Ireland looks to strengthen data protection regime to supplement the GDPR

Out-Law News | 06 Feb 2018 | 12:24 pm | 3 min. read

New data protection offences are to be introduced in Ireland under broader plans to update the way in which personal data is protected in the country.

A new Data Protection Bill (132-page / 1MB PDF) was introduced before Ireland's parliament last week. The Bill is designed to supplement the EU's General Data Protection Regulation (GDPR) and would repeal the majority of existing data protection laws that apply in Ireland, which are set out in Acts that have been in force since 1988 and 2003. The Irish Senate is expected to debate the new Bill over the coming weeks.

Technology law expert Dermot McGirr of Pinsent Masons, the law firm behind Out-Law.com, said the Bill "represents a significant strengthening of the protection of personal data under Irish law and an unprecedented conferral of enforcement powers" on the country's data protection commissioner.

Under the proposals, a series of new criminal offences would be introduced for breaches of data protection law.

According to the Bill, it would be an offence for a data processor to knowingly or recklessly engage in unauthorised disclosure of personal data where they do not have prior authority from the data controller for such disclosure. A further offence could arise where there is disclosure or sale of personal data obtained without the prior authority of the data controller or processor.

Businesses recruiting new staff that require job applicants to file data subject access requests with former employers would also be at risk of being found to have committed an offence, under the proposals.

Organisations and individuals convicted of committing those offences could be hit with a fine of up to €50,000 or a maximum term of five years imprisonment.

Stiff financial penalties for those that breach the GDPR are provided for under the terms of the Regulation. Under the GDPR, organisations face fines of up to €20 million, or 4% of their annual global turnover, whichever is the highest, for the most serious of offences. However, the Regulation requires in some circumstances, and gives each EU member state a degree of freedom in others, to set their own rules to supplement the GDPR, including in relation to enforcement and sanctions.

The Irish government, in its new Bill, confirmed that public sector bodies in Ireland would be exempt from fines where they are responsible for breaching the new rules.

Further changes to rules regarding civil actions that can be brought against those that breach data protection laws are also outlined in the Bill.

Under those proposals, non-for-profit bodies, organisations or associations would be eligible to raise data protection actions on behalf of data subjects. However, the remedies available in such cases would be restricted to court injunctions that prohibit a continuation of non-compliant processing and a declaration that there has been a breach of the law. Damages could not be awarded in those cases.

In addition, the Bill would hand the Irish data protection commission the power to apply to the High Court for an order suspending, restricting or prohibiting the processing of the data or its transfer outside of the EEA where it considers that there is an urgent need to act in order to protect the rights and freedoms of data subject.

New rules relating to the digital age of consent to the processing of personal data are also contained in the new Bill. Under the proposals, online platforms would be prohibited from processing the data of children under the age of 13 on the basis of consent. The age of consent would not apply to any preventative or counselling services, however.

Insurers and pension providers look set to benefit from planned changes to the way health data can be processed. Under the draft plans, health data would be able to be lawfully processed for insurance and pension purposes.

A further change proposed in the Bill would enable public sector bodies in Ireland to disclose personal data in response to freedom of information (FOI) requests in a way which is lawful under the data protection regime.

Provisions contained in existing data protection laws in Ireland that concern the processing of personal data for the purposes of national security, defence and the international relations of the State will continue to apply under the proposed new framework.

Provisions set out in the Data Protection Act 1988 will also continue to apply to complaints made, investigations initiated and suspected contraventions that occur before the new Bill takes effect.

The European Commission recently told EU member states to "speed up" their adoption of new data protection laws to supplement the forthcoming General Data Protection Regulation (GDPR). At the time of its comments in late January, just two countries had adopted "the relevant national legislation". One of those countries is Germany, and the other is Austria.

In the UK, a new Data Protection Bill has been proposed to implement and complement the GDPR. The Bill is currently before parliament.