Maurice Quinlivan (Limerick City, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

We have a quorum. All present in the committee room are asked to exercise personal responsibility and protect themselves and others from the risk of contracting Covid-19. Members who wish to participate remotely need to do so from within the Leinster House complex as they are well aware. We have received apologies from Deputy Shanahan.

Our business today is to consider the Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022; Data Protection Act 2018 (Section 60(6)) (Competition and Consumer Protection Commission) Regulations 2022; and Data Protection Act 2018 (Section 60(6)) (Irish Auditing and Accounting Supervisory Authority) Regulations 2022. The regulations if adopted will provide for the restriction of the rights and obligations provided for in the Data Protection Act 2018 where it is necessary and proportionate to safeguard the statutory functions of the Competition and Consumer Protection Commission, CCPC, the Corporate Enforcement Authority, CEA, and the Irish Auditing and Accounting Supervisory Authority, IAASA.

I am pleased we have an opportunity to consider these matters further today with the Minister of State with responsibility for trade, promotion, digital and company regulation, Deputy Calleary. I would also like to welcome from the Department of Enterprise, Trade and Employment Ms Tara Keane, principal officer; and Ms Orla O'Brien, assistant principal.

Before we start I wish to explain some limitations to parliamentary privilege and the practices of the Houses regarding references witnesses may make to another person when giving evidence. The evidence of witnesses physically present or who give evidence from within the parliamentary precincts is protected pursuant to both the Constitution and statute by absolute privilege. Witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name, or in such a way as to make him, her or it identifiable or engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if witnesses' statements are potentially defamatory in respect of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that witnesses comply with any such direction.

The opening statement from the Minister of State has been circulated to members. I invite the Minister of State to make his opening remarks.

Dara Calleary (Mayo, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Chairman and members for facilitating the discussion of the draft statutory instruments today. I know the committee has a busy work programme so members' time is appreciated. I am joined by Ms Tara Keane and Ms Orla O'Brien from my Department and I thank them for their work on this issue.

I understand a briefing note has been circulated so I will begin by setting out further background to the draft instruments for the three bodies. The Competition and Consumer Protection Commission, the Corporate Enforcement Authority and the Irish Auditing and Accounting Supervisory Authority each perform important statutory functions which can lead to a range of enforcement activities. They are a vital part of a robust regulatory framework that is responsive and reflects international best practice to facilitate enterprise and entrepreneurship while also protecting employees, members, creditors and consumers with appropriate safeguards.

All three statutory bodies have the power to take civil court proceedings or adopt administrative measures in certain circumstances to enforce the law in the public interest. In addition, the bodies work closely with each other and other regulatory and enforcement authorities in Ireland and within the EU that have administrative and civil enforcement powers. The Government is committed to ensuring that each body has the requisite legislative powers and resources to exercise their functions effectively. Members of the committee are aware of the establishment of the Corporate Enforcement Authority as a stand-alone statutory body in July this year and the enhanced powers introduced for the Competition and Consumer Protection Commission in the Competition (Amendment) Act 2022. The Irish Auditing and Accounting Supervisory Authority powers were also enhanced most recently in the Companies (Statutory Audits) Act 2018.

When the General Data Protection Regulation was introduced in 2018, it strengthened the rights of individuals in respect of the privacy and fair use of their personal data. It also introduced a balancing provision under Article 23 to ensure that this did not undermine the statutory functions of public bodies. Accordingly, section 60 of the Data Protection Act 2018 provides that the statutory instruments we are considering today may be introduced to protect important objectives of general public interest. Examples of the objectives specified in the Act and included in the draft instruments are avoiding obstructions to any official or legal inquiry; taking any action for the purpose of considering and investigating a complaint made to a regulatory body in respect of persons carrying out a profession or other regulated activity; and preventing, detecting, investigating or prosecuting breaches of the law that are subject to civil or administrative sanctions. What is being prevented by the regulations, therefore, is the potential for data protection rights to be used as a way of undermining these and other essential functions. This could be done by way of a data access request or multiple requests seeking the disclosure and possibly amendment or deletion of information that is part of an active investigation or inquiry that therefore fundamentally undermines the processes under way.

Turning to the content of the draft regulations, each is composed on the same lines of policy and technical approach. They were prepared with the Office of the Parliamentary Counsel and in close consultation with the three bodies. The regulations respect the right to data protection including the interests of the data subject. The data subject's rights are only restricted insofar as is necessary and proportionate to protect the functions of the statutory agencies. First, any restrictions must be considered on a case-by-case basis following an assessment of the relevant circumstances. Second, safeguards are in place obliging the CCPC, the CEA, and IAASA to notify the data subject and provide reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective. Third, the data subject must be informed of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and of the right to lodge a complaint with the Data Protection Commission. The proposed measures also require the bodies to have in place certain policies and procedures relating to safeguards to prevent abuse or unlawful access or transfer of data and purposes of the processing or categories of processing. The measures also require that each body ensures that all information provided in relation to these regulations is provided in a clear, concise and accessible manner.

In accordance with the provisions of the Data Protection Act, my Department consulted with the Data Protection Commission and the Minister for Justice on the draft regulations. Following that consultative process, the Data Protection Commissioner wrote to confirm that the commission has identified no matter which is of significant concern in relation to the proposed regulations. The Minister for Justice has also acknowledged her agreement with the proposed measures.

The legal instruments are balanced and proportionate and there are strong policy reasons for adopting the restrictions sought. There is a reasonable expectation that the absence of restrictions to access to personal data will pose a serious risk to the statutory functions of these high-profile bodies. It is in the public interest that they are able to function effectively and efficiently. For the purposes of their civil and administrative enforcement functions, it appropriate that they be permitted to avail of the section 60 restrictions.

I recommend to the committee that the statutory instruments are necessary and balanced. I thank the Chairman and members of the committee for their time today.

Maurice Quinlivan (Limerick City, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I now invite members to speak. Anybody who is contributing remotely should use the "raise hand" function and, more important, when they are finished speaking, they should take their hand down. As this meeting will be shorter than normal, I am limiting the speaking time to five minutes per member.

Richard Bruton (Dublin Bay North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I take the opportunity to welcome the Minister of State and welcome the statutory instrument. We know how constrained State agencies need to play cat and mouse with well-resourced bodies which can use every opportunity to obstruct them. This is a logical and welcome approach to containing that sort of behaviour. It is reassuring that the Data Protection Commissioner has lodged no objections to it. I thank the Minister of State and his officials for their work on this.

Maurice Quinlivan (Limerick City, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I thank the Minister of State and his officials for attending and I thank members for their input. Is it agreed that we regard the regulations as adequately scrutinised and considered? Agreed.