The Tánaiste and Minister for Justice and Equality, Frances Fitzgerald TD and the Minister of State for Data Protection, Dara Murphy TD, have published the General Scheme of the Data Protection Bill 2017.
The EU General Data Protection Regulation and the Data Protection Directive for law enforcement bodies, which update EU data protection rules, were adopted last year and will come into force in May 2018.
Welcoming the Government decision approving the drafting of the Data Protection Bill, the Tánaiste said:
“Data protection affects all of us, whether in our private capacity as an individual or in our business or professional capacity.”
“The coming into force of the new data protection rules in May 2018 will represent one of the most important regulatory reforms that has taken place in recent years. It will result in higher data protection standards for individuals. While imposing higher data protection obligations on business, it should also result in benefits by increasing consumer trust and confidence in new technologies and business models which should in turn facilitate business in reaping the full potential of the digital economy.”
The Minister of State for Data Protection, Dara Murphy TD, said:
“Data protection concerns the right that we all have to the safeguarding of our personal information and its use, for the protection of our personal privacy. In the EU, the right to the protection of personal data is explicitly recognised in the EU Charter of Fundamental Rights.
“Government approval for the drafting of the Data Protection Bill 2017 is an important step in Ireland’s ongoing preparations to implement new EU data protection rules agreed last year. The rules will apply to all organisations, public or private, large or small, from May 2018, and are intended to encourage a cultural shift in how personal data is treated.
“Importantly, the Bill will include provisions to equip Ireland’s supervisory authority, the Office of the Data Protection Commissioner, with the means to supervise and enforce application of our new enhanced EU data protection standards. Once drafted and published, the Data Protection Bill 2017 will provide a unique legislative opportunity for Ireland to reinforce our robust regulatory environment – to protect individuals and to provide certainty for business and the public sector.
“Ahead of the May 2018 deadline, awareness-raising activities in Ireland and across the EU targeted at business and the voluntary sector are now beginning to intensify to help them to get ready.”
The Data Protection Bill:
- gives further effect to the Regulation, e.g. it will provide for the imposition of fines on public authorities for breaches of data protection law where such authorities are acting in competition with private operators;
- transposes the Directive into national law; and
- replaces the Data Protection Commissioner with a Data Protection Commission with the possibility of up to three Commissioners depending on future workload.
The General Scheme is available here: www.justice.ie/en/JELR/General_Scheme_of_Data_Protection_Bill_(May_2017).pdf/Files/General_Scheme_of_Data_Protection_Bill_(May_2017).pdf
Note to Editors
Following protracted negotiations, the General Data Protection Regulation (GDPR) was agreed in early 2016 and will take effect from 25 May 2018 [Regulation (EU) 2016/679]; while an EU Regulation is a directly-applicable legal instrument and does not normally require any national law to give it legal effect, the GDPR contains a number of provisions which allow Member States a limited margin of flexibility.
A Directive which sets data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties will enter into force at the same time [Directive (EU) 2016/680].
The Regulation and Directive provide for significant changes to the current data protection legislation; they provide for higher data protection standards for data subjects and impose increased obligations on data controllers and processors. Many of the main concepts and principles are much the same as those in the Data Protection Acts 1988 and 2003. However, both the Regulation and Directive introduce new elements and significant enhancements which will require detailed consideration by all organisations involved in the processing of personal data.
Both instruments provide for a risk-based approach which means that individual data controllers and processors are required to put appropriate technical and organisational measures in place in order to ensure and be able to demonstrate that the processing of personal data is in compliance with the Regulation, taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals. They place more emphasis on accountability and security of personal data. The Regulation, in particular, also places more emphasis on transparency.
The Regulation seeks to ensure a uniform level of data protection across the EU and a level playing field for those doing business in the single digital market.