Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
IN A LITTLE over three months’ time, on 25 May, the European Union’s General Data Protection Regulation (GDPR) will come into force – and it’s set to shake the privacy status quo in Europe to its foundations.
You’ve probably heard of GDPR – it first came into being nearly two years ago for starters. That meant that businesses throughout the EU had two years to update their data protection procedures and laws to fall in line with the new regulation.
As you might imagine, the new regulation has been causing substantial stress for companies across the union, especially those dealing in wholesale recording of personal data as a matter of routine.
And as you might also expect, the government of each EU nation has to fall in line with what’s coming. GDPR is an EU regulation, not a directive. It’s not a request, and it’s not a guideline. It’s mandatory.
What does it mean? Well, fundamentally it means a unified, modern-day (the previous EU legislation, from 1995, on the subject predates the internet as we know it) approach to data across the union – a fit-for-purpose data protection regulation for the online age. In practice, it means that companies, including those based outside the EU but processing personal data from within) will have to be exceptionally careful with how they collect and share a person’s data. It also means that the individual will have vastly strengthened rights regarding how their personal data is requested and used.
The punishment for those companies in breach of GDPR post-25 May? A maximum fine of €20 million or up to 4% of their turnover for the previous year, whichever is higher. Ouch.
So why is the Irish government currently sprinting through the legislative process in order to have a new data protection act in place come May? More importantly, why is so much of what’s being suggested for the Irish act apparently at odds with the EU regulation it is supposed to give effect to? Those eye-watering fines mentioned above for example? If the government has its way it won’t be paying them – it wants to make itself exempt from any penalties for breaching GDPR.
All of which begs the question: why is the Irish state trying to get away with non-compliance with one of the most anticipated EU regulations of modern times when the public at large has no say in the matter?
The Irish bill
The first question is easily answered – a new data protection act has to be put in place by GDPR’s go-live date to bring Irish law in line with its EU superior.
The freshly published data protection bill spent a deal of time being kicked around Oireachtas committees in its pre-legislative format. Most Irish data protection experts consistently cited its compatibility issues regarding GDPR at that stage, with the Data Protection Commissioner herself Helen Dixon suggesting a lack of comfort with the idea of state bodies being rendered exempt from those hefty GDPR fines within Irish law. Nevertheless, that proviso is still contained in the proposed document.
Now the would-be legislation has been officially brought before the Oireachtas in the form of a 132-page bill, with Minister for Justice Charlie Flanagan introducing it to the Seanad on 30 January. “In a nutshell, this legislation will introduce stronger rules on data protection,” the minister said by way of introduction.
Scarcely two weeks later the bill is firmly ensconced in the Seanad’s committee stage of deliberation. Whirlwind stuff, but then there is a rather pressing deadline. At present 92 amendments have been proposed to it as things stand. Only one has been voted upon.
Some of the marquee things it seeks to bring about you may already have heard of – a reduction of the digital age of consent from 16 to 13 (something that has caused no end of controversy itself, but is within the discretionary limits allowed for by GDPR), and the abolition of the current role of Data Protection Commissioner in favour of a new Data Protection Commission, with up to three commissioners in place, to handle a heavier workload.
Here are some other things the bill would make law should it be voted through the Oireachtas:
Such instances running seemingly contrary to the essence of GDPR are ten-a-penny throughout the bill.
Reaction
Any prospective legislation is necessarily dense and doesn’t make for light reading – nevertheless Irish data protection experts have been universal in their condemnation of the bill as it stands.
Intellectual property solicitor and data protection expert Fred Logue says the documnt in its current guise “has the potential to kill data protection enforcement in Ireland and will take years of litigation to fix”.
The Irish Council for Civil Liberties says that the bill “impacts fundamental human rights, and on first reading gives rise to serious concerns across a broad range of privacy rights issues”.
The ICCL believes that proper analysis and consideration of these issues is required and we are concerned at the apparent haste with which the Government is pushing through important legislation in a highly sensitive area.
Independent Senator Alice Mary Higgins has tabled over 30 amendments to the new bill, which she describes as being “less interested in effective implementation of GDPR than in limiting its impact”.
“The bill proposes a number of wide, often vague, exemptions which allow the State and public bodies to override an individual’s right to privacy and data protection and, outrageously, it also seeks to exempt public bodies from fines when they break the rules. No financial consequences is a recipe for disaster,” she said.
