Dáil debates

Wednesday, 16 May 2018

Data Protection Bill 2018 [Seanad]: Report Stage (Resumed)

 

Debate resumed on amendment No. 13:

-(Deputy Róisín Shortall)

2:20 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

This group of amendments, Nos. 13 to 15, inclusive, deals with similar matters. My amendment No. 14 and amendment No. 13 both deal with the issue of micro-targeting of children under 18 years of age. The difference between my amendment and that proposed by Deputies Daly, Wallace and Shortall is a few words; the presence or absence of "for financial gain". I am not particularly precious about whether it is mine or the other, but I do believe that they are important amendments. The purpose is to restrict the profiling, harvesting and targeting of data on children by companies which advertise on social media. This is vitally important, perhaps more important than some other measures that are considered in the Bill, if we are truly to protect children from harmful online marketing. Deputy Micheál Martin and the Fianna Fáil health spokesperson stated as recently as Monday that they want to see children protected from such practices online. Both these amendments do exactly that. I hope that we will have the support of Fianna Fáil for these amendments.

In response to these amendments on Committee Stage the Minister selectively quoted recital 47 of the general data protection regulation, GDPR, that such activity was a legitimate activity, but he omitted that the purposes of direct marketing were superseded by the public interest and that Governments had the option to provide for the legitimate public interest in that context. I would love to hear the Minister's argument that this type of targeted and cynical direct marketing supersedes the health interests of the children of Ireland. Without the amendment, sugary drinks, for example, and other harmful items and agendas such as those that promote a particular body image could be marketed directly at children in a very exploitative way. This is in a context where the population in Ireland is set to be one of the most obese in Europe by 2030.

Currently, young people are very exposed to data profiling and targeting by commercial organisations and businesses. This needs to be tackled. There are very serious risks in this regard, especially when marketing harmful goods or products or pushing a harmful agenda, such as making young people excessively conscious of their appearance and body. We must tackle this issue, not only for children but for society as a whole. The Cambridge Analytica story shows how these strategies can be used against us all. Facebook has confirmed it has recently banned some 200 apps for that reason. It shows the scale of the risks for us all. Children, however, are particularly vulnerable. Many children will not be aware how their actions online influence the adverts that they see, and they will not be aware of the extent to which their data is being gathered, the profile that is being built up on them and the way it is being used to exploit them.

On the digital age of consent, Sinn Féin believes that 16 is a more appropriate age for young people to be in a position to make informed decisions about their safety and about the data that they are sharing. Putting the digital age of consent at 16 is not a silver bullet but it means that children, in general, will have reached a greater level of maturity when making decisions about when and how they can share their data with companies. Some commentary has intimated that perhaps the digital age of consent does something beyond that. It relates specifically to the capacity to make decisions on sharing data.

This is not a position we have arrived at lightly or without consideration. We have engaged at length with people arguing for both perspectives. I believe all concerned have the best interests of children at heart. There are expert organisations with significant weight on both sides of the argument, which we have considered carefully. On balance, however, it is Sinn Féin's view to err on the side of caution on the very important issue of the online safety of children and to favour 16 years of age as the age of digital consent.

We are conscious that this is not a silver bullet. People have expressed concerns about a false sense of security. I recognise their concerns. Some of the responsibility for dispelling any such sense falls on all of us, but that can only happen if we allow it. I urge those in the media who are covering this story not to mischaracterise it and to reflect upon the fact that much is still required if we are to ensure safety online, not only for children, but for us all. I urge the media to inform parents not to take from this a false sense of security. Parental discretion, oversight and education on social media remain crucial. We favour this issue being kept under ongoing review.

There remains the possibility of young people finding ways around this measure regardless of whether we set the age at 13 or 16 years. Age verification processes are weak and many young people will simply lie to get around them. We need to force companies to tighten up on age verification.

Sinn Féin has tabled amendments on micro-targeting of under 18s. They are supported by the Irish Heart Foundation and many other organisations. Our amendments would go a significant distance towards tackling the exploitative practices of many companies. We also want to see progress on our Digital Safety Commissioner Bill, which passed Second Stage in 2017 and is awaiting Committee Stage. In the context of the significant debate on online safety, I hope that the Government will provide a money message for the Bill if so required. It is important legislation, there is broad consensus on its proposals and it is largely supported by the Taoiseach and the Minister for Communications, Climate Action and Environment. Setting up the office would provide national minimum digital safety standards, codes of conduct and certification of platforms and websites, and create for the first time a statutory body responsible for digital safety.

In the context of a properly resourced digital safety commissioner, a ban on micro-targeting of under 18s and other measures to ensure proper online safety, we would be open to re-examining the digital age of consent, be that through a review built into statute or via other means. At this juncture, however, it is our belief that it is best to err on the side of caution. We will favour 16 years of age in the amendments.

2:30 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 13 and 14 aim to protect children older than the digital age of consent of 13 years but younger than 16 years of age from being targeted, including through the use of sophisticated means, by companies online in a marketing context. The right decision is to have a digital age of consent of 13. All of the child protection experts tell us that this is so if we are to vindicate the legal rights - that is what they are, not aspirations - of children to participate and to be heard. These rights are enshrined in Article 12 of the UN Convention on the Rights of the Child, UNCRC, and Article 24 of the EU charter. Children also have rights to freedom of expression and assembly.

Obviously, it is less desirable that children should be micro-targeted by sophisticated algorithms designed to use their data to manipulate them. Indeed, that would be undesirable in anyone's case. Unfortunately, the GDPR does not give us that protection or the right to raise the bar for everyone, but we should at least do it in respect of children. It is important that children are able to exercise their autonomy in using online services from the age of 13, but we should throw the onus back on the companies that would exploit their data for profit. It is unrealistic to place another responsibility on parents by increasing the age of consent to 16. The increase would run the risk of violating children's fundamental freedoms and create privacy risks for parents. It would be far better if responsibility for policing platforms was placed on the providers, whose bread and butter is the kind of sharp practice we are trying to prevent.

Amendment No. 15 seeks to raise the digital age of consent from 13 years. We agreed the current age on Committee Stage and strongly believe it should be retained. We welcome the Social Democrats' move to a position of upholding the current age. The heat and noise created around this issue by sections of the media are an indictment of the laziness of these individuals in their coverage of important matters. The Bill has 162 pages, but all they can concentrate on is one line. It is pathetic, given the ramifications. A number of political contributions were slightly similar, but I mainly blame the media in this regard. It is the modern equivalent of "Just say no" in respect of drugs and sex education and it denies our young people access to social media and the Internet. They should be educated and enabled in taking a harm reduction approach. Instead, we are perpetuating the myth that we can protect them, which is nonsense.

