As published in the September 2017 issue of the Public Sector Magazine.

Steve Cummins talks to Anne Bateman, a partner with commercial law firm Philip Lee, about the important evolution in data protection obligations.

If you had told the people of Clonee, Co Meath or Athenry, Co Galway, a decade ago that future job growth in the local economy would be driven by the data industry; that information, collected, stored and processed on each of us would mean jobs in those towns and villages, you may have been given a funny look.

Yet, last year, Facebook turned the sod on a €200m data centre at Clonee that will reportedly bring 2,000 construction jobs. In Athenry, Apple have plans, pending a court decision, for a long-delayed €850m data centre. Both are examples of how the data industry has grown to the extent that it is impacting on the landscape of Ireland, far outside Dublin’s Silicon Docks.

Those centres are also examples of the growing awareness of data storage and data protection. Data is now a powerful commodity used to drive business and influence policy. This has given rise to debate around privacy and the protection of personal data being collected and held by organisations in both the public and private sector.

Anne Bateman, a partner with commercial law firm Philip Lee, says that awareness of data protection obligations is only going to heighten.

What’s interesting about Ireland is that we’ve had data protection legislation since 1988,” Ms Bateman says. “The EU didn’t get around to enacting a directive to do with data protection until 1995, seven years later. But I think the awareness of it has really only come to the fore in the last five to ten years and I think that’s because of developments in technology and how prevalent the use of everybody’s information as a commodity has become, and how easy it is to collect people’s information electronically.

Like everything digitally, there has been rapid change in data protection with three key recent developments. They include the opening of a new office for our Data Protection Commission; Privacy Shield, a new framework for the transfer of personal data between the EU and the US; and, importantly, the EU General Data Protection Regulation (GDPR), which will see a single data protection law for the EU become legally effective on the 25th May 2018.

Ms Bateman calls the GDPR, which was enacted in May 2016, two years before it becomes enforceable, an “evolution not a revolution”. Although the regulation is broadly similar to what is currently enforced here, she says it is important for bodies not to understate the “enhanced compliance” and tougher sanctions it will bring.

What’s really significant about the GDPR is the emphasis that it puts on the consequences for breaching the rules. There’s a much more stringent enforcement and sanctions regime. It could culminate ultimately in a fine in an organisation of up to €20m or 4% of the organisation’s annual worldwide turnover if they breach the rules either negligently or intentionally,” she says. “That’s the extreme of the sanctions, and there’s a menu of other sanctions involved, but my experience is that this is the thing that has made organisations sit up and pay attention to data protection rules.”

Ms Bateman says that across the board the GDPR will demand greater transparency and will require organisations to closely examine the legal basis that they rely on for the processing and collection of personal information.

“Data protection by design and data protection by default are concepts that are going to be introduced by the GDPR,” Ms Bateman says.

“Under GDPR, there is a greater focus on organisations being very transparent about what they’re doing with people’s information, both in the public sector and the private sector. From a public sector point of view I think that’s significant because public sector organisations, where they were traditionally relying on legislation to justify their collection and processing of people’s information, that legal basis will still exist for them, but it doesn’t take away from the fact they’re going to have to be extremely transparent with people about what they’re doing with their information. So, I think that’s quite important because the more transparency an individual has, the better they’re able to understand what’s going on with the information.”

She adds that under the GDPR, public bodies “aren’t going to be able to rely on the ‘legitimate interests’ basis of processing any more” when it comes to data.

That basis is going to be removed from public bodies under the GDPR,” Ms Bateman says. “So, they are going to have to be able to point to a piece of legislation that requires them to process personal data, if it’s data that belongs to a member of the public. One of the things that then requires attention is that public bodies look at the legislative provisions that they’re using at the moment to justify processing information and be satisfied that those legislative provisions are going to be consistent with the GDPR, and are now going to enable them to continue to do that processing once the GDPR comes into effect.”

There is also a greater emphasis on data minimization and data retention. This, Ms Bateman says, is not only a requirement that organisations “collect and process only the minimum information that is required in order to fulfil the purpose behind their processing”, but also that they look at the lifespan of that data and whether they still need to hold onto it years after they initially collected it.

With such changes coming from the EU, it’s no surprise that the office of our Data Protection Commission (DPC) has expanded with the opening of new offices in Dublin, as well as an increase in staff numbers (29 to 50) and budgets (€1.8m to €3.6m). There is also proposal under our new Data Protection Bill to increase the membership of the Commission from one Commissioner to up to three Commissioners.

“These are very welcome developments and necessary ones because I think the DPC’s workload is only going to expand under the GDPR, particularly with the amount of tech companies who are heavy on data processing and who have their EMEA headquarters in Ireland,” says Ms Bateman.

She agrees the expansion could be seen as evidence of the increased importance at Government level of data protection, pointing also to “a lot of really good work” done by Dara Murphy, the former Minister of State for European Affairs, EU Digital Single Market and Data Protection.

“As Minister he established a data protection forum with the key stakeholders from the IT industry, business, the public sector, data protection experts and he used it as the basis to discuss the issues the Government needs to tackle in terms of GDPR implementation and how the data protection rules need to operate in the markets,” she says.

Mr Murphy’s office was also one of the key drivers of last June’s successful Data Summit at the Convention Centre Dublin Data protection now falls under the remit of Pat Breen, the newly created Minister of State with special responsibility for Trade, Employment, Business, EU Digital Single Market and Data Protection.

Privacy Shield, which facilitates the transfer of personal information to the US from Europe, is the final major recent development around data protection. It replaces the previous Safe Harbour agreement and is particularly important for tech companies here who are transferring large amounts of data to the US. The validity of Privacy Shield as a transfer mechanism is itself under scrutiny. The concern around the legitimacy of transferring data to the US and other non-EU based locations, as well as questions around how safe the data is in those locations, in part led to the data storage facilities in Meath and Galway.

“It has actually given rise to more companies looking at keeping their data storage within the EU,” says Ms Bateman. “Ireland is becoming a much more popular location for data centres. There have been quite a few planning decisions lately granting permission for the building of data centres. That’s probably because of this uncertainty about data transfers, and that’s probably a good thing for Ireland.”

The GDPR should now be on the minds of all organisations here, Ms Bateman says. “If there are bodies in the public sector that haven’t started preparing for the GDPR by now, they certainly need to do so,” she warns. “There is a lot of additional paperwork that needs to be put in place in terms of policies and documented procedures. While, as I said, the GDPR is an evolution and not a revolution, its impact on organisations should not be understated.”