The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018 and will regulate the processing of personal data inside the EU and of EU residents. The GDPR is regarded as the most significant change to the European data protection regime in over 20 years and it has been speculated that it is the most lobbied-about piece of EU legislation to date. That said, the GDPR builds upon many of the existing data protection principles under the current laws.
The GDPR is expected to increase data protection standards globally as its remit expands beyond the EU, in particular to non-EU organisations which offer goods or services to EU residents or monitor their behaviour, even where that processing of personal data does not take place in the EU. As a result, those non-EU organisations will also be required to comply with the GDPR. With the impending due date of the GDPR in less than one year, we are now seeing many of our clients implementing the changes required to comply with the GDPR’s standards. In addition, the Office of the Data Protection Commissioner has increased its GDPR awareness campaigns.
As a Regulation (which has direct effect under Member States’ laws), the GDPR will replace both EU and national data protection legislation. In Ireland, the GDPR will replace the 1995 Data Protection Directive (Directive 95/46/EC), which is the EU Directive on which the current Irish data protection legislation, the Data Protection Acts 1988 and 2003 (as amended), is based.
Since the 1995 Data Protection Directive was introduced, there have been significant advances in technology and the uses that organisations can make of personal data have become increasingly sophisticated. It also became apparent that there are differences between Member States in terms of how they have implemented the 1995 Data Protection Directive, which has caused compliance difficulties for organisations that operated in a number of different EU jurisdictions. For these reasons, it was decided at an EU level that data protection law reform was needed to make Europe fit for the digital age, strengthen citizens’ rights in the digital age and also to eliminate the current fragmentation in implementation between Member States.
After four years of negotiations, the European Parliament adopted the final text of the GDPR on 14 April 2016. We have set out a brief timeline of the main events leading up to the GDPR’s adoption.
While the GDPR is aimed at harmonising the data protection framework throughout the EU, full and complete harmonisation will not be achieved by the GDPR. In this regard, the GDPR gives scope to Member States to introduce their own data protection requirements in certain circumstances and it also gives the European Commission the power to make delegated acts. In Ireland, the Department of Justice and Equality recently published the General Scheme of the Data Protection Bill 2017 (General Scheme) on 12 May 2017. The General Scheme essentially gives us a summary of the main provisions that are likely to be included in the Data Protection Bill. The Data Protection Bill will give effect to, and provide for derogations from, the GDPR when it is enacted. Interestingly, the digital age of consent for online services in Ireland was left blank in the General Scheme but recent reports indicate that the Cabinet has set it at thirteen. It is expected that there will be changes before the Data Protection Bill is enacted and it should be noted that the General Scheme is very much in draft form at this time.
We will continue to monitor developments and will keep you updated on the GDPR.
This material is provided for general information purposes only and does not purport to cover every aspect of the themes and subject matter discussed, nor is it intended to provide, and does not constitute or comprise, legal or any other advice on any particular matter.