The Data Protection Bill 2018 (the “Bill”) was published on 1 February 2018. The Bill, which runs to 132 pages, broadly follows the General Scheme of the Bill which was released in May 2017. Here we highlight some of the key points of interest.
- Reform of the Office of the Data Protection Commissioner: The Office of the Data Protection Commissioner will be restructured as the Data Protection Commission (the “Commission”). The Commission will be headed by up to three Commissioners for Data Protection, who shall be appointed for terms of between four and five years. The Minister for Justice will appoint one of the Commissioners to be the chairperson, who shall have the casting vote as regards decisions to be taken by the Commission in the event of a tied vote.
- Age of Digital Consent: The age of ‘digital consent’ has been set at 13.
- Exemptions for Public Authorities and Public Bodies: Under the Bill, administrative fines can only be levied against a public authority or a public body where it is acting as “an undertaking” within the meaning of the Competition Act 2002.
- Representative Actions: Article 80.2 of the GDPR, which enabled Member States to provide in legislation that not-for-profit bodies may lodge complaints with supervisory authorities and pursue judicial remedies independently of the mandate of a data subject, has not been specifically transposed into the Bill.
- Offences Attributable to Company Officers: Where an offence under the Bill is committed “with the consent or connivance of, or to be attributable to any neglect on the part of” a director, manager, secretary or other officer of the body corporate in question, such a person will be liable to be proceeded against personally as if they “were guilty of the first-mentioned offence”.
- Exemption for Insurance Industry for Sensitive Personal Data: The Bill contains an exemption when it comes to processing sensitive personal data for insurance and pension purposes (including where related to the mortgaging of property).
- Circuit Court to Confirm Fines: The Bill retains the mechanism proposed in the General Scheme whereby the Circuit Court will be used to “confirm” the decision of the new Commission with regard to administrative fines issued.
The Bill is still subject to change as it progresses through Seanad Éireann and Dáil Éireann before becoming enacted as law. However given that the Bill must be enacted in time for both the 6 May 2018 deadline for the Law Enforcement Directive as well as the coming into force of the GDPR on 25 May 2018, the scope for major alteration is limited.
For further information on the incoming GDPR and detailed guidelines on GDPR Readiness, register for PrivacySource, William Fry’s dedicated GDPR website.
Contributed by: Alex Towers and John Magee