This document deals with the issues surrounding the Data Protection Act in terms of the geographic location of the data controller.
Territorial Application of the Data Protection Act
European Communities (Data Protection) Regulations, 2001
Naturally, if a data controller is based completely outside of Ireland, does not use equipment in Ireland for its processing, and does not have any branches or agencies acting on its behalf in Ireland, the data controller is not subject to the Data Protection Act, 1988. Conversely, if a data controller is located in Ireland, carries on its activities in Ireland, and uses equipment and agencies located in Ireland, it is obvious that the Act applies to it.
However, what about less clear-cut cases? If the data controller is based outside of Ireland, but uses branches or agencies in Ireland to collect and process personal data, does the Irish Act apply? What if a company is legally established in Ireland, but carries on all of its activities in other countries? Does it affect matters if the other country is an EU or EEA country?
Up to now, issues such as these have been dealt with under section 23 of the Data Protection Act, 1988. As a result of the new European Communities (Data Protection) Regulations, 2001, this section is to be replaced with new provisions, in line with Article 4 of the EU Data Protection Directive. The new provisions, which take effect of 1 April 2002, will introduce simpler, clearer rules for determining whether the Irish Data Protection Act applies in particular cases. In essence, the Act will apply to data controllers 'established in Ireland', and to data controllers established outside the EEA who make use of equipment in Ireland for processing personal data. Further details are given below.
Data controllers established in Ireland
The Irish Data Protection Act applies to all data controllers established in Ireland. It does not matter whether the personal data relates to non-Irish people, or whether the data controller actually carries on all of its activities outside of Ireland. Once the data controller is established in Ireland, then it is subject to Irish data protection law.
However, the term ?established in Ireland? requires some clarification. The new Regulations provide clear rules on which organisations are to be treated as established in Ireland, summarised below.
- Individuals normally resident in Ireland. Comment: Individuals can be data controllers e.g. doctors, pharmacists, politicians and lawyers. Where the individual data controller is resident in Ireland, he or she must comply with the provisions of the Data Protection Act, 1988.
- A body incorporated under the law of the State. Comment: The bulk of Irish data controllers will fall into this category, which includes companies and other bodies corporate that are incorporated under Irish law. Note that this category includes all companies incorporated in Ireland, including a company that is a wholly-owned subsidiary of an overseas company.
- A partnership or other unincorporated association formed under the law of the State. Comment: This category includes some legal and accountancy firms, medical practices, and voluntary associations.
- A person who is not mentioned in the previous three paragraphs, but who maintains either an office, branch, or agency in Ireland, through which the person carries on any activity, or a regular practice in Ireland. Comment: This important category provides for situations in which a data controller located outside of Ireland carries on business activity in Ireland - whether through a branch, through retaining the services of an agency, or through maintaining a regular practice in Ireland. Any non-Irish data controller that does business in Ireland in this way is subject to Irish data protection law - at least insofar as its activities conducted in Ireland are concerned. Note that this rule makes no distinction between data controllers that are established in European Economic Area (EEA) countries, and those established in non-EEA 'third countries'.
However, data controllers based elsewhere in the EEA who have direct dealings with Irish people - e.g. data controllers who engage in direct marketing over the telephone or the internet - are not covered by this category. Such data controllers, which do not operate via an Irish-based intermediary, would normally be subject to the data protection laws of the EEA country in which they are based.
Data controllers established outside of the EEA are subject to special rules.
Data controllers established outside the EEA
Data controllers established outside of the European Economic Area (EEA) are subject to Irish data protection law in certain limited circumstances. The Regulations specify that any such non-EEA data controllers are subject to the Data Protection Act only in cases where they make use of equipment in Ireland for the purpose of processing personal data. (However, this rule does not apply if the only processing involved is the transit through the State of the personal data. This exemption may be of relevance to some telecommunications service providers, or telecommunications infrastructure companies.)
Non-EEA data controllers that are covered by this rule must designate a representative established in Ireland. This representative would, in general, be expected to be answerable for compliance with Irish data protection laws.
- Technically, the Regulations refer to data controllers 'established in the State'. As a matter of legal interpretation, 'the State' does not include Northern Ireland.
- The European Economic Area (EEA) is comprised of the fifteen EU countries together with Norway, Iceland and Liechtenstein.