GDPR & Data Protection [EU]
Data Protection Legislation and Reform
Data protection law restricts the collection, storage and use of personal data. Personal data is that which concerns a living person. The objective is to protect privacy and to restrict the use of information to legitimate purposes. Personal data must be collected for specified, explicit and legitimate purposes and must not be processed in a way incompatible with those purposes. The legislation applies both to electronic information and to structured physical files or manual data, where it is structured by reference to individuals or criteria relating to individuals.
Data Protection legislation derives from European Union Directives. The Irish and UK Data Protection Acts are broadly similar because of this common origin.
The GDPR, which became effective on 25 May 2018, has replaced most of this legislation with similar but enhanced EU-wide rules. It is accompanied by the Data Protection Act 2018 in Ireland and the Data Protection Act 2018 in the UK, which cover some areas that remain within the competence of EU member states and give effect to options which the GDPR grants to the Member States.
The GDPR Reforms
The EU-wide General Data Protection Regulation (the GDPR) came into effect on 25 May 2018 (Regulation (EU) 2016/679). As a regulation, it is directly effective law in all European Union States. It is now the principal source of Data Protection Law in the UK and Ireland.
Common EU-wide law has now replaced most national legislation, which was based on older EU Directives. There are narrow exclusions from EU competence in relation to criminal and security legislation; these areas continue to be governed by domestic law.
This area is the subject of a separate EU Directive dealing with the processing of personal data by national authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties. That Directive (Directive (EU) 2016/680) is given effect in Ireland by the Data Protection Act 2018.
Both the GDPR and the law enforcement Directive (implemented by the Data Protection Act 2018) are based on Article 16 of the Treaty on the Functioning of the European Union, and they provide for significant reforms to the data protection rules based on the EU’s 1995 Data Protection Directive.
Both instruments generally provide for higher standards of data protection for individuals (“data subjects”) and impose increased obligations on bodies in the public and private sectors that process personal data (“controllers” and “processors”). They also increase the range of possible sanctions for infringements of these standards and obligations.
EU Objective of Single Regulation
Many key data protection concepts and principles remain broadly similar under the GDPR, to those already set out in the Data Protection Acts 1988 and 2003 (which have given effect in national law to the 1981 Council of Europe Data Protection Convention (Convention 108) and the EU’s 1995 Data Protection Directive respectively).
The GDPR seeks to provide for a more uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for those doing business in the EU digital market. The European Data Protection Board, comprising representatives of the data protection authorities of all Member States, will play an important role in this respect.
The GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
The GDPR protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the EU shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Scope
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The GDPR does not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- by a natural person in the course of a purely personal or household activity;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
For the processing of personal data by the EU institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of the Regulation in accordance with Article 98.
GDPR Territorial Scope
Data protection law and the GDPR apply to the processing of personal data where the data controller or processor is established in the State and the data is processed in the context of the activities of that establishment. This is the case regardless of whether the processing takes place in the European Union or not.
The GDPR applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The GDPR also applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Risk-Based Approach
The EU Regulation and Directive (implemented by the Data Protection Act 2018) introduce new elements and some enhancements. Both require a “risk-based” approach to data protection. Each individual data controller and processor must put appropriate technical and organisational measures in place in order to ensure – and to be able to demonstrate – that their processing of personal data complies with the new data protection standards.
For the purposes of assessing the nature, level and likelihood of risks to the rights and freedoms of data subjects, they must take account of the nature, scope, context and purposes of the data processing. In certain cases, this requires the carrying out of data protection impact assessments, and where mitigation of risk is not possible, prior consultation with the Data Protection Commission will be mandatory.
Language and Scope of the Legislation
The original data protection legislation predates the internet and modern data processing. To some extent, it does not sit well with the vast and growing amount of personal information that is instantly available on the internet. Even in the reformed GDPR setting, the essential scope and terminology of the earlier legislation remain intact.
The legislation applies to all data held electronically and to all other data (e.g. on paper) which is held as part of a filing system. Some of the key definitions and concepts in Data Protection legislation are very broad and their full scope and meaning is not intuitively obvious. Some are expressed in such general terms that their extent and boundaries may not always be apparent.
Much of the key language used in the legislation is not commonly used in everyday life. The legislation applies primarily to personal “data” and its use by data controllers and data processors. “Data” is a very broad concept and refers to information in any form or media whatsoever. Data “controllers” and “processors” are, broadly, those who acquire, store or use information.
Personal data is information that can by itself or with other data, directly or indirectly, identify an individual. This key concept is very broad in scope and includes much data which would not be readily thought to be personal information in an everyday sense. It includes images and sound files. The data subject is the person to whom the information refers.
The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria, do not fall within the scope of the Regulation.
The GDPR does not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out asylum and immigration functions;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The second, third and fourth categories of processing are covered by the domestic Data Protection legislation enacted pursuant to a contemporaneous directive.
