Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
Government to make cabin homes in back gardens exempt from planning
The 9 at 9: Wednesday
British insurer warns air fryers are causing tens of thousands of pounds worth of damage
Trouble Brewing
The government wants to exempt itself from the EU's new hardcore data protection rules - but why?
A new Data Protection Act has to be in place before the EU’s General Data Protection Regulation (GDPR) goes live in May – but the Irish state seems in no mood to align itself with Europe on the issue.
Shutterstock / Africa Studio
Shutterstock / Africa Studio / Africa Studio
IN A LITTLE over three months’ time, on 25 May, the European Union’s General Data Protection Regulation (GDPR) will come into force – and it’s set to shake the privacy status quo in Europe to its foundations.
You’ve probably heard of GDPR – it first came into being nearly two years ago for starters. That meant that businesses throughout the EU had two years to update their data protection procedures and laws to fall in line with the new regulation.
As you might imagine, the new regulation has been causing substantial stress for companies across the union, especially those dealing in wholesale recording of personal data as a matter of routine.
And as you might also expect, the government of each EU nation has to fall in line with what’s coming. GDPR is an EU regulation, not a directive. It’s not a request, and it’s not a guideline. It’s mandatory.
What does it mean? Well, fundamentally it means a unified, modern-day (the previous EU legislation, from 1995, on the subject predates the internet as we know it) approach to data across the union – a fit-for-purpose data protection regulation for the online age. In practice, it means that companies, including those based outside the EU but processing personal data from within) will have to be exceptionally careful with how they collect and share a person’s data. It also means that the individual will have vastly strengthened rights regarding how their personal data is requested and used.
The punishment for those companies in breach of GDPR post-25 May? A maximum fine of €20 million or up to 4% of their turnover for the previous year, whichever is higher. Ouch.
So why is the Irish government currently sprinting through the legislative process in order to have a new data protection act in place come May? More importantly, why is so much of what’s being suggested for the Irish act apparently at odds with the EU regulation it is supposed to give effect to? Those eye-watering fines mentioned above for example? If the government has its way it won’t be paying them – it wants to make itself exempt from any penalties for breaching GDPR.
All of which begs the question: why is the Irish state trying to get away with non-compliance with one of the most anticipated EU regulations of modern times when the public at large has no say in the matter?
The Irish bill
The first question is easily answered – a new data protection act has to be put in place by GDPR’s go-live date to bring Irish law in line with its EU superior.
The freshly published data protection bill spent a deal of time being kicked around Oireachtas committees in its pre-legislative format. Most Irish data protection experts consistently cited its compatibility issues regarding GDPR at that stage, with the Data Protection Commissioner herself Helen Dixon suggesting a lack of comfort with the idea of state bodies being rendered exempt from those hefty GDPR fines within Irish law. Nevertheless, that proviso is still contained in the proposed document.
Now the would-be legislation has been officially brought before the Oireachtas in the form of a 132-page bill, with Minister for Justice Charlie Flanagan introducing it to the Seanad on 30 January. “In a nutshell, this legislation will introduce stronger rules on data protection,” the minister said by way of introduction.
Scarcely two weeks later the bill is firmly ensconced in the Seanad’s committee stage of deliberation. Whirlwind stuff, but then there is a rather pressing deadline. At present 92 amendments have been proposed to it as things stand. Only one has been voted upon.
Some of the marquee things it seeks to bring about you may already have heard of – a reduction of the digital age of consent from 16 to 13 (something that has caused no end of controversy itself, but is within the discretionary limits allowed for by GDPR), and the abolition of the current role of Data Protection Commissioner in favour of a new Data Protection Commission, with up to three commissioners in place, to handle a heavier workload.
