Data Protection Act (DPA) Ireland 2018

The Irish DPA 2018 (Data Protection Act 2018) supplements the EU’s GDPR (General Data Protection Regulation) by filling in sections of the Regulation that are left to individual member states to interpret and implement.

Because the DPA 2018 supports the GDPR rather than enacting it, the two laws should be read together.

Click here for more about the GDPR >>

How IT Governance can help

Find out more about the GDPR and the ePR on our dedicated information pages below. You can also contact our team of experts to find out more about how we can support your organisation.

Read more and visit our shop

A brief history of data protection law in Ireland

Irish Data Protection Act 1988, the EU’s Data Protection Directive 1995 and the Data Protection (Amendment) Act 2003

The first data protection legislation to be introduced into Irish domestic law was the Data Protection Act 1988, which led to the establishment of the ODPC (Office of the Data Protection Commissioner) in 1989. The 1995 Data Protection Directive (Directive 95/46/EC) was transposed into Irish domestic law in 2003 with the Data Protection (Amendment) Act 2003.

Among other stipulations, this Act set out eight data protection principles:

  1. Obtain and process the information fairly 
  2. Keep it only for one or more specified and lawful purposes
  3. Process it only in ways compatible with the purpose or purposes for which it was given to you initially 
  4. Keep it safe and secure 
  5. Keep it accurate and up to date 
  6. Ensure that it is adequate, relevant and not excessive 
  7. Retain it no longer than is necessary for the specified purpose or purposes 
  8. Upon their request, give individuals a copy of their personal data 

Organisations found to be in breach of the DPA 2003 could be fined up to €100,000 by the ODPC.

The Data Protection Directive 1995 and all local laws derived from it, including the Act of 2003, have now been superseded by the GDPR.

The GDPR and the DPA 2018

Originally proposed by the European Commission in January 2012, the GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016 and published in the Official Journal of the European Union on 4 May 2016. Following a two-year transition period, it was enforced in all 28 EU member states on 25 May 2018.

In Ireland, a new Data Protection Act was also enacted in May 2018 to supplement the GDPR by filling in sections of the Regulation that are left to individual member states to interpret and implement, and applying its provisions – or at least a “broadly similar regime” – to certain areas outside the GDPR’s scope.

Under the GDPR, data subjects have the right to lodge a complaint with the supervisory authority, the DPC (Data Protection Commission (formerly the ODPC)), if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.

On top of this, the DPC has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2f) of the GDPR) – in other words, effectively shut organisations down altogether.

Both the GDPR and the DPA 2018 are backed by a regime of considerably higher penalties than the Data Protection Acts of 1998 and 2003, with administrative fines of up to €20 million or 4% of global annual turnover – whichever is greater.

Click here for more information about the GDPR and the DPA 2018 >>

The PECR and the ePR

The Irish ePrivacy Regulations 2011 (S.I. 336 of 2011), derived from the EU ePrivacy Directive 2002/58/EC (later amended by Directives 2006/24/EC and 2009/136/EC), deals with data protection for phone, email, SMS and Internet usage. 

The 2011 Regulations set out the rules on electronic communications, including marketing emails, faxes, texts and phone calls; the use of cookies that track website visitors’ information; the security of public electronic communications services; and the privacy of end users. If you market by phone, email, text or fax, use cookies or compile public directories, you must comply with the Irish ePrivacy Regulations 2011.

The EU’s ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to replace the 2002 ePrivacy Directive (also known as the ‘cookies law’) and all local implementations, including the Irish ePrivacy Regulations 2011. It was originally intended to come into effect alongside the GDPR, but is now tentatively scheduled to apply from 2019.

The ePR is broader in scope, and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of things).

Click here for more information about the ePR >>

The difference between EU regulations and directives

The EU has two types of legal instruments that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU, but leave the actual implementation to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

The future: Cross-border data transfers and dealing with the UK after Brexit

In the UK, a new Data Protection Act (DPA 2018) was also enacted in May 2018 to supplement the GDPR. The DPA 2018 sits alongside the GDPR, and both laws apply directly in the UK. Upon leaving the EU, the GDPR will no longer have the same status as a local UK law, as it will no longer be an EU member state – it is, after all, an EU law.

The most straightforward way for Irish cross-border transfers with the UK to continue would be for the European Commission to determine that the UK, as a third country, offers personal data an acceptable level of protection via an adequacy decision as per Article 45 of the GDPR. However, such talks have been known to take years, so until an adequacy decision has been reached, organisations should consider other possibilities: binding corporate rules, standard contractual clauses or approved codes of conduct to transfer data to and from the UK.

Speak to an expert

Please contact our expert team, who will be able to give advice and guidance about the compliance options.


This website uses cookies. View our cookie policy