Issues of data protection touch so many areas of our lives that it is vital we get this legislation right. That’s why I’ll be fighting for those amendments as this bill continues through the Seanad.
Meanwhile, perhaps most damningly, leading Irish law firm McCann Fitzgerald (like most large corporate entities, a company not overly accustomed to delivering stinging rebukes in public) summarised the newly-published bill with the phrase “further work to be done”:
Considering that the application dates of the GDPR and the Law Enforcement Data Protection Directive are less than four months away and that the draft bill is overdue, many organisations will be disappointed that what has been published is not closer to a version that could be finalised.
Why is this happening?
So, why has the government chosen to approach such a modern-day issue as data protection in such a seemingly contrarian way? This is the first time data protection has been dealt with on an EU-wide level in generations remember. Given our wholesale dependence upon being in the union’s good books with Brexit in the offing, why is the state attempting to go it alone in the face of a regulation we should be beholden to?
TheJournal.ie queried the Department of Justice as to the thinking behind the exemptions included in the bill, the immunity from fines in particular, and as to whether the minister is aware of the criticism of the bill stemming from the ranks of the data protection and privacy professions.
“This legislation is being introduced by the Government and there is a clear obligation on State bodies to abide by the law,” a spokesperson for the department said in response.
The Data Protection Bill 2018 gives further effect to GDPR in a limited number of areas in which flexibility is permitted. Article 83 of the GDPR sets out that it is a matter for member states to decide on whether administrative fines should be imposed on public authorities and bodies (this is indeed the case – Article 83 states that “each member state may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state”).
“There is a distinction to be drawn between public and private sectors – unlike its impact on a private company, a fine on a public sector body may have the effect of reducing the funds available to it to carry out its statutory functions for the public,” they added.
It has been suggested that the government perhaps doesn’t feel that Ireland is adequately prepared for GDPR, and wishes to immunise itself from the massive fines that could entail, ie if fines eat up a department’s budget the money won’t be there to fix the issues that caused the fine in the first place.
With controversial state schemes like the Public Services Card in place, the legislative and lawful basis of which has been called repeatedly into question, the state may be feeling particularly vulnerable to the hefty fines that GDPR brings with it.
Likewise, responsibility for data protection has bounced back and forth between the Department of the Taoiseach and the Department of Justice (which has itself had a difficult time of it on the PR front in the last six years) in recent times, only settling as part of Justice’s brief once more upon Leo Varadkar’s ascension to the leadership of the country. A new department equals a new approach.
Another train of thought is that the new bill is the work of officialdom which doesn’t much like the restrictions being put in place by the GDPR, and has instead drafted the law it thinks GDPR might have been.
In the wake of the criticism the bill faced in its pre-legislative form, a slimmed-down version with less controversial overtones might be what you would expect the Department of Justice to have produced. That has not been the case – all the anomalies previously cited have made it through to the final bill intact.
Of course the bill may not make it through the Dáil entirely in its current guise – the government doesn’t have a working majority, so much will depend on how the opposition, particularly Fianna Fáil, reacts to the bill’s more controversial provisions. But the timeframe is extremely tight to get this right. One way or the other Ireland needs to have legislation in place come 25 May.
What are the pitfalls?
In defying the EU, what risks are Ireland running? Quite a few.
When GDPR comes into force, the vast majority of the EU states will be running entirely in compliance with the new regulation, with us as the exception. Anything that clashes with the new regime will bring uncertainty with it.
At present, with so many social media giants like Facebook based in Ireland, all litigation regarding those massive companies is processed here. Defying GDPR means legal uncertainty. And that could (and probably will) see an explosion in data protection lawsuits here.
The risk exists that Ireland will be a far less attractive prospect to multinationals due to the sheer lack of clarity regarding what is legal and what isn’t when it comes to the processing of data. Economically, flouting GDPR is a huge hazard, not least with the financial tornado that is Brexit looming, and one the government seems determined to brave.
From an Irish citizen’s point of view, the proposed bill creates substantial ‘wiggle room’ regarding whole swathes of the heightened privacy rights afforded by GDPR, those which the EU now deems to be fundamental human rights.
So if we are to defy the new regulation, it seems far-fetched that the EU will take the snub lightly.
