Clare Daly (Dublin Fingal, Independent) | Oireachtas source

This group of amendments deals with the section of the Bill that gives effect to Article 80 of the general data protection regulation, GDPR, on the representation of data subjects. There is a huge problem when it comes to people's privacy rights under data protection legislation in that individuals do not have the expertise, knowledge, time or money to enforce their legal rights. We are aware that the Irish legal system is incredibly expensive and it is difficult for lawyers to navigate, never mind people who are unfamiliar with it. Many people will never have the right to enforce their rights through the courts because the costs are beyond them.

Article 80 of the GDPR has a mandatory provision that member states must allow individuals to nominate a not-for-profit body to act on their behalf to make complaints to a data protection authority, appeal against the decisions, or take action against a controller such as an Internet service provider where it has abused personal data.

Two optional parts of the Article 80, that member states may allow individuals to nominate not-for-profit groups to act on their behalf to seek damages and they may allow not-for-profit groups to bring actions on their own initiative without the need for an individual to nominate them. When Dr. T. J. McIntyre appeared before the Oireachtas Joint Committee on Justice and Equality during the pre-legislative scrutiny of the Bill he said, "It is very important that Ireland would take up the two aspects of flexibility in the GDPR", which we have not. As it stands, this Bill does not allow mandated non-profit bodies to seek damages and it does not allow non-profit bodies to take actions independently, be it by bringing a complaint to the Data Protection Commissioner or by going to court on behalf of people's data rights. Clearly the GDPR contains the provision on non-profit bodies taking independent actions because the people who negotiate it know that in many cases in this area of law data subjects would not even know enough about their rights to know if they had been breached.

It is notable that the massive safe harbour data sharing agreement was struck down as being unlawful on the basis of one person who knew his rights and asserted those rights as a data privacy campaigner. It was not the case that a bunch of people started asserting their rights. This is why the safe harbour arrangement went down. Most people did not know that what was happening to them was illegal. It took one dogged campaigner who knew enough and who was consistent enough after being fobbed off by the Irish Data Protection Commissioner who dismissed his complaint as frivolous to take a challenge. The whole edifice of dodgy sharing of data with the United States of America fell down off the back of that complaint. This is why we need to take up the optional provision around non-profit bodies taking cases independently.

In its most recent opinion on the dangers posed by marked targeting, micro-targeting and manipulation during political campaigns, the European Data Protection Supervisor strongly recommended, on the basis of the dangers posed to democracy by such manipulation, that member states take up the optional provisions to allow non-profit bodies to take cases independently. This is what we are at. We need that provision and the provision for damages to have effective privacy rights and access to justice.

In brief, amendments Nos. 100, 114 and 116 are about giving effect to the two optional provisions under the GDPR in an everyday context. That is all circumstances except in criminal justice. Amendment No. 100 provides for the right for complaints to be lodged with the data protection commission and for cases to be taken independently by non-profit bodies. Amendment No. 114 allows for non-profit bodies to go to court independently. Amendment No. 115 allows for non-profit bodies taking cases, if they are mandated to do so by a data subject, to seek damages. Amendment No. 116 says that if a non-profit body takes a case independently of a person's mandate, then it is not allowed to seek damages. This is a provision of the GDPR and it is why we have it included it here.

The Government's amendment No. 122 seeks to remove the amendment that we succeeded with on Committee Stage, and I am absolutely sure of this, that allows non-profit bodies taking action on behalf of data subjects under Part 5 to seek damages on the data subject's behalf. We will resist the rowing back on this amendment from Committee Stage.

Our amendment No. 117 seeks to insert a Part 5 provision whereby non-profit bodies can independently lodge claims where they feel that data rights have been breached. Amendment No. 123 is consequential on that since it provides that they cannot seek damages, as in the case of amendment No. 116 where non-profit bodies taking a case independently are not allowed to seek damages under the GDPR. That is the way we see it. We strenuously object to amendment No. 122 and we very strongly recommend the other amendments in the group.

See this speech in context