There is some contention surrounding the Data Protection Bill 2018, which has just been presented to the Irish Parliament. The Data Protection Bill is intended to introduce General Data Protection Regulation (GDPR) into Irish law. However, there has been concern regarding the way the Bill deals with the issue of fines for non-compliance
Once GDPR becomes law across Europe, on 25 May 2018, businesses and organisations can face costly fines if they do not comply. The maximum fine for non-compliance is 20 million Euros, or 4% of annual turnover, whichever is greater. In Ireland, the Data Protection Bill which is about to be discussed by Parliament states that government bodies are excluded from these fines, unless they act in direct competition with a private company
Concerns of the Data Protection Commissioner
When it was first suggested that government bodies would be exempt from fines, last year, the Data Protection Commissioner, Helen Dixon expressed her concerns. She asserted that the fines were in place to deter organisations from potential non-compliance and stated that surely this was important in government bodies, where most people expected a higher level of data protection security than in private companies. Despite these concerns being raised, the Bill still refers to the fact that fines will not be imposed on government bodies.
However, this may not be the end of the story. When he was asked about the contentious inclusion of the exclusion in the Bill, Justice Charlie Flanagan stated that the Bill had yet to be discussed by Parliament. So, is it still possible that changes will be made?
Whatever happens in Parliament, and whatever the Bill states, Justice Flanagan also made it clear that all government bodies will be expected to comply with GDPR; in fact they will be expected to act as a role model for others. At present, it does not seem as though there will be any financial implications for government bodies that do achieve these expectations.