With no clarity as to which takes precedence here, Irish or EU law, you can expect the courts to be busy.
The possibility is also there that, in becoming the black sheep of the European privacy family, the stigma is one the country would struggle to bear. For, while data protection may not be the hottest of potatoes here, on mainland Europe (particularly in Germany, Austria, and France) it is the marquee issue, one treated with the utmost seriousness.
A struggle to get this bill through the Oireachtas might just be the beginning of the government’s privacy problems.
Don’t you just love how this and previous Government’s , pick and choose which things to side with the EU and which to ignore. Our Politicians really have become world class at being devious.
@DMurph: just
@DMurph: hmmm. So you are saying this government and previous ones have only accepted ones that beneficial to Ireland?
@Stephen Coveney: beneficial to themselves and their agenda. Pretty much the opposite of what’s beneficial to Ireland
@DMurph: and yet, when the government implements EU Directives in full, they are accused of being puppets and lap dogs. Can’t win.
Public Service Card?
@Pauliebhoy: no, thanks. Already have one.
Doesn’t the EU know who they are dealing with? This is the Irish Government. They don’t pay fines, they are not accountable when they do something wrong, everybody knows that. How dare the EU even suggesting such a thing!
“With no clarity as to which takes precedence here, Irish or EU law, you can expect the courts to be busy.”
EU law has supremacy over Irish law. The law Facebook and other companies have to prepare for is EU law. No uncertainty.
@Untriggered Non-Snowflake:
Third Amendment to the Constitution:
The State may become a member of the European Coal and Steel Community (established by Treaty signed at Paris on the 18th day of April, 1951), the European Economic Community (established by Treaty signed at Rome on the 25th day of March, 1957) and the European Atomic Energy Community (established by Treaty signed at Rome on the 25th day of March, 1957). No provision of this Constitution invalidates laws enacted, acts done or measures adopted by the State necessitated by the obligations of membership of the Communities or prevents laws enacted, acts done or measures adopted by the Communities, or institutions thereof, from having the force of law in the State.
@Untriggered Non-Snowflake:
The Lisbon Treaty:
17. Declaration concerning primacy
The Conference recalls that, in accordance with well settled case law of the Court of Justice of the European Union, the Treaties and the law adopted by the Union on the basis of the Treaties have primacy over the law of Member States, under the conditions laid down by the said case law.
So while I would not label this article “fake news” as that would require a deliberate attempt to misinform, I would say that this article is basically nonsense.
@Untriggered Non-Snowflake: when you see the phrase “under the conditions laid down” it means there are definitely exceptions, it’s always a good idea to check what they are.
@N:
Before we joined the European Community, there was a clear hierarchy of law in Ireland. Constitutional Law was supreme. Any Act passed by the Oireachtas which was repugnant to the Constitution would be overturned. For example, if the government had decided to pass a piece of legislation to say that Oireachtas legislation would supersede the Constitution, it would be overturned. The government can’t simply decide when the Constitution applies and when it doesn’t.
Amendment 3 to the Constitution explicitly states that once we joined the European Communities nothing in the provisions of the Constitution would inhibit laws passed by the Communities. In essence, the Constitution relinquishes supremacy to the Communities.
The only real issue in the case of Ireland is when EU Treaties undergo substantial revisions and changes. As the famous Crotty case found, this would be repugnant to the Constitution and would require a new referendum as it would mean a new transfer of powers from Ireland to the EU.
As J.Hederman said in that case “The State’s organs cannot contract to exercise in a particular procedure their policy-making roles or in any way to fetter powers bestowed unfettered by the Constitution. They are the guardians of these powers, not the disposers of them.” Basically, the people decide who to dispose power to.
@Dave O Keeffe:
I know what they are Dave.
An EU regulation is both directly applicable and has direct effect (both horizontal and vertical) in all Member States. Directly applicable simply means that an EU regulation becomes Member State law in its entirety. The Member State is actually required to do nothing by way of legislation for an EU regulation to become the nation’s law.
Direct effect(both horizontal and vertical) simply means that the rights and duties conferred by the law allow people to bring cases against State bodies(horizontal) or against other persons(vertical) to ensure their rights are upheld. Under our law, a company is recognised as a person under the law. So my point stands. Facebook and other companies must follow EU law in this case. No uncertainty.
