Mr. Daragh O'Brien:

It was not fit for purpose in 2014. Things have moved on since then. The Deputy asked about the definition of "disclosure". When we reviewed the original scheme of the Bill for Digital Rights Ireland in 2014, we highlighted the lack of such a definition. We identified three possible categories of sharing that might take place, with different levels of risk associated with each. We proposed three possible definitions that could be used. Since then, we have had the GDPR and the Bara ruling and there has been a shift in the public perception and awareness of the impact of data sharing. It would be unfair to suggest we thought the Bill was fit for purpose in 2014 or 2015. Today, we are concerned that it lacks governance controls and definitions.

Deputy Burke mentioned offences. As Mr. Kelleher has correctly said, the GDPR takes care of offences and administrative sanctions at the organisational level, but there is a gaping hole at the level of the individual person being asked or put under pressure to do a thing. If people in such circumstances had something to point to, they would be able to say that they will carry a personal liability at criminal or civil level if they do that thing without appropriate authorisation or control. The only comparable model is the offence of unauthorised disclosure of taxpayer information by a current or serving office of the Revenue Commissioners or a contractor who processes data on behalf of the Revenue Commissioners. Something like that would be a valuable addition to the Bill. As it stands, it would be remiss of me to say it is anywhere near being fit for purpose.