James Browne (Wexford, Fianna Fail) | Oireachtas source

Amendment No. 18 inserts a new section 26A into the Data Protection Act of 2018 to provide a prohibition on disclosure of confidential information by persons engaged with the Data Protection Commission in connection with certain defined functions. There appears to be some misinterpretation of the scope and purpose of this amendment and, frankly, some misconceived arguments have been made in recent days. I will address some of these.

The purpose of the amendment is to bolster the integrity of the statutory process and the provision to the DPC of confidential and commercially sensitive information in the course of carrying out certain statutory functions. It applies only to persons engaged with the DPC in the context of the performance of certain defined statutory functions, including inquiries and investigations. It applies only to confidential information which is defined in the new section as information that is commercially sensitive given in confidence or, in the opinion of the Data Protection Commission, likely to prejudice the effectiveness of the relevant function of the DPC. To be clear, nothing in this amendment will prevent a complainant from speaking out about the nature of their data privacy complaint or that a complaint had been made to the Data Protection Commission. There is no impact on journalists or media reporting and no impact on the obligations of the DPC under the GDPR.

Under Article 58 of the GDPR, the DPC and all other national supervisory authorities have far-reaching powers, including the power to order a controller or processor to provide any information it requires for the performance of its tasks and the power to obtain access to all personal data. It has unique investigative powers as a body and can compel the provision of information by people and companies. The DPC must exercise these powers in a manner consistent with other applicable provisions of the GDPR, including obligations arising under Articles 5 and 32 relating to the maintenance of security and confidentiality of personal data. The DPC has identified a need for a provision to be made along the lines of section 26A in order for it to be in a position to carry out its functions under the GDPR effectively, efficiently and lawfully and to ensure fair procedures for data controllers and data subject alike. In short, the DPC has sought this, not the industries. It follows from Article 52(4) of the GDPR that the State is under a duty to ensure the DPC is provided with all or any ancillary powers necessary for the effective performance of its tasks and the exercise of its powers as a national supervisory authority.

Deputy Ó Ríordáin raised an issue with the flow of information. This provision will not in any way interfere with the proper flow of information between the DPC and other supervisory authorities. As a public body, the DPC is required to exercise its powers in a manner consistent with EU law. This includes a duty of the DPC under Article 51(2) and chapter 7 of the GDPR to co-operate with other supervisory authorities and the European Data Protection Board, EDPB.

As to how the matter was brought forward, it was flagged previously. It was brought up on Report Stage and Final Stage in the Seanad. It was quite quick but I made a clear statement and nobody else commented on the matter. It was, therefore, flagged previously that such an amendment would be brought.

See this speech in context