New Data Protection Regulations In Ireland

The European Communities (Data Protection) Regulations, 2001 came into force on 01/04/02. These regulations represent Ireland’s first steps in implementing the 1995 EU Data Protection Directive No. 95/46/EC.

The newly implemented regulations make several amendments to the Data Protection Act, 1988.

Under the Data Protection Act, 1988 data controllers were under a duty to provide appropriate security measures to ensure personal data could not be accessed without authorisation or altered, lost or destroyed. This became increasingly difficult as information is transferred more and more by electronic medium. The new regulations allow data controllers to balance the cost of security measures and the technology available to use them against the type and value of the data involved and the damage which would occur if it was accessed. This effectively removes the need to spend vast sums of money protecting data that is of little value.

It is now more difficult to prohibit transfers of data to countries outside the European Economic Area. If that country ensures an adequate level of data protection in line with EU regulations then the Data Protection Commissioner cannot prohibit it. In addition if US companies are in line with the US ‘Safe Harbour’ agreement then they are also seen as ensuring an adequate level of data protection. Should the Data Protection Commissioner wish to prohibit a transfer he must balance the damage it would cause to the subject against the necessity to facilitate international data transfers. He can also look at other factors such as the nature of the data and its destination.

Restrictions on transfers to countries outside the EEA also do not apply to transfers where the subject has given his consent to it or where the transfer would be necessary for the performance or conclusion of a contract between the parties.

If a data controller retains the services of an agent or data processor to process data on their behalf then they must use a contract in writing or equivalent form which deals adequately with issues of security, confidentiality and other data protection matters.

The Regulations reflect the changing global economy and advances in technology since the Data Protection Act, 1988 was implemented. It is expected that the remainder of the Directive will be implemented at a later stage by the Data Protection (Amendment) Bill, 2002.