With thanks to friends at McCann Fitzgerald.
|Stage of legislative progress
|Eg. pre-consultation, in consultation
The Data Protection Act was signed into law by the President of Ireland on 23 May 2018 and generally brought into force on 25 May.
|Approach to implementation
|Eg. amendments to existing law, total repeal of old laws
The Data Protection Act 2018 (the “Act”) covers both the GDPR and the Law Enforcement Directive.
The Data Protection Acts 1988 and 2003 (the “1988 and 2003 Acts”) are largely superseded. Under section 8 of the Act, the 1988 and 2003 Acts will continue to apply to (a) the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, and (b) the processing of personal data under certain forensic evidence and vehicle registration legislation.
The Act provides for certain exemptions from the data subject rights and related obligations provided for under the GDPR. Further exemptions may be specified by secondary legislation.
Where the Act provides that processing of personal data in certain contexts must be subject to “suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects”, section 36(1) of the Act provides a non-exhaustive list of such measures. Secondary legislation may be enacted for the purpose of (a) identifying additional suitable and specific measures which may be taken, or (b) specifying that measures referred to in section 36(1) of the Act are mandatory.
|Timescale for implementation
|Eg. pre-consultation, in consultation
Areas where Member States must have local laws:
|Personal data and freedom of expression
Under section 43(1) of the Act, the processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt from compliance with certain provisions of the GDPR where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with such provisions would be incompatible with such purposes.
The Data Protection Commission may refer any question of law which involves consideration of whether processing of personal data is exempt under section 43(1) to the High Court for its determination.
Under the Act:
- the maximum administrative fine for breach of the GDPR by public authorities and public bodies is €1,000,000 (rather than the generally applicable maximum of €20,000,000 or 4% of annual worldwide turnover) (section 141);
- appeals of administrative fines imposed by the Data Protection Commission are subject to a time limit of 28 days from receipt of notice of the decision (section 142);
- the Data Protection Commission is required to make a summary application for any administrative fine imposed by it to be confirmed by the Circuit Court (section 143).
Areas where Member States may have local laws:
Section 168 of the Act allows for disclosures by the Central Bank of Ireland to the Data Protection Commission.
|Scientific, historical or statistical purposes
Under section 42 of the Act, personal data may be processed for (a) archiving purposes in the public interest; (b) scientific or historical research purposes; or (c) statistical purposes, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects.
Under section 46 of the Act, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.
|Personal data of deceased persons
Under section 31 of the Act, the age at which a child may consent on their own behalf to processing in relation to information society services is 16 years of age. Within three years of the Act coming in to operation, the Minister for Justice and Equality must commence a review of the age of digital consent.
|Special rules for special categories of data
Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
- for purposes of employment and social welfare law;
- for purposes of legal advice and legal proceedings;
- for electoral activities and functions of the Referendum Commission;
- for purposes of administration of justice and performance of functions;
- for insurance and pension purposes;
- for reasons of substantial public interest;
- for purposes of Article 9(2)(h) of the GDPR;
- for purposes of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
|Genetic, biometric or health data
|Designation of a Data Protection Officer
Under section 24 of the Act, the Minister for Justice and Equality may enact secondary legislation which specifies categories of controller for whom the appointment of a Data Protection Officer will be mandatory.
|National identification numbers/any other identifier of general application
Under the Act, the Data Protection Commission is replaced with a new legal entity known as the Data Protection Commission.
|Any other areas under discussion
The Act provides for a new action, to be known as a ‘data protection action’, whereby an individual may bring a claim for infringement of their rights under the GDPR or the Act and seek an injunction or declaration, or compensation for damage suffered.
There is a proposed new criminal offence relating to direct marketing, profiling or micro-targeting children, which is in the Act but has not been brought into force as it is under consideration by the Irish government.