The Government has published the eagerly awaited Data Protection Bill 2018 to give effect to the GDPR (2016/679) and to provide, in the limited areas permitted, for national derogations. The Bill repeals the Data Protection Acts 1988 and 2003 (the Acts), except for those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State. It also provides for similar restrictions on individuals’ rights to those which currently exist under section 5 of the Acts, such as in regard to data processed for the prevention, detection, investigation and prosecution of criminal offences; or for the exercise or defence of legal claims.
The GDPR does not impose any criminal sanctions on controllers or processors for contravening its provisions, but leaves it to Member States to do so, and the Bill provides for a number of offences. Unsurprisingly, the Bill proposes that enforced access requests; unauthorised disclosure of personal data by a processor or by an employee or agent of the processor; and disclosure of personal data obtained without authority will continue to constitute offences post-May 2018 . These offences will be punishable by a fine of up to €50,000 and/or up to 5 years’ imprisonment. The Bill also proposes the continuation of personal criminal liability for directors, managers, secretaries, or other officers of a company, for offences committed by a company, which are proved to have been committed with the consent or connivance of, or to be attributable to any neglect of such persons.
One of the surprising provisions in the Bill, is that enabling a data subject to mandate a not-for-profit organisations to lodge a complaint with the Data Protection Authority (to be renamed the ‘Data Protection Commission’), or to bring a judicial action, on his or her behalf in regard to damage suffered as a result of a controller or processor infringing the GDPR. However, the Bill does not allow the court in such a representative action to award compensation for any material or non-material damage suffered by the relevant data subject, rather the court can only grant relief by way of an injunction or declaration. It remains to be seen whether this means not-for-profit bodies will be able to take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law. There does, however, appear to be an appetite to permit class actions here, as demonstrated by the recently published Private Members’ Multi-Party Actions Bill 2017, and it is likely that the introduction of the right to representative data protection actions will increase the risk of group privacy claims against businesses under the GDPR.
The Bill also contains a new lawful processing ground, specifically permitting health data to be processed for insurance and pension purposes, where necessary for a policy of insurance or life assurance; a policy of health insurance or health-related insurance; an occupational pension; a retirement annuity contract or other pension arrangement, or the mortgaging of property. The GDPR leaves it to Member States to provide for the circumstances when personal data relating to criminal convictions and offences may be lawfully processed, and the Bill sets out specific circumstances where such processing is permitted.