One of the issues that have been downplayed in this discussion is the question of how to go about verifying children's ages online. It is significant that we thrash this out now, as raising the age of consent to 16 will bring many more children and websites into the dragnet. How do we verify children's ages? In the US, the COPPA Act has been in force for almost 20 years. It obliges operators of child-focused websites to get verifiable parental consent to allow children under 13 years of age to use those websites. In that sense, it is a more limited proposition than requiring parental consent for anyone under 16 years of age to access any commercial website. Despite being narrower, COPPA has been subject to heavy criticism because of the privacy implications of obtaining verifiable parental consent. In the US, ways of getting that consent include requiring a parent to scan and send a copy of his or her credit card or government-issued IDs, which would be held in a central database. A few years ago, the Federal Trade Commission, FTC, approved the use of knowledge-based authentication for verifying children's ages online. That is mad stuff.

As should be clear, all of these methods of verifying parental consent are privacy nightmares and an opportunity to hoover up sensitive parental data. As such, it is not surprising that, in the GCHQ's most recent Cyber Accelerator funding round, it provided a grant to a company called Trust Elevate that, according to itself, solved the problem of age verification and parental consent for young adults and children in online transactions. Interestingly, Trust Elevate was recently recommended as a possible solution to online age verification by some of the loudest voices calling for the age of consent to be increased to 16, the same voices that told the Oireachtas committee that they believed that robust age verification online was one of the most crucial requirements. It is not surprising that individuals with a security and intelligence background have an interest in getting people to reveal their identities online.

If we want to protect children, we should be listening to the people whose primary focus is on doing just that. Every single person and organisation involved in child protection has stated clearly that the current digital age of consent is the best option. People from the security and intelligence industry undoubtedly have valid reasons for their emphasis, but those are not child protection reasons, so the House should not use them as an excuse to follow those people's arguments.

The alternative to tight verification controls that hoover up large volumes of data are light controls, which are basically the type of box ticking seen with WhatsApp. If people are asked whether they are over 16 years of age, they will tick the box to say they are. That is it and good luck. It is nonsense. Who are we conning with this unenforceable digital age of consent? It will have the downsides of denying young people access to important websites that could protect their interests and shutting down many child services out of fear of being implicated in data breaches. It would be a nightmare, so we should uphold best practice and keep the digital age of consent at 13.

Photo of Seán SherlockSeán Sherlock (Cork East, Labour)
Link to this: Individually | In context | Oireachtas source

Our amendment No. 15 substitutes "16 years" for "13 years".

I have spoken on this issue on Second and Committee Stages so will not overly detain the House. I have made clear that I favour a digital age of consent of 16. The advocates for a digital age of consent of 13 have argued that children have a right to a voice online and to participation. However, the digital age of consent applies only when the personal data of children is being gathered and processed. Children under the digital age of consent should be provided with platforms that do not exploit their personal data as a condition of their use, which is particularly important for vulnerable younger children who should not have to rely on parental consent. The issue here is the provision of safe spaces online that protect children's anonymity and platforms which do not profile them on the basis of personal data. Relying on commercial platforms such as Facebook, Instagram, Snapchat and others to provide such safe spaces or attempting to use them as such arguably put vulnerable children at risk. Risk may also arise from an unintentional breach a child's anonymity, his or her targeting through advertising and marketing campaigns based on his or her interactions online or potential exposure to individuals online who might not have the child's best interests at heart. I am speaking euphemistically there but people will understand to what I refer. A digital age of consent of 16 would be in line with that in place in Germany, the Netherlands, France and other countries which have best-in-class approaches to protecting children online. The political position in the Netherlands in adopting 16 as the digital age of consent was based on two simple principles: that parents must parent and that medical consent is granted at the age of 16 and, that being so, it followed that the digital age of consent was also set at 16. Many parents with genuine concerns about the age being set at 13 have contacted me on this issue.

The Committee on Children and Youth Affairs had a discussion with Professor Barry O'Sullivan of University College Cork and Dr. Mary Aiken on this issue in the context of cybersecurity for children and young adults. Professor O'Sullivan stated:

For clarification, the digital age of consent is not about when a child can access the Internet, it is merely the age at which a child can consent to a profiling of their personal data and that is it. It is not about access, it is just the age at which a child can say he or she is happy to be profiled by a social media company or by a game. Notably, Ireland has opted for 13, the lowest age of digital consent allowed under the GDPR. The Data Protection Bill 2018, which enshrines an Irish digital age of consent of 13, was submitted to the Seanad on 8 February 2018 and is currently under consideration.

He further stated:

There is a need to stop conflating a child's right to access information online with the digital age of consent which specifically relates to the age at which a child can sign legal agreements with online service providers who gather, profile, sell, and commercialise personal data. We both agree that this conflation has mis-stepped the entire debate on the digital age of consent in Ireland because people think it is about access when it is not.

One could argue that the GDPR, which sets a digital age of consent of 16 but allows member states to lower it to 13 or otherwise, does not take account of the points dealt with by amendments Nos. 13 and 14. Amendment No. 13 states: "It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting, for financial gain." It would be useful to hear the Minister's justification for not having within the legislation very clearly delineated lines regarding the exploitation of children in terms of the use of their information for direct marketing or profiling purposes or for micro-targeting, as the amendment states.

One could argue the digital age of consent is a moot point because the age verification issues of which all Members are aware have not been resolved. Members are quite tuned in to the fact that notwithstanding what we legislate for, anybody of any age will be able to access information and create false profiles. However, on the balance of probability, to set the digital age of consent at 16, as is the case across Europe, would be the best possible course of action here. A digital age of consent of 16 is the best of a bad set of choices in terms of seeking to provide some legal protection for those under the age of 16. The issue of self-verification was also dealt with at the Committee on Children and Youth Affairs. It was told that self-verification does not work but that there is potentially a role for Ireland to be a leader in that regard and that could be done through the Data Protection Commissioner and so on.

We intend to press amendment No. 15. This is about legislating to provide maximum protection against the exploitation of children.

2:40 pm

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The three amendments under discussion all seek to provide greater protection for children under the Bill. Amendment No. 15 seeks to raise the age of digital consent from 13 to 16. I mentioned on Committee Stage that Fianna Fáil supports a digital age of consent of 16. I will not address that amendment today as my colleague, Deputy Thomas Byrne, will do so.

I wish to address amendments Nos. 13 and 14, which seek to provide greater protection for children by protecting them from micro-targeting and profiling. All Members should support that objective provided it does not conflict with the provisions of the GDPR. There is too much commercialisation that tries to target children with products such as fast food or particular games. If we can, we should provide protection from such targeting.

It is instructive to note that a child is defined in the Bill as a person under the age of 18, so amendments Nos. 13 and 14, if passed, would apply to all persons under the age of 18 rather than only those aged between 16 and 18. I would rather support amendment No. 14 as tabled by Deputy Ó Laoghaire because I note he has removed from it the term "for financial gain" which caused me concern on Committee Stage. I have a slight concern that the amendment only makes it an offence for a company or corporate body to engage in the micro-targeting or profiling of children. Companies may be able to get around that by purchasing data from individuals who carry out the profiling and targeting of the personal data. However, that is not sufficient reason for me to oppose the amendment. If I oppose it, it will be for the reason I gave on Committee Stage, when the Minister indicated that the amendment would constitute a breach of EU law because it would impose a limitation on the type of processing of personal data that is permitted under the GDPR. The Minister stated on Committee Stage that the State would be exposed to infringement proceedings and that had an impact on me.

