Ireland

[IE] General Scheme of Data Protection Bill 2017 and new legislation on cybercrime

IRIS 2017-7:1/22

Ingrid Cunningham

School of Law, National University of Ireland, Galway

On 12 May 2017, the Department of Justice and Equality published the General Scheme of the Data Protection Bill 2017. The Bill will give further effect in Irish law to the EU General Data Protection Regulation (GDPR) (2016/679). The Bill contains some notable features for the media: Article 85 of the GDPR obliges member states to reconcile the right to protection of personal data with the right to freedom of expression and information. Current law in Ireland in this regard is set out in section 22(A) of the Data Protection Acts 1988 and 2003, which gives effect to Article 9 of the 1995 Data Protection Directive. The Bill contains an exemption for many of the rights and obligations under the GDPR for processing that is carried out for journalistic purposes or for the purposes of academic, artistic, or literary expression, where compliance with the GDPR would be incompatible with the right to freedom of expression. The Bill gives expression to the final sentence in recital (153) GDPR, which states that “in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.” Accordingly, this is intended to acknowledge activities such as blogging and the expression of views on social media.” The Bill seeks to give effect to Article 85 GDPR and provides for a new ‘case stated’ mechanism which will permit the Data Protection Commission to refer a question of law arising in relation to the balance to be established between the right to data protection and the right to freedom of expression to be referred to the High Court for determination.

Moreover, on 18 May 2017, the first piece of Irish legislation specifically dedicated to dealing with cybercrime completed its passage through the Houses of Oireachtas (Parliament). The Criminal Justice (Offences Relating to Information Systems) Bill 2016, aims to safeguard information systems and the data that they contain. The legislation gives effect to the relevant provisions of an EU Directive on attacks on information systems (2013/40/EU) (see IRIS 2002-6/7) and also gives effect to many of the key provisions of a Council of European Convention on Cybercrime (see IRIS 2001-10/3) as certain offences are shared by both international instruments. The legislation creates new offences relating to unauthorised accessing of information systems, unauthorised interference with information systems or data on such systems; the unauthorised interception of transmission of data to or from information systems and; the use of tools, such as computer programmes, passwords or devices, to facilitate the commission of these offences relation to information systems. The definition of the term “information system” in the bill is purposely broad, encompassing all devices involved in the processing and storage of data and not just those considered to be “computer systems” in the traditional sense but also those that reflect the “range of modern communications and data storage technology currently available”, including tablets and smart phones. The Bill establishes strong and dissuasive penalties for commission of the offences it contains, with the most serious offences possibly resulting in a term of imprisonment of up to 10 years.