On 15 December 2015, the EU institutions agreed the new data protection framework to be implemented under the forthcoming Data Protection Regulation. The European Parliament and European Council are expected to adopt the final text of the Regulation in the next few months and it will then come into effect two years after its adoption (likely mid 2018).
The Regulation will replace the current European legislative framework under the 1995 Data Protection Directive (“Directive”) on which the primary Irish data protection law, the Data Protection Acts 1988 and 2003 (the “Acts”) is based. The current system of various national laws, that transposed the Directive, resulted in a fragmented regulatory system for data controllers operating in the European Union. As the Regulation will have direct effect, it should allow for the application and enforcement of a more standardised data protection law across the EU. The reforms will also specifically address some current technological challenges and opportunities in respect of the processing of personal data in the current digital age, including profiling, data portability and the ‘right to be forgotten’. However, many of the core principles around data processing in the Regulation remain unchanged from the Directive, but have been expanded and clarified to strengthen the rights of data subjects.