Ireland’s Data Protection Bill 2018 was published in early February. This text, which may be subject to change by the Irish Parliament, will amend the current Irish Data Protection Acts, 1988 and 2003.
When enacted, the Bill will bring into Irish law the General Data Protection Regulation 'GDPR' (EC/2016/679) and the Law Enforcement Directive (EC/2016/680). The Bill addresses the powers of Ireland's Supervisory Authority, the Data Protection Commissioner, and enacts the separate Law Enforcement Directive into Irish law.
The draft Bill establishes a Data Protection Commission in place of the current Data Protection Commissioner, Helen Dixon. Up to three Commissioners may be appointed by the Irish government to form the new Commission.
The controversial exemption of public bodies from the administrative fines remains in the Bill, except where these public bodies are acting as an “undertaking” (providing goods or services alongside private bodies).
Liability for individuals who contravene data protection requirements continues to be in force in line with the present Data Protection Acts 1988 and 2003, with fines of up to €50,000 and potential custodial sentences of up to five years. Company directors, managers and other officers may also be held individually liable for contravening the Bill's requirements, once it can be proved an offence was committed with the consent of such an officer.
The Bill contains two exemptions of particular relevance to insurers. The existing Section 41 states that the processing of special categories of personal data, which includes data indicating racial or ethnic origin, political opinions, religious or philosophical beliefs, health, genetic or biometric data, shall be lawful where the processing is necessary 'for the purposes of, or in connection with, legal claims, prospective legal claims … or is otherwise necessary for the purposes of establishing, exercising or defending legal rights'.
Section 44 establishes a new lawful processing exception in Ireland and is intended to address processing concerns raised by insurers during the Bill's consultation phase. Under this draft Section, 'health data' may also be processed where necessary for policies of insurance, life assurance, health insurance and pensions.
The GDPR permits criminal convictions and offences data to be processed only under the control of official authority or for specified purposes under national law. In line with this authority, the new Bill provides examples of such processing under official authority and specifies five purposes where processing is permitted in Section 49. Insurers presently process data relating to criminal convictions and offences to more accurately assess risk and help prevent fraud. Under the draft Bill, this processing must remain under the control of official authority in Ireland (i.e. An Garda Síochána) and in compliance with the Irish Commissioner's existing June 2013 Code of Practice on Data Protection for the Insurance Sector.
The Bill is expected to be enacted prior to 6 May 2018, which is the deadline for the introduction of the Law Enforcement Directive into national law.