The interesting thing is that the Journal article actually points out that EU regulations are mandatory. Then it goes on to argue it is unclear which law, Irish or EU, takes precedence in this case. It is clear to me the author does not really understand what an EU Regulation is or the basic.idea of EU law primacy in Ireland.
That is first year “Introduction to Law” stuff…
The author is right to say that Data Protection is an “marque” issue with countries such as Germany, Austria,and France. And this is why in the European Law Framework, it becomes a marque issue for all nations of the EU.
The reason it is important arises from World War 2 and the Holocaust. Lack of privacy and data protection was a primary reason to how the Nazi party in Germany could so easily find and round up Jewish people across Europe. Data Protection Law in Europe is framed in a way to ensure that something like this can never be done on that scale again. People should take Data Protection very seriously.
I’ve being saying for a while now that the PSC, the biometric national id card by the back door contravenes EU law and regulation on private and personal data protection. I’ve being warning that massive fines are there for breaches of those laws and regulations. Now it looks like those fines are to be doubled. Some here have rubbished me, but the truth is out now.
This is all about the PSC and the government’s intentions for it’s use. Not once has the government informed people what their rights are re the data that is and will be held on the cards and the data base it will use. The government try and pass this PSC off as the means to stop SW fraud. It’s purpose is far beyond that. It will place every Irish citizen under invasive and intrusive surveillance, control.
The GDPR will scupper the government’s intentions. So while it’s hastily trying to protect itself from the EU, it won’t protect it’s citizens.
For a long time now the government has played fast and loose with people’s data. Data protection is treated in a very cavalier manner by those who have access to it. Shared around willy nilly, even sold at times to private companies.
Your private and personal data belongs to you. You own it. The government can only collect it and use it for specific purposes. You are entitled to informed to what purpose it is wanted and used. It cannot be shared around any government depts, public bodies, without your express permission. It certainly cannot be shared with utilities, quangoes, banks, or other commercial interests.
You have never been informed as to what your rights are. Ever as yourself why.
@Dave Doyle: How did Irish Water, a semi private company, get my name and address to send me a bill? If that doesn’t worry you then nothing will
@Dave Doyle: Well the GDPR allows each member state to decide whether public bodies can be fined for GDPR and it seems that if the current draft of the Bill is enacted governmental bodies will escape fines.
@Sideshow Brendan: Irish Water collected much of that information from local authorities, who were previously responsible for water in Ireland.
So the collection and processing of names, addresses was lawful.
However the collection of PPSNs, which were originally being requested by Irish Water, was deemed to be excessive for the purpose of processing, and therefore Irish water stopped collecting that information.
@Thn: to give my details to a semi private company is legal? I never gave permission. Who asked me? This is a total theft of private data
@Sideshow Brendan: Permission is just one of the lawful grounds for the processing of personal data, so your permission is not required.
In order for Irish Water to operate it requires personal data on its customers.
@Sideshow Brendan: it was in the legislation. Passed by the Dail. Look it up.
Full disclosure and transparency is only a virtue when you have nothing to hide!
VRT
I said the PSC was going to be a GDPR headache on posts before…this just proves that point. What the Gov are claiming the card is for and what they intend to do with those cards are two different things and just like their refusal to enshrine Irish Water in law as a public entity the PSC is all about a scheme they are concocting for a quick euro. The cross department stuff alone will be GDPR fines as they are not meant to do that (but sure when you say central database the idea “cannot work”). Let’s not forget the number of times a suitcase was left on a train with patient details. The logic behind looking to be exempt isnt purely based on money…it is because the historical track record is a disaster already.
@Derek Power: Well the legality of the PSC is questionable under the current Data protection regime anyway.
Data controllers must have a legitimate basis to process personal data in order to make it lawful.
The stated purpose of the PSC initially was cut out fraud in Social Welfare. This in my view is legitimate and is arguably carried out on public service grounds.
However the runs afoul of the DP acts in a number of ways, including for example:-
- people aren’t given enough info. about why, how and where data is processed, including regarding security measures applied;
- while using this card where someone is in receipt of payments in arguably justified, requiring a person to have one to apply for a passport or in order to sit the driver theory test is unnecessary in my view.
