Tommy Broughan (Dublin Bay North, Independent) | Oireachtas source

I am pleased to have the opportunity to contribute briefly to the debate on this important Data Protection Bill which is both lengthy and comprehensive. I commend Senator Alice-Mary Higgins and other colleagues for the work they did to try to improve the Bill which was introduced in Seanad Éireann. The Bill will serve to give effect to EU Regulation 2016/679 and transpose EU Directive No. 2016/680.

While we have known that updated EU-wide data protection regulations have been in the works for the past two years, transposition is coming at an opportune time. Mark Zuckerberg recently appeared for questioning before the United States Congress, while this week Facebook executives appeared before the Joint Committee on Communications, Climate Action and Environment. It is great that we are talking about greatly improving data protection for data subjects - for all citizens - and the value of our data to large multinationals. The recent Facebook scandal involved approximately 87 million Facebook users having their data harvested unbeknownst to them. This has thrown the issue of digital data into the spotlight once again. How Cambridge Analytica was allowed to secretly harvest data from the friends of people who had downloaded the This is Your Digital Life app is shocking, as are allegations that harvested data have been sold and used to manipulate the outcome of election results such as those involving President Trump and Brexit. Recent revelations and allegations about serious data breaches at Independent News & Media are also concerning. I echo the calls of Deputies Micheál Martin and Mary Lou McDonald for legislation in this area and greater support for the Office of the Director of Corporate Enforcement. It beggars belief that 19 individuals, including such distinguished journalists as Brendan O'Connor and Sam Smyth, were targeted to allegedly have their emails and records scraped, taken to the United Kingdom and then interrogated by unknown third parties.

In April 2017 the House was presented with an important report by Mr. Justice John L. Murray on the review of the law on the retention of and access to communications data.

Mr. Justice Murray's report highlights the importance to our democracy and society of the confidentiality of journalistic sources and called for legislation to govern access to retain communications data, including the data of journalists. In his reply, the Minister of State might indicate where within this very detailed Bill, which like my colleague, Deputy Pringle, I have studied carefully, is that issue addressed. The report concludes that such legislation should be consonant with a system of communications data retention and disclosure of safeguards laid down by the European Court of Justice in the Tele2 case. That system should include standards and procedures to be observed by service providers to ensure effective protection and security of retained data against the risk of abuse or unlawful access to or use of the data. Will the Minister confirm all the key recommendations of Mr. Justice Murray's report on data retention, particularly on the protection of journalists, will be implemented in the Bill before us or will we have to return to that on Committee Stage?

I note that a joint class action under the US Stored Communications Act has been launched against Facebook, Cambridge Analytica, SCL Group Limited and Global Science Research Limited by lawyers in the UK and the US. US legislation sets out a minimum $1,000 penalty meaning that damages could be in excess of $87 million, based on the figure Mark Zuckerberg gave to Congress. It seems the majority of the people affected by Cambridge Analytica data breach are in the US - more than 70 million, more than 1 million are in the UK, others are in Australia, India and Canada, and up to 45,000 - those of us who have a page on Facebook - are possibly affected in Ireland.

The Oireachtas joint committee in its prelegislative scrutiny of the Bill recommended that a provision for class actions should be explicitly prescribed in this legislation but the final Bill does not include that. Our always informative Bills digest and our Oireachtas Library and Research Service mentions the Sinn Féin Private Members' Bill on class actions, the Multi-Party Actions Bill 2017, which was referred to the Select Committee on Justice and Equality and it will undergo prelegislative scrutiny. The importance of having such an option for data subjects in Ireland, and many people can be affected, has been clearly evidenced in this matter. I hope that the Multi-Party Actions Bill will be prioritised with the urgency it requires and deserves.

We had the Law Reform Commission Report of 2005 on that matter and it set out a Bill on that issue. I note Deputy Penrose and the Labour Party have produced a similar class action Bill on mass harm. I also supported the important Online Advertising and Social Media (Transparency) Bill 2017 brought forward by the Ceann Comhairle's colleague, Deputy James Lawless, which passed Second Stage. Deputy Lawless's Bill requires online political advertising to fulfil transparency standards and outlaws the use of "bots" to cause misleading online presences directed towards political ends of the type referred to by my colleague, Deputy Pringle.

I agree with the principles of the Bill to give effect to the GDPR, the establishment of the data protection commission with up to three data protection commissioners and the significant administrative fines for private companies. Section 8 of Part 1 provides for certain parts of the Data Protection Act 1988 relating to defence and national security to remain governed by our national legislation. That is an area that might also be explored again in amendments to this Bill. Part 2 of the Bill provides for the changes to the data protection commission and I welcome confirmation that preparation had already been under way to get ready for an increased workload with the increase of staff resources to around 120, up from only 30 in 2013, and with a budget of €11.7 million in 2018. I note, however, that there are no plans to appoint additional commissioners. Like other agencies with which we would be familiar, we should fill the three commissioner posts.

