Donnchadh Ó Laoghaire (Cork South Central, Sinn Fein) | Oireachtas source

Ba mhaith liom fáilte a chur roimh an Aire. Beimid ag obair leis go pointe áirithe. Tá roinnt amhrais orainn faoi chuid mhaith den Bhille. Déanfaimid iarracht déileáil leis na deacrachtaí sin trí leasuithe a mholadh ar Chéim an Choiste. This is significant, complex and lengthy legislation. From our point of view there are still many concerns. The Bill was improved on several fronts in the Seanad. However, we still have significant concerns in respect of the legislation and if these concerns are not addressed we may not support the Bill at the final vote.

We acknowledge the need to complete this work by 25 May but we have serious reservations relating to ministerial exemptions, potential inconsistencies with the general data protection regulation and several other areas.

As has been outlined, the Bill partially emanates from the general data protection regulation. The European Parliament, the European Council and European Commission have attempted to strengthen and unify data protection for all individuals in the European Union through the regulation. The GDPR is essentially a minimum standard expected of each member state on the threshold and rights afforded to citizens of member states and the data protection of individuals within those states. More important, it supersedes domestic law. We supported the GDPR in the European Parliament. The principles behind it are good. Where we divert from the GDPR is where the Bill runs into trouble. As I have stated, this legislation has direct effect but some elements require legislation. Some elements allow for a margin of appreciation or discretion in how jurisdictions apply the provisions, such as digital age of consent.

The Bill is far longer than it needs to be. Deputy James Lawless made a point in reference to small and medium-sized enterprises and how the Bill could be amended in the context of the challenges they face. However, the reality is that the GDPR will be the GDPR and it will have supremacy. It will be European law and, therefore, it will be Irish law. We should seek to ensure that where there are allowances left to member states, we make decisions on them. Too much of this Bill attempts to adjust, make exceptions to or amend the principles and provisions of the GDPR.

Ireland is not fully in compliance with EU data retention law currently as of the Tele2 Sverige and Watson case. Essentially, we have been in breach of EU law since 2016.

There is a need for the protection of data protection officers from the interference of a data controller who aims to suppress a release of information on the basis that despite its release being in the public interest it is not in the interest of the data controller for a variety of reasons. We can imagine an employer or someone in a public body who may have an interest in the data protection officer not doing his or her job properly. The lack of protections or avenues for addressing these concerns represents an oversight. This flaw was raised in the Seanad. Nevertheless, it is something that can be provided for. The Minister has informed us that the general law covers this, but it would be beneficial and necessary for specific protections and procedures to be explicitly stated and put in place in that context.

The manner of the drafting of this Bill is not ideal or clear. After the passing of the Bill there will be need to consult three Acts, the data protection regulation and any other relevant European instruments in order to be aware of the legal position. It would be far clearer, better and more comprehensible for the provisions of the Data Protection Acts 1998 to 2003 to be consolidated into this Bill and for those Acts to be repealed. Deputy O'Callaghan has identified the potential for significant confusion and litigation. While such a move is no longer feasible at this stage before the coming into force of the GDPR, the Minister should consider consolidating data protection legislation as soon as possible.

One important change made in the Seanad was proposed by my Sinn Féin colleagues. The amendment required transparency and required the Data Protection Commissioner to conduct an impact assessment where the Minister of the day decides to involve public interest to bypass consent. The basis of the amendment was that the ministerial exceptions in this legislation are too broad. That was the reason we put in place the safeguard. We remain concerned but we believe the amendment must be retained as a safeguard.

It is welcome that the Minister has accepted that public bodies should be open to being fined. That is welcome and important. This was a flaw with the original Bill but it is welcome that the Minister has taken the point on board. It is important there is an incentive for compliance, including for public bodies. It is welcome that this has been taken on board. The concern was shared by many.

