Oireachtas Joint and Select Committees

Wednesday, 5 July 2017

Joint Oireachtas Committee on Justice, Defence and Equality

General Scheme of the Data Protection Bill 2017: Discussion (Resumed)

9:00 am

Mr. Simon McGarr:

I thank the committee for the opportunity to address it on the heads of the Bill. This legislation, together with the implementation of the GDPR, will mark a watershed in respect of the relationship between the State and its citizens. I will address three major points and will pick up some of the threads from Mr. McIntyre's submission.

First I will address head 23, a proposal in respect of State agencies, public bodies and administrative fines. It provides for administrative fines to be imposed on public bodies or authorities solely in respect of occasions on which they act as an undertaking. The effect of this exemption is to make sure they are not liable to fines on all other occasions when they are not acting as an undertaking. The result is to exempt public bodies and State agencies from administrative fines. The committee will have heard from the Data Protection Commissioner and other witnesses already. I echo them in saying that this is a very unwise course of action for the State to have taken.

State agencies will not have the same level of accountability as commercial bodies. Between State agencies, a tally in respect of fines over the course of years is a very good initial indicator of any structural or institutional difficulty that may be arising. Such a difficulty is easy to see as the fines build up, should there be repeated fines, and therefore it is less likely that long-term structural difficulties will develop. Administrative fines are cost-neutral for the Exchequer as a whole. The fines levied on public agencies go back into the Central Fund. There is not really a cost saving exercise here for the State or the Exchequer.

The proposed provision requires a legally very complex test to be carried out on each occasion that the Data Protection Commission thinks it is necessary to do so, before any administrative fines could be levied. On every occasion, there would have to be an examination of whether elements of public authority were acting as an undertaking before an administrative fine could be levied. In the explanatory note to the heads of the Bill, it is acknowledged that this is a complicated matter. It cannot be said that a particular State body is an undertaking in all its activities. The example given in the explanatory note is that the HSE in the provision of ambulances is sometimes an undertaking and is sometimes not. This is a high legal threshold for the regulator to have to get over every time it must decide whether it is possible to exercise legal powers. It also introduces the potential of a challenge by the public body to every such effort to exercise those powers, in respect of whether it is acting as an undertaking.

It seems that there is very little by way of compelling reasons for providing this exemption for the State bodies. Certainly there is nothing set out in the explanatory note as to why State bodies ought to be exempt as a matter of policy. There are very clear reasons for having State bodies subject to the same regulatory system as the rest of civil society. Our recommendation is that it would be better if article 83(7) was implemented without any restrictions on the administrative responses available to the Data Protection Commissioner, including such fines as the commission found appropriate in respect of breaches of citizens' personal data privacy.

Head 91 deals with the requirement giving effect to the general data protection regulation, GDPR, that there should be a right of compensation for financial and non-financial loss arising from a breach of the regulation. Article 82 of the regulation is phrased in such a way as to say that there "shall" be provision made for the recovery of compensation for material and non-material loss. The wording of the article is such that precedent would suggest that when a European legislative provision states there shall be provision, it indicates that a further step is likely to be necessary on the part of the member state in order to give force to that intention.

The heads of the Bill recognise that there is a right of action but, on examination, they do not explicitly create a right of compensation for a data subject for a breach of their rights. The result would be that there is a question whether the State would have complied with the requirement that there shall be a provision for the recovery of compensation.

This has unattractive features from the point of view of potential data subject citizens where there might have been a breach of their rights. It will also leave the State open to potential claims from people who find that they were unable to enforce their rights, as it is a requirement under European law that, if a person has not been able to recover compensation that should have been provided for under European law as a result of a failure by the State, then, per the Francovich case, they have a right to recover from the State such damages as they would have recovered from the third party. The result is that by not implementing an explicit statement saying that there is a right of compensation, as opposed to a right of action, the State may hold itself open to any of the damages that would otherwise have fallen on private third parties who were breaching the data protection rights. For all those reasons, we recommend that it would be better to see the intent of Article 2 of the regulation and Article 56 of the directive being made explicit by way of an explicit legislative recognition of the right of recovery of compensation for both material and non-material damages.

