Charles Flanagan (Laois, Fine Gael) | Oireachtas source

As I mentioned on Committee Stage in the Seanad when we were discussing a similar provision, I am unable to accept this amendment, which would insert a new section into the Bill. The proposed new section would interfere with the operation of Article 34 of the GDPR, which deals with the communication of data breaches to data subjects. As I indicated in the Seanad, it would also cut across section 86 of the Bill, which already imposes an obligation on a controller to inform a data subject where there is a high risk to the data subject's rights and freedoms arising from a data breach. In such a case, the controller must notify the data subjects in clear language of the nature of the breach and its likely consequences, and must describe the measures being taken, or proposed to be taken, to mitigate any possible adverse effects.

The amendment before the House refers to a data breach "which affects" a data subject. The ultimate meaning of those words is really unclear. Under the GDPR and the directive, the thresholds for informing the data protection commission of a data breach, and for informing the data subjects whose data protection rights have been breached, are defined in terms of the risk for the data subject arising from the breach. Under the GDPR and section 86 of this Bill, if a data breach involves a high level of risk for a data subject he or she must be given all relevant information and must have an opportunity to request further information as the need may arise. I am not going to accept amendment No. 140 because I believe it will have the effect of introducing a level of uncertainty.

See this speech in context