Dáil debates

Thursday, 10 July 2025

Data Protection Act 2018 (Section 60(4)) Regulations 2025: Motion

 

6:55 am

Photo of Gary GannonGary Gannon (Dublin Central, Social Democrats)

It is important to speak today on this motion concerning new regulations under section 64 of the Data Protection Act. We are told these regulations do not introduce new restrictions but simply tighten up existing rules to make them better aligned with Article 23 of the GDPR Act. That is fine - indeed, it is welcome - but we should always be careful with motions like this to ensure that public oversight is maintained and that we are not opening the door to unintended consequences.

This is not some abstract debate about data protection jargon. These regulations affect real people who are trying to access their own information or to understand the decisions made about them by powerful State bodies, namely, the Data Protection Commission, DPC, the Office of Information Commissioner, OIC, and the Comptroller and Auditor General. These are institutions we rightly trust to hold others to account, but when those very institutions restrict the public's right to information, to silence or withhold, even in exceptional cases, we should always leave room for debate. Scrutinising legislation like this has never been more important. We have seen the actions of the British Government taken in recent weeks under terrorism laws, not to target violence but to silence protest. People spray-painting planes as a symbolic act of dissent now face penalties of up to 14 years in prison and simply expressing support for that group is now a criminal offence. That is not national security but the attitude of an authoritarian regime. It should make us all pause. We are living in an age when the misuse of power is often framed as order and if we are not careful, laws once meant to protect will become tools of control.

Under Ireland’s current law, specifically section 60(3)(c) of the Data Protection Act, these bodies can restrict someone’s GDPR rights to safeguard their own functions, in other words to carry out their work without interference. Until recently, that section did not require them to explain why they were restricting a person’s right. There was no clear legal test of necessity, no demand for proportionality, nothing to ensure this power was used sparingly and transparently. That is why the European Commission stepped in. It said, and rightly so, that the law as written looked like a blank cheque for public bodies to block people from exercising their data rights. It could have allowed for a blanket exemption with no oversight. That is not in line with Article 23 of the GDPR and certainly is not in line with the spirit of fairness and accountability.

The Government's move to amend that section and bring forward these regulations is a step in the right direction. It is absolutely progress. However, my concern is that what is written on paper and what happens in practice are often two very different things. Yes, we need regulations but they must come with teeth, built-in accountability and real safeguards for ordinary people, not just policy documents that sit quietly on a website, untested and unread. I also have concerns for those who might have more difficulties navigating the system, the young person wrongly profiled, the migrant trying to challenge the decision, the person with literacy issues and no legal support. These regulations must not become another barrier to justice, wrapped in a legal cloak.

I would like to hear the Minister address the following. Will these regulations include a clear appraisals process when someone's rights are restricted? Will the DPC, the OIC and the Comptroller and Auditor General be subject to independent oversight, not just self-review? Will the Government commit to a public audit of how these powers are used, not once but regularly?

Most important, will the Minister confirm that these regulations cannot be used to shield incompetence or wrongdoing, or simply to avoid scrutiny? If transparency only applies when it is convenient, it is not transparency at all.

Data protection is not just a legal principle but a human right. These regulations should not be technical fixes to satisfy Brussels. They should be meaningful steps to protect people's rights at home and to hold powerful institutions to account. I will support the motion if it comes with guarantees not just that rights are restricted carefully but that the people affected can challenge these restrictions and their consequences when institutions get it wrong.

Comments

No comments

Log in or join to post a public comment.