Advertisement
Minister for Justice Charlie Flanagan Leah Farrell / Rollingnews.ie
Leah Farrell / Rollingnews.ie / Rollingnews.ie
Here are some other things the bill would make law should it be voted through the Oireachtas:
As mentioned above, section 136 of the bill stipulates that the European Commission can only impose a fine on an Irish state body for breaching GDPR where that body is in competition with a private enterprise
Section 54 seeks to restrict the data rights of individuals regarding GDPR when the state deems that things like cabinet confidentiality (and many, many others) are at stake
Likewise mitigating circumstances are cited throughout the document for reasons why the state can process a person’s data contrary to GDPR where the ‘public interest’ is in question
The new Data Protection Commission would have the discretionary option to not investigate a complaint made to it, should it deem such a course of action appropriate
Constitutional Irish law can supersede EU law with regard to processing a citizen’s data (ie, make what the EU says is illegal, legal)
The existing 30-year-old Data Protection Act isn’t entirely repealed, but still remains law for issues like national security
Such instances running seemingly contrary to the essence of GDPR are ten-a-penny throughout the bill.
Reaction
Any prospective legislation is necessarily dense and doesn’t make for light reading – nevertheless Irish data protection experts have been universal in their condemnation of the bill as it stands.
Intellectual property solicitor and data protection expert Fred Logue says the documnt in its current guise “has the potential to kill data protection enforcement in Ireland and will take years of litigation to fix”.
The Irish Council for Civil Liberties says that the bill “impacts fundamental human rights, and on first reading gives rise to serious concerns across a broad range of privacy rights issues”.
The ICCL believes that proper analysis and consideration of these issues is required and we are concerned at the apparent haste with which the Government is pushing through important legislation in a highly sensitive area.
Independent Senator Alice Mary Higgins has tabled over 30 amendments to the new bill, which she describes as being “less interested in effective implementation of GDPR than in limiting its impact”.
“The bill proposes a number of wide, often vague, exemptions which allow the State and public bodies to override an individual’s right to privacy and data protection and, outrageously, it also seeks to exempt public bodies from fines when they break the rules. No financial consequences is a recipe for disaster,” she said.
Issues of data protection touch so many areas of our lives that it is vital we get this legislation right. That’s why I’ll be fighting for those amendments as this bill continues through the Seanad.
Meanwhile, perhaps most damningly, leading Irish law firm McCann Fitzgerald (like most large corporate entities, a company not overly accustomed to delivering stinging rebukes in public) summarised the newly-published bill with the phrase “further work to be done”:
Considering that the application dates of the GDPR and the Law Enforcement Data Protection Directive are less than four months away and that the draft bill is overdue, many organisations will be disappointed that what has been published is not closer to a version that could be finalised.
The Irish Data Protection Bill is finally published. (https://t.co/qtbMhlPaSa) But some of it doesn’t look good. Quick thread.
So, why has the government chosen to approach such a modern-day issue as data protection in such a seemingly contrarian way? This is the first time data protection has been dealt with on an EU-wide level in generations remember. Given our wholesale dependence upon being in the union’s good books with Brexit in the offing, why is the state attempting to go it alone in the face of a regulation we should be beholden to?
TheJournal.ie queried the Department of Justice as to the thinking behind the exemptions included in the bill, the immunity from fines in particular, and as to whether the minister is aware of the criticism of the bill stemming from the ranks of the data protection and privacy professions.
“This legislation is being introduced by the Government and there is a clear obligation on State bodies to abide by the law,” a spokesperson for the department said in response.
The Data Protection Bill 2018 gives further effect to GDPR in a limited number of areas in which flexibility is permitted. Article 83 of the GDPR sets out that it is a matter for member states to decide on whether administrative fines should be imposed on public authorities and bodies (this is indeed the case – Article 83 states that “each member state may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state”).
“There is a distinction to be drawn between public and private sectors – unlike its impact on a private company, a fine on a public sector body may have the effect of reducing the funds available to it to carry out its statutory functions for the public,” they added.
It has been suggested that the government perhaps doesn’t feel that Ireland is adequately prepared for GDPR, and wishes to immunise itself from the massive fines that could entail, ie if fines eat up a department’s budget the money won’t be there to fix the issues that caused the fine in the first place.
With controversial state schemes like the Public Services Card in place, the legislative and lawful basis of which has been called repeatedly into question, the state may be feeling particularly vulnerable to the hefty fines that GDPR brings with it.
