Dr. Maeve O'Rourke:

I thank Deputy Cairns for her question. Head 40, in our view, is hugely problematic. Apart from the information session provision, it goes to the heart of everything that is wrong with the Bill as proposed. It is entirely unclear how the Bill will interact with the GDPR. The latter protects the right to access one's personal data, including mixed personal data one shares with other people, whether dead or alive. That right is protected under the EU Charter of Fundamental Rights; it could not be more protected. Head 40 is definitely non-compliant with Article 23 of the GDPR, which sets out the requirements for any restrictions on the subject's rights under GDPR. Head 40 provides that the rights and obligations under the GDPR are restricted to the extent necessary to enable, in essence, the effective functioning of the information and tracing scheme provided for in the Bill. This gives, in effect or at least on paper, a carte blanche for the GDPR to be disapplied in respect of adopted people's rights to their information.

The Bill includes an explicit right to request access to personal data held either by Tusla or the Adoption Authority of Ireland. It is unclear whether the Bill will mean that people cannot ask anybody else for copies they hold. For example, the Department of Children, Equality, Disability, Integration and Youth is not currently defined as a relevant body but it is responding to GDPR subject access requests. Will people still be able to make such requests to the Department or any other body that holds adoption records or copies of same? That is not clear.

There are huge restrictions that are not permissible under the GDPR regarding categories of mixed personal data, to which the Deputy alluded. The definition of care information to which people are entitled excludes everything about a parent's or adoptive parent's care review. There is a blanket restriction that is not compatible with all the different requirements of Article 23 of the GDPR. If you want to restrict subject rights, you need to give all the details about what you are restricting, why it is strictly necessary in a democratic society and how you will protect the essence of the right. None of that is there.

The Bill also completely restricts people's access to any identifying information about their siblings, even though that is personal data. Information on whom a person is related to is that person's information as well as being the information of his or her siblings. There are huge issues with how this Bill is going to interact with the existing GDPR rights of adopted people. It also looks like it will not enhance access for mothers and relatives in the context of the rights they currently have under the GDPR. There really needs to be clarity in this regard because the GDPR does not function by magic, particularly in a historical context where there has always been a lot of secrecy. We need to see a data protection impact assessment and the Bill needs to go back to the drawing board in terms of how the GDPR functions alongside it.