New Irish Data Protection Act introduced to sit alongside GDPR

The GDPR is EU legislation that has direct effect in every EU member state, including Ireland. However, it provides governments across Europe with a duty in some cases, and freedom in others, to flesh out further rules relating to the processing of personal data.

The new Irish Data Protection Act, passed by the Irish parliament earlier this month and subsequently signed into law by Irish president Michael D. Higgins, replaces existing data protection legislation and addresses matters left to the competency of national governments by the GDPR.

One of the biggest changes that the new Act introduces is a new legal basis for processing health data. The Act expressly provides that health data can be lawfully processed for insurance and pension purposes.

The new legislation also contains a series of new criminal offences for breaches of data protection law.

It will now be an offence for a data processor to knowingly or recklessly engage in unauthorised disclosure of personal data where they do not have prior authority from the data controller for such disclosure. A further offence could arise where there is disclosure and/or sale of personal data obtained without the prior authority of the data controller or processor.

In addition, it is also an offence to force individuals to submit a data subject access request in connection with recruitment or employment or in relation to contracts for the supply of services by an individual.

Those who commit the new offences could face fines of up to €50,000 or up to five years in prison.

The new legislation also introduces the prospect of a rise in data protection-related litigation in Ireland. Civil actions for breaches of data protection law can now be brought on behalf of data subjects by not-for-profit bodies, organisation or associations that have been mandated to do so by those individuals.

The new Data Protection Act also introduces a new digital age of consent. Children must be 16 years of age or older to be able to signal their consent to the processing of their personal data on websites and apps and other 'information society services', although the provisions do not apply to any preventative or counselling services. A review of the provisions is hard-wired into the Act and must take place within three years.

The Act also addresses issues relevant to public bodies in Ireland and their handling of freedom of information (FOI) requests. The Act explicitly permits personal data contained in official documents to be disclosed in response to FOI requests.

Ireland's Data Protection Commission has also been handed new powers to make urgent applications to the High Court to intervene in data processing activities in certain circumstances.

Where the watchdog considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it can apply to the High Court for an order suspending, restricting or prohibiting the processing of data or its transfer outside of the European Economic Area (EEA).

Provisions set out in the Data Protection Act 1988 will continue to apply to complaints made, investigations initiated and suspected contraventions that occurred prior to the new Act coming into force.