Róisín Shortall (Dublin North West, Social Democrats) | Oireachtas source

In the past few weeks, we have all seen how important it is to have robust data protection and to ensure that we have those measures in place right across society. Be it through the GDPR or domestic legislation, they are now a vital component of everyday life.

The Bill does not go far enough in terms of providing specific protections to young people generally and children in particular. I wish to concentrate my contribution on that issue. Having read the contribution of the Minister, Deputy Flanagan, in the Seanad, it is clear that he is aware of the issues in respect of how the EU has chosen to frame article 8. By structuring the additional protections for children's data in terms of a set age limit and parental consent, the onus of responsibility has been shifted from data processors to parents, which, in my view, is not right. During the drafting phase of the general data protection regulations, GDPR, some countries instead proposed including clear restrictions on marketing activities that specifically target children, which would have provided far more robust protections. It is very regrettable that that course was not taken. The move to a digital age of consent, which does not appear to have been set with any clear evidence base, is a major failing of the GDPR that we must work on addressing before passing the Bill.

The current draft of the Bill is a vast improvement on the original. Placing the right to be forgotten on a statutory basis and specifically citing that right in regard to children and young people is an important move. However, I was disappointed that the most significant change made to the Bill in the Seanad is to task the commission with encouraging rather than requiring codes of conduct in regard to how data processors engage with children and handle their data. Such codes of conduct are already prescribed in article 40 of the GDPR. I suspect the Minister has chosen to adopt this wording in an effort to avoid falling foul of the EU. However, the language of the Bill as drafted does almost nothing to impose additional restrictions on the collection of children’s data. Instead, it gives the companies that will be processing such data huge scope in how they collect, use and monetise it. That is why it is important that we are very clear what we are talking about when we refer to the digital age of consent and what it can and cannot achieve.

Over the past few weeks, there has been much wide-ranging comment on and discussion of the digital age of consent. It has been described as being about everything from keeping children safe online to being a question of free speech. That is simply not the case. As Professor Barry O’Sullivan quite forcefully stated at the Joint Committee on Children and Youth Affairs, "the digital age of consent is not about when a child can access the Internet, it is merely the age at which a child can consent to a profiling of their personal data and that is it." The simple fact is the digital age of consent is about money. The type of profiling to which it will allow 13 year old children to consent is at the root of these companies' business model.

In the past few weeks, we have all seen how easily such data can be misused. We need to ask ourselves if we think it acceptable for the data of children to be used in such a manner and whether we can trust large scale data processors such as Facebook, Google, and Snapchat to do so responsibly without being compelled to do so through legal sanction. I do not think we can. Time and again, such companies have proved that they cannot be trusted to act responsibly when it comes to users' data. On repeated occasions, they have acted to tighten privacy controls only when caught or in response to massive public pressure. I do not allege that anything they did or are doing is illegal but, rather, that that reluctance to act is at the core of the problem. The companies may subscribe to the letter of the law but their sole concern is their bottom line. All Members may agree that the harvesting of the personal data of children for marketing purposes is repugnant but if it is not clearly prohibited there is no incentive for these companies to stop that practice.

The marketing strategy of Facebook and other social media companies is to present themselves as a social good. Facebook has often described itself as a social utility. Google’s corporate code of conduct included the retrospectively threatening motto "don’t be evil". Although truly brilliant pieces of marketing, those slogans are completely removed from the business model of those organisations. They do not provide a service for free; the charge is access to our data. They are not a community or a utility but, rather, businesses based on mass surveillance. There is nothing inherently nefarious in that and there is no doubt that there has been positive change as a result of access to these platforms. However, that does not mean that we should ignore their nature or blindly accept their marketing copy. We must approach the manner in which these companies make billions in profit each year with open eyes. We must accept that, like any other resource, this House has not only the right but also the responsibility to regulate how private industry monetises the public’s data, particularly that of children.

Over the past few months, I have tabled several parliamentary questions on the Bill and the digital age of consent. In his replies, the Minister has consistently cited the support of the Children’s Rights Alliance for these proposals. However, that is not a fair or accurate portrayal of the current position of that organisation. In a recent submission to the Minister, it made clear that relying on digital consent as a means of protecting children’s data is not sufficient. It believes that that approach takes the emphasis off the data controller and that if we are truly concerned about children’s data, we should be imposing more restrictions on the use of their data. I hope that the Minister will continue to give the opinions and recommendations of the Children’s Rights Alliance as much weight as he has to date and heed its call that the Oireachtas should legislate to forbid the use of children’s data for marketing or commercial purposes. I understand that proposal was raised with the Minister on Report Stage in the Seanad and that he suggested it would risk breaching the GDPR or interfering with the independence of the commission. However, on that Stage he introduced an amendment to place the rights of erasure referred to in recital 65 of the GDPR on a statutory footing. I see no reason the same could not be done for recital 38, which states: "Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services". At the very least, the Minister must have considered tasking the commission with encouraging steps to remove the data of children from being collected for marketing purposes.

Article 57(1)(c) of the GDPR makes clear that the commission must have the power to advise the Dáil on administrative or legislative measures relating to data processing. Would the Minister accept an amendment seeking a report from the commission on the use of children’s data for marketing purposes? I would rather that we put in place specific legislation to control such behaviour, similar to the current data protection regime in Spain, which prohibits the collection of data from children about their parents and family. However, I understand the Minister is concerned about the compliance of such action with EU law. If that is the case, it is essential that the Minister outline what legal advice he has sought on this area, why he sought it and what his precise issues of concern are. Will he work with the Opposition to find a way to strengthen our domestic legislation as the Bill does not go far enough? There is a unanimous view that it is repugnant for children's data to be used for marketing and commercial purposes. Members may have heard a representative of the Irish Heart Foundation very eloquently talking about that today and discussing the dangers of the very direct marketing to children of very unhealthy foods such as those high in sugar or salt, or both, and so on. There is no disagreement on any side of the House on that objective.

I hope the Minister will give positive consideration to an amendment in that regard on Committee Stage.

See this speech in context