The Seanad held a comprehensive debate on this Bill. I commend Senators on their work, including my colleague, Senator Niall Ó Donnghaile, and Senator Alice-Mary Higgins, who made a significant contribution across a wide range of amendments. Despite their best efforts I still have misgivings. In general, our concerns relate to the far-reaching exemptions and discretion. We are also concerned that the protection for data protection officers from the interference of a data controller who aims to suppress the release of information is inadequate - I addressed this point earlier.

There is potential for a lack of legislative clarity due to the potential contradictions between this legislation and the GDPR. I am concerned about section 45, which I believe may not be fully in compliance with article 9 of the GDPR. Article 9(1) states: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." The expression "shall be prohibited" is the key phrase. I understand there are exemptions under article 9(2)(g) of the GDPR. However, my party believes that the relevant section in the Bill does not fit the definition of the exemptions outlined in the GDPR. I do not believe, therefore, that the Bill is in compliance with article 9. This is the basis for our significant concerns.

Aside from being contrary to the GDPR, and by extension, European law, the Bill is ambiguous in a number of aspects and there may be several unintended loopholes. This could lead to an infringement of rights in the context of data protection for citizens. Such loopholes would leave us in a situation whereby Ireland could become a target for those who deal in micro-targeting and data harvesting due to inadequate regulation and oversight. My interpretation is that the amendment to section 45 proposed on Report Stage in the Seanad fell short of what was required. It was an improvement but, as I read it, the provision would allow a political party, organisation or data company of whatever kind to come to Ireland with the intention of compiling voter data or data on citizens for the purposes of an election or electoral purposes elsewhere. This would be contrary to article 9. Perhaps the Bill deals to some extent with data collected in this State for use in the State but I do not believe the extraterritorial issues have been adequately dealt with.

The data breach relating to Cambridge Analytica has been discussed at great length. Deputy Jim O'Callaghan articulated well the advantages of modern information technology, as well as the dangers. Even where it is legal, I imagine many would have reservations and misgivings about the scale of data gathering that occurs and the analysis and management of it.

I do not believe the legislation properly manages the prevention of the collection of data of those under the age of 18 years. We should consider a ban on the micro-targeting of those under the age of 18 years, as well as banning their psychometric profiling.

I have concerns about section 36. I do not believe it is in compliance with the general data protection regulation, GDPR. It should be the same as it. As with this and many of the other provisions, the GDPR, when it takes effect, will not only be European law but also Irish law. It is an unusual European instrument in that it will largely have a direct effect, but it does allow some flexibility. I do not know why the Department and the Minister have taken the approach of trying to spell out everything where it is not necessary to do so.

Likewise, while section 38 has been improved by the introduction of the proportionality test, I am concerned that it is not necessarily in compliance with the Bara judgment. As with many provisions in the section, the Department has adopted an approach of providing that something shall be lawful, with some exceptions, whereas the GDPR takes the approach of providing that something "shall be prohibited", with some exceptions. That does matter and it is those differences and forms of language that will be examined by the courts in making decisions in cases in which there may be contradictions.

Inserting section 38 appears to be the way the Department intends to legislate for the public services card. I believe it knows - it has all but admitted it, as have other Departments - that the legal basis for demanding the public services card in exchange for services from the Government is effectively non-existent. The Government is attempting, in what I believe is a cynical way, to shoehorn in this provision. It is a very serious matter. If there is to be a requirement to have a public services card and for the gathering of that kind of data in the management of public services, it should be the focus of a separate debate. This is a general provision which is attempting to provide legislative cover where it was not provided previously without adequate safeguards, at the very least to require people to produce a public services card.

The public interest is referred to as the safeguard for numerous exemptions provided for in the Bill. There are more than 20 exceptions from the GDPR generally where the public interest is referred to, but the public interest is not properly defined or specified in the Bill. It is much more specific in Article 9.2(g) of the GDPR which states the interferences with the public interest should "...respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject". Given that the Minister has taken the approach of trying to put as much as possible into the legislation, which is questionable, it is unusual that some of the less specific points relate to the safeguards which have not made it into the legislation.