Following Committee Stage I went back and had a look at the issues in respect of the GDPR. What we need to recognise is that we have limitations imposed upon us in the Oireachtas when we are debating the Data Protection Bill. The reason we have limitations is because the Bill itself seeks to give further effect to a regulation - the GDPR - that we know will come into effect on Friday week. No matter what we do, the GDPR is coming into effect on Friday week. It does not need to be transposed into Irish law because it will become a part of Irish law on Friday week. The Data Protection Bill also has other provisions in it which seek to give effect to other directives. The issue that causes concern is whether the amendments are consistent with the GDPR. If they are consistent with the GDPR, then I and Fianna Fáil will support them.

I went back and had a look at the GDPR and it is instructive to note that it does give very special recognition to the protection required for children. Recital 38 says that children merit specific protection with regard to their personal data. The other relevant recital is recital 47 to which the Minister referred. This indicates that the legitimate interests of a controller may provide a legal basis for processing, and therefore the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

We then need to look at the other recital that deals specifically with profiling, and that is recital 71. It says that a data subject should have the right not to be subject to a decision which is based on profiling. An issue that arises is whether amendment No. 14 will have the effect of constituting a decision that is created by profiling. It is also instructive to note that recital 71 says that such measures which are introduced should not concern a child. The recitals are very clear. They want to provide protection for children. They also recognise that certain types of processing are legitimate. Article 4 in the GDPR makes clear that profiling is a form of processing. It is described as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.

The Minister has relied on Article 6 on numerous occasions. Article 6.1(f) states that one lawful basis for processing is where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Again, the GDPR gives express recognition to the vulnerability of children and the fact that they are deserving of special protection under the regulations and under any transpositive laws that are introduced in member states.

Article 22 refers to automated individual decision-making, including profiling. It says the data subject shall have the right not to be subject to a decision based solely on profiling. That will not apply, for instance, if it is authorised by the Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests.

I and Fianna Fáil want to support amendment No. 14 but we do not want to expose Ireland to infringement proceedings down the road. I have had another look at the GDPR and it seems to be that the protection of children is very much at the forefront of the recitals in the GDPR and indeed in respect of certain articles. What the Minister has to do is satisfy my colleagues and me that if we introduce the amendment, we will not be in flagrant breach of the articles contained within the GDPR. It does not stand out that that is the case but I am interested to hear what the Minister has to say as that will very much dictate how Fianna Fáil votes in respect of the amendment.

2:50 pm

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I am delighted to speak on the amendment relating to the digital age of consent. There is no doubt that this has resulted in quite a fiery debate online, in the media and among politicians in recent weeks. That is welcome because when policy is informed by experts on both sides of a debate, it makes for better policy. Listening to the arguments put forward on both sides gets better outcomes. In fairness, that is what Fianna Fáil has tried to do in recent weeks and months, namely, to listen to the voices urging us in particular directions. Each side of the debate is worth listening to. Some people who have been in favour of having 16 as the digital age of consent have been grossly denigrated in the debate which is very unfortunate given that we are talking about some of the most important scientists in the country, for example, who advocate the age of 16, and we are talking about children's rights organisations-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Could Deputy Byrne name a few of them? Who are they?

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Professor Barry O'Sullivan is responsible for €140 million-----

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Deputies should speak through the Chair.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

-----worth of research-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

That is very interesting. Could Deputy Byrne give us a few more names?

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

-----but that is completely dismissed.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Deputy Daly should not interrupt.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

Unfortunately, all he did was on one side.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Yes.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Deputy Wallace does not usually interrupt.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I have acknowledged that there are people in this debate who favour having 13 as the digital age of consent and I have listened to them respectfully. In the GDPR the default age is 16. There is no argument about raising the digital age of consent, but the proposal from the Government, supported by Independents 4 Change and some other Deputies, is that we would reduce the age to 13. The truth is that there is very little evidence that one age is better than another. The precautionary approach must be that we would go for the highest age, which is the standard age favoured by Germany, the Netherlands and many other countries because that is the default age in the GDPR. The GDPR requirement for parental consent for processing does not apply to preventative or counselling services, so the concerns that have been raised by some in terms of whether children will be able to get access to the services they need in that regard is not an issue. That is covered by the GDPR and it is covered by the legislation.

There is also a review built into the legislation that the Minister introduced relating to the age of 13, and that is welcome but it could also apply to the age of 16 so that if there are unintended consequences, there would be a review. That is welcome and it must happen. There is very little empirical evidence on either side and the position that we have taken is to take the precautionary approach, namely, to opt for the standard, which is the older age. This is about the processing of data and the profiling of data subjects who happen to be children. It is not about giving them access to services online. That is the truth of it. That has been conflated and it is wrong simply to take the approach to this debate of a child's right to participate when we are not discussing the child's right to participate. We are merely discussing-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

We are not-----

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Tá mé ag iarraidh caint. Ní raibh mise ag cur isteach ar na Teachtaí nuair a bhí siadsan ag caint. We are not talking here about the child's right to participate. We are talking about the tech company's right to participate in what the child is doing online. That is the key difference here. This debate has been well rehearsed at this point and it is now being rehearsed on the floor of the Dáil. I do not understand the bitterness in this debate. There are important views on both sides of the debate, including within political parties, but we have to make a call and Fianna Fáil has made a call on the age of 16 as being the best possible approach in this particular case. That is what we are advocating and supporting. There will be a democratic vote in the Dáil. There is a review and children will not be prevented from participating.

The point about setting the age at 16 is that if there is a breach and someone is profiled without parental consent under that age, the penalty is not on the child or the parent but on the tech company. Let us be honest. Tech companies lobbied extremely hard through Chambers Ireland for this particular provision to be reduced to 13. We should also admit that there are some organisations that are very vocal on this issue, whom I am sure are worthy organisations, but they are sponsored by tech companies or some members of their boards of directors are employees of tech companies. We have to take all of those voices and consider them carefully, but that has not been mentioned in the debate and I think it is an important point.

We must protect our children as best we can. We need to keep an eye on the operation of this section, whatever age the Dáil decides to choose today. I will support that, but we must take the most precautionary approach possible to our children and, accordingly, go for what is in the law, namely 16, and not reduce it to 13.

3:00 pm

Photo of Michael CollinsMichael Collins (Cork South West, Independent)
Link to this: Individually | In context | Oireachtas source

4 o’clock

I am glad to have the opportunity to speak on the eagerly awaited Data Protection Bill 2018. The Bill incorporates Ireland's national implementation measures required under the GDPR and creates a new regulatory framework for the enforcement of data protection laws in Ireland. The digital age of consent has been the subject of considerable debate in the Oireachtas. Many child protection experts, psychologists, mental health specialists and those working on the front line with children have expressed the strong view that the age of digital consent should be set at 13 years. There are compelling child protection reasons for this being the best option to keep children safe online. We need to face the reality that our children will be accessing online information and using Internet enabled devices from a young age but by reducing the age of digital consent, we are providing more protection for our children.

