in relation to the processing of personal data which infringes the GDPR and/or new Irish Legislation when enacted. Any complaint subsequently withdrawn by the data subject may be investigated by the DPC as though the DPC had initiated the complaint itself. Where the DPC has doubts regarding the identity of a complainant (e.g. online complaints), it may require the provision of additional information.
Search warrants and investigative powers
In a change from the DPA, a District Court judge acting on the sworn evidence of an authorised officer of the DPC, who has reasonable grounds for suspecting that information required for the purpose of exercising his or her powers is held at any place, may issue a warrant authorising that officer to enter that place and exercise its investigative powers, including, securing, copying, inspecting, removing and/or retaining documents or records.
Appeals from decisions of the DPC
Appeals to the Courts by a data controller or processor against an Information or Enforcement Notice, or by a data subject against a legally binding decision of the DPC, must be brought within 28 days. Appeals will be heard in the Circuit Court or High Court depending on the monetary jurisdiction. The decision of the Circuit Court or High Court, as may be, will be final. However, a further right of appeal exists to the High Court from Circuit Court decisions and to the Court of Appeal from High Court decisions on points of law only.
Data controller / processor's report
In order to obtain information from a controller or processor, the DPC may, require the controller or processor to provide it with a report prepared by a "reviewer" of its own choice and approved by the DPC, or nominated by the DPC where the controller or processor fails to make such a nomination within the specified timeframe. In requiring such a report, the DPC will have regard to the knowledge, expertise and resources available to the controller or processor, the likely benefit, and whether exercising another of its powers may be more appropriate.
The costs of and incidental to the preparation of the report will be incurred by the controller or processor. It is an offence under the General Scheme (i) to obstruct or impede a reviewer in preparing a report, (ii) to give false or misleading information to a reviewer, and (iii) for a reviewer to prepare report which it knows to be false or misleading. Where such an offence is prosecuted summarily, a controller or processor will be punishable by up to €5,000 and/or a maximum 12 months‘ imprisonment. On indictment, the offence will punishable by a fine of up to €250,000 and/or a maximum 5 years’ imprisonment.
Disclosure of personal data obtained without authority
The General Scheme creates the offences of obtaining or gaining access to personal data without the prior authority of the controller or processor, and/or selling or offering to sell such personal data. Where such an offence is prosecuted summarily, a penalty of a fine of up to €5,000 and/or a maximum 12 months' imprisonment may be imposed. On indictment, such an offence will be punishable by a fine of up to €50,000 and/or a maximum 5 years' imprisonment.
Offences by directors
The General Scheme imposes personal liability for company officers. Where an offence is committed by a body corporate "with the consent or connivance of, or attributable to any neglect on the part of" a director, manager, secretary or other officer of a body corporate, that person, as well as the body corporate, will be guilty of an offence.
The General Scheme is currently at a very early stage of the legislative process and therefore it is expected that there will be changes to it before enactment.