Data Protection and Applicable Laws

Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights, which states:

  1. Everyone has the right to the protection of personal data concerning him or her.
  2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
  3. Compliance with these rules shall be subject to control by an independent authority.

Even prior to the General Data Protection Regulation (GDPR), European countries had privacy laws in place for decades. In Ireland it was the Data Protection Acts 1988 and 2003, and the 1995 Directive.

Many elements we encounter in GDPR today were already part of previous legislations and are not as new as most people might think. However, it took the GDPR and its compliance measures to bring data protection or data privacy, as it is called in most countries beyond Europe, to wider attention.

On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect following a two-year transition period aimed at allowing to prepare for GDPR. GDPR is a ‘regulation’, and as such is a binding legislative act, which must be applied in its entirety across the EU. This is why it has a harmonising legislative effect across European data protection legislation.

At the same time GDPR allows in some specified areas for each EU country to retain the ability to introduce derogations, which however must respect “the essence” of the right to data protection and be a necessary and proportionate measure. In Ireland the Data Protection Act 2018, including  the Health Research Regulations, which are part of the Data Protection Act 2018, formulate such national GDPR derogations.

The option for EU Member States to introduce national derogations in some areas of data protection mean that anyone operating across national boundaries, for example in research collaborations, needs to be cognisant of potential differences between legal requirements affecting collaborators in other countries.

GDPR is a principle based, very general piece of legislation. Sometimes it applies in tandem with more specialised laws on data protection, which all need to be taken into account by those responsible for the processing. Examples of more specialised privacy related laws include ePrivacy Regulations or the Clinical Trial Regulation (CTR). In such cases the more specific rules of the specialised laws apply too, giving additional definition to the more general rules of the GDPR. On a number of occasions, the European Data Protection Board, (EDPB), which represents all EU Data Protection Authorities, published guidance / an opinion on the interplay between specialised laws and the more general GDPR, examples include ePrivacy interplay with GDPR; or Clinical Trials Regulation interplay with GDPR.