Oireachtas Joint and Select Committees

Wednesday, 2 May 2018

Select Committee on Justice and Equality

Data Protection Bill 2018: Committee Stage

9:00 am

Charles Flanagan (Laois, Fine Gael)

I will not accept the amendments. The retention of section 37 is not only desirable but it is, to my mind, essential. I thank Deputy O'Callaghan for his support in that regard. This is an area which was the subject matter of some debate in the Seanad.

For the same reasons as then, I am not in a position to accept the amendments now. The purpose of section 37 is to underpin data processing carried out under Article 6.1. Article 6.3 provides that the basis for the processing referred to in Article 6.1 should be laid down either in EU law or national law and, in the case of paragraph (e), shall be necessary for the performance of the task carried out in the public interest or in the exercise of official authority that may from time to time be vested in the controller.

Unlike in some member states, Acts of the Oireachtas that confer functions on public authorities and bodies do not normally provide specifically for the processing of personal data for the purposes of the discharge of their statutory functions. This is implicit. To ensure legal certainty following the entry into force of the GDPR, section 37(1)(a) provides that the processing of personal data shall be lawful to the extent that such processing is necessary for the performance of a function conferred by an enactment or the Constitution. I am back to what we said earlier, about ensuring that the practical outcome of this legislation will not give rise to serious issues from a workability point of view. What this means here is a statutory function must be conferred on the controller and that the processing shall be lawful to the extent that the processing is necessary and proportionate for the performance of that function.

Section 37(1)(b) deals with data processing that arises where non-statutory schemes, programmes or funds are administered by controllers for the performance of a function conferred by an enactment. Let me give a couple of examples. Let us take the Department of Employment Affairs and Social Protection, which operates on a non-statutory basis on an ongoing basis, for example, the free fuel scheme, the free travel scheme, the back to school clothing and footwear allowance, and the school meal programme. All of these schemes necessitate the processing of personal data. This processing is compliant with the GDPR because Recital 41 states that where the GDPR refers to a legal basis or a legislative measure, this does not necessarily require an Act of Parliament each time.

The practical day-to-day reality of this is such that these schemes and other similar non-statutory measures, such as we had recently with the payment that was made by the State to victims of flooding and, even more recently with the fodder shortage, are all beneficial. In many respects they are a response of the State to a certain set of circumstances that often require an urgent response. I would not like to have a body of law or a legal framework where some of these schemes are jeopardised or called into question because of legal uncertainty in respect of data processing, because their continued operation is very much in the public interest.

Subsection (4) allows for the making of regulations to specify the processing of personal data. It is necessary for the performance of a task to be carried out in the public interest by a controller and it is necessary in the exercise of official authority. The need for specification arises here because, as recognised in Recital 45 of the GDPR, it is a matter for national law whether the controller is performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another legal person subject to private rather than public law. The recital recognises that private entities may perform a task in the public interest or in the exercise of official authority, and the purpose of subsection (4) is to ensure transparency as well as legal certainty in such cases. Subsection (5) specifies the conditions.

I am conscious of the time and I am also conscious of the fact we really did go through this in the Seanad in some detail, but it seems the amendments tabled by Deputies Wallace and Daly may well be based on a misunderstanding, because the regulations referred to in subsections (4) and (5) will not create a lawful basis for processing. That already exists elsewhere. Rather, for reasons of transparency and legal certainty, they specify processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The proposal in amendment No. 48, to add paragraphs (c) to (f), inclusive, to subsection 5, in many respects cuts across Article 5 of the GDPR and is not, therefore, GDPR compliant. Article 5 principles are directly applicable in all cases without the need for any particular specification of this type. The purpose of the provisions in subsections (2), (3) and (6) is to permit the making of regulations to facilitate the continued operation of the common travel area. Under SI 220 of 30 March 2016, for example, air and sea carriers are already permitted to process personal data for the purpose of the preservation of the common travel area. These subsections will permit the making of new regulations to replace those regulations in due course, but this is even more important in the context of the withdrawal of the UK from the European Union. In short, the retention of section 37 is essential to ensure an element of certainty.
