Clare Daly (Dublin Fingal, Independent) | Oireachtas source

I will try to be as brief as possible. There are groupings and mini-groupings. I am open to supporting the Sinn Féin opposition to the section in its entirety.

We are trying to go for a middle road or whatever. At the moment, the Bill proposes that the processing of personal data shall be lawful if it is necessary and proportionate and for it to be done by or on behalf of a controller in order to administer any non-statutory scheme once the legal basis for the administration of that scheme is a function conferred by law on the controller who wants to do the processing. To break that down, it means that because the processing can be done on behalf of a controller - let us call him or her controller A - as long as he or she has a function conferred in law then somebody else - let us call him or her processor B - can process data on his or her behalf without any of the restrictions in the GDPR. It is a significant issue.

Fáilte Ireland, for example, has a statutory function. It could come up with an online marketing campaign for the Wild Atlantic Way to collect emails, place banner and target ads on social media and so on. The marketing company concerned would be administering a non-statutory scheme on behalf of Fáilte Ireland in its statutory function. This is giving such a marketing scheme a wide exemption from consent and the other obligations in data protection which the GDPR is about. Not only is it far too wide and includes large numbers of organisations, it is also unfair on a marketing company which is not working for the statutory organisation which has to comply with onerous data protection guidelines, as appropriate, given its importance. This is an important issue.

Amendment No. 46 is about trying to limit the circumstances in which the exemptions the Government wants to provide under this section can apply. We think it is clear that the GDPR envisages that in circumstances where point E of the regulation applies, which determines more precisely the specific requirements for processing and other measures to ensure lawful and fair processing is being relied on, member states will adopt the rules of the GDPR via specific and precise requirements which cover processing where this data is being relied upon. The exemption is wide and vague. There is no guarantee that any Minister would pass regulations specifying any rules or limitations and so on. If the Government wants to give very broad powers to State and non-State bodies for them to not have to abide by the data protection rules that everybody else has to abide by, which is what we are discussing, then the Government has to set out the limits of those powers. It cannot be left to the vagueness of section 37. At an absolute minimum, therefore, a requirement for Ministers to set out more precisely the ways and means by which personal data can be processed under the public interest official authority exemptions is reasonable.

Amendment No. 47 is like amendment No. 43, in that it asks that the Minister would seek the advice of the commission before drawing up regulations. Again, that is not a significant burden and is in line with the amendments passed earlier.

Amendment No. 48 in this group states that regulations created under section 37 must specify a few things as the Bill stands. Section 37 deals with regulations to allow statutory and, in some instances, non-statutory bodies to be exempt from the rules of GDPR in processing personal data. This is not insignificant. We propose to add a number of things to the list of regulations in the section which the section has to specify. They include how long the data can be kept, what it can be used for and the kinds of processing operations and procedures they can undergo. The additional things we have specified are taken from Article 6 and Recital 45 of the GDPR, which is why we chose them. We feel that is important and in line with the GDPR.

As Deputy Wallace said, the wording for amendment No. 49 has been lifted straight from section 48 which deals with the special categories of data, that is, the most sensitive, and given that fact the protections under this section should be in line with that because section 37 is too vague as it stands.