Dr. McIntyre has dealt with the separate implementation of regulation and directive but I would like to add that the current general scheme of the Data Protection Bill seeks to do three separate things: to largely, but not completely, replace the existing data protection Acts under head 5; to legislate for a small number of matters in the GDPR which have been left to member states such as the Internet age of consent and other matters; and to transpose entirely by way of part 4 of the heads of Bill, Directive 216/680 in respect of national security. We do not think it is a good idea to attempt to do those three things because this legislation must be passed and it is on a deadline. The GDPR comes into force in May of next year and by running the implementation measures in respect of the GDPR together with the complicated matters in transposing a directive and the partial repeal of the data protection Acts, we run the risk from a practical point of view of either legislative gridlock preventing the matter from progressing at the required speed, or of the matter passing without the necessary scrutiny in respect of one area of the Bill because there is such a pressing deadline in respect of other areas. For those reasons, we recommend that it is better to address the transposition of Directive 216/680 by way of a specific legislative instrument separately. This would allow any of the necessary residual elements required from the data protection Acts for that transposition, or as a result of the requirements of the State as a member of the Council of Europe, to be dealt with separately in another issue. This would then allow for the full repeal of the existing data protection Acts which are intended for partial repeal under head 5 and their replacement by the GDPR in Irish law.

We think it would be a good idea if the GDPR is reproduced as either an annexe or appendix verbatim in the final Bill, together with a few domestic legislative variations which are provided for under the regulation. This would provide clarity for users and the courts in the consideration of what is quite a complex area of law – I am sure every lawyer says their pet subject is a complex area of law, but I hope the committee will agree that this one does seem to meet the bar for that description – and it also significantly reduces the chance of any legislative uncertainty as to what provisions are being applied by the court at any given moment. Therefore, the likelihood of challenges to the interpretation by the new Data Protection Commissioner before the courts is reduced. That is a valuable aim in itself. The Data Protection Commission, which is being set up, will be a new body exercising significant new powers, and it is important for building up confidence in that body, but also in respect of the courts' relationship with that body as a place of appeal from its decision making, that exactly the laws it is working under and exactly the powers it is implementing are clearly set out by the Oireachtas in advance of the commencement of the commission, in order to allow the commission to fully exercise its rights without the fear of constant challenge, which we have seen in previous regulatory systems which have been introduced. Particularly where large amounts of financial administrative fines are at stake, there is an incentive for judicial challenge. That is always available for people to take, and if bodies or individuals feel they have not been treated properly by the Data Protection Commission, it is right that they should be able to take the matter to the courts. We are suggesting, however, that in order to make sure that those appeals are minimised, it is best that the law the decisions are taken under is as clear as possible for all users.

I want to deal with a couple of matters that Dr. McIntyre has raised, specifically the exemption carved out to give the Ministers powers to effectively grant an exemption to anybody on any matter they think relevant. I think that is under head 20. This is a matter that has been live before the European courts in recent years. In 2015, the Bara judgment dealt with a data sharing provision by the Romanian Government on foot of legislation which the European Court of Justice said was not acceptable on the basis that it had shared this data between two government agencies and that doing this without the prior knowledge of the data subjects was contrary to the charter of fundamental rights and the data protection directive. This is significant because it means that even when the matters are provided for by legislation, the State does not have a free hand to pass any such legislation that it wants to in order to carve out exceptions from a matter that is underpinned by the charter of fundamental rights. In passing any such exemptions, it must give consideration to the questions of necessity or proportionality.

The heads of the Bill take no account of these limitations on the national member state's executive powers. They deal with a very wide range of stated bases, and a general catch-all unstated basis, on which these powers could be exercised, including such things as maintaining registers for reasons of general public interest. This seems to be a general right to build databases in respect of the population. Whether these provisions, if they were passed into legislation, would pass scrutiny before the European Court of Justice I could not say for sure, but certainly some provisions that are foreseen as being carved out by head 20 would fall foul of the same legal arguments that struck down the Romanian legislative provisions on data sharing. I know the Data Protection Commissioner has issued a guidance note to State agencies on data sharing following the Bara judgment, and the State has received guidance from its legal advisers in respect of the desirability of passing such data-sharing exemptions from the data protection directive by way of primary legislation. It is important that if the State is to provide for certain matters to be dealt with, and if primary legislation is required in order to ground an exemption from the data protection directive on a lawful basis, which is provided for in the directive, it should not provide for non-primary legislative means.

It seems like a recipe for challenge and, in all likelihood, a recipe for the Data Protection Commissioner to have to deal with a repeated number of complaints and challenges to actions of the State. There have been recent examples in respect of the primary online database where certain databases were rolled out with very long or indefinite retention periods, involving holding the data of five-year-olds indefinitely, and those matters have had to be rolled back following the engagement with the Data Protection Commissioner as to what was and was not appropriate under European law. I do not think we should allow for an unqualified right of a Minister to provide for exemptions from European law at the stroke of a pen by way of a statutory instrument, regardless of whether that is attractive to the Executive as a method of providing for regulatory activity. It should be the case that we go by way of primary legislation if there is to be a reliance upon the lawful basis exemptions from the data protection directive. That is all I wanted to say on that matter.