The draft scheme of the Bill as published last year did not make provision for representative action to be taken. There was much debate on this issue during the pre-legislative scrutiny stage and the Bill has now shifted quite a bit. It now permits a data subject to mandate a not-for-profit body to lodge complaints with the data protection commission. A mandated, not-for-profit body may also bring a civil claim on behalf of a data subject before the courts. However, such a body will not be able to claim compensation on behalf of data subjects. In effect, a not-for-profit body will be able to seek injunctive relief but not damages on the data subject's behalf. The Bill does not address how the rules and regulations on legal costs will apply to actions taken by non-profit bodies. In particular, guidance will be needed on whether a court can award costs against the data subject as well as the non-profit body in the event of an unsuccessful civil claim.

As Deputies, we possibly need to be educated further on the issue of data protection. How are we, as politicians, going to cope with this new data protection regime? We are finding it more difficult to access information as it stands. Sometimes bodies or individuals hide behind data protection and use it as a handy way to get rid of one or not to give one an answer. That is a very serious issue and a worry for politicians.

On the positive side, I visited Spearline last Friday, a west Cork technology firm based in Skibbereen. This company is a huge asset to the local community. The Minister of State at the Department of Justice and Equality, Deputy Pat Breen, launched the first phase of the company's development. The company will employ up to 60 people in its new risk compliance and data protection division. Spearline will also produce a new line of software called Spearline Data Protection which will focus on supporting organisations and data protection officers in meeting the requirements of GDPR that are due to come into effect on 25 May this year. Spearline is a wonderful example of why we need a Data Protection Bill. Not only will this Bill protect people in the context of data usage and storage, it will also create many jobs across the country in towns like Skibbereen, thus keeping rural communities alive.

Photo of Stephen DonnellyStephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I want to talk about the digital age of consent and whether it should be set at 16 or 13. I strongly believe that it needs to be set at 16 but I acknowledge that everybody in this debate, including the Minister and others who are advocating setting it at 13, wants to act in the best interests of young people and provide them with the best protection. Some of the debate has been fractious, which is unfortunate but nobody engaged in this debate has anything but the best of intentions for the children involved.

Should the age of consent be set at 16, 13 or somewhere in between? As Deputies Thomas Byrne and O'Callaghan have pointed out, Fianna Fáil's position is that it should be set at 16. I support that position and want to explain why. The question that the Minister, in advocating for 13, will have to answer is whether 13 or 14 year olds should have to consent to being profiled by Internet companies and to sharing their online activity including text messages, photographs and location with service providers. Should they, for example, consent to Facebook permanently owning all of the photographs they put up online and all of their location information? Should they consent to companies psychologically profiling them based on their use of applications and then using their images, online behaviour, location and demographics to target them and sell to them? That is what the online providers want to do because that is how they make money and stay in business. The industry wants the age of consent to be 13 because it wants to be able to tell potential advertisers that young people aged 13 or 14 have said that they consent to technology companies having full access to their photographs, contacts, text messages, location, everything they like, dislike or express a view on; to being profiled; to being sold stuff; and to the selling of the information gathered about them to other third party providers. That is what the technology companies would like because they will make more money that way. Should 13 to 15 year olds have to consent to being profiled as products in order to be able to use Teamer or WhatsApp or any other application? No, they should not have to do that.

The argument I have heard from those advocating 13 as the age of digital consent is that if we opt for 16, the service providers will argue that no-one using their platform is below the age of 16 and will create an environment or platform that is only suitable for those aged 16 and over. The suggestion is that 13 to 15 year olds will still access those platforms and that therefore, we are implicitly accepting that 13 to 15 year olds will end up on platforms that the service providers have designed for those aged 16 and over. They will be accessing inappropriate platforms. That is one argument. The other argument is that if the above does not happen, the 13 to 15 year olds will be locked out of the platforms or services. The evidence provided for this argument is WhatsApp saying that it will not let 13 to 15 year olds access its product. The argument is that if the digital age of consent changes to 16, service providers will not provide a service for younger people. Do 13 to 15 year olds have the right to engage in online activity and to communicate with their friends through social media applications? Of course they have that right. Let us follow the argument through. Let us say we opt for 16, which I hope we do for all of the right reasons. The argument is that then a bunch of 13 year olds will go onto sites or platforms and be exposed to an inappropriate environment. If that happens regulators, parents, consumer groups, politicians and journalists will be all over those applications very quickly. We know that they need good publicity and are sensitive to how they are portrayed. We have just seen Facebook and Google pull back from running referendum advertisements in Ireland. We would have to believe that service providers would knowingly allow 13 year olds onto platforms designed for those aged 16 and over and would be okay with taking that risk. They would not be okay with that and those dumb enough to take such a risk would very quickly be found out and shut down. That is what happens if there is non-verification of 13 year olds.

If there is verification, the argument is that the 13 to 15 year olds will be locked out of applications like Teamer or WhatsApp. However, for that to be true, we would have to believe that we live in a world where another service provider would not immediately move in and offer an age appropriate platform to 13 to 15 year olds. That age cohort is the fastest growing consumer group for digital platforms so it is simply not credible that if 13 to 15 year olds are locked out of current platforms that age-appropriate equivalents will not be provided immediately. In fact, what will happen is that those companies that say they will not provide access to their application to those under 16 will actually do so. They will do it very quickly and will do it for all of the countries that opt for a digital age of consent of 16 because if they do not, they will be turning their backs on the biggest consumer group in the country for no good reason.

I repeat that I believe everyone is coming at this with the best interests of young people at heart.

I believe the arguments put forward for the relevant age to be 13 simply do not stack up against reality. The best way to ensure young people are suitably protected from having to give up ownership of their texts, photos and online activity to companies so that they can be profiled and sold to, while still having access to an online world, is to set the age at 16.

3:10 pm

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

I am happy to speak on this Bill and particularly on amendments Nos. 14 and 15. Amendment No. 14 reads:

In page 28, after line 34, to insert the following:"Micro-targeting and profiling of children

30. It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine under section 140.".

While I accept the argument underpinning that amendment, I have to point out that fines often do not mean an awful lot to big technology companies. They are so wealthy and have so much turnover that fines often do not punish them in a proper way. It is probable that "punish" is the wrong word, so I will say instead that fines do not have much of an impact on their balance sheets. Amendment No. 15, in the names of Deputies Sherlock, O'Callaghan and Thomas Byrne, reads:

In page 29, line 2, to delete "13 years" and substitute "16 years".

As we all know, the issue of data protection must be addressed as we contend with the ever-expanding powers of social media platforms and online companies. Deputy Donnelly has referred to the impact of the decision made by Google and Facebook to shut down certain activities during the ongoing referendum campaign. It is strange that they have not made the same decision when other elections have been taking place across Europe since the 2016 US election. I have issues in that regard.

