Dáil debates

Tuesday, 17 April 2018

Data Protection Bill 2017 [Seanad]: Second Stage

 

7:05 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move: "That the Bill be now read a Second Time."

I am very pleased to have the opportunity to commence Second Stage of the Data Protection Bill 2018 in this House. I look forward to hearing the contributions of Members and obtaining the broad support of the House for the contents of this most important legislation.

I draw the attention of the House to the fact that the Bill was amended during its passage through Seanad Éireann. A number of new provisions have been added to it and I will draw attention to them in due course. The explanatory memorandum, which accompanies the Bill, has been updated to reflect the amendments from the Seanad. The primary purpose of the Bill is to give further effect to the general data protection regulation, GDPR, to transpose the accompanying law enforcement directive into national law and to establish the data protection commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the directive must be transposed into national law by then. I am hopeful that with the support of the House, this Bill will be signed into law and enter into force in May next, alongside the GDPR. I am confident that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age. The updated data protection rules entering into force next month will affect all of us in one way or another. It will affect each of us as individuals, because it will increase our control over the manner in which, and the purposes for which, our personal data are used.

It will affect businesses, whether large, medium or small, because it will require them to review and update the manner in which they collect, use or store the personal data of their customers and clients or any other individual whose personal data they retain. The same applies to Departments and all public bodies.

The simple fact is that data protection law has not kept pace with the many technological advances and new business models such as social media and cloud computing that have emerged in recent years. Our current law, based on the European Union’s 1995 data protection directive, predates mass Internet usage, hand held devices, apps and games, social networking and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR. However, GDPR rules will strengthen our control over our own personal data and the purposes for which it may be used. Increased transparency is essential for increased control. In the future, information must be provided for users in a concise, transparent, intelligible and easily accessible format, using clear and plain language. It will no longer be acceptable for service providers to direct users to opaque terms and conditions written in legal jargon. The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase but will do so in a measured and proportionate manner. The compliance burden will increase for some but it will be proportionate to risks for the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. This will inevitably pose a greater challenge for those bodies, whether in the public or private sectors, that specialise in data processing and for those handling, for example, customers’ financial data or patients' sensitive health data. While large companies have been gearing up for entry into force of the GDPR for some time, it is likely that the SME sector and micro enterprises will continue to require assistance and support during the coming period of adjustment. Awareness raising activities have been under way for the last year and a half involving conferences, seminars and workshops and those activities will continue. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner’s web page, gdprandyou.ie, which contains a wealth of useful information and practical guidance for both business and individuals.

High data protection standards are not anti-business and will not reduce competitiveness. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the European Union. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government’s online services. Public and private enforcement of data protection law is set to increase. In future the data protection commission will have stronger supervision and enforcement powers as well as a broader range of sanctions at its disposal, including the imposition of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase, resulting in higher levels of private enforcement activity.

The Government is committed to achieving the full potential of the digital economy and its capacity to promote innovation, create jobs and boost economic activity in the State. We already host many of the world’s leading digital companies here and they provide their services well beyond our shores. That number will increase in the future. The GDPR together with this legislation will ensure that the data processing involved in the provision of these services will meet the highest data protection standard. The establishment of the data protection commission will ensure effective supervision and enforcement of these high standards.

Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the European Union on 25 May next. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties also requires transposition by May of this year. Both the GDPR and the directive have a legal basis in article 16 of the Treaty on the Functioning of the European Union and they provide for significant enhancements to current data protection rules based on the 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations. The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the European Union, thereby providing a level playing field for all those doing business in the EU digital market. The European data protection board, a new entity that will replace the current advisory committee and made up of representatives of the data protection authorities of all member states, will play an important role in that respect.

At the heart of both the GDPR and the directive is a risk based approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure and to be able to demonstrate that their processing of personal data complies with the new data protection standards. I remind the House that the terms "controller" and "processor” are not esoteric concepts. Those of us involved, for example, in the handling of constituents' requests and representations are data controllers and any operator of an off-site storage facility for files containing personal data is a processor. I will return to the point about the work of elected members later in my remarks. For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the data protection commission will be mandatory. The GDPR and the directive both place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards and the need for appropriate security standards in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.

The GDPR and the directive also impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a data protection officer with responsibility to oversee data processing operations and to report data breaches to the data protection authority. The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called legitimate interest ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity. Both the GDPR and the directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of member states, including the future data protection commission. The GDPR provides for the possible imposition of substantial administrative fines of €10 million or €20 million or 2% or 4% of total worldwide annual turnover in the preceding financial year. I will return to the fines issue shortly. The liability of controllers and processors will also be broadened to include non-material damage such as distress. In future an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.

The key purposes of the Bill are to give further effect to the GDPR in the areas in which member state flexibility is permitted to transpose the directive into national law; to establish the data protection commission as the State’s data protection authority with the means to supervise and enforce the enhanced protection standards enshrined in the GDPR and directive in an efficient and effective manner; and to enact consequential amendments to various Acts that contain cross-references to the Data Protection Acts 1988 and 2003. The Data Protection Bill 2018, which is both lengthy and complex in nature, comprises numerous parts. Part 1, sections 1 to 8, inclusive, contains a number of standard provisions, including citation, commencement and definitions. Part 2, sections 9 to 27, inclusive, establishes a data protection commission to replace the Data Protection Commissioner as the State’s data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the directive. Part 3, sections 28 to 58, inclusive, gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the regulation gives member states a margin of flexibility.

In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations.

Part 4, comprising sections 56 to 65, inclusive, contains a number of provisions that are consequential on replacement of the Office of the Data Protection Commissioner with the data protection commission. Part 5 transposes the provisions of the law enforcement directive into national law. Part 6 contains provisions dealing with the enforcement of the obligations and rights set out in the GDPR and the directive by the data protection commission. Part 7 contains a number of miscellaneous provisions, mainly concerning the application of data protection rules to the courts and a number of related legal matters. Part 8 contains a limited number of consequential amendments to a number of Acts. I intend to table a substantial amendment to Part 8 on Committee Stage to incorporate the necessary adjustments to a large number of Acts of the Oireachtas that contain cross-references to the Data Protection Act 1988.

As regards substance, the updated explanatory memorandum that accompanies the Bill contains much detail. For that reason, I do not intend to delve into the provisions of the Bill in great detail. However, I want to take this opportunity to highlight a number of issues and to refer to Part 5, which transposes the law enforcement directive into national law.

Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003. While article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant Court of Justice case law by the Office of the Attorney General has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State. While national security and defence lie outside the scope of EU law, the Council of Europe's 1981 data protection convention - Convention 108 - contains provisions that apply to data processing for these purposes.

The GDPR contains a consistency mechanism, or so-called "one-stop-shop", which is intended to streamline the handling of data protection infringements and complaints across the European Union. For this purpose, it employs the concept of a lead supervisory authority of a member state. This means that complaints will be investigated by the data protection authority of that member state, irrespective of the member state of origin of the complaint. Before arriving at a final decision in cross-border cases, the lead authority must submit a draft decision to other data protection authorities that have an interest in the case and must have regard to any objections received from them. In order to underline and further enhance the independence of the commission as required by the GDPR and by Court of Justice case law, the commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 165.

I would like move on to the child-related provisions of the Bill. Article 8 specifies a "digital age of consent" of 16 years but allows member states to lower it but not below 13. In late 2016, my Department launched a consultation process and invited submissions from interested parties on the digital age of consent to apply in this jurisdiction under article 8. The Government Data Forum, which brings together legal and data protection experts, business representatives, sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents recommended that the digital age of consent should be set at 13 years and the Government approved such an age limit in June of last year. When the Special Rapporteur on Child Protection, Dr. Geoffrey Shannon, appeared before the Joint Committee on Justice and Equality during the pre-legislative phase of this process, he also recommended that the digital age of consent should be set at 13 years. This is the background to the Government's decision to specify 13 years as the digital age of consent in section 30 of the Bill before the House.

Arising from the sincere and strongly-held concerns that were expressed during its discussions on this matter, the Seanad accepted my proposal for a review clause. This clause, which is provided for in section 30(3) of the Bill, means that the operation of this provision must be reviewed not later than three years after its coming into operation. I want to refer to article 6.1(f) and to article 12, which imposes high standards of transparency on controllers. Article 17 relates to the right to erasure. Article 40 makes general provision for codes of conduct. Article 57 requires data protection authorities to promote public awareness and understanding. Arising from the discussion in the Seanad, I proposed the inclusion of section 31 of the Bill as it now stands. Another new section, section 32, makes specific provision for an enhanced right to be forgotten in the case of children. Before I conclude what I have to say on the protection of children, I express my support for the joint committee's recommendation for consultations with children in relation to data protection measures.

Article 57 of the GDPR requires data protection authorities, such as the proposed data protection commission, to promote public awareness and understanding of the risks, rules, safeguards and rights in regard to data processing. Article 23 makes provision for possible restrictions on controller obligations. The need to apply restrictions will arise from time to time. Section 57 of the Bill provides for proportionate restrictions in order to safeguard a range of important objectives of general public interest - for example, to avoid obstruction of any official or legal inquiry, investigation or process.

I have referred to article 57 of the GDPR. Article 83 provides for the imposition of administrative fines for infringements. To ensure fair and equitable trading conditions, section 139 of the Bill provides that administrative fines may be imposed on public bodies that are acting as "undertakings" by providing goods or services for gain in competition with private bodies. This will ensure fair competition. In Chapter 2, section 68 contains provisions outlining the general principles of data protection. Chapter 3 outlines the obligations on controllers when acting within the scope of Part 5. Chapter 4 specifies the data protection rights of individuals, including rights in respect of automated decision-making in sections 87 to 90, inclusive. Part 6 of the Bill contains detailed provisions relating to the supervision and enforcement of the GDPR and the data protection standards set out in Part 5.

I want to mention the important report that was drawn up on foot of the pre-legislative process. I thank the committee and other stakeholders for their work in that regard. Before I conclude, I need to mention a specific amendment that I intend to introduce on Committee Stage. Deputies will be aware that concerns have been raised that the GDPR and the Bill before the House may have an adverse impact on the ability of elected representatives, including Members of this House, to make representations on behalf of their constituents and carry out other aspects of their work as elected representatives. I intend to bring forward a Committee Stage amendment to ensure there is an appropriate legal basis for, inter alia, the processing of personal data for the purposes of dealing with constituents' representations and requests from members of the public, interest groups and stakeholders, which is the essence of our work as public representatives. This amendment is being finalised at present. I intend to circulate it at the earliest opportunity and obviously in advance of Committee Stage.

As I mentioned, this is a complex and lengthy Bill. I acknowledge the positive and constructive engagement on it that took place in the Seanad. That it is lengthy or complex, or both, should not blind us to the central purpose of the Bill, which is to promote and facilitate the exercise of our right as individuals to the protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that "everyone has the right to the protection of personal data concerning him or her". The GDPR and this Bill seek to make that a reality. In acknowledging the constructive debate in Seanad Éireann, and in showing that I am open to engaging in debate, I hope to set the scene for a similar type of engagement here. Many of the parties represented in this House were successful in working to ensure the legislation I am introducing is fit for purpose. I hope we can advance it on Second Stage in the next couple of days before moving on to Committee and Report Stages with a view to having it enacted well in advance of the due date of 25 May next.

7:25 pm

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I would like to share time with Deputy James Lawless.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Is that agreed? Agreed.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I welcome the opportunity to speak to this important Bill. As the Minister mentioned, the purpose of the legislation is twofold: first, to give effect to the general data protection regulation, GDPR; and second, to transpose into Irish law the accompanying directive in respect of law enforcement governing the area of data protection. Like the Minister, I am conscious that the regulation itself comes into force on 25 May next. We will seek to facilitate the Government in respect of its commitment to try to get the legislation enacted by the end of May. However, I think we need to be aware that this vital legislation, which will affect the rights of citizens throughout this country, should not be rushed. It is important that we get it right, as opposed to simply enacting it as quickly as possible in order to get this done by the end of May.

Before looking at a number of specific provisions in the Bill, I will refer to the developments in data protection that have taken place in the past 30 years. Legislation dealing with data protection was first introduced in this country in 1988. I do not know if anybody present was in this Chamber back in 1988, but if he or she was when the data protection Bill of that year was being discussed, I doubt anyone could have envisaged the developments that would take place in data protection in the subsequent 30 years. We must recognise that the debate on this legislation takes place against the background of an extraordinary technological revolution that has taken place in the world in the past 20 years, in particular. I am talking about the development of the Internet and the establishment of data and large technology companies that have been able to develop enormous powers through the accumulation, collation and use of personal data for individuals. This is something we never envisaged prior to the creation of the Internet and the revolution that took place in data technology in the past 20 years.