I am also concerned that electoral activities under sections 45, 55 and 56 are not properly defined. There is surely potentially ample room for challenge and query and for legal cases to be taken on the basis of a lack of clarity and a contradiction with the GDPR.

Another gap in the Bill is that it does not include the provision in Article 81 that not-for-profit groups can bring actions on behalf of data subjects. The regulation envisages a form of multi-party action akin to a class action, but that is not provided for in the Bill. Our Multi-Party Actions Bill has passed pre-legislative scrutiny stage. I hope it can proceed to Committee Stage at an early date and that the Minister can provide a money message to ensure it can be enacted as soon as possible. It is relevant not only from a data protection point of view but also to a number of other areas.

I referred to electoral activities. Clearly, there is a need for a greater definition and greater clarity as to what is involved. There is certainly the potential for disagreement on what electoral activity involves. The Minister made reference to amendments that he was likely to bring forward on the operations of Deputies in their offices. Their work in their constituency offices regularly involves making representations or inquiries on behalf of constituents. It is unfortunate that people often believe the only way they can get satisfaction with respect to matters concerning public services is to go to a Deputy, whereas, by right, they should be able to seek out and achieve answers on such matters themselves, but that is another matter. I do not believe there is anything in the GDPR that prevents this from happening. I will carefully examine the amendments when they are brought forward as it is a role that needs to be carefully protected. My understanding of the GDPR is that where such representations are likely to be made, it requires full and informed consent and good records to be kept. There is nothing in it that prevents anyone from making representations. I will examine the amendments, but I do not believe the GDPR in any way prevents it from happening. If the Minister believes it does, that should be stated.

I made a point about incentives and fines. Recital 149 of the GDPR allows member states to penalise companies that break data protection law with a clawback of the profits obtained through misbehaviour. That would mean that those acting outside the law, intentionally or otherwise, would be deterred from taking an action that could see them profit financially, even in an illegal way. That is something the Government should consider. It is not something that has been considered up to now. It is one of the areas in which the EU institutions have allowed flexibility. I do not believe the Minister has addressed it thus far in this debate, the debate in the Seanad or elsewhere. It would be a significant deterrent to companies to misbehave. The examples are all around us. We heard at a joint committee this week that the potential for the misuse and exploitation of data was very clear. The Government should consider this. We will bring forward amendments in that regard. If companies are going to exploit, undermine and abuse data and profit from them, why should they, when caught, not be penalised for it through a clawback of their profits? It is eminently logical and sensible and right.

I have a concern about this legislation in the context of Brexit. When the United Kingdom becomes a third country after Brexit, for the purposes of legal certainty in the GDPR, the European Union and its institutions will require an adequacy decision from the United Kingdom. The Government has stated thus far that it is confident that will be achieved and not present difficulties. However, Jan Philipp Albrecht, the European Parliament's rapporteur for the GDPR, has expressed doubts about whether the United Kingdom could obtain adequacy, as he has said there would be fewer safeguards for intelligence services in the United Kingdom than in the United States. That is a matter of enormous seriousness, given the Border, the great concern in this state about Brexit across a wide range of areas and the fact that there are a number of areas in which data may need to be transferred between various authorities in the North and the South with the usual safeguards. However, if the United Kingdom cannot obtain an adequacy statement, that will present very significant problems for this state. Will the Minister provide greater clarity on this issue, on whether there will be an adequacy statement and whether it will be achieved immediately? We need to inquire of the European Parliament's rapporteur to a greater extent why he believes there may be difficulties in that regard. It is extremely serious and an implication of Brexit that has not been properly explored up to now, either here or in London.

We will approach this legislation on the basis of critical engagement. We will support positive amendments. However, we are very concerned about the level of ministerial exceptions, the inconsistencies with the GDPR and the potential for a lack of legal clarity.

See this speech in context