In an article in the Irish Independentlast week, Charlie Weston provided an excellent example of the issues we are talking about when he revealed that "the AIB banking group has been accused of playing Big Brother with its customers after it emerged that it spies on customers' social media accounts". I remind the Minister that we owned over 90% of this bank after we bailed it out some years ago. Mr. Weston pointed out that "the lender is trawling through Facebook, Twitter, YouTube and other social media accounts held by customers for comments on its service". As the service is now pretty unfriendly to customers, the comments are not going to be very good. When one tries to meet a teller, one has to deal with a machine. Mr. Weston's article continued:

The bank tells customers that the move "helps us understand your behaviour" [how ironic]. As part of the mortgage application process, customers are now required to sign a consent form, which gives permission for a range of things, such as a credit check, to be carried out on them and to allow their social media accounts to be looked at by the bank. It applies to those seeking mortgages with AIB [which does not give many of them anyway] and its subsidiaries, EBS and Haven. AIB Group is 71pc-owned by the State and is the Republic's biggest mortgage lender. Mortgage broker Karl Deeter accused the bank of invading the privacy of customers by spying on them. He said: "I'm confident that people would not be comfortable knowing that the bank can play Big Brother with their social media information." Mr Deeter, of Irish Mortgage Brokers, said it wasn't clear if someone who posts on Facebook that they attend the likes of anti-eviction protests would end up having a mortgage application refused if the bank was to see this.

Of course such an application would be refused because the bank would have to help its friends.

In my capacity as a Member of the Oireachtas, I recently attended an excellent briefing provided by Dr. Mary Aiken and Professor Barry O'Sullivan on the digital age of consent. I would like to quote from an email that was sent by Dr. Aiken on behalf of herself and Professor O'Sullivan this morning:

As you know there will a vote this afternoon regarding the Irish Digital Age of Consent. We take the opportunity to clarify:

- The Digital Age of Consent is about protecting the personal data of children.

- This issue is not about when children can go online.

- Parents have the right to parent their children.

In two years of campaigning on this issue, every parent we have spoken to supports a Digital Age of Consent of 16. I am a Cyberpsychologist, Prof. O'Sullivan is a Data Scientist we are internationally recognised experts in this area - we strongly support 16.

I expect that everyone is coming at this from a different angle, but the email from which I have quoted sets out the factual situation as far as I understand it. The email had to be sent out after very unfair allegations were put in the public domain by opponents of Dr. Aiken and Professor O'Sullivan. After I brought this matter to the attention of those who made the allegations, they sent out an apology and took down the allegations. If they had not done so, they would rightly be dealing with litigation and facing Deputy O'Callaghan or one of his colleagues. One is entitled to one's good name. The email sent by Dr. Aiken and Professor O'Sullivan, in which they say they "believe that the vast majority of parents of Ireland want 16 as a Digital Age of Consent, as do the teachers, the Gardaí and doctors of Ireland", makes it perfectly clear what is at stake here. The harvesting of children's data is not something we should actively encourage and promote, but that is exactly what this Bill will allow. For that reason, as I have said, I will be opposing the Bill and supporting those who are seeking to set the digital age of consent at 16.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Go raibh maith agat.

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

Níl mé críochnaithe fós, a Leas-Cheann Comhairle. Tá nóiméad eile fós agam.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

On the amendments.

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

Of course. I have read the two amendments I am speaking about.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The Deputy's comments should relate to the contents of the amendments.

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

I am talking to the subject matter of the amendments.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is Second Stage every day.

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

Not at all. People have come at this issue from different angles. I accept everyone's bona fides in this regard. As legislators, we have to make a choice when we are dealing with and voting on these two amendments. I appeal to the Minister to show understanding to the people who are here. There is a big difference between processing and profiling, or between profiling and processing. It is a question of use and abuse. We can never be too aware of how data is used nowadays. Those between the ages of 13 and 16 comprise the fastest-growing market. My children have just come through those years. My youngest child is 16. I understand totally that they want to be on these platforms. Being on them is one thing, but their personal data should not be allowed to be compiled, processed, used and misused. I believe the potential for misuse and abuse of their data is what we are talking about. I am concerned about these issues. I do not want to see Ireland being ridiculed for being out of kilter with many other countries in not taking the opportunity to safeguard our children's data. It is for this reason that I am supporting these amendments and opposing the Government's stated position.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

When this Bill was discussed in the Seanad and when it went through the rigorous select committee process, I explained comprehensively the consultation processes that resulted in the Government proposing a digital age of consent of 13 years. I do not propose to repeat those points this afternoon, not least because I thought the argument in favour of 13 being set as the relevant age was well made by Deputy Shortall in her constructive contribution last night. She outlined the reasons that a digital age of consent of 13 years will serve to protect children.

I want to take this opportunity to say I fully agree with the contribution of Deputy Clare Daly. I am seldom in a position to say that. I agree with the really good case she made. I also agree with what Deputy Wallace has said on this issue. I will add to what they said by making the point that Ireland's decision to choose 13 years as our digital age of consent is firmly in line with many other EU member states, including Denmark, Sweden and Finland. We look to these countries, more than most, for examples of good practice in the areas of child support and child protection. Countries like Latvia and Estonia can also be regarded as examples of good practice. Estonia perhaps gives more Government time to issues of e-activity, e-learning and e-government than any other EU member state. Our neighbours in the UK have also opted for 13 years as the digital age of consent, as have Spain and Portugal.

I want to acknowledge that there has been a rigorous process going back over a number of years. This has included the process of pre-legislative scrutiny on the part of the Joint Committee on Justice and Equality, which comprises Deputies and Senators of all parties and none.

There was also the matter of the public consultation which fed into the decision of Government. Through the Seanad, Committee Stage and now Report Stage in the Dáil, this was not done lightly and it was not a decision taken without due careful and comprehensive consideration.

If I may now focus on amendments Nos. 13 and 14 tabled by Deputies Clare Daly, Wallace, Shortall and Ó Laoghaire, these amendments seek to criminalise the processing of children's personal data for direct marketing and profiling purposes. I wish to state again that while I am sympathetic to their objective, I am not in a position to accept the amendments. As Deputy Wallace stated last night, the processing of personal data for marketing and profiling purposes takes place under the so-called "legitimate interests" ground in Article 6.1(f) of the GDPR, and recital 47 states this particularly. During the select committee meetings, we addressed the issue of whether national law can impose additional conditions on processing carried out under the data protection directive. The court underlined the importance of free movement of personal data under the 1995 directive and concluded categorically that member states could not add new principles or impose additional conditions that have the effect of amending the scope of any of the grounds in Article 7 of the directive. Put simply, the imposition of prohibitions in national law on the processing of personal data that is lawful under the GDPR, or the criminalisation of processing that is lawful under the GDPR, will be in breach of EU law. I think Deputy O'Callaghan acknowledged this. If he was not convinced, he certainly saw the difficulty. The State will be exposed to infringement proceedings and possible sanctions. We all know what that means.

