Dáil debates

Tuesday, 17 April 2018

Data Protection Bill 2017 [Seanad]: Second Stage


7:05 pm

Charles Flanagan (Laois, Fine Gael)

I move: "That the Bill be now read a Second Time."

I am very pleased to have the opportunity to commence Second Stage of the Data Protection Bill 2018 in this House. I look forward to hearing the contributions of Members and obtaining the broad support of the House for the contents of this most important legislation.

I draw the attention of the House to the fact that the Bill was amended during its passage through Seanad Éireann. A number of new provisions have been added to it and I will draw attention to them in due course. The explanatory memorandum, which accompanies the Bill, has been updated to reflect the amendments from the Seanad. The primary purpose of the Bill is to give further effect to the general data protection regulation, GDPR, to transpose the accompanying law enforcement directive into national law and to establish the data protection commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the directive must be transposed into national law by then. I am hopeful that with the support of the House, this Bill will be signed into law and enter into force in May next, alongside the GDPR. I am confident that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age. The updated data protection rules entering into force next month will affect all of us in one way or another. It will affect each of us as individuals, because it will increase our control over the manner in which, and the purposes for which, our personal data are used.

It will affect businesses, whether large, medium or small, because it will require them to review and update the manner in which they collect, use or store the personal data of their customers and clients or any other individual whose personal data they retain. The same applies to Departments and all public bodies.

The simple fact is that data protection law has not kept pace with the many technological advances and new business models such as social media and cloud computing that have emerged in recent years. Our current law, based on the European Union’s 1995 data protection directive, predates mass Internet usage, hand-held devices, apps and games, social networking and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR. However, GDPR rules will strengthen our control over our own personal data and the purposes for which it may be used. Increased transparency is essential for increased control. In the future, information must be provided for users in a concise, transparent, intelligible and easily accessible format, using clear and plain language. It will no longer be acceptable for service providers to direct users to opaque terms and conditions written in legal jargon. The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase but will do so in a measured and proportionate manner. The compliance burden will increase for some but it will be proportionate to risks for the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. This will inevitably pose a greater challenge for those bodies, whether in the public or private sectors, that specialise in data processing and for those handling, for example, customers’ financial data or patients' sensitive health data.

While large companies have been gearing up for entry into force of the GDPR for some time, it is likely that the SME sector and micro enterprises will continue to require assistance and support during the coming period of adjustment. Awareness-raising activities have been under way for the last year and a half involving conferences, seminars and workshops and those activities will continue. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner’s web page, gdprandyou.ie, which contains a wealth of useful information and practical guidance for both business and individuals.

High data protection standards are not anti-business and will not reduce competitiveness. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the European Union. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government’s online services. Public and private enforcement of data protection law is set to increase. In future the data protection commission will have stronger supervision and enforcement powers as well as a broader range of sanctions at its disposal, including the imposition of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase, resulting in higher levels of private enforcement activity.

The Government is committed to achieving the full potential of the digital economy and its capacity to promote innovation, create jobs and boost economic activity in the State. We already host many of the world’s leading digital companies here and they provide their services well beyond our shores. That number will increase in the future. The GDPR together with this legislation will ensure that the data processing involved in the provision of these services will meet the highest data protection standard. The establishment of the data protection commission will ensure effective supervision and enforcement of these high standards.

Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the European Union on 25 May next. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, also requires transposition by May of this year. Both the GDPR and the directive have a legal basis in article 16 of the Treaty on the Functioning of the European Union and they provide for significant enhancements to current data protection rules based on the 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations. The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the European Union, thereby providing a level playing field for all those doing business in the EU digital market. The European data protection board, a new entity that will replace the current advisory committee and is made up of representatives of the data protection authorities of all member states, will play an important role in that respect.

At the heart of both the GDPR and the directive is a risk based approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure and to be able to demonstrate that their processing of personal data complies with the new data protection standards. I remind the House that the terms "controller" and "processor" are not esoteric concepts. Those of us involved, for example, in the handling of constituents' requests and representations are data controllers and any operator of an off-site storage facility for files containing personal data is a processor. I will return to the point about the work of elected members later in my remarks. For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the data protection commission will be mandatory. The GDPR and the directive both place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards and the need for appropriate security standards in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.

The GDPR and the directive also impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a data protection officer with responsibility to oversee data processing operations and to report data breaches to the data protection authority. The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called legitimate interest ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity. Both the GDPR and the directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of member states, including the future data protection commission. The GDPR provides for the possible imposition of substantial administrative fines of €10 million or €20 million or 2% or 4% of total worldwide annual turnover in the preceding financial year. I will return to the fines issue shortly. The liability of controllers and processors will also be broadened to include non-material damage such as distress. In future an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.

The key purposes of the Bill are to give further effect to the GDPR in the areas in which member state flexibility is permitted; to transpose the directive into national law; to establish the data protection commission as the State’s data protection authority with the means to supervise and enforce the enhanced protection standards enshrined in the GDPR and directive in an efficient and effective manner; and to enact consequential amendments to various Acts that contain cross-references to the Data Protection Acts 1988 and 2003. The Data Protection Bill 2018, which is both lengthy and complex in nature, comprises numerous parts. Part 1, sections 1 to 8, inclusive, contains a number of standard provisions, including citation, commencement and definitions. Part 2, sections 9 to 27, inclusive, establishes a data protection commission to replace the Data Protection Commissioner as the State’s data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the directive. Part 3, sections 28 to 58, inclusive, gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the regulation gives member states a margin of flexibility.

In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations.

