Thomas Pringle (Donegal, Independent) | Oireachtas source

Privacy is sacred. It is a person's fundamental right to enjoy privacy.

The extent of that enjoyment depends on the level of protection afforded to the individual's personal data to prevent exploitation or their misuse by the State, non-governmental organisations or the private sector.

We are at an impasse as the digital revolution unfolds. Privacy is becoming more and more relevant as exchanges of personal data are carried out more and more online. However, at this rate, we are doomed to play catch-up. For the Legislature, this means doing all that is within its power to prevent the misuse of information and protect individuals from the harm such exploitation can cause, especially when it comes to interactions online. Not only do we need to catch up with the lawlessness and illegal activity carried out in large swathes of the Internet, we also need to protect people's personal data from commercial exploitation. Recent and ongoing developments related to Cambridge Analytica and Facebook harvesting, micro-targeting and manipulating personal information are examples of how we need to play catch-up. Hundreds of millions of people throughout the world have had their data misused. I reckon the figure is far higher than we are aware. What is more alarming is not only were personal data used without consent to maximise profits but they were used to undermine and manipulate democratic systems through third party interference. We saw this unfold in President Trump's election and the Brexit referendum.

My concerns lie with the forthcoming referendum on the eighth amendment, for which the Bill has come far too late. Already those in the online community are seeing the effects of this lawlessness. People have noted fake Facebook profiles, online quizzes and polls disguised as representing one side but revealed to be from the opposite side. This has left their online profiles vulnerable to harvesting, micro-targeting and manipulation for the sake of political and private sector profit. The current lack of transparency enables external third parties to use social media to sway opinion. Some have already called the eighth amendment referendum a post-truth campaign as Facebook algorithms continue to allow highly emotive content to gain prominence. Facebook still allows other countries to target specific groups of voters in Ireland by buying advertisements. Many throughout the world will be watching closely to see to what extent data will be harnessed for political purposes.

We have, rightly, been focusing much of our attention on Russia and cyberwarfare, but the bigger question will be how democracies can protect themselves against interference by foreign interests on all sides and, more importantly, how people's data can be protected from such exploitation. Placing the onus on companies to self-regulate is futile. Efforts to date carried out by large online conglomerates such as Facebook and Google have proved futile. Thus far, we have seen a lack of will on the part of private sector conglomerates to do much to tackle political influence and misinformation. As a consequence, it has been left to us to address the issue. The only way for us to address it is to get the provisions in this Bill right.

I echo the concerns raised in the Seanad about the need to amend section 45 to prevent the likes of Cambridge Analytica and other political consultancy firms from exploiting the loophole in place. The Bill, as it stands, will do nothing to prevent companies such as Cambridge Analytica from being hired by candidates or political parties and giving them permission to harvest and process personal data for the purposes of political interests. I understand the Minister made some amendments to limit the impact of section 45 on other European countries, but he failed to address the remaining loophole. I commend Senator Alice-Mary Higgins for proposing amendments to explicitly prohibit private or commercial firms from processing data on behalf of previously mentioned categories or without explicit consent from data subjects. The amendments would not prevent polling or focus groups as they operate with the explicit consent of an individual, but they would effectively prohibit data mining and targeting firms such as Cambridge Analytica from interfering with an electoral or referendum process.

While I support endeavours to protect personal data across the board, I have concerns about the practical implementation of the general data protection regulation system in the context of public representation. The offices of Deputies lack resources and especially time to review the entirety of our databases and ensure all unnecessary data are deleted. I suggest we look at more modern ways to process, save and store data to help to facilitate the GDPR process. For example, the provision of timely reminders when data must be deleted after two years could help.

One cornerstone of democracy is the ability to access a public representative. Other Deputies and I go to great lengths to facilitate it as best we can. I operate as a public representative in County Donegal. There could be up to 100 miles between my constituency office and Malin Head, for example, from where someone could be contacting me. I would only be able to help such an individual by obtaining verbal consent over the telephone as opposed to written consent. I deal with individuals who have literacy problems or who are not computer literate and do not use emails. The law needs to be clearer on how we can deal with vulnerable adults in our constituencies as public representatives. I understand verbal consent is accepted, but it is not considered to be best practice when it comes to protecting ourselves and our constituents from data breaches. This automatically puts Deputies at a disadvantage because often verbal consent is all we have as we deal with time-sensitive issues or people in crisis. That is why they come to us. Often, they have nowhere else to turn. To start with, that constituents access Deputies for a plethora of reasons is a symptom of a dysfunctional system. Oftentimes people are intimidated or do not understand the workings of the social welfare and health systems. They do not believe the process is transparent enough to trust it. Whether we believe it or otherwise, people trust politicians to navigate through these bureaucratic behemoths on their behalf and hold the Government and Departments to account. Therefore, Deputies deal with a large amount of personal data and we should be held to account in protecting them as they pass through our hands. However, any effort to enforce greater protection of personal data should not inadvertently place barriers for constituents in accessing democratically elected public representatives. I hope, therefore, that there will be clarification of the implications of the Bill for public representation as it progresses.

I understand the Minister for Justice and Equality, Deputy Charles Flanagan, introduced an amendment to section 139 on Report Stage in the Seanad to allow fines on public bodies, with an upper limit of €1 million. If the Government had concerns initially about implementing the GDPR within Government bodies, perhaps it might understand the difficulties to be faced when the GDPR is rolled out in May. I hope that in the latter Stages of the Bill we will be able collectively to look at ways to improve the rolling out of the GDPR in the context of our constituency offices in a way that will not place an unnecessary burden on them, our staff and constituents.

Ireland has a terrible record in holding the private sector to account for white collar crime. We do not bother collecting the tax that is rightly ours. We allow multinationals to avoid paying tax entirely. If we are serious about protecting the right to privacy, we must ensure compliance is monitored and that enforcement will be carried out. Too often legislation passes through this House with grand gestures but with few resources to ensure its effective application. Does the Government intend to increase the resources allocated to the Office of the Director of Corporate Enforcement to ensure compliance in the private sector with the GDPR? Will the Standards in Public Office Commission be provided with the necessary clarification of its remit and awarded the necessary resources to oversee compliance in government and Departments?

See this speech in context