The Government has published the Data Protection Bill 2018 which will sign into the law the new EU General Data Protection Regulation (GDPR). The GDPR, which will enter into force on the 25th May, has been enacted with the purpose of giving individuals greater control over their own data. Similarly the Data Protection Bill 2018 will hopefully modernise Ireland’s data protection laws.
Minister for Justice, Charlie Flanagan and Minister of State for Trade, Pat Breen, published the Bill on Friday 2nd February. Mr Flanagan commented that ‘the world has changed a great deal’ since the last EU Directive on Data Protection in 1995. He also stated that the GDPR would help to strengthen a citizen’s rights in a number of ways; it would improve their right to obtain access to personal data, their right to ask for incorrect personal data to be corrected, and their right to request that unlawfully processed data be erased. He also stressed that these new laws would not apply to data processed for purely personal reasons or for activities carried out in a person’s home.
Breen meanwhile emphasised that the new legislation would help provide support and advice to businesses. One such example of this would be through the new Data Protection Commission. This new Commission shall be composed of three people and will replace the old Office of the Data Protection Commissioner. It will also give them stronger supervision and enforcement powers for the state in the area of data protection. Breen also pointed out that Ireland was a front runner in Europe regarding data protection. Furthermore, he suggested that countries which were compliant with the GDPR would have a great advantage.
However, the new Data Protection Bill has been met with some criticism. One concern is over the fact that public bodies are not subject to fines under the new legislation. The Bill does allow for those who have been affected by data breaches to seek compensation in the Circuit Court, but this will only apply when private bodies have breached data. Government agencies shall be exempt unless they are in competition with a private organisation. The Data Protection Commissioner, Helen Dixon, last year stated that it was a matter of serious concern that public authorities were not fined under data protection laws. She said that ‘the purpose of the punitive fines under the new law is to act as a deterrent… and we see no basis upon which public authorities would be excluded’. A justice committee, in a report on the legislation last year, similarly recommended that public authorities should be subject to fines.
The Bill is currently being debated in the Seanad and will be signed into law on the 25th of May. As of the time of writing, it is yet to be seen whether the substance of the bill will change to address any concerns.
Daniel Forde – Law Editor