The General Data Protection Regulation (the 'GDPR') came into force on 25 May 2018 and is directly effective in each Member State of the European Union (the 'EU'), with the goal of harmonising data protection laws across the EU. On 24 May 2018, the Data Protection Act 2018 (the '2018 Act') was enacted and the Commencement and Establishment Day orders were signed by the Minister for Justice and Equality, Charlie Flanagan TD. Since the final text of the GDPR was agreed in April 2016, the administrative fines which supervisory authorities can now impose on data controllers and processors for infringements of their data protection obligations have become one of the most commented-on changes brought about by the new European legislation.
Under the Data Protection Acts 1988 and 2003 (the 'DPAs'), the Data Protection Commissioner had broad investigation and enforcement powers but did not have the power to impose fines for breaches, which was reserved for the courts. The GDPR introduced in Ireland a two-tiered system of administrative fines for non-compliance of up to €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year (whichever is higher).
The lower tier of fines (up to the higher of €10 million or 2% of the total worldwide annual turnover of the controller or processor in the preceding financial year) can be imposed for infringements of obligations relating to the conditions for obtaining a child's consent, the communication of a personal data breach to the supervisory authority or the data subject, or the designation, position and tasks of data protection officers.
The higher tier of fines (up to the higher of €20 million or 4% of the total worldwide annual turnover of the controller or processor in the preceding financial year) can be imposed for infringements of obligations relating to the core data protection principles such as transparency and accountability, the processing of sensitive personal data and data subjects' rights.
The Irish Data Protection Commission (the 'DPC') can impose administrative fines in addition to or instead of other corrective measures such as warnings, reprimands, orders, and limitations and bans on the processing of personal data.
The GDPR expressly provides that administrative fines must be effective, proportionate and dissuasive and lists a number of factors which a supervisory authority must take into account when deciding on the amount of the...