@Thn: Exactly. Using it to combat fraud is fine…but why do we hear of an American company outside Ireland being involved in the info storing. Even if that is tinfoil hat stuff, making it “not mandatory, but compulsory” for things like sitting your driving test screams of a Gov intent on getting the system they want and forgetting that some people will work their entire life and never recieve welfare payments…thus making this card something a lot of the population would never even need. GDPR is now just showing that our shower of “leaders” will forever think in the local scale only and have now been caught out again by an educated electorate. The problem with modern technology…doesnt take weeks for info to get from one side of the island to the other now.
@Derek Power: storing the data outside of the EU is an non issue provided that the adequate safeguards have been put in place. Under the GDPR, the right to information requires data controllers (in this case the Gov.) to provide (amongst other things) details of these adequate safeguards and information on where a copy of such safeguards can be obtained. (Interesting guidance has been published on this point by article 29 working party).
Not to be seen as defending the way in which the PSC has been implemented, Regina Doherty herself has admitted that that phrase was stupid – her word!
Will that also effect journalism and breaking news stories and exclusives about corruption???
The GDPR explicitly allows some wriggle room for member states to decide how to impose fines. Personally I think the idea of the DPC (a state body) imposing a fine on another state body would be an exercise in pointlessness.
Simply a matter of moving public funds around between departments.
That said it’s vital that state bodies are held to task in a transparent, public manner for breaches of GDPR, which means regular and systematic oversight and audits by the DPC.
It must be remembered that even if state bodies can’t be fined by the state, data subjects will be able to bring direct actions against each data controller for damage caused as a result of a data breach.
Very good article. Disappointing that the Government is adopting this approach. Being led by ayatollah civil servants in cahoots with American multinationals??? General impression is that the Government is on the wrong side of history when it comes to digital.
Nothing to see here.Just a bunch of corrupt politicians trying to cover their arses at the public’s expense.Wait who voted them in?
The UK should have just exempted themselves from the common travel and freedom of movement part of the EU rules to avoid Brexit then.
This is worrying! Most private sector companies have put measures in place. The public sector needs to be guided on this! It’s happening in may!
@Roisin Walsh: Most private sector companies don’t have guidelines in place actually.
FFS, more fupping EU rules!!!
@Stephen Winterson:
Won’t be long before we lose our Ivory Coast flag also
@Ben Guy: The GDPR is simply updating a 1995 directive that has been in place in Ireland since 2003.
The GDPR requires companies who collect personal data to accord to a higher standard of data protection.
People are also being afforded new rights. This is actually a good think for every joe soap
@Thn:
Why are you telling me?
@Ben Guy: because I’m trying to declare my undying love for you.
Or else I just accidentally clicked reply to your comment instead of the one above. You decide baby
@Thn:
Anything could happen if you’re a good looker
@Ben Guy: meet me at the top of leeson street tonight at 10.
I’ll be the guy in fishnets and the I heart Ben guy t-shirt
Music,love and romance……..there may be trouble ahead…..kerching! I hear the geasy till.
Will not know anything until its law, then things will be noticed as usual?
What’s with the Russian/English keyboard under the padlock? Is this pertinent to the question?
@Ashley Brown: It’s a Latin/Cyrillic keyboard. Cyrillic is used in mainly Slavic speaking countries, not just Russia.
For once they have exercised a bit of foresight and have seen the flood of complaints and the sh*t storm incoming due to the introduction of the PSC and are clearly washing their hands of it in advance…. “we must fall in line with the EU”…….pure bollix!!!
No clear idea, from this article, what the government is doing. Waffle.
@Nick Caffrey: Because the government won’t come out and say where this GDPR will effect it most.
@Dave Doyle: GDPR is a confusing nightmare. Well intentioned but poorly drafted. There are amendments inserted by the European Parliament and nobody really knows the implications of the amendments. It’s a messy legalistic compromise.
As usual the Journal has posted a clickbait article. As of January 26 EU states including Ireland are not ready for GDPR. One would imagine from the article that is it only Ireland. And that’s because GDPR is immensely legalistic and complex. Most states especially small states are overwhelmed by the process.
But it is easier to damn the politicians and civil servants than admit that GDPR poses immense challenges for most States and companies not least because of its complexity and legal uncertainly.
A hypothetical, if it turns out the public services card does in fact breach data protection standards then a body could complain the Irish government to the EU for breaches under data protection legislation that itself failed to implement.
I salute anyone with the stones to file that lawsuit!!
have your say