Data Protection Legislation and Reform
Data protection law restricts the collection, storage and use of personal data. Personal data is that which concerns a living person. The objective is to protect privacy and to restrict the use of information to legitimate purposes. Personal data must be collected for specified explicit and legitimate purposes and must not be processed in a way, incompatible with those purposes. The legislation applies both to electronic information and to structured physical files or manual data, where it is structured by reference to individuals or criteria relating to individuals.
Data Protection legislation derives from European Union Directives. The Irish and UK Data Protection Acts are broadly similar because of this common origin.
The GDPR which became effective on 25 May 2018 has replaced most of this legislation with similar but enhanced EU wide rules. It is accompanied by the Data Protection Act 2018 in Ireland and the Data Protection Act 2018 in the UK, which covers some areas which EU member states competences are and gives effect to options which the GDPR grants to Members States.
The GDPR Reforms
The EU wide General Data Protection Regulation (the GDPR) came into effect on 25 May 2018 (Regulation (EU) 2016/679). As a regulation, it is directly effectively law in all European Union States. It is now the principal source of Data Protection Law in the UK and Ireland.
Common EU wide law has now replaced most national legislation, which was based on older EU Directives. There are narrow exclusions on EU competences in relation to criminal and security legislation, this continues to be governed by domestic law.
This area is the subject of a separate EU Directive dealing with processing of personal data by national authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties. The Directive (EU) 2016/680) is given effect in Ireland by the Data Protection Act 2018 in Ireland.
Both the GDPR and law enforcement Directive (implemented by the Data Protection Act 2018) are based on in Article 16 of the Treaty on the Functioning of the European Union, and they provide for significant reforms to current data protection rules based on the EU’s 1995 Data Protection Directive.
Both instruments generally provide for higher standards of data protection for individuals (“data subjects”) and impose increased obligations on bodies in the public and private sectors that process personal data (“controllers” and “processors”).They also increase the range of possible sanctions for infringements of these standards and obligations.
EU Objective of Single Regulation
Many key data protection concepts and principles remain broadly similar under the GDPR, to those already set out in the Data Protection Acts 1988 and 2003 (which have given effect in national law to the 1981 Council of Europe Data Protection Convention (Convention 108) and the EU’s 1995 Data Protection Directive respectively).
The GDPR seeks to provide for a more uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for those doing business in the EU digital market. The European Data Protection Board comprising representatives of the data protection authorities of all Member States, will play an important role in this respect
The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the EU shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Scope
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The GDPR does not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- by a natural person in the course of a purely personal or household activity;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
For the processing of personal data by the EU institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. 2Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of the Regulation in accordance with Article 98.
GDPR Territorial Scope
Data protection law and the GDPR applies to the processing of personal data where that data controller or processor is established in the State and data is processed in the context of the activities of that establishment. This is the case regardless of whether the processing takes place in the European Union or not.
The GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Risk Based Approach
The EU Regulation and Directive (implemented by the Data Protection Act 2018) introduce new elements and some enhancements. Both require a “risk-based” approach to data protection. This requires that each individual data controller and processor is required to put appropriate technical and organisational measures in place in order to ensure – and to be able to demonstrate – that their processing of personal data complies with the new data protection standards.
For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of data subjects, they must take account of the nature, scope, context and purposes of the data processing. In certain cases, this requires the carrying out of data protection impact assessments, and where mitigation of risk is not possible, prior consultation with the Data Protection Commission will be mandatory
Language and Scope of the Legislation
The original data protection legislation predates the internet and modern data processing. To some extent, it does not sit well with the vast and growing amount of personal information that is available on the internet, instantly. Even, in the reformed GDPR setting, the essential scope and terminology of the earlier legislation remains intact.
The legislation applies to all data held electronically or to all other data (e.g. on paper etc.) which is held as part of a filing system. Some of the key definitions and concepts in Data Protection legislation are very broad and their full scope and meaning is not intuitively obvious. Some are in such general terms that its extent and boundaries may not always be apparent.
Much of the key language used in the legislation is not commonly used in everyday life. The legislation applies primarily to personal “data” and its use by data controllers and data processors. “Data” is a very broad concept and refers to information in any form or media whatsoever. Data “controllers” and “processers” are broadly those who acquired store or use information.
Personal data is information that can by itself or with other data, directly or indirectly, identify an individual. This key concept is very broad in scope and includes much data which would not be readily thought to be personal information in an everyday sense. It includes images and sound files. The data subject is the person to whom the information refers.
This General Data Protection Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria, do not fall within the scope of this Regulation.
The GDPR does not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out asylum and immigration functions
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The second, third and fourth category of data is covered by the domestic Data Protection legislation enacted pursuant to a contemporaneous directive.