With thanks to friends at McCann Fitzgerald.
|Stage of legislative progress
|Eg. pre-consultation, in consultation
General Scheme of the Data Protection Bill published on 12 May 2017. Draft legislation to be published in Autumn 2017.
|Approach to implementation
|Eg. amendments to existing law, total repeal of old laws
Data Protection Bill to cover GDPR and the Law Enforcement Directive.
Data Protection Acts 1988 and 2003 (the “DPA”) to be largely superseded. It has yet to be decided whether certain parts of the DPA will be retained, or whether they will be repealed and replaced in their entirety by the Data Protection Bill.
Exemptions from GDPR to be contained in the Data Protection Bill and in secondary legislation to be adopted under the Data Protection Bill. No details are provided as to what exemptions are likely to be made via such secondary legislation.
|Timescale for implementation
|Eg. pre-consultation, in consultation
Data Protection Bill to be published in Autumn 2017.
Areas where Member States must have local laws:
|Personal data and freedom of expression
The General Scheme envisages that the Data Protection Bill will contain an exemption from many of the rights and obligations provided for under GDPR for data processed for journalistic purposes or academic, artistic or literary expression where compliance with such provisions would be ‘incompatible’ with such purposes. It is envisaged that there would be a mechanism for the Data Protection Commission to refer questions regarding the application of this exemption to the Irish High Court for determination.
The General Scheme envisages that :
• public authorities and public bodies will generally be exempt from administrative fines, except where they are acting as ‘undertakings’
• the Data Protection Commission may convene oral hearings before large administrative fines will be imposed
• appeals of administrative fines imposed by the Data Protection Commission will be subject to a time limit of 30 days from receipt of notice of the decision;
• the Data Protection Commission will be required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court.
Areas where Member States may have local laws:
The General Scheme envisages specific rules to facilitate disclosures by the Central Bank of Ireland to the Data Protection Commission.
|Scientific, historical or statistical purposes
The General Scheme envisages an exemption from specified rights provided for under GDPR for data processed for scientific or historical research purposes or statistical purposes, subject to certain conditions.
The General Scheme refers to the possibility of specific rules in the employment context but contains no detail as to what, if any, specific rules may be adopted.
|Personal data of deceased persons
The definition of personal data in the General Scheme refers only to information relating to an identified or identifiable “living” individual.
The Data Protection Bill will specify a ‘digital age of consent’. A consultation process on appropriate age of consent has been completed and the results of the consultation, which recommended that the digital age of consent should be 13, have been submitted to the Government.
The General Scheme envisages the making of secondary legislation permitting the processing of special categories of data where “necessary for reasons of substantial public interest”.
|Special rules for special categories of data
|Genetic, biometric or health data
The General Scheme envisages that the processing of biometric data for identification and security purposes will be permitted, subject to appropriate safeguards.
|Designation of a Data Protection Officer
The General Scheme envisages that the Minister for Justice and Equality will have the power to specify categories of controller for whom the appointment of a Data Protection Officer will be mandatory.
|National identification numbers/any other identifier of general application
Not mentioned in the General Scheme.
The Data Protection Commissioner is to be replaced with a new legal entity to be known as the Data Protection Commission.
|Any other areas under discussion