Ireland

[IE] Data Protection Act 2018 enacted  

IRIS 2018-8:1/31

Ronan Ó Fathaigh

Institute for Information Law (IViR), University of Amsterdam

On 24 May 2018, the Data Protection Act 2018 was enacted following publication of the Data Protection Bill in February 2018 (see IRIS 2018-3/21) and the General Scheme of the Bill in May 2017 (see IRIS 2017-7/22). The purpose of the 2018 Act is to give further effect to the European Union’s General Data Protection Regulation (2016/679) (GDPR), which became applicable in all member states on 25 May 2018 (see IRIS 2018-6/7). While the GDPR is directly applicable, a number of its provisions require member states to enact domestic legislation, and 25 May 2018 was also the deadline for member states to notify the European Commission of national legislation adopted pursuant to a number of chapters and articles in the GDPR.

Similar to the GPDR, the Data Protection Act 2018 is a lengthy piece of legislation, running to 184 pages. However, two sections of the Data Protection Act 2018 are of particular relevance for the media. The first is section 43, which concerns data processing and freedom of expression and information. Under Article 85 of the GDPR, member states must by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. Thus, section 43(1) of the Data Protection Act 2018 provides that the processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes, is exempt from compliance with the provisions of the GDPR specified in section 43(2), where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with the provision would be incompatible with such purposes. The GDPR provisions listed in section 43(2) are Chapter II (principles), other than Article 5(1)(f), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries and international organisations), Chapter VI (independent supervisory authorities) and Chapter VII (cooperation and consistency). Notably, section 43(5) provides that in order to take account of the importance of the right to freedom of expression and information in a democratic society, that right shall be interpreted in a broad manner.

The second section of particular relevance is section 44 on data processing and public access to official documents under the Freedom of Information Act 2014 (see IRIS 2015-1/25). Under Article 86 of the GDPR, personal data in official documents held by a public authority may be disclosed in accordance with Union or member state law to which the public authority is subject in order to reconcile public access to official documents with the right to the protection of personal data, pursuant to this Regulation. In this regard, section 44 of the Data Protection Act 2018 provides that for the purposes of Article 86, personal data contained in a record may be disclosed where a request for access to the record is granted under and in accordance with the FOI Act 2014, pursuant to a freedom of information request.