Mr. Dale Sunderland:

I thank the Chair and members for the opportunity to present before the committee and to contribute to its discussions on this proposed legislation. While the proposed Bill gives rise to a broad range of issues from both a policy and legal perspective, I will limit my comments to matters relating to the processing of personal data and the requirements of data protection law.

As a general observation, I would like to emphasise that the obligations on public authorities and bodies processing personal data for law enforcement purposes flow from EU law and, in particular, from the 2016 EU law enforcement directive, which was transposed into Irish law by the Data Protection Act 2018. This Act requires that any legislation enacted concerning the processing of personal data for law enforcement purposes must specify the objectives and purposes of the processing and the personal data to be processed. Legislation must also meet the standards of clarity, precision and foreseeability in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights. In addition, legislation can be in both primary and secondary form to meet those standards.

The Data Protection Commission, DPC, has in recent years conducted a number of investigations into public authorities and their processing of personal data, especially in the context of surveillance technologies deployed. What we found in those investigations was a trend that the legislative underpinning for those bodies and their functions has not been updated to reflect the requirements of the law enforcement directive. In my written statement, which members have, I referenced Article 8 of the law enforcement directive, which I shall not read but which sets out the standard in the European directive in terms of the legislative requirements of processing for law enforcement purposes. In the context of this Bill, it is essential the Department, An Garda Síochána and the Oireachtas carefully consider all elements of the powers of An Garda Síochána that necessitate the processing of personal data and include provision for this processing in the legislation or in the proposed statutory codes of practice. While we identified a number of comments in written submissions that we have made on the Bill, the DPC is not best placed to identify if all the powers that will necessitate the processing of personal data have been included as required.

In the time remaining, I will highlight a few of the observations we made in our written submission. Part 1 provides for regulation-making powers, including statutory codes of practice. They will be very important in assisting An Garda Síochána to uphold the data protection rights of individuals when exercising powers contained within the proposed Bill. They will do that by providing further clarity and granularity on the manner in which those powers should be exercised and how the issues around data protection engage with those powers. We recommend that the codes of practice should, as appropriate, be accompanied by a data protection impact assessment and that the approved codes should be made public in a transparent and an easily accessible manner.

With reference to part 2 of the proposed Bill in respect of the protection of fundamental rights, we welcome the objective of this part of the Bill and note that the protection of fundamental rights will also include those rights enumerated by the EU Charter of Fundamental Rights.