I note some of the comments made by the Minister for Justice and Equality in his opening speech yesterday, including the need for further assistance to small and medium enterprises and the risk-based approach to be taken to data protection. It makes sense that each controller and processor of data will analyse their collection, collation and use of data, assess the risks associated with being responsible for other people's data and then put the appropriate measures in place to comply with the new and improved data protection standards.

Section 29 confirms the definition of a child to mean anyone under the age of 18 years. Section 30(1) specifies the digital age of consent to be 13 years of age. Article 8 of the general data protection regulation, GDPR, allows member states to set the digital age themselves as long as it is between 13 years and 16 years. That provision gave rise to considerable discussion during the debate on the Bill in the Seanad and in the media. I believe a digital age of 16 years would have been more appropriate. I note that leading children’s groups such as the Children’s Rights Alliance and the Irish Society for the Prevention of Cruelty to Children recommended that the digital age of consent be set in line with most of Europe at 13 years. However, given the amount of data which we know are being unscrupulously harvested by social media companies, 13 seems very young for these companies to start taking, manipulating and using their data without consultation with their parents or guardians. I welcome the amendment of section 30 for the review of the digital age of consent within three years, which the Minister agreed to in the Seanad. Section 32 provides for the right to be forgotten for children, as per Article 17 of the GDPR, which is also very important.

The key aspect of this debate is the responsibility of social media platforms. We saw Mark Zuckerberg argue that Facebook and many of its apps are publishers not platforms. Debates have taken place in the US around that, particularly a decision of Congress when there was a great deal of lobbying by the massive IT industry in California in 2015. However, surely Facebook, Twitter, YouTube, Instagram, Snapchat and all the other platforms with which we are familiar are also responsible for the vitriol which is often directed at people. We have seen the publisher apps being used by terrorists on those platforms showing videos of executions. We have seen hate speech broadcast and normalised. We have seen online bullying lead to young people dying by suicide. Why should faceless trolls or sometimes school peers be allowed to target and bully people in this way? We can see it currently with the referendum campaign and those who have had to sign up to Repeal Shield to protect themselves from online attack. Repeal Shield is an online tool which blocks hurtful, abusive and insulting accounts for people contributing to the debate. Why should Twitter, Facebook, Google, YouTube, Instagram, etc., not be responsible for the content that is posted? The argument about just being a publisher is vacuous. As well as being responsible for the data that is held on the users of those and other sites, organisations such as Facebook should also be responsible for abusive content. I welcome this week's news that Ireland will be included in the new advertising transparency measure being piloted by Facebook, which is due to begin on 25 April. That is important, given that many of those companies have their headquarters not very far from this House.

As my colleague, Deputy Pringle, noted the GDPR will profoundly affect our political work and the work of the Oireachtas. We are contacted day in and day out, and 24-7 at times, by constituents and civil society bodies and groups with personal information and needs and it is necessary to hold that information while we are making representations and trying to achieve outcomes for our constituents who turn to us in desperation. I have always believed, however, in keeping all my constituents informed of my work in the House and the constituency and for that reason I have always published a quarterly newsletter throughout my time in this House, but I note that sections 52 and 53 of the Bill will exempt the right to object to direct mailing when it is for electoral purposes. Senator Alice Mary Higgins has, however, raised concerns that there is nothing in the Bill, as it stands, to prevent political parties engaging the services of a company such as Cambridge Analytica. Perhaps that is something to which the Minister for Justice and Equality or the Minister of State would return when replying to this debate. Given that there are indications that the techniques of this company were used to interfere in the Trump presidential election and the Brexit referendum in the UK, the closing of such potential loopholes is important. That is something that might be addressed by the Minister of State when replying to this debate and on Committee Stage.

There are many welcome provisions in the Bill. Section 33, for example, providing for the designation of a data protection officer is important. We were briefed today again by our own legal team on how the GDPR will impact on us and the conditions that we have to fulfil in regard to it and to the Bill.

I also welcome section 83 of the Bill which sets out provisions for dealing with breaches of personal data and the notification of such breaches. Section 83(1) states that the controller shall notify the commission of the breach within 72 hours and if it is longer than 72 hours the controller must include the reason for the delay in notification. However, section 84 seems to state that data subjects do not always have to be notified of data breaches; as per subsection (2), if data has been encrypted and was unintelligible, the controller is not obliged to inform data subjects. With the massive developments in IT and media platforms in recent years, as my colleague, Deputy Pringle, said, we are always chasing to catch up with the latest developments.

I do not believe that many people understood why the Minister was going to exempt Government and public bodies from regulatory fines for breaches of data protection rights. Following the excellent work of Senators, there will now be fines of up to €1 million for breaches and this is far lower than the €20 million, or 4% of global annual turnover, which will be directed against other organisations.

The Data Protection Commissioner, Ms Helen Dixon, told the Oireachtas committee last year that the proposed exemption from fines by public bodies was of concern to her and something that we should not have done.

I will support the Bill. I hope that the rights of data subjects, which we all are, will be reinforced and respected from now on.

See this speech in context