Dáil debates

Wednesday, 18 April 2018

Data Protection Bill 2018 [Seanad]: Second Stage (Resumed)

 

7:00 pm

Peter Fitzpatrick (Louth, Fine Gael)

The Data Protection Bill 2018 proposes to give further effect to the general data protection regulation, GDPR, and to transpose the 2016 directive on data protection in regard to law enforcement functions. It will enter into force across the European Union on 25 May 2018. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, is also required to be transposed into national law by May 2018.

Both the GDPR and directive provide significant reforms to current data protection rules based on the EU's 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and data subjects, and impose more detailed obligations on bodies in the public and private sectors that process personal data, controllers and processors. They also increase the range of possible sanctions for infringements of these standards and obligations.

The Bill comprises 162 sections and three Schedules, with multiple cross-references to the GDPR and directives. The GDPR creates a harmonised system of data protection rules that will apply across the EU. It also applies to EU residents' personal data that is transferred or processed outside the EU and to businesses that offer goods or services to EU residents.

The GDPR introduces and updates extensive rights for data subjects, including the right to be forgotten, which requires data controllers and processors to erase data that are inaccurate, obsolete, improperly held, or to whose processing the data subject no longer consents.

The regulation also deals with the consent of children and allows member states to legislate for a digital age of consent below which parental approval is required for offering "information society services" to a child. The Bill provides for a minimum age of 13 years.

The GDPR requires member states to appoint a supervisory authority to oversee the implementation of data protection rules under the GDPR. Part 2 of the Bill provides for a new data protection commission, comprising up to three commissioners. It transfers to the new commissioner the personnel and responsibilities of the current Data Protection Commissioner under the Data Protection Act 1988.

As an EU regulation, the GDPR is directly applicable, meaning that its provisions take effect in member states without the need for transposition. However, many of its provisions oblige member states to adopt legislation — for example, in regard to the operation of the official bodies — or to adopt provisions of the GDPR in their legal systems.

The GDPR allows member states a margin of appreciation in how or whether they adopt some of its provisions. The Bill therefore contains provisions regulating the exercise of certain rights in regard to processing or setting restrictions on them in defined circumstances. It also provides for ministerial regulations to govern data processing of particular types, such as archiving for historical, scientific or statistical purposes, or where data are to be transferred outside the states in which the GDPR applies, namely, the member states of the EU, Iceland, Norway and Liechtenstein.

The Bill makes provision for the enforcement of the GDPR by means of complaints to the new data protection commissioner, investigations, information and enforcement notices, court action and a new feature under the regulator, administrative fines. The data protection commissioner may impose administrative fines on controllers or processors that infringe the GDPR up to a maximum of 4% of worldwide turnover, or €20 million, whichever is higher.

The directive deals with data protection for the purpose of law enforcement, including police, prosecution and prison functions. Directives must be transposed into member states' law. Therefore, Part 5 of the Bill enacts the directive's provisions. In doing so, Part 5 provides for data protection in terms broadly similar to those of the GDPR but with adaptations appropriate to law enforcement purposes. It provides for rights of data subjects to information about the processing of their personal data, to complain to the data protection commissioner about breaches and to see remedies in court through the commission. Neither the GDPR nor the directive applies to the courts or judges when acting in their judicial capacity. Nevertheless, the Bill addresses the issue of data protection in the courts by providing for a judge to be nominated by the Chief Justice, who is to act as a regulatory authority for judges. The judge is to promote data protection and awareness of the rights under the GDPR and will handle related complaints.

The Bill does not repeal the Data Protection Act 1988. Instead, it restricts its application to areas in which the EU does not have competence, such as defence and national security, and repeals provisions of the legislation that are not relevant to these areas.

The GDPR retains many of the key components of existing data protection law, including the data protection principles that underlie the rights of data subjects and the responsibility of data controllers.

The principal changes introduced by the GDPR include: a uniform data protection regime in all member states; increased territorial scope; the establishment of a European data protection board; transfers and processing of personal data outside the EU; a risk-based approach whereby data processors are responsible for assessing the potential effect of their operations and planning suitable protection accordingly; strengthened provisions on consent; provisions dealing specifically with children; rights to access and data portability; the right to be forgotten; privacy by design; supervisory arrangements; compliance procedures; breach notifications; and penalties and compensation.
