In Ireland, data protection law is set out in the:
- Data Protection Act 1988;
- Data Protection (Amendment) Act 2003; and
- S.I. 336 of 2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Regulations”).
The aim of the Data Protection Acts and the ePrivacy Regulations was to bring Ireland into line with EU requirements.
Data protection law in Ireland aims to ensure that the right of individuals to privacy in relation to the processing of their personal data is respected, and so has important implications for businesses that collect and process information on living individuals, including employees.
The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 (the “Acts”)
The Data Protection Act 1988 gave effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe of 1981. The Convention requires parties to it to respect an individual’s rights and fundamental freedoms, in particular the right to data protection in relation to the automatic processing of his or her personal data. This right must be provided to all living individuals regardless of their nationality or place of residence.
The Data Protection (Amendment) Act 2003 transposed into Irish law the EU Data Protection Directive 1995/46/EC, extending the application of data protection law in Ireland to all personal data, whether automated or manual, and to the free movement of personal data between European Member States. It came into force on 1st July 2003.
However, for manual records created before 1st July 2003, the obligations to keep data accurate, complete and up-to-date, to ensure that it is adequate, relevant and not excessive, and to retain it no longer than is necessary for the purpose(s) did not commence until 24th October 2007.
Under the Acts, certain types of data controller and all data processors are required to register with the Data Protection Commissioner. If you are required to register and you do not, you commit an offence under the Acts. However, regardless of whether you are required to register, all data controllers and data processors must comply with the Acts.
The Acts do not apply to:
- personal data that in the opinion of the Minister for Justice, Equality and Law Reform or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State;
- personal data consisting of information that the person keeping the data is required by law to make available to the public; or
- personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.
The ePrivacy Regulations 2011 (Statutory Instrument 336/2011)
The Regulations came into effect on 1 July 2011 and give effect to the EU ePrivacy Directive 2002/58/EC (as amended by Directives 2006/24/EC and 2009/136/EC). They revoke Statutory Instruments 535/2003 and 526/2008.
The Regulations apply to the processing of personal data by data controllers and data processors in connection with publicly available electronic communications networks and services. They are in addition to the general obligations applying to all data controllers and data processors under the Acts. The additional obligations are in the areas of data security (including data breaches), marketing, data retention and data disclosure. Failure to comply with these obligations can lead to severe criminal penalties.
The Regulations apply to:
- electronic communications companies (telecommunications companies and internet service providers); and
- any entity using such communications and electronic communications networks to communicate with customers, for example, by telephone, by text, via a website or over email.