Data Controllers and Processing
The GDPR and the Data Protection Act provide key principles for the holding and use of personal data, which are binding on data controllers and data processors. A data controller is any person who, alone or in conjunction with others, controls personal data. Personal data means any data relating to a living individual who can be identified from the data, or from the data in conjunction with other information in the data controller’s possession or which may come into their possession.
“Processing” covers keeping, collecting, storing, altering, adapting, retrieving, consulting, using, transmitting, disseminating or otherwise making available, the data. It includes combining, blocking, erasing and destroying data.
A data processor is a person who processes personal data on behalf of a data controller. A data processor is subject to most of the same obligations to which the data controller is subject. Their relationship should be structured by a contract or other arrangements. It should specify the conditions under which data may be processed, minimum security requirements, procedures and provisions to procure compliance, risk management and rights of verification.
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis laid down by law, either in the GDPR or in other EU or national law, including the necessity for compliance with a legal obligation to which the controller is subject, or the necessity for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Fair Collection
Fair processing requires that the data subject be given certain information before his data is collected. He should be given information about the identity of the data controller, the persons to whom the data may be disclosed and the purposes for which it is to be used. The information should be furnished before the data controller first processes the data.
The information must be made available to the person affected. In some cases, the furnishing of information on a website could suffice. The GDPR requires that it be given more directly. Consent should be informed consent in all cases. In the case of a minor, the consent of a parent or guardian should be obtained.
Data must be collected for a particular specified, explicit and legitimate purpose. It must not be processed in a manner which is incompatible with that purpose. The relevant purpose must be specified at the time of collection.
Data must not be collected which is irrelevant to the purposes for which it is required. The controller must assess the adequacy, relevance and nexus of the data in an objective way. He must act fairly, bearing in mind the purpose for which the data is collected and acquired.
Processing and Security
Personal data must be accurate and, where necessary, kept up to date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected. Every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading in relation to the factual position.
Data processing must be objectively necessary. Data must not be retained for any longer than necessary. Data processing must be relevant to the purpose for which it is collected. It must not be excessive in the context of the purposes for which it is collected.
Data controllers must take security measures to prevent unauthorised access to, unauthorised alterations of, unauthorised disclosures and destruction of personal data. Appropriate security must be provided for personal data subject to the current state of technology, the costs, the nature of the data and the harm that might result from loss or unauthorised use.
Territorial Scope
Data protection law applies to the processing of personal data where the data controller is established in the State and the data is processed in the context of that establishment. It also applies where the data controller is established neither in the State nor in another EU state but uses equipment in the State for processing data, other than for transit purposes.
An establishment is a concept which entails having a certain minimum presence and business operations in the State. Accordingly, a transient presence or the presence of small elements of a business would usually suffice in order to bring the entity within the scope of Irish data protection law, if the entity is established in another EEA state. The latter states will have equivalent data protection rights and laws, deriving from the EU legislation.
An individual resident in the state is deemed established. A company incorporated in the state is deemed established. A partnership formed in Ireland under the laws of Ireland is deemed established. Outside of these categories, a person or entity is established if he or it has an office, branch or agency in the State, through which he or it carries out a regular practice. See the sections on tax, which use similar concepts in defining the degree of presence necessary to bring an entity within the charge to Irish tax.
Personal data kept by an individual in the management of his personal, family and household affairs, or kept only for recreational purposes, is exempt. The Act does not apply at all to information that must otherwise be made public under separate legislation.
Rights of Data Subject
Where a person believes another person holds personal data about them, he may write to the person concerned requesting a copy. The data controller must inform him whether he holds personal data and supply a description of the data and certain other information in relation to it. The data controller must give a description of the data and the purposes for which it is kept. This request must be complied with within a specified period.
The data subject has a right of access to the data, subject to certain exceptions designed to protect the legitimate interests of the data controller. The data subject is entitled to have the data rectified, erased or blocked if the data controller does not comply with its duties. The data controller must comply with requests within a reasonable time.
The data subject may by notice in writing request the data controller to cease or not to process personal data where the processing is likely to cause substantial damage or distress or would be unwarranted. There are certain public interest exceptions.
A decision which affects a person significantly or in a legal sense may not be based solely on automated processing of personal data where it relates to personal matters such as creditworthiness, work performance, reliability or conduct. Certain exceptions exist.
Transparency and Public Bodies
The GDPR Regulation and Directive (implemented by the Data Protection Act 2018) place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards to be implemented in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.
Both instruments impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a Data Protection Officer with the responsibility to oversee data processing operations, and to report data breaches to the relevant data protection authority.
The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called “legitimate interest” ground will no longer be available to public authorities when acting in that capacity.
Enhanced Enforcement
Both the GDPR and the Directive (implemented by the Data Protection Act 2018) provide for increased supervision and enforcement of data protection standards by the data protection authority.
The GDPR also provides for the possible imposition of substantial administrative fines (up to €10 million or €20 million, or 2% or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher). Both the GDPR and the Directive (implemented by the Data Protection Act 2018) provide that any data subject who has suffered material or non-material damage because of a breach of his or her data protection rights shall have the right to seek compensation in the courts.