Dáil debates

Thursday, 10 July 2025

Data Protection Act 2018 (Section 60(4)) Regulations 2025: Motion

 

6:45 am

Jim O'Callaghan (Dublin Bay South, Fianna Fáil)

I move:

That Dáil Éireann approves the following Regulations in draft: Data Protection Act 2018 (Section 60(4)) (Data Protection Commission) Regulations 2025;

Data Protection Act 2018 (Section 60(4)) (Information Commissioner) Regulations 2025; and

Data Protection Act 2018 (Section 60(4)) (Comptroller and Auditor General) Regulations 2025; copies of which were laid in draft before Dáil Éireann on 2nd July, 2025.

I am seeking the House’s approval of regulations made, drafted and signed by me under section 60(4) of the Data Protection Act 2018. These regulations I have signed are in respect of three statutory bodies: the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General. In fact, the last body is a constitutional officeholder as opposed to a statutory body. The regulations before us are identical save that they refer to different public bodies, whether it be the Data Protection Commission, the Office of the Information Commissioner or the Comptroller and Auditor General.

Section 60(4) of the Data Protection Act permits the making of regulations prescribing requirements to be complied with when the rights of data subjects and obligations of data controllers, referred to in section 60 of the Act, are restricted. The regulations are being made to address a concern raised by the EU Commission that section 60(3)(c) of the Data Protection Act 2018 could be interpreted as providing a blanket exemption for the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General when restricting certain rights in the performance of their functions, on the basis that it did not expressly require consideration of necessity and proportionality on a case-by-case basis. The regulations seek to address that concern.

This Government is committed to maintaining strong data protection rights for citizens in line with the general data protection regulation, GDPR. Where potential issues are brought to our attention regarding our national transposing measures, we are happy to examine the issues and act where necessary, as we are doing in this instance. While the GDPR provides strong levels of protection for individuals, the right to data protection is not absolute and it must be balanced against other rights and interests. In this regard, the GDPR recognises that there may be limited circumstances in which an organisation could have grounds to refuse to grant an individual’s request to exercise their data protection rights.

Where a Member State provides for further restrictions, the following conditions, which are strict, apply: first, the restrictions must be set out in national law; second, they must respect the essence of the fundamental rights and freedoms of individuals; and third, they must be necessary and proportionate to safeguard certain objectives of societal or general public interest.

In Ireland, section 60 of the Data Protection Act gives further effect to Article 23 of the GDPR and provides for restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest. The rights and obligations concerned are those provided for by Articles 12 to 22, inclusive, Article 34 and part of Article 5 of the GDPR. This includes rights of access to personal data, the right to erasure and the right to rectification.

While section 60 provides for a collection of matters including Cabinet confidentiality and parliamentary privilege, these regulations are specifically concerned with section 60(3)(c) of the Act. That provision provides that the rights and obligations under Articles 12 to 22, inclusive, Article 34 and part of Article 5 of the GDPR are restricted to the extent that the personal data concerned are kept by the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General in the performance of their functions.

The European Commission contacted my Department and expressed concern about how section 60(3)(c) of the Data Protection Act had been drafted and that it could be interpreted as providing a blanket exemption to the entities concerned by not expressly requiring an assessment of the necessity and proportionality of restricting rights and obligations on a case-by-case basis, as required by the GDPR and, in particular, by Article 23. As an EU regulation, the GDPR is directly applicable in Irish law and section 60(3)(c) must be viewed in the context of Article 23 and operated at all times in keeping with its requirements. However, we recognised that the drafting of that section could be more explicit with respect to the requirements of the GDPR. To address this, two sets of regulations were prepared. First, regulations under section 3 of the European Communities Act 1972 were made in November 2024 to amend section 60(3)(c) to clarify that the restrictions applied by the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General, as the case may be, must be necessary and proportionate to safeguard the performance of a function of the body concerned.

The updated provisions also outlined the matters each body must have regard to when determining whether a restriction would be necessary and proportionate. This includes the extent to which the exercise of a right or compliance with an obligation would prejudice the performance of a function of the body including by disclosing that a particular function was being performed where it may prejudice the performance of the function concerned, or prevent the processing of personal data for a period of time where any delay may prejudice the performance of a function. In addition, the bodies concerned must have regard to the essence of the right to data protection of a data subject and the risks to the rights and freedoms of a data subject that may result from such a restriction.

The draft regulations before the House today are procedural in nature and seek to build upon the requirements set out in the regulations made last year, and are the second and final in the collection of regulations to address the Commission’s concerns. Specifically, the regulations require the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General to ensure that when restrictions are being applied under section 60(3)(c) for the performance of their functions, those restrictions are only in place for so long as is necessary and proportionate to safeguard the relevant function; and that relevant information about the restrictions is provided to the data subject, including the reason, except where disclosure would prejudice the body in the performance of its function. In addition, each of the bodies is required to prepare and implement policies and procedures that set out how they will deal with important issues such as data storage, security and access arrangements. Additionally, the bodies must periodically review the policies and procedures they have in place.

Each regulation provides that any communication between the body and a data subject must be in an easily accessible form and be in plain language. My Department engaged with the three entities during the drafting process and they have confirmed that they are satisfied with the draft regulations. I take this opportunity to thank the three bodies involved for their constructive engagement throughout the preparation of the regulations.

These draft regulations put in place procedural obligations on the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General when seeking to restrict the rights or obligations necessary to safeguard the performance of a function of the body concerned. They do not introduce any new or additional restrictions on the rights of data subjects. The purpose of these regulations is to ensure our national measures better align with the intent of Article 23 of the GDPR and that clear procedures are in place, governing the limited circumstances in which rights or obligations are restricted under section 60(3)(c).

I am seeking the House's approval for the regulations drafted in respect of the three entities. I believe the regulations are necessary because they are proportionate and required for the purpose of ensuring there is compliance with the GDPR.
