Oireachtas Joint and Select Committees

Wednesday, 5 July 2017

Joint Oireachtas Committee on Justice, Defence and Equality

General Scheme of the Data Protection Bill 2017: Discussion (Resumed)

9:00 am

Dr. T.J. McIntyre:

I would like to make four points today on behalf of Digital Rights Ireland. First, I thank the committee for the opportunity to discuss the Bill. This is an area of law of immense importance and the decisions taken in implementing the general data protection regulation, GDPR, will be in place for many years to come. After all, it is now nearly 30 years after the 1988 Act came into effect and I suspect we will see this in place for something close to the same time.

The first point I would like to make is on the structure of the Bill. I know that previous witnesses have said the Bill is over-ambitious in that it tries to do much in one document, and I agree with that.

In particular, it would be desirable to separate the provisions of the Bill, specifically in Part 4, which implement the law enforcement data protection directive and place them in a separate instrument. This is because there is a significant overlap, or at least a perceived overlap, between the two areas. I have already seen a degree of confusion on the part of people reading the heads of Bill who have read a section in Part 4 that appears to be reflecting the General Data Protection Regulation, GDPR, when it is not implementing it but rather the directive. There is a real risk that the very similar language will lead to a degree of confusion on the part of users.

The other point made by previous witnesses, in particular the commissioner and Mr. Denis Kelleher, was that the residual Parts of the 1988 and 2003 Acts should be repealed and re-enacted as a stand-alone instrument rather than being left in place. I support that argument. It seems that if we leave any Parts of the 1988 and 2003 Acts in place, we will have a position where to deal with certain matters, in particular those with an overlap between public and private processing of data, we will have to look to the 1988 Act, determine how it was amended by the 2003 Act, determine how that was amended by what would be the 2018 Act and then look to the GDPR on top of that, possibly while looking to other European instruments on top of that as well. For example, these might include European instruments regarding the Schengen information system. It seems that would be a real recipe for confusion.

It would be greatly preferable to, as far as possible, deal with the few aspects remaining in the 1988 Act in a short, separate and stand-alone instrument. These are the aspects required of Ireland under the 1981 Council of Europe privacy convention but not dealt with under the GDPR or the law enforcement data protection directive. This is something we will have to do in any event. The Council of Europe convention on the protection of personal data is in the process of being modernised and we are at a point where we are very close to agreement on a final text. This is something that will be implemented certainly in the next couple of years in any event. It would be very useful at this point to pre-empt that as far as possible by separating those provisions.

The next point relates to article 80 of the GDPR, which deals with representation of data subjects. A real problem in this area has been that individuals can lack the expertise, knowledge, time and money to enforce their legal rights. As members know, the Irish legal system is expensive and difficult to navigate for lawyers, never mind those people unfamiliar with it. Many of these rights, if they are to be enforced, would involve a trip to either the Circuit Court or the High Court at a cost that is simply beyond the scope of the average individual. The GDPR aims to alleviate that problem with a mandatory and two optional provisions in article 80. The mandatory provision is that member states must allow individuals to nominate a not-for-profit body to act on their behalf to make complaints to a data protection authority, appeal against decisions of a data protection authority, or take an action against a controller, like an Internet service provider, where it has abused personal data. The optional parts of the article are that member states may allow individuals to nominate not-for-profit groups to act on their behalf to seek damages and they may allow not-for-profit groups to bring actions on their own initiative without the need for an individual to nominate them to do so.

It is very important that Ireland would take up the two aspects of flexibility in the GDPR and it is rather disappointing the heads of Bill do not address these points at all. The heads of Bill before us now would exercise the discretion silently that would not take advantage of these options. There are practical and principled reasons it would be useful to make these changes. The practical reason is that given Irish law does not allow for class actions, as such, and there is no general provision for them, if individuals are not able to nominate a representative body to bring an action for damages on their behalf, there will be a multiplicity of claims being brought before the courts that the courts simply are not equipped to address. One might think about a data breach, for example, such as the Yahoo compromise or the Ashley Madison data breach, where there could be thousands, tens of thousands or hundreds of thousands of individuals affected, some of whom may be very seriously affected. In that context we can expect a similar number of cases coming before the courts. The GDPR gives us the option to effectively consolidate these cases if we allow people to nominate not-for-profit bodies to act on their behalf to bring a single action. Without that option - it is not an option under the heads of Bill as they stand if individuals are seeking damages - the individuals, if they have time, expertise and knowledge to bring an action individually, will have to do so individually.