Part 4, comprising sections 56 to 65, inclusive, contains a number of provisions that are consequential on replacement of the Office of the Data Protection Commissioner with the data protection commission. Part 5 transposes the provisions of the law enforcement directive into national law. Part 6 contains provisions dealing with the enforcement of the obligations and rights set out in the GDPR and the directive by the data protection commission. Part 7 contains a number of miscellaneous provisions, mainly concerning the application of data protection rules to the courts and a number of related legal matters. Part 8 contains a limited number of consequential amendments to a number of Acts. I intend to table a substantial amendment to Part 8 on Committee Stage to incorporate the necessary adjustments to a large number of Acts of the Oireachtas that contain cross-references to the Data Protection Act 1988.

As regards substance, the updated explanatory memorandum that accompanies the Bill contains much detail. For that reason, I do not intend to delve into the provisions of the Bill in great detail. However, I want to take this opportunity to highlight a number of issues and to refer to Part 5, which transposes the law enforcement directive into national law.

Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003. While article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant Court of Justice case law by the Office of the Attorney General has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State. While national security and defence lie outside the scope of EU law, the Council of Europe's 1981 data protection convention - Convention 108 - contains provisions that apply to data processing for these purposes.

The GDPR contains a consistency mechanism, or so-called "one-stop-shop", which is intended to streamline the handling of data protection infringements and complaints across the European Union. For this purpose, it employs the concept of a lead supervisory authority of a member state. This means that complaints will be investigated by the data protection authority of that member state, irrespective of the member state of origin of the complaint. Before arriving at a final decision in cross-border cases, the lead authority must submit a draft decision to other data protection authorities that have an interest in the case and must have regard to any objections received from them. In order to underline and further enhance the independence of the commission as required by the GDPR and by Court of Justice case law, the commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 165.

I would like to move on to the child-related provisions of the Bill. Article 8 specifies a "digital age of consent" of 16 years but allows member states to lower it, but not below 13. In late 2016, my Department launched a consultation process and invited submissions from interested parties on the digital age of consent to apply in this jurisdiction under article 8. The Government Data Forum, which brings together legal and data protection experts, business representatives, sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents recommended that the digital age of consent should be set at 13 years and the Government approved such an age limit in June of last year. When the Special Rapporteur on Child Protection, Dr. Geoffrey Shannon, appeared before the Joint Committee on Justice and Equality during the pre-legislative phase of this process, he also recommended that the digital age of consent should be set at 13 years. This is the background to the Government's decision to specify 13 years as the digital age of consent in section 30 of the Bill before the House.

Arising from the sincere and strongly-held concerns that were expressed during its discussions on this matter, the Seanad accepted my proposal for a review clause. This clause, which is provided for in section 30(3) of the Bill, means that the operation of this provision must be reviewed not later than three years after its coming into operation. I want to refer to article 6.1(f) and to article 12, which imposes high standards of transparency on controllers. Article 17 relates to the right to erasure. Article 40 makes general provision for codes of conduct. Article 57 requires data protection authorities to promote public awareness and understanding. Arising from the discussion in the Seanad, I proposed the inclusion of section 31 of the Bill as it now stands. Another new section, section 32, makes specific provision for an enhanced right to be forgotten in the case of children. Before I conclude what I have to say on the protection of children, I express my support for the joint committee's recommendation for consultations with children in relation to data protection measures.

Article 57 of the GDPR requires data protection authorities, such as the proposed data protection commission, to promote public awareness and understanding of the risks, rules, safeguards and rights in regard to data processing. Article 23 makes provision for possible restrictions on controller obligations. The need to apply restrictions will arise from time to time. Section 57 of the Bill provides for proportionate restrictions in order to safeguard a range of important objectives of general public interest - for example, to avoid obstruction of any official or legal inquiry, investigation or process.

I have referred to article 57 of the GDPR. Article 83 provides for the imposition of administrative fines for infringements. To ensure fair and equitable trading conditions, section 139 of the Bill provides that administrative fines may be imposed on public bodies that are acting as "undertakings" by providing goods or services for gain in competition with private bodies. This will ensure fair competition. In Chapter 2, section 68 contains provisions outlining the general principles of data protection. Chapter 3 outlines the obligations on controllers when acting within the scope of Part 5. Chapter 4 specifies the data protection rights of individuals, including rights in respect of automated decision-making in sections 87 to 90, inclusive. Part 6 of the Bill contains detailed provisions relating to the supervision and enforcement of the GDPR and the data protection standards set out in Part 5.

I want to mention the important report that was drawn up on foot of the pre-legislative process. I thank the committee and other stakeholders for their work in that regard. Before I conclude, I need to mention a specific amendment that I intend to introduce on Committee Stage. Deputies will be aware that concerns have been raised that the GDPR and the Bill before the House may have an adverse impact on the ability of elected representatives, including Members of this House, to make representations on behalf of their constituents and carry out other aspects of their work as elected representatives. I intend to bring forward a Committee Stage amendment to ensure there is an appropriate legal basis for, inter alia, the processing of personal data for the purposes of dealing with constituents' representations and requests from members of the public, interest groups and stakeholders, which is the essence of our work as public representatives. This amendment is being finalised at present. I intend to circulate it at the earliest opportunity and obviously in advance of Committee Stage.

As I mentioned, this is a complex and lengthy Bill. I acknowledge the positive and constructive engagement on it that took place in the Seanad. That it is lengthy or complex, or both, should not blind us to the central purpose of the Bill, which is to promote and facilitate the exercise of our right as individuals to the protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that "everyone has the right to the protection of personal data concerning him or her". The GDPR and this Bill seek to make that a reality. In acknowledging the constructive debate in Seanad Éireann, and in showing that I am open to engaging in debate, I hope to set the scene for a similar type of engagement here. Many of the parties represented in this House were successful in working to ensure the legislation I am introducing is fit for purpose. I hope we can advance it on Second Stage in the next couple of days before moving on to Committee and Report Stages with a view to having it enacted well in advance of the due date of 25 May next.
