· Data Protection Act enacted in advance of the coming into force of GDPR tomorrow
· Data Protection Commissioner replaced with Data Protection Commission to ensure that the new data protection regime is effectively enforced
The Minister for Justice and Equality, Charlie Flanagan TD, this afternoon signed Commencement and Establishment Day orders for the Data Protection Act 2018. The Act completed all stages in the Houses of the Oireachtas on Tuesday and has been enacted in advance of the coming into force of the General Data Protection Regulation (GDPR), which takes effect tomorrow, 25 May 2018.
Speaking following the commencement of the Act, the Minister said:
I am delighted to announce the commencement of the Data Protection Act 2018. The Act gives effect to the limited areas of flexibility permitted under the GDPR, transposes the law enforcement Directive into Irish law, replaces the Data Protection Commissioner with a Data Protection Commission and provides for consequential amendments to a number of Acts.
I am confident that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age. Article 8 of the EU Charter of Fundamental Rights provides simply that "everyone has the right to the protection of personal data concerning him or her". The GDPR and this Act seek to make that a reality.
Our current law, based on the European Union’s 1995 data protection directive, predates mass internet usage, hand held devices, apps and games, social networking and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The GDPR and this Act will strengthen our control over our own personal data and the purposes for which it may be used.
The Government’s commitment to ensuring that this new data protection regime is a success is underlined by the substantial funding and resources being invested in the Data Protection Commission. The Data Protection Commission’s budget for 2018 is €11.7m, up from €7.5m in 2017 and €1.7m in 2013. This increased budget has allowed the Commission to recruit extensively and the Commission plans to increase its number of staff to 140 by the end of the year. This investment – along with the enforcement powers provided for in both the GDPR and the Act - will ensure that the Commission is effectively equipped with the means to properly enforce the new data protection regime.
The signing of the Orders means that the Data Protection Act, other than sections 7(3) (in so far as it relates to Statutory Instrument No. 95 of 1993 in so far as those Regulations apply to the Central Bank), 25, 30 and 176(b), will be in force tomorrow, 25 May 2018. In addition, the Data Protection Commission will be established with effect from 25 May.
The Minister went on to say
I want to express sincere thanks and appreciation for all those who have been involved in bringing this major piece of work to fruition, including my colleagues in both Houses of the Oireachtas who dedicated many hours of Parliamentary time subjecting this Bill to rigorous scrutiny during its passage through the Houses.
ENDS
Note for editors:
Following protracted negotiations, the General Data Protection Regulation (GDPR) was agreed in early 2016 and will take effect from 25 May 2018 [Regulation(EU) 2016/679]; while an EU Regulation is a directly-applicable legal instrument and does not normally require any national law to give it legal effect, the GDPR contains a number of provisions which allow Member States a limited margin of flexibility.
A Directive which sets data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties will enter into force at the same time [Directive (EU) 2016/680].
The Regulation and Directive provide for significant changes to the current data protection legislation; they provide for higher data protection standards for data subjects and impose increased obligations on data controllers and processors. Many of the main concepts and principles are much the same as those in the Data Protection Acts 1988 and 2003. However, both the Regulation and Directive introduce new elements and significant enhancements which will require detailed consideration by all organisations involved in the processing of personal data.
Both instruments provide for a risk-based approach which means that individual data controllers and processors are required to put appropriate technical and organisational measures in place in order to ensure and be able to demonstrate that the processing of personal data is in compliance with the Regulation, taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals. They place more emphasis on accountability and security of personal data. The Regulation, in particular, also places more emphasis on transparency.
The Regulation seeks to ensure a uniform level of data protection across the EU and a level playing field for those doing business in the single digital market.
The Data Protection Act 2018 gives effect to the limited areas of flexibility permitted under the Regulation, transposes the law enforcement Directive into national law and replaces the Data Protection Commissioner with a Data Protection Commission in order to ensure that the new data protection regime is effectively enforced. The Act also provides for a number of consequential amendments to existing Acts, primarily to update references to the Data Protection Acts 1988 and 2003.