This first article considers what the Irish Government intends to do to implement the General Data Protection Regulation (GDPR). The GDPR will be directly effective from 25 May 2018 without any need for further legislation. However, Member States have discretion on certain derogations and other limited areas. The Department of Justice and Equality published the General Scheme of Data Protection Bill 2017 in May. It is still in the preliminary stages of the legislative process and is subject to change before enactment.
What are the headline issues?
- Fines without convictions. Organisations will be fined without having to first be convicted of a criminal offence, as is currently the case. The fines will be imposed by the Data Protection Commission rather than the Courts, although data controllers will be entitled to appeal fines to the Circuit Court or High Court (depending on the level of the fine). Many EU directives presume that regulators can impose administrative fines and other sanctions, but most Irish regulators do not have this power and more often than not it is only the courts who have the power to impose fines following a criminal conviction.
- No fines for public bodies? The General Scheme avails of the derogation allowed in the GDPR by stating that fines will only be imposed on public authorities and bodies acting as "undertakings". The explanatory note which accompanies the General Scheme says that this approach stems from concerns that fully exempting public bodies from administrative fines would result in a distortion of the market. It dodges the obvious question of why exempt public bodies at all, particularly given that the Data Protection Commissioner regularly identifies public bodies as among the worst offenders when it comes to data protection. The Data Protection Commissioner has already spoken of her 'serious concerns' in this regard, saying her office saw "no basis on which public bodies or authorities would be excluded, particularly given that arguably higher standards in the protecting of fundamental rights are demanded of those entities."
- More resources for the regulator. The Data Protection Commissioner will become the Data Protection Commission and there will be three commissioners rather than one. It's not too long ago that the Office of the Data Protection Commissioner, the regulator of multi-billion euro companies based in Ireland, was based above a convenience store in Portarlington.
- 13 as the digital age of consent. Under the GDPR, Member States have discretion to provide for a digital age of consent anywhere between 13 and 16. If a child is under the digital age of consent, data processing will only be lawful to the extent that consent is given by the child's parent or guardian. Last week, the Government agreed this age should be 13.
The Bill which ultimately emerges from the General Scheme will deal with derogations allowed under the GDPR and other limited areas, but there is a long way to go before we can say anything concrete in relation to many of those issues.