It is important to note that there have been many beneficial developments as a result of the technological revolution. We have seen great developments in access to information and through this revolution people have been able to access information that they have never been able to access before. Accessing that information has become much more democratised since very many people can use the Internet and search engines. There have been benefits in providing people with the opportunity to become more aware of their culture and past; that is a great benefit generated by the technological revolution.

Another great development and benefit for society is in communication. Many years ago when people left Ireland, they did so with the certainty that they would probably never be able to communicate with the individuals they were leaving behind in any meaningful or regular way. That has now gone as a result of the excellent developments that have taken place in technological and Internet communications.

There have been very many benefits as a result of the technological revolution, but there have also been very many negative consequences. I will give a couple of examples. No society has been exposed to the prevalence of pornography more than this one. Young people have never previously grown up with the promotion of pornography being so general and broad on the Internet. It must necessarily have an impact on their sexual development and perception of sexuality in general. We do not yet know what the consequences will be, but it is something we must watch carefully. We need to assist young people who are being exposed to matters such as this that previous generations were never exposed to. Another very negative consequence of the technological revolution is its facilitation and enablement of child abuse on an international basis as never encountered before. A third negative consequence is what is generally referred to as "fake news", with false information being given out and accepted by individuals as being true.

The issue on which I want to concentrate in this contribution is the damage being done in another important area of public life by the technological revolution. I am talking about the damage done by it to individualism. This is not a political philosophy; it is more of a social outlook or personal philosophy. Individualism is generally about individual people being able to make decisions for themselves based on their own intellectual capacity and life experiences. There is great benefit in a society having widespread individualism. It encourages the exchange of ideas and asks people not to get involved in "groupthink" which can be prevalent in certain societies. It adds to the intellectual life of a nation, when individuals can think differently for themselves, and promotes an exchange of ideas. It enables individuals to be honest with themselves about the generation of personal views, as opposed to the formulation of views based on what others think. Unfortunately, I am sure many others and I believe the technological revolution that has taken place in the past 20 years and, in particular, the accumulation of data from individuals have damaged the principle and practice of individualism.

Part of the reason large technology companies have so much information on individuals is they naïvely give away much information on themselves. There is also a purpose behind large technology companies or corporate entities wanting to accumulate data for individuals. They do it because they want to categorise individuals into groups and commodify them. They want to make it easier to sell these groups to advertisers or people who believe such groups would be of interest to a particular market for a product they wish to sell. We must be very conscious of the fact that this process of accumulating data for individuals and commodifying them into groups is having a very damaging effect on individualism. It is something we need to recognise and discourage. We need to constantly tell young and old people that they should formulate their own views and opinions based on their own intellectual assessments, rather than being told to do it or being malleable or impressionable while following a crowd. Unfortunately, many people now make up their minds not only on political issues but sometimes even on personal choices based on how they see the group to which they have affiliated acting. That should not be the case. It was always the case in Ireland and around the world that people could have a variety of views, but, unfortunately, we are now seeing homogenous views among society's groups. This is being used in a political context and around the world people's political views are sometimes formed because they believe the group to which they see themselves aligned in a data process has been identified as voting for or against some topic. Individuals naïvely see themselves as being in favour of that topic. Throughout history people have been impressionable and malleable, but, unfortunately, the technological revolution that has taken place with data makes that malleability even more apparent. It is one of the major concerns I have about the entire practice of data accumulation and the commodification of data by individuals.

I am sorry. I did not realise I had gone on so long giving what was probably a boring lecture for everybody.

7:35 pm

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I have to say I am finding it quite interesting.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Deputy. It is welcome that the Minister has identified that something will be done for Members of this House and other elected representatives. Looking at the equivalent British legislation, we can see that they are going through a similar process with their Bill. Some regulations have been included in it, not for the purpose of exempting politicians but recognising the very unique role politicians play in society. If we do not stand up for the status of what we do, as politicians, we may as well give up being Members of the House. We are not doing this to benefit ourselves but rather for the benefit of democracy.

It is important to recognise that we can have all of the data protection laws in the world in place, but there will be a huge responsibility placed on the Data Protection Commissioner. Fortunately, we have very many large technological companies in the country. Notwithstanding my views about the threat posed to individualism, it is welcome that employment is provided by these large groups. We need to recognise that the Data Protection Commissioner will have a major job to do as a result of the passing of the Bill and the extra responsibilities that will rest with the office.

7 o’clock

The Data Protection Commissioner is going to have a huge job to do as a result of the passing of this Bill and the extra responsibilities that will rest on her. We need to fund it properly.

I am also pleased to hear the Minister say he has looked at the recommendations of the Oireachtas Joint Committee on Justice and Equality. Much work was done on that committee on pre-legislative scrutiny. We produced a number of recommendations. One point that concerned me during the pre-legislative scrutiny, and this may provoke a wry smile from some people here, is that the law in respect of data protection will become a lawyer's holiday. The last thing we want is to have a situation where people can have their data infringed to a minor extent but a team of lawyers will advance a data protection claim which will result in not an enormous award of damages to the person whose data has been breached but it will be accompanied by correspondingly large legal bills.

I also support the finding of the Joint Committee on Justice and Equality recommending that fines be administered to public bodies in breach of new data protection legislation. If fines are not imposed on public bodies, there is no real sanction. The argument is that it is just a fine going from one public body to another. However, in that case, no sanctions would ever be imposed on a public body. We need to have a sanction in place. It is not so much the actual payment of the fine that is significant, but the fact that the fine has been imposed, recognising the wrongdoing on the part of the public body. I welcome that there is an entitlement to seek compensation. In general, the courts to date have awarded small amount of damages in respect of data protection breaches. Obviously, there may be examples of where large damages should be awarded. In general, however, I think the damages awarded should be moderate. That echoes the concern I have about the fact that we have to careful not to generate it into an industry where people can take class actions for breaches of data protection and the awarded damages will be minimal but the costs will be significant.

I have gone on for long enough. I and Fianna Fáil will be co-operating with the Minister and the rest of the House in trying to ensure this is enacted. We will probably be tabling our own amendments on Committee Stage and I welcome listening to the other contributors to the debate.

