Ireland: DP Bill to Implement GDPR and Overhaul Data Protection Commission
Rebranding: The Office of the Data Protection Commissioner will be rebranded the Data Protection Commission (DPC). Provision is made for the DPC to be headed by up to three Commissioners, instead of the current one, reflecting the increased importance and workload of the Irish DPC in recent years. One Commissioner will be appointed Chairperson. In the short term, however, it is not expected that the second and third Commissioners will be appointed.
Additional Powers: It is currently intended that the DPC will be accorded a wide range of new or enhanced powers, including:
- the ability, for the first time, to issue fines (more on which below);
- greater investigative powers, including calling on individuals to provide "reasonable assistance" in relation to the operation of data equipment and to attend before DPC officers to provide information;
- a general power for DPC officers to apply for and execute search warrants;
- the power to apply to the High Court to suspend or restrict the processing of personal data where there is an urgent need to protect the rights and freedoms of data subjects; and
- the authority to require controllers and processors to prepare a report containing information for the purposes of an investigation or audit.
Addressing Constitutional Concerns: In both investigating transgressions of the GDPR and imposing stringent sanctions, the DPC must be cognisant of constitutional concerns regarding due process and natural justice. To this end the DPC will be reorganised by separating the investigative and adjudicative personnel into distinct departments. This will help the DPC manage its caseload and ensure that the administrative fines it imposes are more likely to withstand court challenge.
Another constitutional concern is that the DPC, in imposing sanctions, will encroach on the judicial function in the separation of powers, which is the preserve of the courts under Irish law. The General Scheme of Bill includes a proposal that seeks to offset this concern by requiring the Circuit Court to confirm any fines imposed by the DPC. Accordingly, if a controller or processor is fined and does not appeal the decision to the Circuit Court, then the DPC will apply to the Circuit Court for confirmation of the administrative fine. The Circuit Court must confirm the fine unless there is "good reason not to do so".
Budget: The General Scheme of Bill acknowledges that the DPC will likely face many "resource intensive" cases given the one-stop-shop mechanism and the large number of multinational companies based in Ireland. The DPC will be resourced accordingly. Funding for the body has increased rapidly in recent years, with the 2018 budget allocation being increased in October 2017 by 55% to €11.7m. This represents a six-fold increase on the €1.9 million allocated in 2014.
Conclusion
If the implementing legislation in Ireland follows the structure proposed in the General Scheme of Data Protection Bill, Ireland will see a much better resourced and restructured supervisory authority with a much wider range of powers, including the power to issue fines for the first time. All indicators point to the DPC being a proactive and vigilant enforcement body going forward.
Article provided by: Leo Moore (William Fry)
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org