I draw attention to the important difference between the wording of "legitimate interests" in Article 6 and the text of Article 7(f) of the 1995 directive. In the 1995 directive, Article 7 states that the personal data may be processed where necessary for the purposes of the legitimate interests of the controller, except where such interests are overridden by the fundamental rights and freedom of the data subject. The corresponding text in the GDPR contains an important addition, namely, "in particular where the data subject is a child". Taken together with the statement in recital 38 that children merit specific and special protection with regard to personal data because they may be less aware of risks or consequences and safeguards concerning their rights in respect of the processing of data, we can see that the GDPR itself imposes stricter conditions, which is worthy of consideration.

I share the concerns expressed by Deputies during earlier debate in respect of child protection. For that very reason, I have introduced section 31 providing for codes of conduct with regard to the processing of personal data of children for the purposes of direct marketing. I said on previous occasions that I expect this issue to be dealt with as a matter of urgency. In the light of concerns expressed here again, I assure the House that I will make early contact with Commissioner Jourová requesting the Commission to do all in its power to advance child protection issues. I met her last year. I will convey to her the concerns that have been expressed here on all sides of the House.

I am satisfied that it would not be in the interests of child protection to insert the section concerned into the Bill. The inclusion of provisions designed to criminalise processing that may be lawful under the GDPR would expose the State to infringement proceedings and distract attention from the overriding issues of child protection which have been amplified here by everybody on all sides. I agree with the Deputies. As far as the exposure of the State is concerned, it is not just my view nor that of my officials and Department but also the firm view of the Attorney General.

3:20 pm

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

On the digital age of consent, I do not think the full picture has been given in terms of the public consultation. There was a consultation in 2016, and while a number of organisations submitted for a digital age of consent of 13, they were not the majority of submissions. There were other submissions arguing for 16, as has been mentioned, by Professors Aiken and O'Sullivan along with others. Since that public consultation, we do know that other organisations have contacted the Department. I raised a question last night in the Dáil as to why these have not been put on the record. We know the paediatricians' section of the Royal College of Physicians of Ireland has advocated for 16, as have some other organisations. The teachers' unions, as I understand-----

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

There has been no secrecy.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

There has been secrecy. I would ask the Minister to set out who has urged that we retain the age at 16 and is not listed on the public consultation. That was a little bit of a disservice to the debate. Deputy O'Callaghan, as our spokesperson, will be considering our position on the profiling amendments. There is no doubt that we can properly choose to protect children by having the digital age of consent at 16, as it is in the regulation the Europeans have set for us. The Minister has helpfully listed countries that are going for 13. We have also listed large and important countries that are going for 16. I urge the Minister to let us know who has advised him for 16. If there are any others advocating for 13 who contacted the Department but have not been part of the public debate so far, I would certainly be interested in hearing about them.

Photo of Róisín ShortallRóisín Shortall (Dublin North West, Social Democrats)
Link to this: Individually | In context | Oireachtas source

I will repeat what I said last night about everybody in this House being interested in and concerned about child protection. We all share the same objective. The question is as to the best way to do that. We cannot ignore the very strong representations we have heard from Barnardos, the Children's Rights Alliance and the ISPCC. They make a number of very cogent points. The predominant point is that raising the age of consent to 16, or whatever age, does give a false sense of security that it solves the problem when we know that simply is not the case. This is a once-off action a parent takes in handing over consent. If they say no, it means the child is denied access to that platform. If they say yes, which an awful lot of parents will do because they do not know what they are handing over, that is a problem also. If we recognise that it is a reality that many children lie online, we have to accept that it is a significant factor. Children also have ways around age verification mechanisms. If we are serious about curtailing and preventing the micro-targeting of children for commercial purposes, we have to restrict the ability of companies to target children and harvest their data.

On Committee Stage, the Minister rejected similar amendments to this. The amendments we have tabled, however, are not an additional condition of a new principle. They are within the scope of both EU jurisprudence and the GDPR. Article 6.1(f) states that processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests of the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. I would contend that the Minister is perfectly within the law to make it an offence for companies to engage in what they are doing at the moment, namely, the relentless targeting of children for commercial purposes whether it is in respect of junk food, alcohol, or gambling and other things. It is that practice that we need to outlaw.

Photo of Seán SherlockSeán Sherlock (Cork East, Labour)
Link to this: Individually | In context | Oireachtas source

Article 8 of the GDPR deals with the issue of consent to the processing of personal data in connection with what we call information society services. That is the headline language that is used. The article itself proposes 16 years as the minimum age at which a child may independently consent to such processing.

Younger children's data may be processed "only if, and to the extent, that consent is given or authorised by the holder of parental responsibility over the child".

Our approach to a digital age of consent of 16 years is to facilitate parents to give them the opportunity to parent, not create a situation where the law gives a 13 year old the right to consent to profiling and the use of his or her personal information for all sorts of service, be it exploitative or not. I do not believe we should legislate on the basis that we know that children will lie about the age they give in the age verification process. We have to legislate on the basis of what we believe to be the correct course of action. If we are talking about contract law, a digital age of consent of 16 years would err on the better side in the expression of clear judgment in ensuring parents have the right to parent.

3:30 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

In terms of having a false sense of security, it is not just because of what is in the provision but to an extent what we say and is said in the media that we need to be clear that more needs to be done to ensure the safety of children online. The Minister's opposition to the amendments on micro-targeting and the profiling of under-18s is based primarily on an argument made that there can be no amendments to the principles outlined in EU data protection law. This legislation is not simply a transposition of the GDPR. It is more than that. It is a directive which has direct effect in many aspects. However, this is Irish primary legislation. If the amendment was tabled to other legislation which had nothing to do with the director of regulation, would the same principle apply? There is nothing in the GDPR that prevents the Government and Parliament from making amendments of this kind. The GDPR will come to pass and stand. This legislation is likely to be passed. Ultimately, we have the right and authority to legislate, not beyond EU law but within its constraints. There is nothing in the GDPR which prevents us from providing stand-alone legislation. There is nothing in the amendments which refers to the GDPR. This is the Data Protection Bill 2018. There is nothing in it to prevent us from taking legislative action against micro-targeting. There is the potential for the public interest to override any legitimate desire of commercial organisations to advertise and use this activity. I simply do not see that argument.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

The horse has bolted when it comes to the Internet. All kids, 13 years and under, use it. Those who are in denial should cop themselves on. The reason most countries have moved to an age lower than 16 years is they are concerned that valuable websites will be denied to young people as it is unclear what services would fall under the term "information society services". It is absolute nonsense to claim consenting to have one's data profiled is a link with some evil social media website. It could also very much cover educational websites and so on.

