Overview

Data Protection Legislation and Reform

Data protection law restricts the collection, storage and use of personal data. Personal data is that which concerns a living person.  The objective is to protect privacy and to restrict the use of information to legitimate purposes. Personal data must be collected for specified explicit and legitimate purposes and must not be processed in a way, incompatible with those purposes.  The legislation applies both to electronic information and to structured physical files or manual data, where it is structured by reference to individuals or criteria relating to individuals.

Irish Data Protection legislation derives from European Union Directives. The Irish and UK Data Protection Acts are broadly similar because of this common origin.  The earlier EU Directives were given the force of law in the Data Protection Act, 1988 and the Data Protection (Amendment) Act 2003.

The GDPR which became effective on 25 May 2018 has replaced most of this legislation with similar but enhanced EU wide rules. It is accompanied by the Data Protection Act 2018 in Ireland, which covers some areas which EU member states competences are and gives effect to options which the GDPR grants to Members States.

The following chapter contains  an outline of some general data protection principles followed by a discussion of some general features of the   GDPRs. The detailed position under the GDPR and the Data Protection Act 2018 is discussed in detail in other chapters.


Language and Scope of the Legislation

The original data protection legislation predates the internet and modern data processing.  To some extent, it does not sit well with the vast and growing amount of personal information that is available on the internet, instantly. Even, in the reformed GDPR setting, the essential scope and terminology of the earlier legislation remains intact.

The legislation applies to all data held electronically or to all other data (e.g. on paper etc.) which is held as part of a filing system. Some of the key definitions and concepts in Data Protection legislation are very broad and their full scope and meaning is not intuitively obvious. Some are in such general terms that its extent and boundaries may not always be apparent.

Much of the key language used in the legislation is not commonly used in everyday life. The legislation applies primarily to personal “data” and its use by data controllers and data processors.

Data are broadly equivalent to information. Striclty, the word “data” is in the plural form, being plural form of the Latin datum, a given thing.

“Data” is a very broad concept and refers to information in any form or media whatsoever. Data “controllers” and “processers” are broadly those who acquired store or use information.

Personal data is information that can by itself or with other data, directly or indirectly, identify an individual. This key concept is very broad in scope and includes much data which would not be readily thought to be personal information in an everyday sense. It includes images and sound files. The data subject is the person to whom the information refers.


Scope of GDPR

This General Data Protection Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria,  do not fall within the scope of this Regulation.

The GDPR does not apply to the processing of personal data:

  • by a natural person in the course of a purely personal or household activity;
  • in the course of an activity which falls outside the scope of Union law;
  • by the Member States when carrying out asylum and immigration functions
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The second, third and fourth category of data is covered by the domestic Data Protection Act.


Data Controllers and  Processing

The GDPR and Data Protection Act provids key principles for the holding and use of personal data, which are binding on data controllers and data processors. A data controller is anybody who alone or in conjunction with others, controls personal data.  Personal data means any data relating to a living individual who can be identified from the data or in conjunction with other information in the data controller’s possession or which may come into their possession.

“Processing” covers keeping, collecting, storing, altering, adopting, retrieving, consulting, using, transmitting, disseminating or otherwise making available, the data.  It includes combining, blocking, erasing and destroying data.

A data processor is a person who processes personal data on behalf of a data controller.  A data processor is subject to most of the same obligation to which the data controller is subject. Their relationship should be structured by a contract or other arrangements.  It should specify the conditions under which data may be processed, minimum security requirements, procedures and provisions to procure compliance, risk management and rights of verification.

In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in the GDPR or in other EU or national law  including the necessity for compliance with a legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.


Fair Collection

Fair processing requires that the data subject be given certain information before his data is collected. He should be given information about the identity of the data controller, to whom it may be disclosed to and the purposes for which it is to be used. The information should be furnished before the data controller first processes the data.

The information must be made available to the person affected. In some cases, the furnishing of information on a website could suffice.  The GDPR requires that it be given more directly.  Consent should be informed consent in all cases. In the case of a minor, the consent of a parent or guardian should be obtained.

Data must be collected for a particular specified, explicit and legitimate purpose.  It must not be processed in a manner which is incompatible with that purposes.  The relevant purpose must be specified at the time of collection.

Data must not be collected which is irrelevant to the purposes for which it is required.  The controller must assess the adequacy, relevancy and nexus of the data in an objective way.  He must act fairly bearing in mind the purpose of the data collected and acquisition.


Processing and Security

Personal data must be accurate and kept up-to-date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected.  It must be accurate and where necessary, kept up to date.  Every reasonable step must be taken to ensure that data which is inaccurate or incomplete having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading in relation to the factual position.

Data processing must be objectively necessary.  Data must not be retained for any longer than necessary. Data processing must be relevant to the purpose for which it is collected.  It must not be excessive in the context of the purposes for which it is collected.

Data controllers must take security measures to prevent unauthorised access to, unauthorised alterations of, unauthorised disclosures and destruction of personal data.  Appropriate security must be provided for personal data subject to the current state of technology, the costs, the nature of the data and the harm that might result from loss or unauthorised use.


Territorial Scope

Data protection law applies to be processing of personal data where that data controller is established in the State and data is processed in the context of that establishment.  It also applies where the data controller is established neither in the State nor in another EU state, but uses equipment in the State for processing data, other than for transit purposes.

