In the recently released General Scheme to the Data Protection Bill 2017, it was confirmed that the Data Protection Acts 1988 and 2003 will be largely superseded due to the General Data Protection Regulation ("GDPR"). "Work is ongoing" to determine the extent to which provisions can be retained in a new Irish law. As part of this overhaul, there are plans to restructure the Office of the Data Protection Commissioner ("ODCP") into a new 'Data Protection Commission' that would have the same duties as its predecessor but with enhanced means to ensure the new data protection rules of the GDPR are adhered to by organisations regulated in Ireland.
Previously in Part 1 of our series on the General Scheme, we examined how the likelihood of "resource intensive" cases means Ireland could have up to three Data Protection Commissioners. There is also a proposal in the General Scheme that the internal structure of the current ODCP should be reorganised in order to ensure that the anticipated "large administrative fines" can "withstand likely court challenges". The General Scheme states that while the procedural safeguards and due process standards currently being used by the ODCP need to be maintained, in light of the enhanced responsibility the GDPR will bring, the new Commission will need to be structured in a fundamentally different way than its predecessor.
The General Scheme proposes separating the investigative and adjudicative personnel into distinct departments. It is thought that this separation will allow the Commission to manage the caseload that is expected due to the high number of large data-processing organisations based in Ireland, while also providing an internal structure that is more robust, being mindful of potential judicial review actions.
This proposal is interesting for two reasons. First, it illustrates that Irish legislators expect that GDPR will lead to an increased number of both data protection complaints and ensuing audits, which will in turn result in large punitive fines. Second, as more fines will inevitably result in more court challenges, legislators are seeking to structure the new Commission to be as legally resilient as possible.
For organisations, this proposed restructure shows a clear legislative intention to pursue what, under GDPR, could be very sizable administrative fines for data protection infringements. It may also well be that there will be nowhere to hide, as businesses should expect that it will prove difficult to overturn such fines in Irish courts.
The General Scheme will undergo pre-legislative scrutiny and cabinet approval before it is sent to the Oireachtas for consideration, meaning there could be considerable changes to the restructuring proposal before the law's enactment. However, what is clear at this early stage is that there will be an amplification of the ODCP's resources as the GDPR comes into effect, to ensure that the Irish Regulator will be well able to handle its increased responsibilities.