
New Data Protection Rules come into force

The European Communities (Data Protection) Regulations, 2001 (the Regulations) became law on the 1st April 2002, giving partial effect to the provisions of the EU Data Protection Directive (95/46/EC) of the 24th October 1995 (the Data Protection Directive).

On the 25th February 2002 the Data Protection (Amendment) Bill, 2002 (the Bill) was published by the Department of Justice. The Bill passed all stages of the Seanad on the 24th April 2002. It is anticipated that the Bill will become law later this year. On enactment, the Bill will implement the provisions of the Data Protection Directive and will replace the Regulations.

The essential thrust of the Regulations is to govern the transfer of personal data to third countries outside of the European Economic Area (comprising the 15 EU member states as well as Norway, Iceland and Liechtenstein) (EEA).

The EU Commission has prepared a "white list" of countries to which such personal data can be exported. This list presently comprises Hungary, Switzerland and Canada, as well as those US corporations that have signed up to the US "Safe Harbour Principles". The EU Commission is presently examining the data protection legislation of the Isle of Man, Japan and New Zealand, with a view to considering adding these jurisdictions to the "white list".

The essential test to be met before transfers of personal data to third countries can be lawfully made is to ensure that the third country in question has an adequate level of data protection. The "white-listed" countries are accepted by the EU Commission as having such adequate levels of data protection. Exports to third countries which are not on the "white list" give rise to particular requirements.

The EU Commission has published what are termed "model contracts" to be used by data controllers exporting to third countries that are not on the "white list". In essence, there are two different types of model contract, namely a contract to facilitate the transfer of personal data between a data controller within the EU and a data controller outside of the EEA and a contract to facilitate the transfer of personal data between a data controller within the EU and a data processor that is located outside the EEA.

The model contracts contain certain safeguards, which must be contractually signed up to. These include:

- The adherence to data protection rules which are broadly reflective of the provisions of the Data Protection Directive.
- The contractual obligation to make available to data subjects on request, details of their data and to provide assistance to such data subjects wishing to make complaints.
- The obligation to co-operate with national data protection authorities concerning the processing of personal data.
- The acceptance of the entitlement of a data subject to sue for damages arising out of a breach of the data protection safeguards contained in the contract. This is an important right, because the data subject is not a party to the contract and this is an exception from the general privity of contract rule.

Data controllers do not, strictly speaking, need to deposit a copy of their contract with the Data Protection Commissioner, but there is an entitlement to submit the form of contract to the Data Protection Commissioner for approval.

The Bill, when enacted, will implement in full the provisions of the EU Directive. As stated earlier, it is probable that the Bill will become law in the latter part of 2002. The Bill will introduce significant changes to the Irish data protection regime and it is therefore important that businesses operating in Ireland are ready to meet the obligations that will be imposed on them by this new law.

The main features of the Bill include the following elements:

- The definition of data will be extended to include manual data.
- The definitions of personal data and sensitive personal data will be extended.
- There will be new registration requirements. In simple terms, all data controllers with some limited exceptions will have to register with the Data Protection Commissioner.
- The data protection principles contained in the 1988 Act have been restated and will be extended.
- The fair processing requirements will be extended. Essentially, data subjects must be informed of the identity of the data controller, the reasons for the collection of the data, the uses to which the data will be put, all obligatory requirements, the fact that there is a right of access and the right to object to the collection or processing of personal data.
- Data subjects in receipt of direct marketing material will have the right to request in writing and free of charge that direct marketers cease the use of their personal data or the processing of their personal data for direct marketing purposes.
- Data subjects will have improved rights of access which will include the right to receive copies of what personal data is held by the data controller in intelligible form, the right to access their personal data, the right to object to its processing, the right not to be subjected to "automated decision-making processes" and, from an employment law perspective, the right not to be subjected to a forced access request as a condition of recruitment or employment.
- Transfers of personal data from Ireland to outside of the EEA will be controlled. Broadly speaking, the provisions of the Regulations as outlined above are replicated in the Bill.

There are more specific and onerous security requirements of data controllers set out in the Bill.

Data controllers who have engaged data processors will have to enter into written contracts containing certain essential terms including but not limited to the obligation to act on the instructions of the data controller only and to keep the data secure.

The Data Protection Commissioner will have new powers and functions which will include the right to publish codes of practice, the power to conduct privacy audits and the power to evaluate at registration stage, the types of data processing proposed so as to be satisfied that there is nothing objectionable in what is proposed.

For further information or general enquiries contact:

Patrick Ryan
Email: pryan@kilroys.ie
Telephone: +3531-439 5600
Fax: +3531-439 5601/439 5602

© Kilroys Solicitors 2002
