Mr. Billy Hawkes:

The timescale for implementation is in the lap of the political gods. The objective is to have the legislative package approved by next May when the European Parliament elections will take place. The Deputy will be aware from the address by the Minister for Justice and Equality, Deputy Alan Shatter, of the efforts he deployed during the Irish EU Presidency to push the package through and significant progress was made. I am assured by those who know the system, including my colleague Mr. O'Dwyer, the deputy commissioner, who is just back from Brussels, that the challenge of getting this through purely on technical grounds by next May is significant. It will require a significant political push both in the Council of Ministers and the European Parliament to get the package through, taking into account the significant differences that still remain on key issues about the package.

It has always been recognised that the so-called “right to be forgotten” is a slogan. Giving it concrete expression is more challenging. The concept is understood as the idea, particularly in the world of the Internet, that one should have some sense of control over information on oneself. In concrete terms, what this boils down to is, first, a requirement on organisations to limit the collection of data. Clearly, there is written into the regulation, as there is in existing law, an obligation to only collect information that is necessary to deliver a service.

A second issue concerns the retention of data. In other words, one should only retain personal data for as long as is necessary to achieve the purpose for which it was collected in the first place. The third issue concerns the right to request the deletion of data where one believes there is no reason to hold on to it. As the Minister made clear in his presentation, much as one would like it, one does not have the right to have one’s criminal record erased. It will not go that far. However, the Oireachtas will be considering spent convictions legislation which has the objective of giving people the chance to move on after they have met their debt to society. In practice, once one is reported in a newspaper, there will always be a record of what one may have done. The challenges in this area are significant.

A particular challenge is presented by the idea that where the data were originally collected by one organisation but have been replicated across the Internet, how far can one realistically expect action to be taken to delete all traces of them. It is a difficult challenge. Within data protection law it is about maintaining the existing principles of minimising the collection of data, deleting the data when they are no longer required and then making reasonable efforts to respond to requests for deletion of data both by the original organisation and where they may have been replaced.

The concept in Europe is that we have the right to control the collection of our personal data. The issue of consent goes to the heart of the fact that data protection is a fundamental right. What it means in different contexts is a difficult issue. On the one hand, one wants to have the right respected by giving us full control over what data are collected and used in important issues. On the other, there are other cases where, if one insisted on data protection being used in dealing with Internet advertising or website pop-ups that occur every second, data protection would become more unpopular than it already is in some circles. There is a balance to be struck in this regard, recognising that there are other interests involved. For example, the State has a right to collect information on one’s income, regardless of whether one likes it. Accordingly, there is no issue of consent when dealing with the Revenue Commissioners.

There is an increasing tendency for the State to insist on its right to access data. That is a balance issue for parliamentarians rather than for me to consider. It is a difficult issue.

The new resolution maintains the idea that consent is a very important legal basis but not the only one. It also maintains that there can be a legitimising of data collection when there is a public interest involved, as when the law lays down that one must give details of one's income to the Revenue Commissioners, one must give relevant details to the State if one seeks means-tested benefits, etc. Although it is controversial, there is also a recognition in the new law, as there was in the existing directive, that an organisation can also assert that it has a legitimate interest in using one's information to pursue its own commercial interests, but there is a balancing test, so the legitimate interests of an organisation are balanced against one's right to data protection.

Stepping back from the details of the law, data protection has always been a set of principles to be applied in particular contexts. That situation will not change, although we are now dealing with the regulation that is to be applied uniformly across the EU. There will still be large areas for interpretation and for how the law should be applied in particular contexts, which will mean that my successors and I will continue to be in work for some time to come.