Clare Daly (Dublin Fingal, Independent) | Oireachtas source

I am sharing time with Deputy Mick Wallace.

I listened to the debate last night. Many colleagues laid out many of the gaps and issues associated with the Bill so I will certainly not repeat some of them. I want to take some time, however, to put in context why data protection and privacy are such important matters and why the GDPR is such a significant regulation to which we must all pay considerable attention.

It can sometimes be hard to explain the significance of data protection to people. Some people just have a gut aversion to data being hoovered up and their privacy being invaded. Others have the attitude that if one has nothing to hide one should have nothing to worry about. Others really do not care or have not paid enough attention to the issue. Therefore, it is important for us to outline why data protection is important and what the real-world implications are if one's private data are not protected.

Last year in the United States, data on 143 million Americans was stolen from the credit check company Equifax.

The data included dates of birth, social security numbers, bank account numbers, driver licence numbers and so on. The hackers got in through a side door using a simple web app. It was not difficult and it was not like they were trying to get into Fort Knox. However, the problems that caused for individuals were immense. In one case, a woman's identity was stolen 15 times. Her credit rating was wrecked and she could not get a mortgage. She spent hours trying to untangle herself from this. Every person in the US who had taken out a loan in the previous few years had his or her data stolen because of the sharing of information and not only the people who had dealings with the company. That is a good example to highlight the importance of the data protection principles underpinning the GDPR. Data must be kept secure and only the minimum data necessary should be collected for a particular purpose. The example demonstrates how easy it can be for data to be stolen if it is being shared and the major consequences of losing control of personal data. It is possible for companies and organisations people have never heard of to have huge wads of information about them.

Let us imagine a world where most, if not all, of people's daily activities are constantly monitored and evaluated, including what they buy in shops and online, their location at any given time, who their friends are and how they interact with them, how many hours they spend watching television, what they read and what they skip over when they are reading, how long they sleep and the bills and taxes they pay. However, that is the world we live in now thanks to organisations such as Google, Facebook, Instagram and health tracking apps such as Fitbit. If in this world there is a system where these activities and behaviours are rated as positive and negative and distilled into a single score according to the rules set by the government, that creates a citizen score and tells everyone where people are trustworthy with their rating publicly ranked against the entire population and used to determine their eligibility for a mortgage or a job, where their children can go to school, how much they must pay for flights and even whether they are allowed to take train or taxi journeys. Again, we do not have to imagine this. This is happening right now in China where the government is developing a social credit system to test the trustworthiness of its 1.3 billion citizens. The scheme is voluntary for now but it will become mandatory by 2020 and the behaviour of every citizen will be rated and ranked whether they like it. Sadly, that is the world we live in and there is surveillance of our every move and desire and almost our every thought. They are all visible to some private company. When all that data are put together with a government that has a big interest in controlling its citizens, that gives us China's social credit score. There is no escape or opt out. If people opt out, they get a low score, which means no mortgage, job, travel or education.

We have the beginnings of that here with employers monitoring Facebook profiles and landlords trawling thorough Twitter feeds. It is not a huge leap from that to the situation in China and that is the backdrop to this debate. It is enormously important and we all have to, not only as Members but as citizens, wake up to this issue because the technical ability to implement full-scale, 24-hour surveillance on every citizen in Ireland, Europe and most of the world is in place. Many of us have for years willingly signed up to this surveillance of our lives by various private companies, which, in many cases, know as much, if not more, about us that we do ourselves. That is why the GDPR is important. We have become anaesthetised to giving up our data to private companies to manipulate and profit from. In 1996, for example, the hugely underrated Silicon Valley commentator, Paulina Borsook, warned about the dangers of corporate America's hunger to exploit our data for profit. We could and should have done something about this 15 years ago but it is better late than never. We must look at the devil in the detail but whether the GDPR goes far enough to protect us is an open question, as many people have pointed out. I generally side with their fears that it does not go far enough.

We will examine the Bill in more detail on Committee Stage. The justice committee has prioritised it and has said we will sit for however long it takes to get it through that Stage and to make it fit for purpose within the deadline the Government has set for us to have signed up and have the legislation enacted. It is clear that the Government has set out on a path to grab for itself the maximum flexibility to maintain as far as possible the privacy compromising status quo. That is not a surprise when it comes to data protection. It is difficult to accept the State as an honest broker in this regard. One only has to consider the public services card, individual health identifiers project, CCTV projects in Limerick, wide-ranging Garda surveillance powers and powers to access phone records, and a data retention regime, which according to a former Chief Justice amounts to mass surveillance of the entire population. We have witnessed a great deal of intransigence, carelessness and intrusiveness on the part of the State and a wilful disregard for people's fundamental right to privacy. We have to take cognisance that this is the backdrop.

The individual health identifiers project is steaming ahead regardless, despite the fact that it is on a shaky legislative foundation. There is minimal public knowledge and understanding of it, let alone people consenting to be part of it. While there may be legitimate reasons for creating databases that can contribute to public safety and public health, there must be a level of trust and understanding. Clarity on what the databases will and will not be used for and how people can opt in and opt out is needed. We do not have any information on that in the context of this project. Last summer, solicitor and data expert, Simon McGarr told the justice committee that it is likely following the Barr judgment that the health identifiers Act does not even comply with European law, something that would open the State up to damages claims from every person in the database, which means every person in the State. We have no idea what is going on with it. The project is rolling ahead and the HSE's interim chief information officer giddily told Silicon Republicabout the possibility of linking Apple Watch to people's electronic health records as a mechanism of patient empowerment, which is ludicrous. Empowerment was one of the buzz words used by Google and Facebook in the early days and look at where all that ended up. It is not a stretch to imagine a scenario where information on people's blood pressure, heart rate, sleep patterns and blood-alcohol level is fed into a gadget such an Apple Watch and passed on to health insurers which will then charge higher premia to people who are not living right or behaving properly, with the upshot being that the unhealthy will be cut off from health care in its entirety. As the HSE's chief information officer said, "It is not science fiction anymore".

As T. J. McIntryre said about the PSC, it is not an aberration but it exemplifies a systematic disregard for privacy and data protection throughout the State. It is instructive to note that under sections 115 and 126 the Government has not chosen to implement the optional provision in article 80 of the GDPR to allow non-profit organisations and other activist organisations to seek damages for breaches. However, I will table a hell of a lot of amendments on Committee Stage.

See this speech in context