7:45 pm

Photo of James LawlessJames Lawless (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

To follow on from Deputy Jim O'Callaghan's comments, I welcome the Data Protection Bill implementing the GDPR. I will reflect on the origins of data protection in general for a moment. Deputy Jim O'Callaghan spoke of the rights of the individual. It is important to note that data protection is not a technological aspect but a human rights issue. Data protection has its origins in the many august institutions founded post the Second World War, including the Universal Declaration of Human Rights and the United Nations Commission on Human Rights, UNCHR, and the European Convention on Human Rights, ECHR, later on. It emanated from concerns about promoting peace and international co-operation and ensuring that the events of the Second World War would never happen again. The state does not need to know someone's religious preferences, sexual orientation or other sensitive information about an individual which could be exploited in horrendous ways or indeed for purposes slightly less malign but with many other malevolent possibilities.

Data protection legislation and theory has advanced from those early fundamental concepts into the Internet age, through the age of the PC and into the age of social media. Indeed, we had the Data Protection Commissioner, Ms Helen Dixon, and representatives from Facebook, before the Oireachtas Joint Committee on Communications, Climate Action and Environment this afternoon talking about the Online Advertising and Social Media (Transparency) Bill 2017. They also spoke about these issues which remain relevant today. I welcome the GDPR and this Bill coming before the House. However, I think the fundamental concepts in the previous legislation, the five or six general principles, were fairly sound. By being principle-based, they were easier to follow and implement because we had things like no more than is necessary, collect for the purpose consented to, and no more than for that purpose, etc. Those broad principles served us well. The GDPR is complex legislation. It has been thought through in detail in Europe and now here. However, it is fair to acknowledge the European Union, in particular as a driver of this, has been the gold standard in data protection and indeed the right to privacy in these areas to date.

Ireland is the home to much of Europe's data. As many multinational corporations are based in Ireland, that means we are the data centre for European operations. That in turn means that essentially most of the world's data that is not in the United States is controlled, managed and regulated out of Dublin. In a sense this is a good thing and a great opportunity as Deputy Jim O'Callaghan said. I refer to foreign direct investment, employment and technological advancement. Being in proximity to that for our students and graduates is a fantastic thing and long may it continue. However, it places strains on our regulatory officers, and the Data Protection Commissioner in particular. In the committee this afternoon I asked her a question I will now put to the Minister and flag it to the House in general. We saw a situation in the United Kingdom where the Information Commissioner's Office had to face the unedifying spectacle of appearing on national television announcing the seeking of a warrant to raid the Cambridge Analytica offices. The warrant was, I think, eventually procured a week later. Generally in matters of criminal investigation or evidence gathering, it is not a great start to give a week's notice to the office about to be raided. It is not the way it is done. I hope the powers and resources are available to the Data Protection Commissioner for the likes of dawn raid scenarios or any other scenarios of enforcement as may arise. If they are not there, it is something we need to look at and incorporate into either this Bill or elsewhere because regulation is only effective with enforcement. We have seen that in a number of sectors to date and this is no different.

On the Bill coming before us, we have heard it is important that fines are included. I am glad that public bodies are no longer exempt. That did not really make sense because the State is one of the largest controllers and processors of information overall. Why should it be exempt? That would seem to give carte blancheto ignore the rules and I am glad that has been addressed in the Seanad. The impact on the small firms sector has been a source of concern. Many are worried about the legislation because they understand it is onerous and complicated. With good faith and the best will, they want to implement it but they are concerned they may not be able to. I hope there is a degree of proportionality in respect of the introduction and early enforcement of that as firms do get up to speed. It is important they be given some degree of understanding and support to get there. Having said that, I think firms should not look at it as an entirely negative issue. It is an opportunity for firms to differentiate themselves and it could become a marketing strategy that a firm was GDPR compliant and the first in its sector to be so. They could turn it from a shield into a sword and become a positive.

If it unfortunate we are debating the legislation in the Dáil for the first time with five weeks to D-Day. It is less than five weeks. I think it is four and a half weeks now. Going back to the SME sector, I am aware of many firms in my constituency, and I am sure around the country, desperately trying to get up to speed and put in place training, regulation and audit regimes. I spoke to some recently and I said we would be amending it; therefore, the fact that the Bill is still a work in progress and small firms are desperately trying to get up to speed is far from ideal. I am not sure why it is only now, with four and half weeks to go, that we are getting to debate it in the Dáil. I know it has been through the Seanad in the past two weeks, but even at that, the debate in the Houses of the Oireachtas started six or seven weeks out from the due date. We knew this was coming for a couple of years. I understand the Minister flagged that there was consultation with the committee and perhaps wider consultation.

However, it seems that in this House we have ended up with two parallel systems. One is where the Government issues Bills which undergo deep and wide consultation, apparently, but much of it is unknown to us in the Houses of the Oireachtas and much of it is done privately behind the scenes in the Departments. The other is where Private Members' Bills are introduced and then the Government criticises them for being introduced too quickly, but there is no other option. We look forward to Committee and Report Stages being the place to thrash them out and indeed the scrutiny phase. On one hand the Government criticises Opposition Deputies for introducing Private Members' Bills and doing so, as it describes it, rapidly, whereas in actual fact it is only the normal process. On the other hand, if the Government delays introduction of a Bill to the Oireachtas until four and a half weeks before it is due to become law at European level, there is a difficultly with that.

There is much more I could say but I will conclude because we are out of time. However, I do want to flag that I will be studying the Bill along with Deputy O'Callaghan and my colleagues and I am sure we will be bringing amendments forward on the next Stage. I look forward to further engagement and discussion on the legislation.

7:55 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Ba mhaith liom fáilte a chur roimh an Aire. Beimid ag obair leis go pointe áirithe. Tá roinnt amhrais orainn faoi chuid mhaith den Bhille. Déanfaimid iarracht déileáil leis na deacrachtaí sin trí leasuithe a mholadh ar Chéim an Choiste. This is significant, complex and lengthy legislation. From our point of view there are still many concerns. The Bill was improved on several fronts in the Seanad. However, we still have significant concerns in respect of the legislation and if these concerns are not addressed we may not support the Bill at the final vote.

We acknowledge the need to complete this work by 25 May but we have serious reservations relating to ministerial exemptions, potential inconsistencies with the general data protection regulation and several other areas.