Related Reads
'We are trying to sound the alarm' - committee hears Public Services Card is a legal ticking time bomb
Calls for public bodies not to be exempt from fines after details about 18 patients found on street
Paschal Donohoe, Minister for Public Expenditure and Reform, brandishing a giant PSC at an event in August 2016 Leah Farrell / Rollingnews.ie
Leah Farrell / Rollingnews.ie / Rollingnews.ie
Likewise, responsibility for data protection has bounced back and forth between the Department of the Taoiseach and the Department of Justice (which has itself had a difficult time of it on the PR front in the last six years) in recent times, only settling as part of Justice’s brief once more upon Leo Varadkar’s ascension to the leadership of the country. A new department equals a new approach.
Another train of thought is that the new bill is the work of officialdom which doesn’t much like the restrictions being put in place by the GDPR, and has instead drafted the law it thinks GDPR might have been.
In the wake of the criticism the bill faced in its pre-legislative form, a slimmed-down version with less controversial overtones might be what you would expect the Department of Justice to have produced. That has not been the case – all the anomalies previously cited have made it through to the final bill intact.
Of course the bill may not make it through the Dáil entirely in its current guise – the government doesn’t have a working majority, so much will depend on how the opposition, particularly Fianna Fáil, reacts to the bill’s more controversial provisions. But the timeframe is extremely tight to get this right. One way or the other Ireland needs to have legislation in place come 25 May.
What are the pitfalls?
In defying the EU, what risks are Ireland running? Quite a few.
When GDPR comes into force, the vast majority of the EU states will be running entirely in compliance with the new regulation, with us as the exception. Anything that clashes with the new regime will bring uncertainty with it.
At present, with so many social media giants like Facebook based in Ireland, all litigation regarding those massive companies is processed here. Defying GDPR means legal uncertainty. And that could (and probably will) see an explosion in data protection lawsuits here.
The risk exists that Ireland will be a far less attractive prospect to multinationals due to the sheer lack of clarity regarding what is legal and what isn’t when it comes to the processing of data. Economically, flouting GDPR is a huge hazard, not least with the financial tornado that is Brexit looming, and one the government seems determined to brave.
Section 136 of the Data Protection Bill 2018, which gives the Irish government immunity from the EU's hefty GDPR fines Oireachtas.ieOireachtas.ie
From an Irish citizen’s point of view, the proposed bill creates substantial ‘wiggle room’ regarding whole swathes of the heightened privacy rights afforded by GDPR, those which the EU now deems to be fundamental human rights.
So if we are to defy the new regulation, it seems far-fetched that the EU will take the snub lightly.
With no clarity as to which takes precedence here, Irish or EU law, you can expect the courts to be busy.
The possibility is also there that, in becoming the black sheep of the European privacy family, the stigma is one the country would struggle to bear. For, while data protection may not be the hottest of potatoes here, on mainland Europe (particularly in Germany, Austria, and France) it is the marquee issue, one treated with the utmost seriousness.
A struggle to get this bill through the Oireachtas might just be the beginning of the government’s privacy problems.
Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article.
Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.
To embed this post, copy the code below on your site
Close
54 Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic.
Please familiarise yourself with our comments policy
here
before taking part.
My dad filmed me constantly when I was tiny, and this was long before social media. I think it’s really nice to have old videos of when I was a baby, even if it’s just hours of footage of me sitting on the floor. Not just because I was adorable (fat) but also because it’s fascinating getting a glimpse into my parents’ lives at that time.
Have to say Brian as this girl’s dad..we don’t film her enough…They’re only small for a short period of time…when they find something fun and say daddy take my picture it’s nice to look back at and have fun and laugh about…some uptight people in this world…
Government to make cabin homes in back gardens exempt from planning
Christina Finn
8 hrs ago
53.5k
69
Good Morning
The 9 at 9: Wednesday
Updated
9 mins ago
1.1k
air fryer fires
British insurer warns air fryers are causing tens of thousands of pounds worth of damage
23 hrs ago
49.7k
42
Your Cookies. Your Choice.
Cookies help provide our news service while also enabling the advertising needed to fund this work.
We categorise cookies as Necessary, Performance (used to analyse the site performance) and Targeting (used to target advertising which helps us keep this service free).
