Oireachtas Joint and Select Committees

Thursday, 3 May 2018

Select Committee on Justice and Equality

Data Protection Bill 2018: Committee Stage (Resumed)

2:00 pm

Charles Flanagan (Laois, Fine Gael)

I have a problem with the clarity of the issue. As I mentioned in the Seanad when dealing with a similar amendment, I am unable to accept an amendment which would insert a new subsection (9) in section 84.

Under section 84 there is already an obligation on a controller to inform a data subject where there is a high risk to the data subject's rights and freedom arising from a breach. In such a case, the controller, in clear and plain language, must notify the data subjects of the nature of the breach, its likely consequences and a description of the measures taken or proposed to be taken to mitigate its possible adverse effects. The proposed amendment refers to a data breach which affects a data subject. It is far from clear what it is intended to mean. Under the GDPR and the law enforcement directive, the thresholds for informing the Data Protection Commissioner of a data breach and informing the data subject whose data protection rights have been breached are defined in terms of risks for the data subject arising from the breach.

If a data breach involves a high risk for the data subject, then the data subject must be given all relevant information and may require further information. I should add that acceptance of the amendment would also create a confusing and perhaps even undesirable divergence between the reporting thresholds in the section and the corresponding provision in the GDPR. I know where Deputy O'Callaghan is coming from, but I am somewhat concerned that we would be making matters less certain. For those reasons, I am not minded to accept the amendment. Perhaps the Deputy would like to think about it further.
