The Minister for Justice and Equality, Charlie Flanagan, T.D., and the Minister of State for Trade, Employment, Business, EU Digital Single Market and Data Protection, Pat Breen, today (Thursday), announced publication of the Data Protection Bill 2018.
The enactment of the Bill together with the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May will modernise Ireland’s data protection laws and create a consistent data protection regime across the European Union. Minister Flanagan said the measure would “serve to make Ireland’s data protection law fit for purpose in the digital age.”
Speaking at today’s launch of the Bill, Minister Flanagan said:
“In a nutshell, what the General Data Protection Regulation (GDPR) will deliver are stronger rules on data protection. People will have more control over their personal data and businesses will benefit from a level playing field. The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. It does not apply to data processed by an individual for purely personal reasons or for activities carried out in a person’s home, provided there is no connection to a professional or commercial activity.”
Referring to the impact of the new measures, Minister Flanagan said:
“All of us as individuals, will have greater control over the manner in which, and the purposes for which, our personal data is used. Businesses will be required to review and update the manner in which they collect, use or store the personal data of their customers, clients or others.
“The GDPR replaces the 1995 EU Directive on Data Protection. The world has changed a great deal since that Directive was introduced. Think back to 1995 – mobile phones were a rarity, personal computers were enormously expensive, I don’t think I’d ever heard of an app………… And now Ireland is the universally associated with technology – we have what I’ve heard described as an eco-system of the world’s leading technology firms located about a mile away in the so-called “Silicon Docks”.
“Today, we have mass internet usage, we are all glued to our phones, tablets, etc. These contain myriad apps and games, social networking platforms, and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are unknown to us. Governments have a fundamental role to protect the citizen in these circumstances and that it what the GDPR and the Data Protection Bill published today are all about.
“The new legislation will introduce transparency so that people know what use their personal data may be put to. Information provided will have to be concise, transparent, intelligible and easily accessible format, using clear and plain language. It will no longer be acceptable to direct users to terms and conditions written in legal jargon.”
Minister Flanagan highlighted some of the strengthened rights for citizens, including the right to obtain access to personal data held; the right to ask for incorrect, inaccurate or incomplete personal data to be corrected; and the right to request that personal data be erased when it’s no longer needed or if processing it is unlawful”.
Minister Breen noted the new obligations on companies and the supports and advice available, through the Data Protection Commissioner. That office will, under the legislation, be replaced by a Data Protection Commission, with up to three commissioners. The new Data Protection Commission will have stronger supervision and enforcement powers.
Minister Breen said:
“It is essential that all businesses familiarise themselves with their obligations under the new legislation and Directive. I have been working alongside the independent Data Protection Commissioner to inform and support companies and that work will intensify in the time ahead. Companies which, retain and store personal data will need to review their systems and procedures, bearing in mind that personal data should not be retained for longer than is necessary for the purposes for which the data are processed. There is a range of information resources available through the Data Protection Commissioner’s website and through the European Commission website and I urge companies to engage now – don’t leave it until the last minute, now is the time to think about data protection measures."
Minister Breen highlighted the positives for business, stating:
“The harmonised rules set out in the GDPR and the Data Protection Bill would ensure that the same data protection safeguards will operate across the EU; common EU standards will provide a level playing field for business in the EU digital market.”
The GDPR, which will enter into force on 25 May, will strengthen individuals’ control over their own personal data, and the purposes for which that data may be used. It will also set out in detail the responsibilities and obligations on those that collect, use and store personal data. These obligations will, in certain areas, include the carrying out of data protection impact assessments before new types of forms of data processing are undertaken, and the notification of data breaches to the Data Protection Commission and the individuals whose personal data have been disclosed, destroyed or lost. Supervision and enforcement activity will also increase with the conferral of new functions and far-reaching powers of the Data Protection Commission.
The principal objectives of the Data Protection Bill are—
- to give further effect to the General Data Protection Regulation (GDPR), which will enter into force on 25 May next, in those areas in which national law is permitted;
- to transpose the Data Protection Directive, which establishes data protection standards in respect of data processing undertaken for the purposes of preventing, detecting, investigating and prosecuting criminal offences; and
- to establish the Data Protection Commission, with not more than three members, to replace the Data Protection Commissioner; the current Commissioner will become the sole member of the Commission on its establishment.
Minister Flanagan said that the Government was committed to achieving the full potential of the digital economy, and its capacity to promote innovation, create jobs and boost economic activity. This was particularly important for Ireland since many of the world’s leading digital companies have their EU headquarters here and they provide their services to users well beyond our shores. These users require assurances that high data protection standards apply, and are effectively enforced, here, thereby ensuring that their personal data will not be misused, or used for other purposes without their knowledge and consent.
Significant increases in levels of financial and staffing resources have been allocated to the Data Protection Commissioner in recent years. Staff levels have trebled from 30 in 2013 to almost 100. Additional funding of €4 million on 2018 will bring the overall budget to about €11.7 million and bring staff number to about 120.
The Data Protection Bill will now be debated in the Oireachtas and it is the Government’s intention to have legislation in place by May when the GDPR will enter info force.