As has been outlined, the Bill partially emanates from the general data protection regulation. The European Parliament, the European Council and European Commission have attempted to strengthen and unify data protection for all individuals in the European Union through the regulation. The GDPR is essentially a minimum standard expected of each member state on the threshold and rights afforded to citizens of member states and the data protection of individuals within those states. More important, it supersedes domestic law. We supported the GDPR in the European Parliament. The principles behind it are good. Where we divert from the GDPR is where the Bill runs into trouble. As I have stated, this legislation has direct effect but some elements require legislation. Some elements allow for a margin of appreciation or discretion in how jurisdictions apply the provisions, such as digital age of consent.

The Bill is far longer than it needs to be. Deputy James Lawless made a point in reference to small and medium-sized enterprises and how the Bill could be amended in the context of the challenges they face. However, the reality is that the GDPR will be the GDPR and it will have supremacy. It will be European law and, therefore, it will be Irish law. We should seek to ensure that where there are allowances left to member states, we make decisions on them. Too much of this Bill attempts to adjust, make exceptions to or amend the principles and provisions of the GDPR.

Ireland is not fully in compliance with EU data retention law currently as of the Tele2 Sverige and Watson case. Essentially, we have been in breach of EU law since 2016.

There is a need for the protection of data protection officers from the interference of a data controller who aims to suppress a release of information on the basis that despite its release being in the public interest it is not in the interest of the data controller for a variety of reasons. We can imagine an employer or someone in a public body who may have an interest in the data protection officer not doing his or her job properly. The lack of protections or avenues for addressing these concerns represents an oversight. This flaw was raised in the Seanad. Nevertheless, it is something that can be provided for. The Minister has informed us that the general law covers this, but it would be beneficial and necessary for specific protections and procedures to be explicitly stated and put in place in that context.

The manner of the drafting of this Bill is not ideal or clear. After the passing of the Bill there will be need to consult three Acts, the data protection regulation and any other relevant European instruments in order to be aware of the legal position. It would be far clearer, better and more comprehensible for the provisions of the Data Protection Acts 1998 to 2003 to be consolidated into this Bill and for those Acts to be repealed. Deputy O'Callaghan has identified the potential for significant confusion and litigation. While such a move is no longer feasible at this stage before the coming into force of the GDPR, the Minister should consider consolidating data protection legislation as soon as possible.

One important change made in the Seanad was proposed by my Sinn Féin colleagues. The amendment required transparency and required the Data Protection Commissioner to conduct an impact assessment where the Minister of the day decides to involve public interest to bypass consent. The basis of the amendment was that the ministerial exceptions in this legislation are too broad. That was the reason we put in place the safeguard. We remain concerned but we believe the amendment must be retained as a safeguard.

It is welcome that the Minister has accepted that public bodies should be open to being fined. That is welcome and important. This was a flaw with the original Bill but it is welcome that the Minister has taken the point on board. It is important there is an incentive for compliance, including for public bodies. It is welcome that this has been taken on board. The concern was shared by many.

The Seanad held a comprehensive debate on this Bill. I commend Senators on their work, including my colleague, Senator Niall Ó Donnghaile, and Senator Alice-Mary Higgins, who made a significant contribution across a wide range of amendments. Despite their best efforts I still have misgivings. In general, our concerns relate to the far-reaching exemptions and discretion. We are also concerned that the protection for data protection officers from the interference of a data controller who aims to suppress the release of information is inadequate - I addressed this point earlier.

There is potential for a lack of legislative clarity due to the potential contradictions between this legislation and the GDPR. I am concerned about section 45, which I believe may not be fully in compliance with article 9 of the GDPR. Article 9(1) states: "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited." The expression "shall be prohibited" is the key phrase. I understand there are exemptions under article 9(2)(g) of the GDPR. However, my party believes that the relevant section in the Bill does not fit the definition of the exemptions outlined in the GDPR. I do not believe, therefore, that the Bill is in compliance with article 9. This is the basis for our significant concerns.

Aside from being contrary to the GDPR, and by extension, European law, the Bill is ambiguous in a number of aspects and there may be several unintended loopholes. This could lead to an infringement of rights in the context of data protection for citizens. Such loopholes would leave us in a situation whereby Ireland could become a target for those who deal in micro-targeting and data harvesting due to inadequate regulation and oversight. My interpretation is that the amendment to section 45 proposed on Report Stage in the Seanad fell short of what was required. It was an improvement but, as I read it, the provision would allow a political party, organisation or data company of whatever kind to come to Ireland with the intention of compiling voter data or data on citizens for the purposes of an election or electoral purposes elsewhere. This would be contrary to article 9. Perhaps the Bill deals to some extent with data collected in this State for use in the State but I do not believe the extraterritorial issues have been adequately dealt with.

The data breach relating to Cambridge Analytica has been discussed at great length. Deputy Jim O'Callaghan articulated well the advantages of modern information technology, as well as the dangers. Even where it is legal, I imagine many would have reservations and misgivings about the scale of data gathering that occurs and the analysis and management of it.

I do not believe the legislation properly manages the prevention of the collection of data of those under the age of 18 years. We should consider a ban on the micro-targeting of those under the age of 18 years, as well as banning their psychometric profiling.

I have concerns about section 36. I do not believe it is in compliance with the general data protection regulation, GDPR. It should be the same as it. As with this and many of the other provisions, the GDPR, when it takes effect, will not only be European law but also Irish law. It is an unusual European instrument in that it will largely have a direct effect, but it does allow some flexibility. I do not know why the Department and the Minister have taken the approach of trying to spell out everything where it is not necessary to do so.

Likewise, while section 38 has been improved by the introduction of the proportionality test, I am concerned that it is not necessarily in compliance with the Bara judgment. As with many provisions in the section, the Department has adopted an approach of providing that something shall be lawful, with some exceptions, whereas the GDPR takes the approach of providing that something "shall be prohibited", with some exceptions. That does matter and it is those differences and forms of language that will be examined by the courts in making decisions in cases in which there may be contradictions.

Inserting section 38 appears to be the way the Department intends to legislate for the public services card. I believe it knows - it has all but admitted it, as have other Departments - that the legal basis for demanding the public services card in exchange for services from the Government is effectively non-existent. The Government is attempting, in what I believe is a cynical way, to shoehorn in this provision. It is a very serious matter. If there is to be a requirement to have a public services card and for the gathering of that kind of data in the management of public services, it should be the focus of a separate debate. This is a general provision which is attempting to provide legislative cover where it was not provided previously without adequate safeguards, at the very least to require people to produce a public services card.

