Two extra data protection commissioners may be appointed to deal with the significant increase in workload the regulator’s office is expected to face due to EU legislation coming into effect next year.
The provision is included in legislation being drawn up by the Government to implement the General Data Protection Regulation, which will be law from May 25th 2018.
Under the regulation, businesses will face fines of up to 4 per cent of their annual turnover, or €20 million, for data breaches or for failing to comply with new rules about how they may handle personal data.
The new EU law also provides for greater co-operation between European data protection authorities.
The Irish Data Protection Commissioner’s role will be central as it will be the lead supervisory authority (under a so-called one-stop-shop mechanism) for the regulation of the many multinational companies established here, including Facebook, LinkedIn and Apple.
Draft heads of a new data protection Bill provide that there would be at least one, but not more than three, commissioners heading the body, which would be renamed the Data Protection Commission.
Notes in the draft legislation specifically refer to the likely impact of the new EU regulation on the office.
The notes say the “anticipated additional workload arising from the GDPR”, especially in the context of the one-stop-shop, requires an “examination of the need to make provision for the appointment of additional commissioners”.
“The possibility of stringent sanctions, including large administrative fines, arising from the investigation of complaints or the conduct of data protection audits, means that rigorous procedural safeguards and due process standards must be maintained in order to withstand likely court challenges,” the notes add.
“This will require the separation of the investigative and adjudicative processes within the commission and will impose a significant additional workload on the commissioner.”
Depending on the circumstances of a case, such as where the imposition of a large administrative fine is likely, the commissioner may need to hold an oral hearing.
The draft Bill says there is a likelihood of “resource-intensive” one-stop-shop cases arising in this jurisdiction in light of the large number of data processing companies based here, “including those servicing data subjects across the EU such as Facebook, LinkedIn etc”.
One of the three commissioners appointed on the recommendation of the Public Appointments Service would be a chairperson. The commissioners would serve on a full-time basis for not less than three years and not more than five.
The legislation also proposes, where appropriate, that the commission’s internal procedures would be prescribed in regulations “to make them more resistant to any legal challenge”.
The new law also proposes to exempt public sector bodies from the huge administrative fines provided for in the EU regulation, save where they are competing in a commercial area with a private sector body.