Mick Wallace (Wexford, Independent) | Oireachtas source

I move amendment No. 18:

In page 33, lines 18 to 23, to delete all words from and including "for—" in line 18 down to and including line 23 and substitute the following:"for the performance of a function of a controller conferred by or under an enactment

or by the Constitution.".

This amendment addresses section 37(1)(b) which seems to give far too much scope to third party data processing in respect of non-statutory schemes, particularly given that this section of the Bill describes a situation where the consent of the data subject will be bypassed. We should not, for example, give marketing companies working on non-statutory schemes such exemptions from the requirement to obtain consent. It is not too difficult simply to require such third parties working on non-statutory projects to obtain consent to process personal data. On Committee Stage the Minister defended this part of the Bill by saying that section 37(1)(b) was necessary for non-statutory schemes such as the free fuel scheme, free travel scheme and the back to school clothing allowance. Surely these schemes are already provided for in the GDPR under Article 6.1.(f) and the idea there of "legitimate interests". Nobody is going to dispute that the processing of data for the free fuel scheme is a legitimate interest as per the GDPR.

Amendment No. 21 seeks to limit the purposes for which personal data that is collected can be processed by insisting that the purposes be specified at the outset which is listed in Article 23 of the GDPR as a specific provision that any legislative measure referred to in Article 23 shall contain. This section refers to personal data processed in the public interest which according to Article 6 of the GDPR allows the data controller to bypass the consent of the data subject. There will be times when such bypassing of consent will be necessary and that is why the GDPR provides for such occasions. We have already expressed some concern about section 37(1)(b) and said on Committee Stage that we were very open to Sinn Féin's proposal to oppose the section as it seeks to carve out exemptions to the GDPR that exceed what the GDPR allows. Processing of data for purposes other than the purpose for which that data is collected is prohibited except in very limited circumstances such as preventing a threat to national security. Insisting that the purposes for which data is collected be specified at the outset in regulations made under section 37(4) is a sensible provision and would protect against processing for other or unspecified purposes in the public interest. I acknowledge that section 37(5)(c) provides for a Minister to impose other conditions on processing which he or she see as appropriate while such conditions would not be mandatory.

Amendment No. 22 is an attempt to introduce an extra layer of protection which is necessary given the wideranging powers section 37 gives to Ministers. We have concerns about the whole section. The lines we seek to insert are taken from section 48 of the Bill which itself borrows heavily for its wording from the GDPR.

Amendments Nos. 21 and 22 seek to limit ministerial powers in terms of processing data in the so-called public interest. As I said on Second Stage the public services card project and more important, the single customer view behind it is the largest data sharing project in the history of the State and has massive problems. It shows clearly the liberties successive Governments in various Departments have already taken in sharing data in the so-called public interest.

See this speech in context