Members have spoken about striking a balance in the debate. If one looks at this as a seesaw, all of the weight of the argument is on one side. It is very interesting how the debate has changed since earlier times. It is very suspicious and weird and I have never seen the likes of it. On one side, we have a section of the media, a few politicians, some of whom have changed their minds - I am not talking about the Social Democrats - a data analytics entrepreneur, an adviser to Interpol, Europol, the FBI and Paladin Capital Group. The latter is a government security and intelligence focused venture capital firm headed by the former deputy director of the NSA. On the other side, we have every single child protection organisation in the State, namely, the ISPCC, the Irish Society for the Prevention of Cruelty to Children, Children's Rights Alliance, the special rapporteur for children, the Ombudsman for Children, Cyberspace Ireland, SpunOut.ie, the president and president-elect of the Psychological Society of Ireland, the director of the National Anti-Bullying Research and Resource Centre, the UNESCO chair for children, youth and civil engagement and a variety of senior clinical psychologists. It is not surprising that individuals with a security and intelligence background would have an interest in getting people to reveal their identities. If we are all in favour of child protection, I will side with the child protection experts and go for a digital age of consent of 13 years.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

We accept that most children will get around the age verification step easily. We should not set up a system which will encourage kids to lie. It will simply encourage them to hide their online activity from their parents and not seek help and support. It will undermine the ability of parents to engage with their children on their online activity to teach them critical thinking skills in the digital world. A 2015 report, Net Children Go Mobile, found that 40% of children in Ireland under 11 and 12 years of age had a social networking account, despite the fact that social networking sites had an age restriction of 13 years. We already have age restrictions that do not work and this will only create a false impression of safety online.

If the digital age of consent is set at 16 years, online platforms will be able to argue that their spaces are for older teenagers and adults and simply reduce their protections accordingly. We can create a digital safety programme through education, as suggested by the ISPCC, the Ombudsman for Children and others, through the establishment of an office of digital safety commissioner with statutory powers to regulate and educate about the online space. As the director of the National Youth Council of Ireland, Ms Mary Cunningham, said a few days ago, learning to cross the road is far more useful than hoping for a ban on cars. In the same way, education and a focus on developing critical thinking will be far more useful tools for young people and the adults in their lives than an increased digital age of consent which risks providing a false sense of security.

The justice committee heard from many experts in the area. Its Chairman, Deputy Caoimhghín Ó Caoláin, fully agrees with the digital age of consent being set at 13 years. I do not believe for one second that Deputy Jim O’Callaghan does not either. This is madness.

Photo of Seán SherlockSeán Sherlock (Cork East, Labour)
Link to this: Individually | In context | Oireachtas source

The Deputy can now answer Deputy Mick Wallace's point.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Let the Deputy speak for himself.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

One of the advantages of the amendment dealing with the digital age of consent is that we know, whether we go for 13 or 16 years, we are not going to be in breach of the GDPR because it goes out of its way to give a certain leeway to national states to decide the age at which they want to set it. I am not a Eurosceptic, but it does reveal the extent to which we operate with limited sovereignty when it comes to certain parts of this legislation. I support amendments Nos. 13 and 14 as they are sensible. The only point which would block me supporting them is if they would be in breach of the GDPR if inserted into legislation. We cannot introduce an amendment which would be in breach of the GDPR.

During the course of my earlier contribution I went through the different recitals and articles in the GDPR which were relevant. I regret to say I have not got huge satisfaction from the Minister. He said it would subject it to infringement proceedings. When one looks at Article 6, however, it is the basis of the Minister's contention. He has said processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or third party. That is expressly set down in Article 6(1)(f). It continues to state processing is not legitimate if it is the case that "interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".

I believe we are entitled to introduce protection where the interests of a child are at stake. The Minister has not really given me the full comfort that I require to believe we will definitely be subject to infringement proceedings.

3:40 pm

Photo of Stephen DonnellyStephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I want to come back to the digital age of consent of 16 years. I have a great deal of respect for Deputy Daly as a parliamentarian but she has scurrilously discredited one of the people arguing for a digital age of consent of 16 years in her contribution. She said everyone agreed with her. Then, she presented one substantive argument to the effect that people who are 13, 14 or 15 years of age will be locked out of the applications but they have a right to those applications. This is a fundamental misunderstanding of the marketplace. It assumes that if WhatsApp or an educational software platform decides only to provide for those aged 16 years and upwards, then those aged 13, 14 and 15 years will not quickly have access to similar products designed for them. That is simply not the case. Let us suppose we were having an argument about whether we should have an age of eligibility to buy alcohol. The argument would be that we should not set the age at 18 years but at 13 years because we do not want children to lie about their age. The thinking is that if the age limit is set at 18 years, then no drinks will be offered that are appropriate to those aged 13 or 14 years. That is the analogy and it simply does not stack up.

It is all well and good standing up under privilege, as Deputy Daly has done, and making serious allegations about someone who, for the very best of reasons, is advocating an age of consent of 16 years. It is easy to stand up under Dáil privilege and make the kind of accusations Deputy Daly has made but the only substantive argument she made was that younger children will be locked out. They will not. Therefore, the digital age of consent of 16 years should stand. I believe it is the right thing to do.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

I want to be clear now. I did not hear Deputy Daly making any personal accusation.

Photo of Stephen DonnellyStephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Then you were not listening carefully enough.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Maybe I was not. Deputy Daly, were you saying that?

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Absolutely not, a Cheann Comhairle. I was reiterating the biography of someone who has made vocal representations. It is not in any way derogatory to quote a person's biography. It is simply testament to the credentials or expertise in this field of the person.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

We have to be careful here. We do not have the right to take someone's reputation. We have made the point and Deputy Daly has clarified it. I call Deputy Mattie McGrath.

Photo of Mattie McGrathMattie McGrath (Tipperary, Independent)
Link to this: Individually | In context | Oireachtas source

I admit that I have concerns. I also admit and respect that the committee sat and discussed this for a long time. I am not a member of the committee and I was neither involved in this nor kept abreast of it.

There are issues with regard to public consultation, as Deputy Byrne said. In most public consultations many people do not get involved. They might miss the deadlines because of the way they are advertised and so on. It could be a simple thing relating to a road or something as serious as this. People simply do not see these things. We are all so busy in our lives and we do not see them. People may not be aware of it until something is brought to their attention by a discussion here, by meeting experts in the field or lobbyists or whomsoever.

It would be nice to get a full picture of the people who made contact with either the Department or officials who were dealing with this during the consultation and after the consultation finished. If representatives of the Royal College of Surgeons in Ireland and paediatricians are concerned, then we must accept that as well and see the full list.

I understand Article 8 of the general data protection regulation suggests that 16 years of age is appropriate. The Minister has said that we cannot go against what is provided for in the GDPR. Either we can or we cannot. I am unsure whether we can.

Perhaps if we have a limit of 13 years, parents will be unhappy because the age of consent will be 13 years and they may prefer it to be 16 years. Are we going to be blocking the parents from exercising proper parental control and watching over their children? We know that if the age is 16 years the companies will adapt quickly. They probably have the apps ready for people between 13 and 16 years of age. It is a complex area. I have not heard anything to change my mind on it.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I wish to make two points by way of concluding remarks. The first relates to age. I wish to reiterate all the points made relating to the consultation process and the arrival at the age of consent of 13 years.