The second reason is a principled one. It seems that if individuals are not able to nominate not-for-profit bodies to bring an action for damages on their behalf, and if not-for-profit bodies are not able to bring an action in appropriate cases where an individual complainant has not come forward, there will be a gap in protection. In many cases, in particular discussing sensitive personal data, individuals - even if they can be identified and know they have been harmed - would be very reluctant or unable to come forward. Individuals who find sensitive medical records leaked, for example, or like with the Ashley Madison case, those who find information relating to their sexual life has been leaked, would be very often unwilling to become the public face of the issue for very understandable reasons. Although we might be able to identify an affected individual, that is not to say the individual would be in a position to bring a complaint or action in respect of the matter.

This is important from a principled perspective because in our own litigation challenging data retention law, the High Court and Mr. Justice McKechnie acknowledged that it was important that Digital Rights Ireland would be able to bring an actio popularis, an action on behalf of the wider population in respect of data retention laws. This was a pressing issue of public concern and if we were not able to do it, individuals would not have the financial ability to bring the action by themselves. In an area where the European Union was eventually found to have acted in a manner that was entirely illegal, this would have gone unchallenged because individuals simply did not have the resources to bring these claims. As members will know from a number of hearings, this is an exceptionally complicated area of law. We say it is unrealistic and unfair to expect individuals to navigate these waters without a guide. The two discretionary provisions in article 80 are necessary to enable individuals to have an effective remedy.

My next point does not appear on the speaking note that was distributed but it relates to head 20 of the Bill, which would allow for restrictions to be placed on controller obligations and the exercise of data subject rights by means of statutory instrument. We are concerned that head 20 appears to introduce a far-reaching power on the part of each individual Minister to effectively exempt particular forms of data processing from the requirements of the GDPR in a way that might not be fully consistent with fundamental rights. It is noticeable that in the heads of Bill the Department acknowledges it would be desirable for Departments to introduce limitations on these rights by means of primary legislation but it suggests it is nevertheless necessary to have a residual power by means of statutory instrument to introduce these exceptions.

This power, certainly as drafted in the heads of Bill, goes significantly too far. In head 20, subhead 2(s), there are two typographical errors but the second is the one to which I refer.

It states that a statutory instrument may be introduced which will restrict controller obligations and data subject rights in relation to important objectives of general public interest. What are such objectives? They are defined in head 20, paragraph 2, under the second subsection (s) as "such other important objectives of general public interest of the Union or the State as may be prescribed in regulations". In other words, we may have regulations introduced where necessary for matters of important general public interest. What are matters of general public interest? They are matters which may be defined by the regulations to be introduced to implement matters of general public interest. Even in that aspect of the heads of the Bill there is circularity in the definition.

More generally, there is a concern that we are creating a very far-reaching power to carve out exemptions from the General Data Protection Regulation, GDPR, without clear standards being laid down in legislation to do so. It seems to me that if such a far-reaching power is to be in place, there should be some additional check on it. What that check might be is a matter for the Oireachtas. It could be a requirement for a positive resolution of the Houses before the exemption would come into effect. It could be a sunset clause whereby any regulations introduced under this provision have a finite lifespan and must either be re-enacted in primary legislation or allowed to expire. It could be some other mechanism for parliamentary or perhaps committee scrutiny of particular classes of regulation. As this stands, however, particularly in the context of a minority Government, there is a risk that exemptions could be introduced by ministerial order which might not pass full legislative scrutiny and certainly might not command the support of the Houses of the Oireachtas.

I apologise that my final point is not included in the speaking note provided to the committee. It concerns the position of data protection officers, DPOs, and the protection they have if they are victimised for doing their work. As the members know, under the GDPR data protection officers are required to be independent. Data controllers are not to interfere with the independent exercise of their functions. However, the remedies available for breach of this duty are sanctions imposed by the Data Protection Authority on the data controller. They are not remedies that are available to the data protection officer who might have been victimised as a result. For example, if an individual DPO is sacked for doing his or her job, there is no remedy available to him or her under the GDPR itself or under the heads of the Bill. It seems to me that it would be desirable to provide some form of remedy.

DPOs already have recourse to a limited form of remedy in that they might have the right to bring an action for wrongful dismissal. As committee members will be aware, however, an action for wrongful dismissal is a limited one in the sense that it is quite expensive. It must be brought before the Circuit Court or High Court as appropriate. It would be preferable to provide that DPOs have available to them an action for unfair dismissal, which is a much cheaper, easier, streamlined process that can be brought before the Workplace Relations Commission and the Labour Court.

The analogy here would be to the Protected Disclosures Act, which creates a protection for those who are dismissed on the basis of protected disclosure. There would in fact be an overlap in that, in some cases, DPOs might make a protected disclosure precisely in order to bring themselves within the scope of that legislation, for example by notifying a matter to the Data Protection Commissioner. It would be preferable to avoid the need for them to artificially bring themselves under the purview of the Protected Disclosures Act by explicitly providing that, where an individual is dismissed on the basis of the exercise of his or her functions as a DPO, an unfair dismissal remedy be available to him or her.

That concludes my statement on behalf of Digital Rights Ireland. I welcome further questions.
