Data Protection Act (DPA) Ireland 2018

The Irish DPA 2018 (Data Protection Act 2018) supplements the EU’s GDPR (General Data Protection Regulation) by filling in sections of the Regulation that are left to individual member states to interpret and implement.

Because the DPA 2018 supports the GDPR rather than enacting it, the two laws should be read together.


A brief history of data protection law in Ireland

Irish Data Protection Act 1988, the EU’s Data Protection Directive 1995 and the Data Protection (Amendment) Act 2003

The first data protection legislation to be introduced into Irish domestic law was the Data Protection Act 1988, which led to the establishment of the ODPC (Office of the Data Protection Commissioner) in 1989. The 1995 Data Protection Directive (Directive 95/46/EC) was transposed into Irish domestic law in 2003 with the Data Protection (Amendment) Act 2003.

Among other stipulations, this Act set out eight data protection principles:

  1. Obtain and process the information fairly 
  2. Keep it only for one or more specified and lawful purposes
  3. Process it only in ways compatible with the purpose or purposes for which it was given to you initially 
  4. Keep it safe and secure 
  5. Keep it accurate and up to date 
  6. Ensure that it is adequate, relevant and not excessive 
  7. Retain it no longer than is necessary for the specified purpose or purposes 
  8. Upon their request, give individuals a copy of their personal data 

Organisations found to be in breach of the DPA 2003 could be fined up to €100,000 by the ODPC.

The Data Protection Directive 1995 and all local laws derived from it, including the Act of 2003, have now been superseded by the GDPR.

The GDPR and the DPA 2018

Originally proposed by the European Commission in January 2012, the GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016 and published in the Official Journal of the European Union on 4 May 2016. Following a two-year transition period, it was enforced in all 28 EU member states on 25 May 2018.

In Ireland, a new Data Protection Act was also enacted in May 2018 to supplement the GDPR by filling in sections of the Regulation that are left to individual member states to interpret and implement, and applying its provisions – or at least a “broadly similar regime” – to certain areas outside the GDPR’s scope.

Under the GDPR, data subjects have the right to lodge a complaint with the supervisory authority, the DPC (Data Protection Commission, formerly the ODPC), if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.

On top of this, the DPC has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2)(f) of the GDPR) – in other words, effectively shut organisations down altogether.

Both the GDPR and the DPA 2018 are backed by a regime of considerably higher penalties than the Data Protection Acts of 1988 and 2003, with administrative fines of up to €20 million or 4% of global annual turnover – whichever is greater.


The PECR and the ePR

The Irish ePrivacy Regulations 2011 (S.I. 336 of 2011), derived from the EU ePrivacy Directive 2002/58/EC (later amended by Directives 2006/24/EC and 2009/136/EC), deal with data protection for phone, email, SMS and Internet usage.

The 2011 Regulations set out the rules on electronic communications, including marketing emails, faxes, texts and phone calls; the use of cookies that track website visitors’ information; the security of public electronic communications services; and the privacy of end users. If you market by phone, email, text or fax, use cookies or compile public directories, you must comply with the Irish ePrivacy Regulations 2011.

The EU’s ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to replace the 2002 ePrivacy Directive (also known as the ‘cookies law’) and all local implementations, including the Irish ePrivacy Regulations 2011. It was originally intended to come into effect alongside the GDPR, but is now tentatively scheduled to apply from 2019.

The ePR is broader in scope, and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of things).


The difference between EU regulations and directives

The EU has two types of legal instruments that are used to regulate business: directives and regulations.

  • Directives set minimum standards and parameters for the EU, but leave the actual implementation to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
  • Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

The future: Cross-border data transfers and dealing with the UK after Brexit

When the UK left the European Union on 31 January 2020, the Withdrawal Agreement commenced. This agreement ensures that the UK will be treated as an EU member state (subject to some exceptions) while the UK and the EU negotiate a trade deal.

This transition period is set to end on 31 December 2020. Until then, the GDPR (General Data Protection Regulation) will continue to apply as normal while the UK applies to become an adequate country. This is a detailed process that must be completed with the European Commission and can take a significant amount of time – the quickest EU adequacy decision to date, which pertained to Argentina, took 18 months.

The transition period may come to an end without the EU having made an adequacy decision in favour of the UK. Ireland’s DPC (Data Protection Commission) encourages controllers to plan their data transfer arrangements in the event that further negotiations result in some form of negotiated deal or a ‘no deal’ Brexit that changes the nature of data protection in the UK and its relationship with EU data protection law.
