Since the General Data Protection Regulation (GDPR) was enacted in May 2016 we have been waiting to see what the Data Protection Bill 2017 will provide. As an EU regulation the GDPR will have direct effect, in other words no national laws are required for its provisions to apply. The GDPR will apply generally to the processing of personal data within Ireland from 25th May 2016 regardless of what the Irish Oireachtas decides.
However the Government has committed itself to the introduction of a new Data Protection Bill. And there are good reasons for the Government to have done so. One is that there are a great variety of provisions with the GDPR that allow Member States to introduce national implementing measures, including the following:
- General restrictions for subject rights (Article 23)
- Specific provisions for research, confidentiality etc…(Articles 85-91)
- Age of consent (Article 8);
- Sensitive data (Article 9)
- Criminal records (Article 10)
- Artificial intelligence (Article 22)
- Joint controllers/processors (Articles 26, 28 and 29)
Ireland will require national implementing measures to give effect to these and other derogations, hence the need for a new Data Protection Bill. As is clear from the recent decision of Tele2 the fact that the GDPR allows for a national derogation does not mean that such national laws do not have to conform to EU Data Protection law. Tele2 concerned Case concerned national law derogations from Directive 2002/58 (ePrivacy Directive), which provided that:
“… Member States may adopt, subject to the conditions laid down, ‘legislative measures to restrict the scope of the rights and obligations provided for…”
The CJEU held that the power to introduce such national laws did: “… not permit the conclusion that the legislative measures referred to… are excluded from the scope of that directive, for otherwise that provision would be deprived of any purpose”. The CJEU went onto conclude that national laws had to
“…ensure that a high level of protection of personal data and privacy will continue to be guaranteed for all electronic communications services…”
So whatever laws are enacted by Ireland to implement or give effect to the GDPR will still have to comply with EU data protection rules. The purpose of these derogations is to allow Member States give effect to EU data protection rules, it is not to enable them to be bypassed.
In addition to the above derogations other provision of the GDPR also require national implementing measures, most notably the new powers of the Data Protection Commissioner under Article 58, in particular the power to impose fines under Article 83. And the GDPR is not the only data protection law that will apply in Ireland from 25th May 2018, though it is the law that will apply “generally”. There are a number of other laws and these will also require national measures to give them effect. On 25th May 2018 Ireland will have three parallel data protection regimes:
- The GDPR, together with any national implementing measures;
- The Data Protection Directive, which applies to data processing for the “…for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”;
- Data processing that falls outside the scope of the above enactments notably activities of Member States that “fall within the scope of Chapter 2 of Title V of the TEU” (foreign and security policy).
It will be interesting to see how these various issues are addressed by the Irish Bill. Data protection is a complex and growing area of the law; not every issue can be addressed at once. So it will be particularly interesting to see just which issues are to be addressed by the Irish law. One such is how the processing of personal data within the Court’s system will be addressed by the Irish Bill. Recital 20 of the GDPR provides that:
“The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision- making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State…”
Article 55(3) GDPR goes onto provide:
“Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity”
How will the Government propose implementing these various provisions and reconciling these various interests? We will have to wait and see, but probably not for long. There is now less than 18 months before the GDPR applies; this leaves the Oireachtas little enough time to debate and enact a new Data Protection Act. A rough outline of what the next steps may be is as follows:
- The Heads of the Data Protection Bill 2017 will be proposed and may be approved by Cabinet;
- The Oireachtas may engage inpre-legislative scrutiny;
- The Data Protection Bill 2017 will be drafted by a drafter in the Office of the Parliamentary Counsel to the Government;
- This Bill will go to Cabinet for its approval;
- If approved the Bill will be presented to the Oireachtas, probably by a Minister;
- The Bill will then be debated by the Houses of the Oireachtas (the Dail and the Seanad), at first, committee and second stages; the Houses may amend, enact, reject or ignore it;
- If and when the Houses approve the Bill the President may sign it;
- If signed by the President the Bill will be enacted;
- Once enacted the Act may be commenced, in whole or in part. Commencement may happen upon enactment or subsequently.
So there are quite a number of steps to be followed before the Data Protection Bill 2017 may become law. But always remember that regardless of how this Irish legislation may progress the GDPR will apply from 25th May 2018