Irish Data Protection Bill

February 2, 2018

The Data Protection Bill 2018 (the ‘Bill’) was published on 1 February
2018.  The Bill, which runs to 132 pages, broadly follows the General
Scheme of the Bill which was released in May 2017.  Here we highlight some
of the key points of interest.

  • Reform
    of the Office of the Data Protection Commissioner: 
    The Office of the Data
    Protection Commissioner will be restructured as the Data Protection
    Commission (the ‘Commission’).  The Commission will be headed by up
    to three Commissioners for Data Protection, who shall be appointed for
    terms of between four and five years.  The Minister for Justice will
    appoint one of the Commissioners to be the chairperson, who shall have the
    casting vote as regards decisions to be taken by the Commission in the
    event of a tied vote.
  • Age
    of Digital Consent: 
    The age of ‘digital consent’ has been set at
  • Exemptions
    for Public Authorities and Public Bodies:
     Under the Bill,
    administrative fines can only be levied against a public authority or a
    public body where it is acting as ’an undertaking’ within
    the meaning of the Competition Act 2002.
  • Representative
    80.2 of the GDPR, which enabled Member States to provide in legislation
    that not-for-profit bodies may lodge complaints with supervisory
    authorities and pursue judicial remedies independently of the mandate of a
    data subject, has not been specifically transposed into the Bill.
  • Offences
    Attributable to Company Officers: 
    Where an offence under the Bill is
    committed ’with the consent or connivance of, or to be
    attributable to any neglect on the part of’ 
    a director, manager,
    secretary or other officer of the body corporate in question, such a
    person will be liable to be proceeded against personally as if they ’were
    guilty of the first-mentioned offence’.
  • Exemption
    for Insurance Industry for Sensitive Personal Data: 
    The Bill contains an
    exemption when it comes to processing sensitive personal data for
    insurance and pension purposes (including where related to the mortgaging
    of property).
  • Circuit
    Court to Confirm Fines: 
    The Bill retains the mechanism proposed in the
    General Scheme whereby the Circuit Court will be used to ‘confirm
    the decision of the new Commission with regard to administrative fines

The Bill is still subject to change as it progresses through Seanad
Éireann and Dáil Éireann before becoming enacted as law.  However given
that the Bill must be enacted in time for both the 6 May 2018 deadline for the
Law Enforcement Directive as well as the coming into force of the GDPR on 25
May 2018, the scope for major alteration is limited. 

John Magee is a Partner in the Technology Department at William Fry,
based in Dublin

Alex Towers is a Solicitor at William Fry