The public interest is referred to as the safeguard for numerous exemptions provided for in the Bill. There are more than 20 exceptions from the GDPR generally where the public interest is referred to, but the public interest is not properly defined or specified in the Bill. It is much more specific in Article 9.2(g) of the GDPR which states the interferences with the public interest should "...respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject". Given that the Minister has taken the approach of trying to put as much as possible into the legislation, which is questionable, it is unusual that some of the less specific points relate to the safeguards which have not made it into the legislation.

I am also concerned that electoral activities under sections 45, 55 and 56 are not properly defined. There is surely potentially ample room for challenge and query and for legal cases to be taken on the basis of a lack of clarity and a contradiction with the GDPR.

Another gap in the Bill is that it does not include the provision in Article 81 that not-for-profit groups can bring actions on behalf of data subjects. The regulation envisages a form of multi-party action akin to a class action, but that is not provided for in the Bill. Our Multi-Party Actions Bill has passed pre-legislative scrutiny stage. I hope it can proceed to Committee Stage at an early date and that the Minister can provide a money message to ensure it can be enacted as soon as possible. It is relevant not only from a data protection point of view but also to a number of other areas.

I referred to electoral activities. Clearly, there is a need for a greater definition and greater clarity as to what is involved. There is certainly the potential for disagreement on what electoral activity involves. The Minister made reference to amendments that he was likely to bring forward on the operations of Deputies in their offices. Their work in their constituency offices regularly involves making representations or inquiries on behalf of constituents. It is unfortunate that people often believe the only way they can get satisfaction with respect to matters concerning public services is to go to a Deputy, whereas, by right, they should be able to seek out and achieve answers on such matters themselves, but that is another matter. I do not believe there is anything in the GDPR that prevents this from happening. I will carefully examine the amendments when they are brought forward as it is a role that needs to be carefully protected. My understanding of the GDPR is that where such representations are likely to be made, it requires full and informed consent and good records to be kept. There is nothing in it that prevents anyone from making representations. I will examine the amendments, but I do not believe the GDPR in any way prevents it from happening. If the Minister believes it does, that should be stated.

I made a point about incentives and fines. Recital 149 of the GDPR allows member states to penalise companies that break data protection law with a clawback of the profits obtained through misbehaviour. That would mean that those acting outside the law, intentionally or otherwise, would be deterred from taking an action that could see them profit financially, even in an illegal way. That is something the Government should consider. It is not something that has been considered up to now. It is one of the areas in which the EU institutions have allowed flexibility. I do not believe the Minister has addressed it thus far in this debate, the debate in the Seanad or elsewhere. It would be a significant deterrent to companies to misbehave. The examples are all around us. We heard at a joint committee this week that the potential for the misuse and exploitation of data was very clear. The Government should consider this. We will bring forward amendments in that regard. If companies are going to exploit, undermine and abuse data and profit from them, why should they, when caught, not be penalised for it through a clawback of their profits? It is eminently logical and sensible and right.

I have a concern about this legislation in the context of Brexit. When the United Kingdom becomes a third country after Brexit, for the purposes of legal certainty in the GDPR, the European Union and its institutions will require an adequacy decision from the United Kingdom. The Government has stated thus far that it is confident that will be achieved and not present difficulties. However, Jan Philipp Albrecht, the European Parliament's rapporteur for the GDPR, has expressed doubts about whether the United Kingdom could obtain adequacy, as he has said there would be fewer safeguards for intelligence services in the United Kingdom than in the United States. That is a matter of enormous seriousness, given the Border, the great concern in this state about Brexit across a wide range of areas and the fact that there are a number of areas in which data may need to be transferred between various authorities in the North and the South with the usual safeguards. However, if the United Kingdom cannot obtain an adequacy statement, that will present very significant problems for this state. Will the Minister provide greater clarity on this issue, on whether there will be an adequacy statement and whether it will be achieved immediately? We need to inquire of the European Parliament's rapporteur to a greater extent why he believes there may be difficulties in that regard. It is extremely serious and an implication of Brexit that has not been properly explored up to now, either here or in London.

We will approach this legislation on the basis of critical engagement. We will support positive amendments. However, we are very concerned about the level of ministerial exceptions, the inconsistencies with the GDPR and the potential for a lack of legal clarity.

8:15 pm

Photo of Seán SherlockSeán Sherlock (Cork East, Labour)
Link to this: Individually | In context | Oireachtas source

The first issue I wish to raise relates to the complexity of the data protection code. In Ireland we have chosen to retain most of the Data Protection Acts 1988 and 2003, although we will in the future apply them only to cases involving national security, defence or international relations. For every other case, we will have the new EU data protection regulation which has 173 recitals and 99 articles. We will also have this implementing Bill which has 165 sections and three Schedules. The Bill and the regulation will have to be read side by side.

Data protection compliance is as pervasive an issue in modern society as tax compliance and the code is becoming as complex, attracting its own cohort of professional advisers who are needed to explain all of it to those of us who must comply with it. The rules do not just apply to the Mark Zuckerbergs and Denis O'Briens of this world. The reality is that every one of us who has even a basic mobile phone that stores names and numbers is a data controller in the eyes of the law. Years ago the code was extended to apply to manual as well as electronic records. The rules will not apply to what are called "purely personal or household activities", but if someone has any name or number on his or her phone that he or she no longer needs for personal or household activities, strictly this law will apply to that person and he or she will be in breach of it. I wonder how many citizens are aware of this.

An example of the complexity are the rules relating to children. First, there is the so-called digital age of consent. This is the age at which a child has the capacity to consent to the processing of personal data by the provider of an "information society service". The regulation deals with personal data, data that identify or are about an individual person and include names, addresses, dates of birth and anything that a person shares on social media such his or her preferences, status updates and, in many cases, private conversations over messaging apps, among other elements.

A key issue in the GDPR involves the notion of profiling. Profiling is essentially about using algorithms, data analytics and artificial intelligence to predict what a person might like, what his or her fears might be, what his or her biases might be, what advertisements he or she would like to see and to what messages he or she would respond well. While this all sounds of little consequence, recent scandals such as those involving Cambridge Analytica show that profiling is an extremely powerful tool and can be used to undermine democracy and manipulate ordinary citizens. The tools used to profile users are complex computer algorithms that use machine learning, data analytics and artificial intelligence. A major question in the context of data protection is whether the typical user of any online platform on which one shares data actually has a good enough understanding of how these algorithms work and what the consequences of sharing data that are fed to them might be.

