The Irish Government has published its legislation programme for Autumn 2018.  The programme lists priority legislation for publication this Autumn, as well as legislation expected to undergo pre-legislative scrutiny. Listed below are the data protection, cyber-security and IP-related Bills coming down the track.

Priority Legislation

  • Communications (Retention of Data) Bill – This Bill will revise and replace the Communications (Retention of Data) Act 2011. The Heads of this Bill were published last October 2017, following publication of Mr Justice Murray’s Review of the Law on the Retention of and Access to Communications Data.  That Review concluded that many features of the 2011 Act are precluded by EU law. The 2011 Act requires telephone companies and ISPs to store everyone’s metadata for up to two years which, in Mr Justice Murray words, constitutes “a form of mass surveillance of virtually the entire population of the State”. Mr Justice Murray said that Irish legislation should be consonant with the limitations as to the proper scope of a system of communications data retention and disclosure laid down by the EU Court of Justice in a number of recent cases, including the Tele2 case. The Heads of the Bill are available here.


Non-Priority Bills due to undergo pre-legislative scrutiny

  • Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill – This Bill will amend various pieces of legislation in respect of electronic communications.  The Heads of Bill were approved on 5 July 2016, but have not been published. In 2016, however, the Department of Justice and Equality published a policy document discussing why this area of law needs to be amended (see our blog here).
  • Cybercrime Bill  – This Bill will give effect to those provisions of the Convention on Cybercrime 2001 not already provided for in national law. The legislation programme notes that preparatory work is underway, but there is no indication as to when the Bill will be published. Last year, the Government enacted the Criminal Justice (Offences Relating to Information Systems) Act 2017 which creates a number of cybercrime offences including: accessing or interfering with the functioning of an information system without lawful authority (e.g. hacking); interfering with data without lawful authority intercepting the transmission of data without lawful authority; and using a computer programme, password, code or data for the commission of any of the above offences.
  • Communications Management (Agency) Bill – The legislation programme notes that this Bill will “provide for a single entity to manage the State’s commercial communications contracts including the National Broadband Plan Contract(s), act as a centre of expertise in relation to the State’s commercial activities in communications and undertake additional functions in relation to implementation of policy”. The Heads of Bill are currently being prepared.

Bills currently on the Dáil and Seanad Order Paper

  • Copyright and Other Intellectual Property Law Provisions Bill 2018 – This Bill will introduce a series of amendments to the Copyright and Related Rights Act 2000 aimed at modernising copyright and also to take account of certain exceptions to copyright permitted by Directive 2001/29/EC on the harmonisation of certain aspects of copyright and related rights in the information society. The Bill aims to improve access to the courts system for IP claims, in particular to facilitate lower value IP infringement cases to be brought before the District and Circuit courts. It has been passed by the Dáil and is now due before the Seanad.  The text of the Bill is available here.
  • Data-Sharing and Governance Bill 2018 – This Bill provides a legal mechanism to facilitate lawful data-sharing and data–linking for public bodies, and defines standards for data governance and security to be followed in any data sharing or data-linking activities.  It is currently at the third stage of the Seanad.  The text of the Bill is available here .

Transposition of the NIS Directive

Earlier this week, the Government published the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018, which implement the Network and Information Systems (NIS) Directive in Ireland.  Member States were required to transpose the NIS Directive into national laws by 9 May 2018.

The Regulations apply to Digital Service Providers and Operators of Essential Services (OESs).  A “Digital Service Provider” is a legal person who provides a digital service including: (a) an online marketplace; (b) an online search engine and (c) a cloud computing service.  The Government must identify and compile a list of companies, in sectors such as energy, transport, banking, healthcare, and drinking water supply, that will be designated as OESs by 9 November 2018.

The new security requirements set out in the Regulations are mandatory principles that all Digital Service Providers and OESs will have to meet within their organisations. The security requirements are built around five central themes; Identify, Protect, Detect, Respond and Recover, which provide an overall view of an organisation’s management of cybersecurity risk. Each operator is required to assess and implement appropriate security measures to address the five key areas, taking into account sector specific factors and the identified risks of their own organisation and its environment. A person guilty of an offence under the Regulations will be liable to a fine up to €50,000 in the case of an individual or €500,000 in the case of any other person.

A draft copy of the Regulations have been made available on the website of the Oireachtas library. The official version will be published shortly, but the text will not change.