We and our 148 partners store and access personal data, like browsing data or unique identifiers, on your device. Selecting Accept All enables tracking technologies to support the purposes shown under we and our partners process data to provide. If trackers are disabled, some content and ads you see may not be as relevant to you. You can resurface this menu to change your choices or withdraw consent at any time by clicking the Cookie Preferences link on the bottom of the webpage .Your choices will have effect within our Website. For more details, refer to our Privacy Policy.
We and our vendors process data for the following purposes:
Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised advertising and content, advertising and content measurement, audience research and services development.
Cookies Preference Centre
We process your data to deliver content or advertisements and measure the delivery of such content or advertisements to extract insights about our website. We share this information with our partners on the basis of consent. You may exercise your right to consent, based on a specific purpose below or at a partner level in the link under each purpose. Some vendors may process your data based on their legitimate interests, which does not require your consent. You cannot object to tracking technologies placed to ensure security, prevent fraud, fix errors, or deliver and present advertising and content, and precise geolocation data and active scanning of device characteristics for identification may be used to support this purpose. This exception does not apply to targeted advertising. These choices will be signaled to our vendors participating in the Transparency and Consent Framework.
Manage Consent Preferences
Necessary Cookies
Always Active
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then these services may not function properly.
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not be able to monitor our performance.
Store and/or access information on a device 102 partners can use this purpose
Cookies, device or similar online identifiers (e.g. login-based identifiers, randomly assigned identifiers, network based identifiers) together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here.
Personalised advertising and content, advertising and content measurement, audience research and services development 133 partners can use this purpose
Use limited data to select advertising 103 partners can use this purpose
Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).
Create profiles for personalised advertising 75 partners can use this purpose
Information about your activity on this service (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information from your previous activity on this service and other websites or apps) or similar users. This is then used to build or improve a profile about you (that might include possible interests and personal aspects). Your profile can be used (also later) to present advertising that appears more relevant based on your possible interests by this and other entities.
Use profiles to select personalised advertising 74 partners can use this purpose
Advertising presented to you on this service can be based on your advertising profiles, which can reflect your activity on this service or other websites or apps (like the forms you submit, content you look at), possible interests and personal aspects.
Create profiles to personalise content 36 partners can use this purpose
Information about your activity on this service (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on this service or other websites or apps) or similar users. This is then used to build or improve a profile about you (which might for example include possible interests and personal aspects). Your profile can be used (also later) to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests.
Use profiles to select personalised content 32 partners can use this purpose
Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests.
Measure advertising performance 124 partners can use this purpose
Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns.
Measure content performance 59 partners can use this purpose
Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on this service and the web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you.
Understand audiences through statistics or combinations of data from different sources 72 partners can use this purpose
Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents).
Develop and improve services 79 partners can use this purpose
Information about your activity on this service, such as your interaction with ads or content, can be very helpful to improve products and services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers.
Use limited data to select content 37 partners can use this purpose
Content presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you).
Use precise geolocation data 42 partners can use this special feature
With your acceptance, your precise location (within a radius of less than 500 metres) may be used in support of the purposes explained in this notice.
Actively scan device characteristics for identification 24 partners can use this special feature
With your acceptance, certain characteristics specific to your device might be requested and used to distinguish it from other devices (such as the installed fonts or plugins, the resolution of your screen) in support of the purposes explained in this notice.
Ensure security, prevent and detect fraud, and fix errors 82 partners can use this special purpose
Always Active
Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you, the publisher or the advertiser may encounter in the delivery of content and ads and in your interaction with them.
Deliver and present advertising and content 92 partners can use this special purpose
Always Active
Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device.
Match and combine data from other data sources 65 partners can use this feature
Always Active
Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey), in support of the purposes explained in this notice.
Link different devices 48 partners can use this feature
Always Active
In support of the purposes explained in this notice, your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).
Identify devices based on information transmitted automatically 81 partners can use this feature
Always Active
Your device might be distinguished from other devices based on information it automatically sends when accessing the Internet (for instance, the IP address of your Internet connection or the type of browser you are using) in support of the purposes exposed in this notice.
Save and communicate privacy choices 60 partners can use this special purpose
Always Active
The choices you make regarding the purposes and entities listed in this notice are saved and made available to those entities in the form of digital signals (such as a string of characters). This is necessary in order to enable both this service and those entities to respect such choices.
have your say