An establishment is a concept which entails having a certain minimum presence and business operations in the State.  Accordingly, a transient presence or the presence of small elements of a business would usually suffice in order to bring the entity within the control of Irish data protection, if the entity is established in another EEA state.  The latter states will have equivalent data protection rights and laws, deriving from the EU legislation.

An individual resident in the state is deemed established.  A company incorporated in the state is deemed established.  A partnership formed in Ireland under the laws of Ireland is deemed established. Outside of these categories, a person or entity is established if he or it has an office, branch or agency in the State, through which he or it carries out a regular practice.  See the sections on tax, which use similar concepts in defining the degree of presence necessary to bring an entity within the charge to Irish tax.

Personal data kept by an individual in the management of his personal family and household affairs or kept only for recreational purposes is exempt. The Act does not apply at all to information that must otherwise be made public or under separate legislation.


Rights of Data Subject

Where a person believes another person has personal data about them he may write to the person concerned requesting a copy. The data controller must inform him whether he holds personal data and supply a description of the data and certain other information in relation to it. The data controller must give a description of the data and the purposes for which it is kept.  This request must be complied with, within a specified period.

The date subject has a right of access to the data, subject to certain exceptions, designed to protect the legitimate interest of the data controller. The data subject is entitled to have the data rectified, erased or blocked if the person does not comply with the duties. The data controller must comply with requests  within a reasonable time.

The data subject may by notice in writing request the data controller to cease or not to process personal data where the processing is likely to cause substantial damage or distress or would be unwarranted.  There are certain public interest exceptions.

Where a decision which affects a person, either significantly or in a legal sense, it may not be based solely on an automatic processing of personal data where it relates to personal matters such as creditworthiness, work performance, reliability, conduct.  Certain exceptions exist.


The GDPR Reforms

The EU wide General Data Protection Regulation (the GDPR) came into effect on 25 May 2018 (Regulation (EU) 2016/679). As a regulation, it is directly effectively law in all European Union States. It is now the principal source of Data Protection Law in Ireland.

Common EU wide law has now replaced most national legislation, which was based on older EU Directives. There are narrow exclusions on EU competences in relation to criminal and security legislation, this continues to be governed by domestic law.

This area is the subject of a separate EU Directive dealing with processing of personal data by national authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties. The Directive (EU) 2016/680) is given effect in Ireland by the Data Protection Act 2018 in Ireland.

Both the GDPR and law enforcement Directive (implemented by the Data Protection Act 2018) are based on in Article 16 of the Treaty on the Functioning of the European Union, and they provide for significant reforms to current data protection rules based on the EU’s 1995 Data Protection Directive.

Both instruments generally provide for higher standards of data protection for individuals (“data subjects”) and impose increased obligations on bodies in the public and private sectors that process personal data (“controllers” and “processors”).They also increase the range of possible sanctions for infringements of these standards and obligations.


EU Objective of Single Regulation

Many key data protection concepts and principles remain broadly similar under the GDPR, to those already set out in the Data Protection Acts 1988 and 2003 (which have given effect in national law to the 1981 Council of Europe Data Protection Convention (Convention 108) and the EU’s 1995 Data Protection Directive respectively).

The GDPR seeks to provide for a more uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for those doing business in the EU digital market. The European Data Protection Board comprising representatives of the data protection authorities of all Member States, will play an important role in this respect

The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

The free movement of personal data within the EU shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.


Scope

The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

The GDPR does not apply to the processing of personal data:

  • in the course of an activity which falls outside the scope of Union law;
  • by the Member States when carrying out activities which fall within the scope of foreign and security policy;
  • by a natural person in the course of a purely personal or household activity;
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

For the processing of personal data by the EU institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other EU Union legal acts applicable to such processing of personal data are to be adapted to the principles and rules of the GDPR.


GDPR Territorial Scope

Data protection law and the GDPR applies to the processing of personal data where that data controller or processor is established in the State and data is processed in the context of the activities of that establishment. This is the case regardless of whether the processing takes place in the European Union or not.

The GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  • the monitoring of their behaviour as far as their behaviour takes place within the Union.

The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.


Risk Based Approach

The EU Regulation and Directive (implemented by the Data Protection Act 2018) introduce new elements and some enhancements. Both require   a “risk-based” approach to data protection. This requires that each individual data controller and processor is required to put appropriate technical and organisational measures in place in order to ensure – and to be able to demonstrate – that their processing of personal data complies with the new data protection standards.

For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of data subjects, they must take account of the nature, scope, context and purposes of the data processing. In certain cases, this requires the carrying out of data protection impact assessments, and where mitigation of risk is not possible, prior consultation with the Data Protection Commission will be mandatory.


Transparency and Public Bodies

The GDPR Regulation and Directive (implemented by the Data Protection Act 2018) place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards to be implemented in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.

Both instruments impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a Data Protection Officer with responsibility to oversee data processing operations, and to report data breaches to the relevant data protection authority.

The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called “legitimate interest” ground will no longer be available to public authorities when acting in that capacity


Enhanced Enforcement

Both the GDPR and Directive (implemented by the Data Protection Act 2018) provide for increased supervision and enforcement of data protection standards by the data protection authority.

The GDPR also provides for the possible imposition of substantial administrative fines (up to €10 million or €20 million, or 2% or 4% of total worldwide annual turnover in the preceding financial year). Both the GDPR and Directive (implemented by the Data Protection Act 2018) provide that any data subject who has suffered material or non-material damage because of a breach of his or her data protection rights shall have the right to seek compensation in the courts.


References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th end 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008