GDPR With an Irish Flavour – The Irish Data Protection Act 2018

05.09.2018

Ireland's Data Protection Act 2018 (the "DPA"), which implements elements of the European Union's General Data Protection Regulation (the "GDPR"), was formally passed in the nick of time on 24 May 2018. Together, the DPA and the GDPR will have a significant impact on the operations of those working in the cloud in or through Ireland. Here we outline and clarify some of the key aspects of the DPA.

Reference to the Data Protection Acts 1988 and 2003: The DPA did not entirely repeal existing Irish Data Protection legislation. Therefore there are still references to the Acts from 1988 and 2003 and current Data Protection legislation is cited as the "Data Protection Acts 1988 to 2018".

The Reformed Data Protection Commission:

As a result of Ireland's importance in the cloud, technology and data sectors, the Office of the Data Protection Commissioner has been restructured as the Data Protection Commission (the "Commission"). The Commission can be headed by up to three Commissioners for Data Protection, each of whom may be appointed for terms of between four and five years. The Minister for Justice will appoint one of the Commissioners to be the chairperson, who shall have the casting vote as regards decisions to be taken by the Commission in the event of a tied vote. Currently the only Commissioner is Helen Dixon.

The Commission has been granted a wide range of new or enhanced powers, including:

  • The ability, for the first time, to issue fines (more below);
  • Greater investigative powers, such as allowing Commission officers to apply for and execute search warrants; and
  • The power to apply to the High Court to suspend or restrict data processing where there is an urgent need to protect the rights of the data subjects.

The Commission is making use of its new powers, with Helen Dixon, the Data Protection Commissioner, stating that an investigation into the use of smart CCTV cameras will be conducted as the revamped Commission flexes its muscle. The Commissioner also noted that although the Commission has been granted the power to impose fines, the enforcement strategy being put in place will not solely focus on fines; instead, efforts will be made to create a culture of "ethical compliance" in the technology sector.

Age of Digital Consent:

Although in the draft versions of the Act the digital age of consent had been 13, a late campaign to have it raised to 16 proved to be successful. The Dáil (Upper House of the Irish Parliament) voted 55-51 in favour of setting the age at 16.

Those who argued in favour of setting the age at 13 highlighted the abundance of useful resources available to young people on the internet, such as social services, mental health support and educational resources. It was argued that setting the age of digital consent at 16 would greatly reduce access to these vital resources for persons aged 13-15.

The arguments in favour of raising the age focused on protecting children from micro-targeting by social media companies. Concerns were also raised that social media usage was a threat to individualism and "anti-intellectual in the long-run".

Setting the age of digital consent at 16 brings Ireland in line with other Member States such as Germany, France and the Netherlands, although several others have chosen 13.

Further Protections for Children:

The protection of children's rights was a key discussion point in the drafting of the DPA. In addition to the age of digital consent, a further protection for children's digital rights comes in the form of Section 30 of the DPA. This section makes it an offence for companies to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting.

The DPA also puts in place the possibility for drawing up a specific Code of Conduct for Children which would set out:

  • Further provisions and safeguards which may be implemented to protect children's digital rights;
  • The information to be provided by a controller to children; and
  • The manner in which parental consent is to be obtained. 

It is also expected that a Commissioner for Digital Safety will be appointed to ensure online security particularly for children.

Representation of Data Subjects:

Although child protection agencies' input was taken into account in the debates on the age of digital consent, the DPA does not fully implement Article 80.2 of the GDPR. That Article enables Member States to provide in legislation that not-for-profit bodies, such as child protection agencies, may lodge complaints with supervisory authorities and pursue judicial remedies independently of the mandate of a data subject.

The DPA does allow not-for-profit bodies to bring data protection actions on behalf of a data subject, but not if it is outside the mandate of the data subject. Furthermore, these bodies cannot take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law.

Offences Attributable to Company Officers:

Where an offence is committed "with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary or other officer of the body corporate or a person who was purporting to act in any such capacity, that person, as well as the body corporate, shall be guilty of that offence and shall be liable to be proceeded against and punished as if he or she were guilty of the first-mentioned offence".

This creates a wide scope of liability for directors or company officers, who may be found criminally liable even if they had no actual knowledge of an offence under the GDPR but should have had, and failed to do something that was expected of them.

Circuit Court to Confirm Fines:

All decisions by the Commission to issue administrative fines will be referred to the Circuit Court for confirmation. If a controller or processor does not appeal a decision of the Commission, then the Commission will apply to the Circuit Court for confirmation of the administrative fine. The Circuit Court must confirm the fine unless there is "good reason not to do so".

This judicial oversight addresses any constitutional concerns of due process, natural justice and separation of powers which may have arisen by granting the Commission the power to investigate, adjudicate and impose the abovementioned fines.

Conclusion

The DPA contains few derogations from the GDPR, although the rights and protections for children appear to have been set at a higher standard. It is still too early to analyse the practical effects of the DPA, but due to Ireland's position of particular importance to cloud providers and the technology sector in general, Europe will be keeping a close eye on all developments.

 

Article provided by: Leo Moore (Partner, William Fry)

 
