The Data Protection Bill 2018 (the ‘Bill’) was published on 1 February
2018. The Bill, which runs to 132 pages, broadly follows the General
Scheme of the Bill which was released in May 2017. Here we highlight some
of the key points of interest.
- Reform
of the Office of the Data Protection Commissioner: The Office of the Data
Protection Commissioner will be restructured as the Data Protection
Commission (the ‘Commission’). The Commission will be headed by up
to three Commissioners for Data Protection, who shall be appointed for
terms of between four and five years. The Minister for Justice will
appoint one of the Commissioners to be the chairperson, who shall have the
casting vote as regards decisions to be taken by the Commission in the
event of a tied vote. - Age
of Digital Consent: The age of ‘digital consent’ has been set at
13. - Exemptions
for Public Authorities and Public Bodies: Under the Bill,
administrative fines can only be levied against a public authority or a
public body where it is acting as ’an undertaking’ within
the meaning of the Competition Act 2002. - Representative
Actions: Article
80.2 of the GDPR, which enabled Member States to provide in legislation
that not-for-profit bodies may lodge complaints with supervisory
authorities and pursue judicial remedies independently of the mandate of a
data subject, has not been specifically transposed into the Bill. - Offences
Attributable to Company Officers: Where an offence under the Bill is
committed ’with the consent or connivance of, or to be
attributable to any neglect on the part of’ a director, manager,
secretary or other officer of the body corporate in question, such a
person will be liable to be proceeded against personally as if they ’were
guilty of the first-mentioned offence’. - Exemption
for Insurance Industry for Sensitive Personal Data: The Bill contains an
exemption when it comes to processing sensitive personal data for
insurance and pension purposes (including where related to the mortgaging
of property). - Circuit
Court to Confirm Fines: The Bill retains the mechanism proposed in the
General Scheme whereby the Circuit Court will be used to ‘confirm’
the decision of the new Commission with regard to administrative fines
issued.
The Bill is still subject to change as it progresses through Seanad
Éireann and Dáil Éireann before becoming enacted as law. However given
that the Bill must be enacted in time for both the 6 May 2018 deadline for the
Law Enforcement Directive as well as the coming into force of the GDPR on 25
May 2018, the scope for major alteration is limited.
John Magee is a Partner in the Technology Department at William Fry,
based in Dublin
Alex Towers is a Solicitor at William Fry
