James Lawless (Kildare North, Fianna Fail) | Oireachtas source

To follow on from Deputy Jim O'Callaghan's comments, I welcome the Data Protection Bill implementing the GDPR. I will reflect on the origins of data protection in general for a moment. Deputy Jim O'Callaghan spoke of the rights of the individual. It is important to note that data protection is not a technological aspect but a human rights issue. Data protection has its origins in the many august institutions founded post the Second World War, including the Universal Declaration of Human Rights and the United Nations Commission on Human Rights, UNCHR, and the European Convention on Human Rights, ECHR, later on. It emanated from concerns about promoting peace and international co-operation and ensuring that the events of the Second World War would never happen again. The state does not need to know someone's religious preferences, sexual orientation or other sensitive information about an individual which could be exploited in horrendous ways or indeed for purposes slightly less malign but with many other malevolent possibilities.

Data protection legislation and theory has advanced from those early fundamental concepts into the Internet age, through the age of the PC and into the age of social media. Indeed, we had the Data Protection Commissioner, Ms Helen Dixon, and representatives from Facebook, before the Oireachtas Joint Committee on Communications, Climate Action and Environment this afternoon talking about the Online Advertising and Social Media (Transparency) Bill 2017. They also spoke about these issues which remain relevant today. I welcome the GDPR and this Bill coming before the House. However, I think the fundamental concepts in the previous legislation, the five or six general principles, were fairly sound. By being principle-based, they were easier to follow and implement because we had things like no more than is necessary, collect for the purpose consented to, and no more than for that purpose, etc. Those broad principles served us well. The GDPR is complex legislation. It has been thought through in detail in Europe and now here. However, it is fair to acknowledge the European Union, in particular as a driver of this, has been the gold standard in data protection and indeed the right to privacy in these areas to date.

Ireland is the home to much of Europe's data. As many multinational corporations are based in Ireland, that means we are the data centre for European operations. That in turn means that essentially most of the world's data that is not in the United States is controlled, managed and regulated out of Dublin. In a sense this is a good thing and a great opportunity as Deputy Jim O'Callaghan said. I refer to foreign direct investment, employment and technological advancement. Being in proximity to that for our students and graduates is a fantastic thing and long may it continue. However, it places strains on our regulatory officers, and the Data Protection Commissioner in particular. In the committee this afternoon I asked her a question I will now put to the Minister and flag it to the House in general. We saw a situation in the United Kingdom where the Information Commissioner's Office had to face the unedifying spectacle of appearing on national television announcing the seeking of a warrant to raid the Cambridge Analytica offices. The warrant was, I think, eventually procured a week later. Generally in matters of criminal investigation or evidence gathering, it is not a great start to give a week's notice to the office about to be raided. It is not the way it is done. I hope the powers and resources are available to the Data Protection Commissioner for the likes of dawn raid scenarios or any other scenarios of enforcement as may arise. If they are not there, it is something we need to look at and incorporate into either this Bill or elsewhere because regulation is only effective with enforcement. We have seen that in a number of sectors to date and this is no different.

On the Bill coming before us, we have heard it is important that fines are included. I am glad that public bodies are no longer exempt. That did not really make sense because the State is one of the largest controllers and processors of information overall. Why should it be exempt? That would seem to give carte blancheto ignore the rules and I am glad that has been addressed in the Seanad. The impact on the small firms sector has been a source of concern. Many are worried about the legislation because they understand it is onerous and complicated. With good faith and the best will, they want to implement it but they are concerned they may not be able to. I hope there is a degree of proportionality in respect of the introduction and early enforcement of that as firms do get up to speed. It is important they be given some degree of understanding and support to get there. Having said that, I think firms should not look at it as an entirely negative issue. It is an opportunity for firms to differentiate themselves and it could become a marketing strategy that a firm was GDPR compliant and the first in its sector to be so. They could turn it from a shield into a sword and become a positive.

If it unfortunate we are debating the legislation in the Dáil for the first time with five weeks to D-Day. It is less than five weeks. I think it is four and a half weeks now. Going back to the SME sector, I am aware of many firms in my constituency, and I am sure around the country, desperately trying to get up to speed and put in place training, regulation and audit regimes. I spoke to some recently and I said we would be amending it; therefore, the fact that the Bill is still a work in progress and small firms are desperately trying to get up to speed is far from ideal. I am not sure why it is only now, with four and half weeks to go, that we are getting to debate it in the Dáil. I know it has been through the Seanad in the past two weeks, but even at that, the debate in the Houses of the Oireachtas started six or seven weeks out from the due date. We knew this was coming for a couple of years. I understand the Minister flagged that there was consultation with the committee and perhaps wider consultation.

However, it seems that in this House we have ended up with two parallel systems. One is where the Government issues Bills which undergo deep and wide consultation, apparently, but much of it is unknown to us in the Houses of the Oireachtas and much of it is done privately behind the scenes in the Departments. The other is where Private Members' Bills are introduced and then the Government criticises them for being introduced too quickly, but there is no other option. We look forward to Committee and Report Stages being the place to thrash them out and indeed the scrutiny phase. On one hand the Government criticises Opposition Deputies for introducing Private Members' Bills and doing so, as it describes it, rapidly, whereas in actual fact it is only the normal process. On the other hand, if the Government delays introduction of a Bill to the Oireachtas until four and a half weeks before it is due to become law at European level, there is a difficultly with that.

There is much more I could say but I will conclude because we are out of time. However, I do want to flag that I will be studying the Bill along with Deputy O'Callaghan and my colleagues and I am sure we will be bringing amendments forward on the next Stage. I look forward to further engagement and discussion on the legislation.

See this speech in context