With the General Data Protection Regulation (GDPR) less than a year away from implementation, Ireland’s Data Protection Commission could quickly become one of the busiest in Europe. New rules dictating that multinationals can treat any supervisory authority as their single regulating body may lead to Google, Amazon, Facebook, Twitter, LinkedIn, Microsoft, and many more tech giants currently residing in Ireland causing a paper jam in Ireland’s supervisory authority. But just how much of an adjustment is the system in Ireland set to undergo, if it is to implement the GDPR in full and in time?
Quite a lot, in fact. In the past, Ireland has faced scrutiny over its soft approach to data protection law, with some criticizing it as an off-shore privacy hub to attract multinationals at the cost of the individual. The incoming GDPR is set to change that, and Ireland has shown positive growth in accepting its soon-to-be responsibility. The budget for the Data Protection Commission has been multiplied fourfold, as well as its plans for a 150% increase in staff members.
The bridge between the current laws in force and the provisions of the GDPR may be bigger than in some other countries of the European Union, but many of the main concepts and principles of the GDPR are also present in Ireland’s current Data Protection Acts 1988 and 2003. The core differences Ireland is facing are:
- An expansion of the territorial scope of the Irish Data Protection Act (which, in its current state, has no legal reach outside of Ireland and the EU)
- Data subject’s Rights of Access also expand, with companies needing to provide access for free (as opposed to for a maximum fee of €6.35), within one month from the date of the request (a reduction from the current period of 40 days)
- The introduction of Breach Notifications
- The introduction of Data Protection Officers
- An expansion of penalties for companies in the event of a breach (which “can result in a criminal prosecution with fines up to €5,000 and on indictment €250,000 per offence”) to new maximums of €2,000,000 or €4,000,000, depending on the category of breach
The regulation does not require any transposition into Irish law, and will come into direct effect on 25th May 2018. From this date, conflicting provisions of the Data Protection Acts will simply no longer be valid. The Irish Government have published the General Scheme of the Data Protection Bill 2017 to fully transpose the GDPR, as well as the Law Enforcement Directive (2016/680) (concerning processing of personal data in criminal investigations), into Irish law. Though the Bill is still in its preliminary stages, no drastic changes are anticipated prior to enactment. To date, there have been no indications that Ireland will be making use of the opening clauses in the GDPR.
A phenomenon that is not unique to Ireland, however, is the challenge of increasing awareness of the increased responsibility on businesses that the GDPR brings. Research conducted by Amárach Research on behalf of the Data Protection Commission found that just 14% of Irish SMEs have begun preparation for the GDPR, with 83% of businesses being unable to name any changes for their organisation.
It remains to be seen just how Ireland will balance this duty to SMEs with its potentially incumbent, non-appointed and non-official role as Tech Giant Data Protection Referee. As the work load for Ireland’s Data Protection Commission continues to heave, cracks may appear.