Ireland

[IE] Data Protection Bill 2018 published

IRIS 2018-3:1/21

Ingrid Cunningham

School of Law, National University of Ireland, Galway

On 1 February 2018, the Minister for Justice and Equality, Charlie Flanagan, launched the publication of the 2018 Data Protection Bill 2018. The Bill will give effect to the General Data Protection Regulation (GDPR (2016/679), which will become law within the EU on 25 May 2018. The Bill repeals the 1988 and 2003 Data Protection Acts, with the exception of those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State, thereby giving effect to Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and for those and other purposes to amend the Data Protection Act 1988.

The Bill generally follows the General Scheme of the Bill released in May 2017 (see IRIS 2017-7/22). The Bill comprises eight Parts, includes, inter alia, the establishment of a Data Protection Commission, and allows for up to three commissioners to be appointed for terms of between four and five years. Part 3 of the Bill contains three chapters, giving further effect to a number of Articles in the GDPR, where Member States retain a margin of flexibility. Section 29 of the Bill deals with the “consent of children in relation to information society services” and specifies thirteen years of age as the “digital age of consent”, for the purposes of Article 8 GDPR. Article 8 GDPR specifies sixteen years of age as the digital age of consent, but allows Member States to provide by law for a lower age (which can be no lower than 13 years. This in effect means that where “information society services”, as defined in Article 4 GDPR, are offered directly to children, the processing of a child’s personal data will be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child. In such cases, “the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility.”

Section 37 of the Bill deals with “data processing and freedom of expression and information” and gives effect to Article 85 of the GDPR, which provides that it is for national law to reconcile the right to protection of personal data with the right to freedom of expression and information, including “processing for journalistic purposes or for the purposes of academic, artistic or literary expression.” An explanatory and Financial Memorandum to the Bill highlights that “[b]oth the right to protection of personal data and the right to freedom of expression and information are enshrined in Articles 8 and 11 of the EU Charter of Fundamental rights respectively, and in this context, [section] 37 (3), provides that the Data Protection Commission may refer, “on its own initiative … any question of law which involves consideration of whether processing of personal data is exempt  from certain provisions of the GDPR on freedom of expression and information grounds to the High Court for its determination. The Bill may be subject to change as it progresses through the Oireachtas (parliament) before becoming enacted as law, which must be in time for the deadline of 6 May 2018 for Directive (EU) 2016/680, in addition to the coming into force of the GDPR on 25 May 2018.