Clare Daly (Dublin Fingal, Independent) | Oireachtas source

The last amendment is listed as being in section 39. It is actually section 38, as the line numbers would indicate. Under the GDPR in general, processing of personal data for purposes other than that for which it was initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were collected in the first place. In other words, if one gives Twitter one's phone number to verify when one is connecting from a different device, it cannot start ringing that person about other stuff. That is straightforward but there is some wriggle room according to Recital 50, on processing for purposes which are incompatible with the basis on which the data were initially collected. That can be allowed in two circumstances. First, where somebody gives consent for that to happen and, second, when the "processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest".

Section 38 tries to give effect to this wriggle room but it goes a little too far because it allows for the processing of both sensitive categories of data, including the serious stuff about political opinions, sexual orientation and so on, and the general personal data, for reasons other than the purposes for which it was collected, in order to prevent a threat to national security, to prevent, investigate or prosecute crimes and for getting legal advice and legal proceedings.

In amendments Nos. 52, 53 and 55, we are proposing that further processing of personal data would be lawful for all of those reasons with the tweak that, rather than it being for preventing crime, we would use the tighter wording of "avoiding prejudicing the prevention" of crime. There is a further small tweak in amendment No. 53, that further processing would be allowed only if "having regard to the fundamental rights and legitimate interests of the data subject". It is necessary and proportionate for various crime and terror-fighting purposes.

The wording for our first amendment is taken from the British wording and our second amendment is a balancing requirement.

In amendment No. 56 we propose that further processing of very sensitive data would be permitted for all of the aforementioned except the prevention for crime. Our reason is that the GDPR does not apply to competent authorities like the Garda. What section 38 asks us to prove is a right for public bodies or companies to collect or compile databases on things like people's political opinions, trade union membership, religious beliefs and so on for the purposes of preventing crime, which is a bit broad.

For example, the Irish Naturalisation and Immigration Service, INIS, has loads of documentation and data about people. Let us say the Garda says there is crime afoot, they think it is linked to an area where there is a higher concentration of immigrants, for example, and want to hoover up all of the data, closed circuit television, CCTV, surveillance and so on that is linked to an immigrant community in a particular area. That is racial profiling. It is very hard to see how information held by private companies or public bodies would be so important to prevent a crime yet outweigh the balance of people's individual rights and so on. That is where my colleague and I are coming from.

On balance, other information about political opinions could be important. Let us say there was an urgent situation to prevent a threat to public security and a bunch of neo-Nazis threatened to set off a bomb in Dublin and the Garda needed to get information from a social media site, such a situation would not be hampered by our amendments. I wish to stress that our amendments do not prevent the reuse of personal data in general, just special category data. Names, phone numbers, addresses, emails and all of that can still be reused for a crime prevention aim. We do not seek to stop that but we want to prevent the more personal and sensitive information being abused.

We think the terminology “avoiding prejudicing the prevention, investigation or prosecution of” is stronger. Again, our amendment is based on the British wording. Anybody can say something is for the prevention of crime. A controversial CCTV scheme is being introduced on that basis even though there is no evidence that extra crime has taken place in that area. If there is an immediate incident of a likelihood of crime, then that is a different situation. I have outlined our motivation for tabling our amendments.