Legislation relating to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018.
An accompanying Directive establishes data protection standards in the area of criminal offences and penalties. This is known as the law enforcement Directive.
The GDPR and the law enforcement Directive provide for significant reforms to previous data protection rules. They provide for higher standards of data protection for individuals and impose increased obligations on organisations that process personal data. They also increase the range of possible sanctions for infringements of these rules.
As an EU regulation, the GDPR did not generally require transposition into Irish law (EU Regulations have direct effect), so organisations involved in data processing of any sort need to be aware that the GDPR addresses them directly in terms of the obligations that it imposes. You can read about the obligations of data controllers and processors under the GDPR and about the concepts and principles involved.
This document outlines the legislation relating to the GDPR.
Data Protection Act 2018
In Ireland, the Data Protection Act 2018 has:
- Established a new Data Protection Commission as the State’s data protection authority
- Transposed the law enforcement Directive into national law
- Given further effect to the GDPR in areas where member states have flexibility (for example, the digital age of consent)
Read more in this press release.
You can visit oireachtas.ie to view the debates on this legislation, the original text of the Bill and the amendments made as it progressed through the Oireachtas.
Data Protection Directive for Police and Criminal Justice Authorities
The Data Protection Directive for Police and Criminal Justice Authorities has applied since 5 May 2016. As this legislation is a Directive and not a Regulation, EU member states had to introduce national legislation to ensure compliance with the Directive before 6 May 2018.
The Directive specifically regulates the processing of data by police and criminal justice authorities in the EU. The Directive requires the data collected by law enforcement authorities to be:
- Processed lawfully and fairly
- Collected for specified, explicit and legitimate purposes and processed only in line with these purposes
- Adequate, relevant and not excessive in relation to the purpose in which it is processed
- Accurate and updated where necessary
- Kept in a form that allows identification of the individual for no longer than is necessary for the purpose of the processing
- Appropriately secured, including protection against unauthorised or unlawful processing
EU member states must establish time limits for erasing the personal data or for a regular review of the need to store such data.
The Directive requires that the law enforcement authorities make a clear distinction between the data of different categories of persons including:
- Those for whom there are serious grounds to believe they have committed or are about to commit a criminal offence
- Those who have been convicted of a criminal offence
- Victims of criminal offences or persons whom it is reasonably believed could be victims of criminal offences
- Those who are parties to a criminal offence, including potential witnesses
National authorities must implement measures to ensure a level of security for personal data, for example, preventing unauthorised persons access processing equipment; preventing the unauthorised reading, copying, changing or removal of data; and preventing the unauthorised input, viewing, changing or deleting of stored personal data.
Passenger Name Record Directive
The Passenger Name Record Directive (PNRD) has applied since 21 April 2016. EU member states had to introduce national legislation to ensure compliance with the PNRD before 24 May 2018.
The EU (PNR Data) Regulations 2018 have transposed the PNRD into Irish law with effect from 25 May 2018.
The PNRD regulates the use of passenger name record (PNR) data in the EU for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes.
PNR data includes:
- Travel dates
- Travel itinerary
- Ticket information
- Contact details
- Means of payment used
- Baggage information
Each EU member state must establish a Passenger Information Unit (PIU). A PIU is responsible for collecting, storing and processing PNR data, as well as transferring that data or the results of its processing to the competent national authorities.
The Irish PIU has been formally established under the remit of the Department of Justice and Equality and it has begun to process passenger data.
A PIU may exchange PNR data and the results of its processing with other EU member states and with Europol.
Airlines must provide PIUs in EU member states with the PNR data for flights entering or departing from the EU. The Directive also allows, but does not require, EU member states to collect PNR data concerning selected internal EU flights.
Data provided by airlines will be stored in a database by a PIU for 5 years. After 6 months’ storage, the PNR data must be de-personalised.
The data collected may only be processed to prevent, detect, investigate and prosecute terrorist offences and serious crime.
Data should only be processed in the following cases:
- For a pre-arrival assessment of passengers against pre-determined risk criteria and relevant law enforcement databases
- For use in specific investigations or prosecutions
- As input in the development of risk assessment criteria