With thanks to friends at McCann Fitzgerald.
The Data Protection Act was signed into law by the President of Ireland on 23 May 2018 and generally brought into force on 25 May.
The Data Protection Act 2018 (the “Act”) covers both the GDPR and the Law Enforcement Directive.
The Data Protection Acts 1988 and 2003 (the “1988 and 2003 Acts”) are largely superseded. Under section 8 of the Act, the 1988 and 2003 Acts will continue to apply to (a) the processing of personal data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, and (b) the processing of personal data under certain forensic evidence and vehicle registration legislation.
The Act provides for certain exemptions from the data subject rights and related obligations provided for under the GDPR. Further exemptions may be specified by secondary legislation.
Where the Act provides that processing of personal data in certain contexts must be subject to “suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects”, section 36(1) of the Act provides a non-exhaustive list of such measures. Secondary legislation may be enacted for the purpose of (a) identifying additional suitable and specific measures which may be taken, or (b) specifying that measures referred to in section 36(1) of the Act are mandatory.
Areas where Member States must have local laws:
Under section 43(1) of the Act, the processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt from compliance with certain provisions of the GDPR where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with such provisions would be incompatible with such purposes.
The Data Protection Commission may refer any question of law which involves consideration of whether processing of personal data is exempt under section 43(1) to the High Court for its determination.
Under the Act:
Areas where Member States may have local laws:
Section 168 of the Act allows for disclosures by the Central Bank of Ireland to the Data Protection Commission.
Under section 42 of the Act, personal data may be processed for (a) archiving purposes in the public interest; (b) scientific or historical research purposes; or (c) statistical purposes, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects.
Under section 46 of the Act, subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.
Under section 31 of the Act, the age at which a child may consent on their own behalf to processing in relation to information society services is 16 years of age. Within three years of the Act coming in to operation, the Minister for Justice and Equality must commence a review of the age of digital consent.
Under Part 3 of the Data Protection Act 2018, the processing of special categories of personal data is lawful in certain limited circumstances:
Under section 24 of the Act, the Minister for Justice and Equality may enact secondary legislation which specifies categories of controller for whom the appointment of a Data Protection Officer will be mandatory.