Before proceeding, I acknowledge the work of people like Professor Barry O'Sullivan, to whom I have deferred on this matter as a guide on its technical elements. Professor O'Sullivan who is a professor of computer science at University College Cork highlighted to me that an important point to remember was that the Internet was designed as a democratic environment in which all users were treated and regarded equally. As a consequence, no special allowance is made for children online, but they do deserve special attention.

There has been considerable debate in the Houses on the digital age of consent. It is Professor O'Sullivan's contention, as an expert in the field, that the digital age of consent is not about when children can go online, use devices, etc.; rather, it only relates to situations where the processing of the personal data of a child is performed. The Bill sets the Irish digital age of consent at the lowest possible age - 13 years - but do we believe a child of 13 is able to understand the power of algorithmic profiling? Do we believe children understand how their actions online influence the adverts that they see or the content suggested to them? The answer is surely not. Of course, one can easily make this argument against 16 year olds also, but we should err on the side of caution and set the digital age of consent at the upper end of the allowed age band, that being, 16 years. Doing so would keep Ireland in line with Germany, the Netherlands, France and others that have best-in-the-class approaches to protecting children online. A digital age of consent lower than 16 years is out of line with the age of consent for other matters, for instance, giving consent for health procedures.

It is important that parents have the power to give consent for young children, which a digital age of consent of 16 years would provide. Parents need to be in a position to parent their children, not to be excluded in this instance at the age of 13 years. Advocates for a digital age of consent of 13 years might argue that children have a right to a voice online and a right to participation. No one is arguing against this. However, the digital age of consent only applies when their personal data are being gathered and processed. The argument should be about providing children under the digital age of consent with platforms that do not exploit their personal data as a condition of their use. This is particularly important for vulnerable younger children who should not have to rely on parental consent. The issue in this instance becomes the provision of safe places online that protect their anonymity and platforms that do not profile them on the basis of personal data. Relying on commercial platforms such as Facebook, Instagram, Snapchat and others to provide such safe places or to attempt to use them as such puts vulnerable children at risk. Such risks can arise from the unintentional breach of their anonymity, their targeting through advertising and marketing campaigns based on their interactions online and the potential exposure to individuals online who might not have their best interests at heart.

Many special interest groups and children's rights representatives have argued for a digital age of consent of 13 years. Some of the arguments include the question of how we should support children whose parents are, for example, abusive and, therefore, cannot be relied on to give consent; the need for a child in care to have access to his or her birth family, other family members and friends where it is not clear who has the power of parental consent; and those children who need access to support and preventive services.

It is important to stress that it is dangerous to rely on social media platforms to provide a mechanism for vulnerable or at-risk children to network with like-minded children. First, the existence of these children on such platforms is often easy to discover by a parent. For example, if the child and the parent use phones to access Facebook and each has the mobile number of the other on his or her phone, Facebook can recommend each of them as a possible friend to the other. In other words, the anonymity of the child is not protected, as has been argued on social media sites.

Second, the closed groups might themselves be dangerous since predatory individuals might lurk in them to befriend vulnerable children.

The solution that must be provided to support the children of abusive parents is not standard social media companies but platforms that are safe and that do not process personal data, which would make them exempt from the digital age of consent. Who has parental responsibility for the child is something that should be clarified in the Data Protection Bill 2018. For example, such consent could be given by the person or entity that has guardianship of the child. This is something the Bill needs to include and that can easily be solved.

We have to acknowledge the complexity of the world in which children live. In this party we take the view that we should err on the side of caution and that the most appropriate digital age of consent is 16 years.

The regulation defines an information society service as a service normally provided for remuneration at a distance by electronic means and at the individual request of a recipient of the service. It includes services that are not directly remunerated by those who receive them, if they represent an economic activity. Google search, as an obvious example, falls within the definition of an information society service. The Government has decided to set at 13 years the age at which a child can consent to the processing of his or her personal data in connection with an offer from an information society service. I note that a Seanad amendment provides for a review of this age limit after three years. However, the Bill contains provisions relating to codes of conduct for the protection of children who, for this purpose, are all persons under 18 years of age. We will have 13 year olds with the capacity to sign away their personal data, even though for the next five years of their lives they will be the subject of special protective codes because in the eyes of the law they are still children. It is a contradiction in terms.

On top of this, we have to incorporate the common law rules relating to children and contracts. As I see it, these rules have not been displaced or amended by the Bill. Article 8 of the regulation specifically states its provisions "shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child". What is the position on this apparent contradiction? The digital age of consent is not about a child’s general capacity to enter into a contract; it is solely about his or her capacity to consent to the processing of personal data. It does not affect the general law of Ireland on the validity or effect of a contract with a child or so it states. As I said, under Irish common law, an individual does not have full capacity to make a contract until he or she is 18 years of age. There is an exception for the sale to a minor of what the law calls "necessaries". If these common law rules are left in place and unamended, it seems that the outcome will be that a minor will have the capacity at 13 years to consent to the processing of his or her personal data but may not have capacity to enter the substantive contract in question on the grounds that it is not a contract for a "necessary". Whether the contract is for a necessary entirely depends on a court’s views on the contract in question and, in particular, the goods or services in question and the minor’s need for them. If that is so, in such a case the contract will be unenforceable against the minor such that, for example, any debt accruing will not be recoverable. My point is not so much about whether these are good or bad rules. My question is whether it is an improvement to have two sets of rules that can conflict with each other and which cease to apply at different ages. That is the nub of what I am saying.

I will speak briefly about electoral activities. Following the Cambridge Analytica saga, the mass manipulation of personal data banks for electoral and referendum purposes has attracted a great deal of interest and comment. The Minister responded in the Seanad with amendments to section 45. The section now provides that, as an exception to a general prohibition, the processing of personal data revealing political opinions is lawful where it is carried out in the course of electoral activities in the State by a political party or candidate or a referendum commission. I wonder if this tightly drafted exception has missed the point. As I understand it, Cambridge Analytica is not accused of processing personal data that revealed political opinions. It is accused of amassing data from Internet usage that enables it to compile a crude psychological profile of an individual in order to assist an advertiser in deciding how to shape a political message that would specially appeal to that individual, a custom designed message that would not be seen by the broad mass of voters. If that is correct, I do not see how section 45 would apply to these activities at all. The section, as amended, does seem broad enough to cover political canvassing and the marking of the register, but, as the Minister seemed to admit in the Seanad, it is not a form of exemption envisaged by the regulation. In other words, there does not seem to be a specific provision of the regulation that enables the Oireachtas to carve out an exception enabling the processing of political opinions for electoral purposes. The best the Minister can point to is Recital (56) which states "Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions" and so forth. I note that the Minister has said he intends to bring forward an amendment. I do not know if it will speak specifically to that issue. I am hopeful it will. We are putting him on notice that it is our intention to speak to this issue further on Committee Stage.

