In Part 1 and Part 2 of our series on the recently released General Scheme to the Data Protection Bill 2017, we examined how the current Office is to be restructured as an enhanced Data Protection Commission, with up to three commissioners, before the General Data Protection Regulation (GDPR) takes effect next year. The General Scheme also contains a proposal under which the Circuit Court would confirm any fines imposed by the new Commission.
Head 80 of the General Scheme states that where a controller or processor is fined and does not appeal a decision to the Data Protection Commission, then the Commission will apply to the Circuit Court for confirmation of the fine. The Head goes on to state that the Circuit Court must then confirm the fine unless there is “good reason not to do so”. Although there is no indication of how “good” a reason must be for the Court not to confirm a fine, the language used in Head 80 is similar to section 76(3) of the Medical Practitioners Act 2007, which in turn is to be interpreted in the light of the judgment in The Medical Council v MAGA (2016), which states a decision should be taken “in line with procedural rules and constitutional justice”.
The language used in the General Scheme also echoes that of Section 71 of the Property Services (Regulation) Act 2011, which grants the High Court jurisdiction to oversee sanctions imposed on licensed providers of property services. It is likely that the legislative intention behind including a similar provision in the draft Data Protection Act 2017 could be an attempt to reduce the potential for appeals of an administrative body “acting judicially” as discussed in In re Solicitors Act 1954 IR 239.
Tellingly the explanatory note to Head 80 acknowledges the need for greater detail regarding the proposed process and notes in particular “it may be useful to explain this further” as the current draft “gives no indication of the Court’s role.”
The General Scheme is currently being scrutinised and there are likely to be considerable changes before the law’s enactment. Regardless of whatever form the law takes, it is already clear that Irish legislators are seeking to structure the new Data Protection Commission so that fines and decisions can withstand both “the likely court challenges” and “anticipated workload arising from the GDPR” that the General Scheme predicts.
This is the third article in a series on the General Scheme for the Data Protection Bill 2017.
For further information, visit William Fry’s dedicated website to the GDPR, PrivacySource, which includes in-depth analysis and practical tips on preparing for the GDPR.
Contributed by: David Cullen