Mr. Simon McGarr:

I thank the Chair and the members of the committee for their kind invitation to speak on this proposed legislation. I do not intend to presume on the members' time by doing a line-by-line reading of the proposed heads of Bill. However, I think it is worthwhile addressing some specifics by way of illustration of what I think is a common error of approach throughout.

To start, we should recognise that this Bill represents a proposal for a change in how the State addresses the rights of adopted people. As recently as 2001, the Irish State was proposing to create criminal penalties as part of access to adoption records, should the records be used in a way the State did not approve of.

The intent in this latest effort to bring the State in line with international human and fundamental rights is described as recognising the importance of a person knowing her or his origins and to achieve this through the provision of access to certain data related to them. In itself this is a welcome, if belated, change in approach and aims.

If I am to be of service to the committee, it is likely to be in examining the proposed heads of Bill through the lens of the rights acknowledged under EU law by the general data protection regulation. Therefore, while again acknowledging the improvements of intention and policy this legislation represents, I am afraid I will attempt to make the most of our time by focusing on areas where I think further improvements are still needed to bring it in line with EU law. I will also discuss some of the legal consequences of passing national legislation which is at odds with the GDPR and the administrative risks and consequences that will inevitably bring.

The first point to make is that this Bill seeks, in part, to legislate for a legal right which is already in existence. Head 2 goes to great length to attempt to define the documents and data to which it intends to provide access in the rest of the legislation: birth certificate, birth relative information, care information, early life information, and medical information.

Of course, all of this is simply covered by the definition of personal data set out in Article 4 of the GDPR, as subsequently defined, widely and most helpfully, by the Court of Justice of the European Union, CJEU, in the Breyer case. If personal data means "any information relating to an identified or identifiable natural person (‘data subject’)", as it is defined in Article 4.1 of the GDPR, then each of those defined categories of data or records is simply a subset of the general set of all personal data relating to an adopted person. If a relevant body holds records or personal data relating to a person, and that person makes a request for that data, there is no gap in the current law that is required to be filled. The GDPR requires that request is granted within a month, as matters stand now. Failures to comply with the law are failures of administration, not failures of legislation. Thus, head 12 of the proposed Bill’s attempt to legislate away the right of access to birth certificate data of an adopted person is simply not legal under the GDPR. It would inscribe into national law a restriction on the Article 15 GDPR right of access to personal data, without demonstrating in law any necessity or proportionality for that restriction.

This also goes for the requirement to attend a meeting before a person’s data will be provided, as described in the heads of the Bill. In the case of Gebhard, the CJEU set out the test for any national law which sought to interfere with a fundamental right or freedom of EU law. The court stated:

... national measures liable to hinder or make less attractive the exercise of fundamental freedoms guaranteed by the Treaty must fulfil four conditions: they must be applied in a non-discriminatory manner; they must be justified by imperative requirements in the general interest; they must be suitable for securing the attainment of the objective which they pursue; and they must not go beyond what is necessary in order to attain it ...

There is a long line of case law that has grown up around this concept of necessity and proportionality. There is no legislative provision setting out what the purpose of this restriction would be, as it is acknowledged that the record will be granted in all cases. It appears to be conflating the process of accessing personal data with the process of initiating potential contact with a birth parent. It would therefore fail on the requirements of necessity and proportionality.

For the same reason, the attempt in heads 5 and 6 to create a list of elements of personal data to which a person would have a right of access is a dead letter, as the general right to all their personal data set out in Article 15 of the GDPR precedes and supersedes it. Similarly, the restriction in head 7 on the requirement for the provision of birth information to specified relevant bodies is also non-compliant with the State’s duties under Article 15 of the GDPR. It cannot restrict where data is to be requested from. Any entity, including any State entity, must provide any personal data it holds to a requester on receipt of an Article 15 subject access request. The same objection holds for heads 8 and 9. It also holds for head 10, but with the additional issue that head 10 seeks to also refuse to provide information directly to the requester, but instead provide it to a medical practitioner. This is an additional layer of illegality, in that there is no basis for this interference in the right of access provided for in the statute. Therefore, it fails the necessity and proportionality test outright by itself. The final, most extreme example of an attempt to try to legislate away the individual’s GDPR rights can be found in head 40, which grossly misapplies Article 23.1(i) to try to set this Irish national law above the EU rights of access derived from the Charter of Fundamental Rights and the GDPR.

I thank the committee for its time. I have delivered my speech in what I consider to be record time. I apologise that I do not have more to say initially but that means there will be more time for questions, which might be useful in itself.