The General Data Protection Regulation is an EU Regulation, which means that it has direct effect inside (and indeed outside) the EU. Member States do not have to do anything further in order for the GDPR to apply on May 25, 2018. However, the GDPR allows EU Member States to adapt some of its provisions; other provisions such as the imposition of fines and other sanctions may require some statutory procedures in order to be fully effective. Therefore Ireland, like other EU Member States, will amend its national data protection laws to take account of the GDPR.
On Friday, May 12, the Irish Minister for Justice published the General Scheme of the Data Protection Bill 2017. This scheme is not a draft law; instead it is a statement of policy that may be considered by a committee of the Irish Parliament. On foot of that consideration, a bill will be drafted, which will then be debated by the Irish Parliament. This process will take some time, though it seems highly unlikely that a new Irish Data Protection Act will not be enacted by this time next year. Of course the GDPR will apply from May 25, 2018, regardless of anything that the Irish Parliament says or does.
The scheme provides for the modernization of the role of the Irish Data Protection Commissioner, which is to be re-established as a Data Protection Commission, with three members, including a chair. This DPC will be Ireland’s Data Protection Authority and as such is required to be independent by the EU Treaties and the GDPR. Accordingly, the DPC will have the power to appoint its own staff and determine their grades, subject to Ministerial approval. The GDPR does not grant the DPC a power to independently fund itself through levies or fees. Instead the GDPR requires that the DPC be funded by government. The scheme makes some suggestions as to the mechanism by which this funding might be provided, but this has yet to be finalized.
One of the most interesting parts of the scheme is its provisions on the supervision and enforcement powers of the DPC. The actual powers of the DPC are set out in Article 58 of the GDPR; the scheme cannot propose to amend or vary these. What it can propose are “procedural safeguards” and “due process,” which may apply when these powers are being exercised by the DPC. So the scheme provides for the issue of search warrants, information notices and enforcement notices.
One interesting additional power enables the DPC to require a report to be provided by a person nominated by the DPC or the controller or processor in question. This is modelled on Part 2 of the Central Bank (Supervision and Enforcement) Act 2013.
The scheme suggests significant changes to the investigative processes of the DPC, which may appoint authorized officers to undertake investigations. Upon the conclusion of an investigation, the authorized officer may make an investigation report. A copy of this report will be given to the controller or processor who has been investigated, inviting them to make submissions within 21 days. The investigating officer may consider any such submission and amend the report before submitting it to a member of the DPC. This report will indicate whether the investigator thinks an infringement has occurred, but will not recommend whether a sanction or fine should be imposed. The member of the DPC who receives that report can do one of three things: order further investigations, conclude that no infringement has occurred or else, if satisfied that an infringement has occurred, consider whether to impose an administrative fine, an enforcement notice, or both.
A slightly different procedure will be used where other EU Data Protection Authorities are cooperating in the investigation. In that case, the Irish DPC will submit a draft decision to those cooperating DPAs, who will have four weeks to submit “a relevant and reasoned objection." The Irish DPC may then consider whether to amend the draft decision. If a dispute should arise between the Irish DPC and the other EU DPAs, then the GDPR requires that this dispute be considered by the EU’s Data Protection Board.
The scheme correctly describes the fines that may be imposed by the DPC as “massive.” These fines can amount to €20 million or 4% of a controller or processor’s global (not EU) turnover. If the DPC should decide to impose a fine upon a controller or processor, then there is a four-week period in which the controller or processor in question can appeal to court. If an appeal is not lodged, the DPC will still go to court to have the fine approved. The mechanism suggested by the scheme is robust and efficient; however, its operation has to be further discussed with the EU Commission. Whatever mechanism is ultimately adopted under the scheme, it seems certain that the imposition of fines will give rise to significant work for the DPC. One of the justifications offered by the scheme for creating a three-person DPC is the administrative and procedural burden that will flow from the “possibility of stringent sanctions, including large administrative fines.”
The scheme suggests sanctions other than fines, including criminal offenses of unauthorized disclosure or disclosure without authority. The GDPR will enable the bringing of class actions seeking compensation, and the scheme suggests changes to the Irish rules of court as it “ … would be undesirable for large numbers of claims arising from alleged infringements … to remain pending before the courts.” These changes may enable class actions to be brought before the Irish courts in respect of breaches of the GDPR.
These are just some of the more noteworthy suggestions that the scheme makes. There are many others, ranging from the age of digital consent to the making of regulations prohibiting the transfer of data outside the EU. In addition to suggesting how certain provisions of the GDPR may apply, the scheme also provides for the implementation of the new Data Protection Directive. This Directive deals with the processing of personal data by competent authorities or other entities that are engaged in the prevention, investigation, detection or prosecution of crime.
At 171 pages, the scheme suggests that the forthcoming Irish Data Protection Bill 2017 will be long as well as complex. And the scheme must be read alongside the GDPR and the new Data Protection Directive, with occasional reference being made to the existing Data Protection Acts. The EU is already considering other laws, such as the proposed ePrivacy Regulation, which will only add to this complexity. All of this complexity must ultimately be interpreted by the EU’s Court of Justice, which is bound to uphold data protection as an EU fundamental right.
Understanding EU data protection law is already hard; the publication of this scheme is part of a process that will make understanding EU data protection law a lot, lot harder.