The eagerly awaited Data Protection Bill 2018 (Bill) was published on 1 February 2018. The Bill implements those instances where Member States are permitted some flexibility under the General Data Protection Regulation (GDPR) and contains many important provisions on the robust enforcement powers of the reformed Data Protection Commission. We examine the key enforcement provisions in the Bill.
The Commission – Scope and Powers
The Bill establishes a new supervisory authority, the Data Protection Commission, the “Commission”, which will replace the existing Data Protection Commissioner. The capacity of the Commission will be greatly increased with the possibility of appointing up to three Commissioners, one of whom will be the Chairperson.
Where the Commission decides to launch an inquiry as a result of a complaint or of its own volition, it will have a wide range of powers. These cover issuing warnings and reprimands right up to imposing a temporary or permanent ban on processing activities by a controller or processor.
On receipt of a complaint, the Commission may take a number of direct actions against a processor or a controller without conducting an “inquiry”, including issuing an enforcement notice to make good a data subject’s rights. There is, it seems, no requirement for the Commission to identify whether a complaint is vexatious or frivolous before rejecting it, which is required under current law.
The Bill empowers the Commission to provide a complainant with “advice” in respect to his/her complaint. This is a new power; however, it remains unclear whether it would extend to providing a complainant with advice on the pursuit of civil remedies against a controller/processor.
Powers of investigation
Similar to current law, the Bill contains provisions on issuing information and enforcement notices. However, the Bill’s provisions are more detailed and onerous. Interestingly, the power to serve an enforcement notice or an information notice lies with the Commission or an authorised officer. The granting of such powers to an authorised officer is certainly a new development and a departure from current law.
The Bill provides that authorised officers will have powers to obtain and seek access to documents and will have the power to oblige a person to answer questions under oath. Their powers of entry will not be automatic and, failing obtaining consent from the owner of the premises, a district court warrant is needed. Potentially high fines of €250,000 and significant prison sentences of up to 5 years await anyone who interferes with the work of authorised officers.
The Bill also introduces a new power for the Commission to seek a report from a controller or processor on any matter on which the Commission requires information. If the controller or processor nominates a “reviewer” to prepare this report, which the Commission does not approve of, then the Commission may appoint its own reviewer. The reviewer must be an objective individual and must have “sufficient detachment”. In practice, this could enable an over-burdened Commission to effectively outsource to third parties its review of companies.
Where a controller or processor refuses to produce, or grant access to, information on the grounds that the information contains privileged material, the Commission can apply to the High Court for a determination as to whether the information is in fact privileged.
In contrast to current law, the Bill indicates that it will be optional for the Commission, in dealing with complaints, to seek to achieve an amicable resolution. In particular, the Commission may facilitate amicable resolutions where it considers that there is a reasonable likelihood of success.
Fines and criminal convictions
Fines will be calculated in accordance with the guidance in the GDPR, including Article 83. Fines under €75,000 can be appealed to the Circuit Court, with larger fines appealable to the High Court. Appeals must be lodged within 28 days of notice of the decision and the Court may confirm, replace, or annul the decision. Once the Commission levies a fine, which is not challenged, the Commission must apply to the Circuit Court to have the fine confirmed.
While the GDPR does not impose any criminal sanctions it leaves it at the discretion of Member States to do so. The Bill provides for a limited range of criminal offences including:
- non-compliance with orders made by the Commission
- forced subject access requests
- disclosure of personal data obtained unlawfully; and
- unauthorised disclosure by a processor or an employee or an agent
As under current law, directors and other certain other corporate officers may be held personally liable where an offence was committed by the corporate body with their consent or connivance, or as a result of their neglect. These offences will be punishable by a fine of up to €50,000 and/or up to 5 years’ imprisonment.
Additionally, section 129 of the Bill permits the Commission, in exceptional circumstances, to apply to the High Court for specific orders against controllers or processors, including the immediate suspension, restriction or prohibition of processing of personal data.
Publication of penalties
The Bill requires the Commission to publish details of convictions and any exercise of its powers to impose fines. Interestingly, the Commission is empowered to decide whether to publish specifics of the exercise of its other corrective powers.
Importantly, reports produced after audits and investigations may also be published, if it is in the public interest to do so. However, this is subject to removing commercially sensitive information.
Due to the large number of top technology multinationals with Irish bases the Commission is likely to play a significant role in regulating their data processing activities throughout Europe. The enforcement regime introduced in the Bill has teeth, and the increased capacity of the Commission will likely lead to a stepping up of enforcement actions. This combination makes it all the more important for organisations based in Ireland to get ready for compliance with the GDPR.
Finally, the Bill is subject to change as it progresses through Parliament before becoming law. However, given that the Bill must be enacted in time for the coming into force of the GDPR on 25 May 2018, it is unlikely that there will be scope for any major changes.