Charles Flanagan (Laois, Fine Gael) | Oireachtas source

I hope that, having heard my contribution, she will withdraw some of the amendments in this group. I will start with the good news, however. Having regard to the Deputy's contribution and the content of the amendment, I will accept amendment No. 36. However, I am not in a position to accept the other amendments and I will set out the reasons for my decision.

On section 35, which deals with suitable and specific measures for processing, we are establishing a package or toolbox of suitable and specific measures to be applied in the context of data processing under certain later sections of the Bill. I strongly advise that we read this section in conjunction with sections 43, 45, 46, 47 and 50 because all of these sections make the use of suitable and specific measures mandatory. The choice of which measure from the toolbox is to be used will depend on the individual circumstances of the processing.

While I agree with Deputy Daly that this is important, I stress that the safeguards we are discussing are in addition to, and not a substitute for, the technical and organisational measures under the risk-based approach in Article 24 of the GDPR. These additional measures are justified by the fact that they will apply to special categories of personal data under Article 9. In some cases, encryption of the personal data concerned might be highly desirable but in other cases the appointment of a data protection officer by the controller might in essence be more effective and practical.In this context, I draw attention to section 35(4), which will permit the specification of compulsory safeguards with respect to certain types of data processing.

I cannot accept the amendments proposed by Deputies Daly and Wallace because they would impose a disproportionately heavy or difficult burden on many controllers in circumstances where such burdens would not be necessary. Amendment No. 38, for example, proposes to make all measures in subsection (2) mandatory in all cases. This would impose additional and highly disproportionate obligations on, for example, trade unions handling membership data, schools and voluntary organisations handling health data of pupils or members. In the case of a school, for instance, this could relate to information about allergies to which certain children are susceptible or perhaps religious groups or practices. Such obligations and duties would be onerous and heavy in circumstances where the ordinary running of the organisation or school may not give rise to any type of disproportionate obligation or mandatory work that might be regarded as excessive.

The amendments, in particular, amendment No. 38, would place a high burden on elected representatives making representations on behalf of constituents, especially where issues arise concerning medical treatment. Public representatives deal with such matters daily, for example, in respect of the fair deal scheme, on which we make representations and seek information and services on behalf of constituents. This is part of the routine work we do. It is important to note, in the context of reading this legislation, that this is much more than a theoretical exercise. It imposes real and practical obligations which must be enforceable, including on Oireachtas Members and our colleagues on local authorities. It also extends to clubs, organisations, societies, trade unions, schools and health organisations. While it is important that there is compliance with the legislation and the GDPR as we enter this new era, it is also important that we do not make matters so burdensome and onerous as to become unworkable. This is a difficulty with amendment No. 38.

Amendment No. 37 is largely based on subsection (1) of section 35 but it incorporates provisions from Article 32(1)(b)(c) and (d) of the GDPR, which are already applicable. It is not necessary to go further because this article of the GDPR is clear and is being transposed.

Similarly, amendment No. 43 seeks to impose a heavy procedure in respect of any regulations made under the section. If I understand Deputy Daly correctly, it seeks to impose an obligation on the data protection commission to provide advice in response to every consultation and an obligation on Ministers to inform the relevant Oireachtas committee in cases where the advice is not followed. I remind members of Article 57 of the GDPR, which allows the data protection commission to inform Oireachtas committees directly of any concerns it may have following consultations on proposed amendments. This will enable the relevant committee to monitor any regulations made subsequently. This approach is much more practical and also carries the import of which Deputy Daly spoke.

I do not want a circumstance to arise in which we or bodies across society are faced with a heavy procedure and onerous and burdensome obligations. Section 35, as it stands, establishes an appropriate and balanced package of measures. It sets out a mechanism where specific measures are made mandatory in certain cases. On balance, it is proportionate and deals with circumstances satisfactorily. It is against this background and the need for balance between protection and safeguards, on the one hand, and obligations, on the other, that I am unwilling to accept the amendments, other than amendment No. 36. My amendment No. 44 proposes to delete subsection (7) from the section.