A New Legal Framework for Data Protection in Ireland

Ireland’s Data Protection Act 2018 or the DPA 2018 for short is a data protection law that was recently passed in Ireland in 2018. In accordance with provisions in the EU’s GDPR law that allows for EU members states to enact their own privacy laws to work in conjunction with the privacy laws of the EU, Ireland’s DPA 2018 implements the provisions of the General Data Protection Regulation into Irish law. To this end, Ireland’s DPA 2018 and the EU’s GDPR law establish the framework for the collection, processing, use, and disclosure of personal data within Ireland. Moreover, these pieces of legislation also establish the punishments for violating the rights of Irish citizens under said laws.

What are the primary differences between Ireland’s DPA 2018 and the EU’s GDPR Law?

As it pertains to the scope and application of the law, as well as the requirements for data controllers and processors operating within Ireland, there is little to no variation between Ireland’s DPA 2018 and the General Data Protection Regulation. However, there are certain variations between the two laws as it relates to certain specific aspects of data processing. To illustrate this point further, as it relates to the personal data of children, the provisions of the EU’s GDPR law state that a child should be “taken to refer to a person under the age of 18 years.” Alternatively, “Section 31(1) of the DPA 2018 provides that the digital age of consent for Ireland is 16 years. Therefore, 16 years is the minimum age at which a child may provide their consent to the processing of their personal data in respect of information society services.”

Furthermore, as it pertains to the collection and processing of special categories of personal data, “Article 9 of the GDPR gives Member States some flexibility with respect to the lawful bases to legitimize the processing of special categories of personal data.” To this point, special categories of personal data pertaining to Irish citizens may be legally processed, permitting said processing is “for a purpose other than the purpose for which the data was collected if the processing is necessary and proportionate for the purposes:”

• Of preventing a threat to national security, defense or public security;
• Of preventing, detecting, investigating, or prosecuting criminal offenses; or
• Set out in paragraphs (a) or (b) of Section 47 of the DPA 2018.

Are there any variations between the rights of Irish citizens under the DPA 2018 when compared to the EU’s GDPR law?

Under Ireland’s DPA 2018, the rights of Irish citizens are largely the same when compared to the EU’s GDPR law. These rights include the following:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The right to object or opt-out.
• The right to data portability.
• The right not to be subject to automated decision-making.
• The right to restrict processing.

However, under the provisions of the DPA 2018, the rights of Irish citizens may be restricted, given certain circumstances. For instance, “Section 60(5) of the DPA 2018 provides that a Minister of the Government may enact regulations restricting these rights and obligations where it considers it necessary for the protection of a data subject or the rights and freedoms of others:”

• If the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject and to the extent to which, and for as long as, such application would be likely to cause such serious harm; and
• In relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organization, or other body.

What are the punishments for violating Ireland’s DPA 2018?

Under Ireland’s DPA 2018, the country Data Protection Commission or DPC for short has the authority to impose a variety of sanctions and punishments against data controllers and processors within the country who violate the law, in accordance with Article 83 of the EU’s GDPR law. Such sanctions and punishments include the following:

• An administrative fine of up to €75,000 ($84,812)
• An administrative fine of up to €1 million ($1,130,549) if the violation is committed by a public authority or public body.
• A maximum penalty of €250,000 ($282,582) and/or five years’ imprisonment, depending on the offense.
• The suspension, restriction, or prohibition of processing.

Through the provisions of both the EU’s GDPR law and Ireland’s Data Protection Act 2018, Irish citizens have several avenues for recourse should they feel as though their data privacy rights are being infringed upon. As one of the standout features of the EU’s GDPR law, data controllers and processors who violate the rights of Irish citizens essentially face punishment on two fronts, as Ireland’s Data Protection Commission and the European Data Protection Board, the regulatory body of the European Union, are both authorized to impose penalties for non-compliance with the law. As such, Irish citizens are provided with the assurance that their personal data is being protected in the most effective and efficient manner possible.