We in this House and the upper House, councillors and every elected representative in the country are not always electioneering. We aim to always be ready for an election. In the interim, we act as a citizens advice bureau and social workers, legal advisers, advocates and facilitators. We explain and, to some extent, humanise the bureaucracy of the State on behalf of our constituents. This daily routine of our lives has nothing to do with section 45. It is not electoral activity and does not involve processing data on political opinions, but in this process we compile varied and detailed files which, of their nature, are full of personal information, much of which is very sensitive. When elections are held, we contact the people in question and remind them of all the occasions on which we engaged with them in the preceding years. There is nothing underhand about this. It would be astonishing if we did not do it, but is it legal to do so?

Sections 55 and 56 of the Bill seem to have been designed to override the general provisions of Article 21 of the regulation. That article gives an individual the right to object to the processing of his or her personal data. The two sections of the Bill state this right does not apply to direct mailing or data processing carried out in the course of electoral activities. I am entirely unclear on whether this covers direct mailing during an election from a database compiled outside election time and which is compiled from constituency clinic cases. There is a need for clarity in that regard because it goes to the heart of what we do. If no clarity is provided, we are in an existential crisis. If, for example, we are obliged under the general rules not to retain constituent data for longer than is necessary to deal with a clinic case, how would we have the wherewithal to generate any direct mailing list at election time? I can well appreciate that the law should apply to our activities and the information we amass and keep, but I cannot help wondering, having regard to our own activities, how well we and, by extension, the rest of the country will, in practice, comply with the detail of the rules we are about to make.

8:35 pm

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

The reason I am a socialist and believe capitalism needs to be replaced with a system that has a different set of values is that in its essence capitalism turns everything into a commodity from which someone can profit. As he or she accumulates that profit, he or she gains more and more power over society. When the first critiques of the pernicious logic of commodification and profit at the heart of how capitalism operates were developed by people like Marx, they talked about the commodification of raw materials, goods and services and the profits accumulated by the owners of these resources, factories, small businesses, landholdings and so on. Even 200 years ago Marx understood the logic was relentless, that the process of commodification would reach into every single aspect of human existence and the natural world and that slowly but surely everything would be commodified and made subject to the cash nexus. In fairness to Deputy Jim O'Callaghan, perhaps slightly surprisingly, he alluded to this and was absolutely right. That is where we have got to with the digital or information technology revolution. I do not think even Marx could have understood just how far-reaching the process would be in commodifying every aspect of our existence, down to genetics, with the genetic profiling of individuals, categories of people and so on. The digital revolution has facilitated the process of commodification to an absolutely extraordinary degree.

The beneficiaries of the technological process, the owners of the information or the technology that amasses and controls that information on us accumulate levels of wealth parallel to their accumulation of enormous stores of information on us as human beings and individuals and now dominate the economy and the globe like colossi. It could not have been envisaged 200 years ago when capitalist development got under way that a few companies such as Facebook, Google and Apple would absolutely dominate these sectors and control a vast amount of information on us, as we see in the issue being discussed in the courts related to Mr. Denis O’Brien, the richest individual in the country. His extraordinary control of the media, another source of information on our society, beggars belief and deserves another debate on its own merits because one wealthy individual who seems to be fêted constantly by Taoisigh and prominent political figures can control the Irish Independent, Sunday Independent, Sunday World, The Herald, half of the Daily Star, The Kerryman, the Drogheda Independent, the Wicklow People, the Wexford People, the Waterford People, 98FM in Dublin, Newstalk, Today FM, Spin, Spin South West and the list goes on. Now there is an allegation that Mr. Denis O'Brien was using his control over Independent News & Media, an enormous corporation, to access the data of the journalists working for it.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I have to draw the Deputy's attention-----

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

It is an allegation. I am just saying it is-----

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The Deputy does not know what I am going to say.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I apologise.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I accept. Members should be aware of the sub judicerule. Standing Order 59(3) reads: "A matter shall not be raised in such an overt manner so that it appears to be an attempt by the Dáil to encroach on the functions of the Courts or a Judicial Tribunal".

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I am just stating this is happening. The allegation is very much in the public domain. I am not judging or adjudicating on it.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

That is a matter for the courts to decide, not this House.

Photo of Richard Boyd BarrettRichard Boyd Barrett (Dún Laoghaire, People Before Profit Alliance)
Link to this: Individually | In context | Oireachtas source

I am not deciding it. I am not even offering an opinion on what the outcome of the case in the courts should be. I am simply stating what anyone can read on RTÉ's website, that the matter is being looked at and that there is an allegation which was written about widely in the newspapers at the weekend that Mr. Denis O'Brien and his representative in that company inappropriately accessed journalists' information and their sources, possibly including barristers and so on who were involved in the Moriarty tribunal, possibly including politicians and other sources. That matter is being investigated. Whether he is guilty will be adjudicated on by the courts. I am simply pointing out that that level of control and wealth gives people that access. Will the legislation we are bringing forward to protect data, in this case emails, if people are found guilty of the very serious charges levelled against Mr. Denis O'Brien, result in the police being sent for or will there be administrative sanctions? That is important because there is a parallel system of justice when it comes to these matters. It works in financial areas where, if someone is found guilty of engaging in white collar crime, the Central Bank imposes administrative sanctions and the person concerned is then immune from criminal sanctions. Will this legislation ensure people who are found guilty will be jailed, if, for example, as in this case, the courts adjudicate that there was illegal access of journalists' data? Will the police be sent in or will there be administrative sanctions? I want people who turn out to be guilty of committing that kind of crime, not just in this case but any case, to go to jail. They are doing exactly the same as someone who breaks into a house and burgles it. It should be treated as a criminal offence. There should not be two laws, whereby there are administrative sanctions for the corporate or financial sector or the owners of big digital corporations who have a lot of information on us and inappropriately allow our emails to be given to others, without our permission. They should be jailed. There should be dawn raids to arrest them. They should be subject to the same criminal sanctions as those guilty of common or garden criminal actions or theft. I would like to see legislation that would ensure that would happen.

Debate adjourned.