The Irish Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the coming into effect of the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework. At the final parliamentary stages, some unexpected changes were made to the Act.
Key provisions and amendments
- Setting the digital age of consent at 16 years
- Enabling a not-for-profit body (mandated by a data subject) to bring a civil action seeking compensation and injunctive relief on behalf of the data subject for a breach of data protection law
- Providing that any reference to “child” in the GDPR shall be taken to be a person under 18 years (other than in regard to Article 8 of the GDPR)
- Making it an offence, punishable by an administrative fine, to process the personal data of a child under 18 years of age for the purposes of direct marketing, profiling or micro-targeting
- Providing a specific right to be forgotten for children requiring a controller, on request, to erase personal data collected in relation to the offer of information society services to a child
- Requiring the Irish Data Protection Commission (DPC) to encourage the drawing up of codes of conduct to ensure the proper application of the GDPR with regard to children
- Enabling administrative fines of up to €1 million to be imposed on public bodies or public authorities that do not act as undertakings (i.e. that are not in competition with private sector bodies)
- Providing restrictions on individuals’ rights on the grounds of legal privilege, for archiving, scientific or historical research purposes or statistical purposes, and in other specified circumstances for important objectives of general public interest
- Providing new investigative and enforcement powers for the DPC, including enhanced search and seizure powers, the appoint of expert reviewers, the drawing up of investigation reports, examining witnesses under oath and conducting oral hearings
- Permitting the processing of personal data and special categories data for a purpose other than that for which it was collected where necessary and proportionate: to prevent threats to national security; investigate or prosecute criminal offences, or for legal advice or legal proceedings
- Providing a derogation for the right to freedom of expression and information which must be interpreted in a broad manner
- Permitting the processing of health data for insurance and pension purposes ƒ Permitting the processing of personal data relating to criminal convictions and offences in specified circumstances
- Establishing a number of criminal offences punishable by a fine of up to €5,000 and/or 12 months imprisonment on summary conviction, or up to €250,000 and/or 5 years’ imprisonment on conviction on indictment