I am a little concerned at issues being introduced that were not considered earlier in the debate. Deputies have talked about secrecy of the public consultation process. I wish to make clear that many people made a contribution or provided input during the public consultation process. In all cases, their documentation was received and duly given careful consideration. All submissions made to the Department during the course of public consultation are on the website. There should be no issue regarding secrecy or implications that follow therefrom by way of question mark. The submissions are all on the Department website. I am happy to state that by way of confirmation for Deputy McGrath. Once again he wishes to introduce some cloud and fog into the process.

Deputy O'Callaghan commented on amendments Nos. 13 and 14 in particular. A code of conduct can guide interpretation of Article 6(1)(f) but there is no reference in this provision to national law. Indeed, the court has already found that member states are unable to or cannot limit the scope of the provision. Deputy O'Callaghan stated that he was not a Eurosceptic but that he has a difficulty about relinquishing of national sovereignty. I look at it differently. I look at the pooling of sovereignty and the influence we can bring to bear to ensure that what we wish to do in terms of child protection can have EU-wide effect.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Thank you, Minister. Time is up.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I will make early contact with Commissioner Jourová on the disposition of Members. I share the object of Members but I have no wish to do anything that might ultimately give rise to exposing the State to infringement proceedings.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Amendment No. 13 is in the names of Deputies Shortall, Daly and Wallace. How stands the amendment, Deputy Daly?

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

It is very confusing, a Cheann Comhairle. I have no wish to be difficult but part of the problem is what the Select Committee on Justice and Equality has started. Deputies Shortall and Ó Laoghaire have gone to debate the Parental Leave (Amendment) Bill. All of us should probably be there as well.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Deputy Shortall moved the amendment. She would have been entitled to another two minutes, but she is not here. Therefore, no one else is entitled to speak.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

That means we cannot speak.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

You cannot. I am sorry.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I really do not know what to do now. I know Deputy Shortall wanted to push this, and we do as well. However, the Minister seems to be saying that if we push it then we are exposing the State to a breach and potential liabilities and so on. We have to take that into consideration as well. Now, we are paralysed and we do not know what to do because those Deputies are not here.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Minister, do you wish to give a brief response?

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I have made a comment but I am adding to it as well. I would be happy to bring the actual concerns, as raised by Deputy Daly and Deputy Shortall, directly by way of written early communication with Commissioner Jourová. I appeal for that to be accepted. Of course I will circulate any further correspondence that comes in on that particular issue.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Thank you, Minister. We cannot keep doing this. How stands amendment No. 13? Is the amendment being pressed?

Amendment put and declared lost.

3:50 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 14:

In page 28, after line 34, to insert the following:

"Micro-targeting and profiling of children30. It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine under section 140.".

Amendment put:

The Dáil divided: Tá, 62; Níl, 43; Staon, 0.


Tellers: Tá, Deputies Donnchadh Ó Laoghaire and Brian Stanley; Níl, Deputies Joe McHugh and Tony McLoughlin.

Richard Boyd Barrett, John Brady, John Brassil, James Browne, Pat Buckley, Joan Burton, Mary Butler, Thomas Byrne, Jackie Cahill, Dara Calleary, Pat Casey, Shane Cassells, Jack Chambers, Lisa Chambers, Seán Crowe, John Curran, Pearse Doherty, Stephen Donnelly, Dessie Ellis, Martin Ferris, Kathleen Funchion, Pat Gallagher, Seán Haughey, Danny Healy-Rae, Séamus Healy, Brendan Howlin, Alan Kelly, Gino Kenny, James Lawless, Catherine Martin, Micheál Martin, Mattie McGrath, Michael McGrath, Denise Mitchell, Aindrias Moynihan, Michael Moynihan, Imelda Munster, Margaret Murphy O'Mahony, Catherine Murphy, Darragh O'Brien, Jim O'Callaghan, Willie O'Dea, Fiona O'Loughlin, Louise O'Reilly, Frank O'Rourke, Jan O'Sullivan, Eoin Ó Broin, Caoimhghín Ó Caoláin, Éamon Ó Cuív, Donnchadh Ó Laoghaire, Aengus Ó Snodaigh, Maurice Quinlivan, Anne Rabbitte, Brendan Ryan, Eamon Ryan, Eamon Scanlon, Seán Sherlock, Róisín Shortall, Bríd Smith, Niamh Smyth, Brian Stanley, Robert Troy.

Níl

Maria Bailey, Pat Breen, Colm Brophy, Tommy Broughan, Peter Burke, Catherine Byrne, Ciarán Cannon, Joe Carey, Joan Collins, Michael Collins, Marcella Corcoran Kennedy, Simon Coveney, Michael D'Arcy, Clare Daly, Pat Deering, Andrew Doyle, Bernard Durkan, Damien English, Frances Fitzgerald, Peter Fitzpatrick, Charles Flanagan, Brendan Griffin, Simon Harris, Seán Kyne, Josepha Madigan, Joe McHugh, Tony McLoughlin, Kevin Moran, Eoghan Murphy, Denis Naughten, Tom Neville, Michael Noonan, Kate O'Connell, Patrick O'Donovan, Fergus O'Dowd, Maureen O'Sullivan, John Paul Phelan, Michael Ring, Noel Rock, Shane Ross, David Stanton, Mick Wallace, Katherine Zappone.

Amendment declared carried.

4:00 pm

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 15:

In page 29, line 2, to delete "13 years" and substitute "16 years".

Amendment put:

The Dáil divided: Tá, 56; Níl, 51; Staon, 0.


Tellers: Tá, Deputies Jim O'Callaghan and Brendan Ryan; Níl, Deputies Joe McHugh and Tony McLoughlin.

John Brady, John Brassil, Tommy Broughan, James Browne, Pat Buckley, Joan Burton, Mary Butler, Thomas Byrne, Jackie Cahill, Dara Calleary, Pat Casey, Shane Cassells, Jack Chambers, Lisa Chambers, Seán Crowe, John Curran, Pearse Doherty, Stephen Donnelly, Dessie Ellis, Martin Ferris, Kathleen Funchion, Pat Gallagher, Seán Haughey, Danny Healy-Rae, Brendan Howlin, Alan Kelly, James Lawless, Micheál Martin, Charlie McConalogue, Mattie McGrath, Michael McGrath, Denise Mitchell, Aindrias Moynihan, Michael Moynihan, Imelda Munster, Margaret Murphy O'Mahony, Darragh O'Brien, Jim O'Callaghan, Willie O'Dea, Fiona O'Loughlin, Louise O'Reilly, Frank O'Rourke, Jan O'Sullivan, Maureen O'Sullivan, Eoin Ó Broin, Éamon Ó Cuív, Donnchadh Ó Laoghaire, Aengus Ó Snodaigh, Maurice Quinlivan, Anne Rabbitte, Brendan Ryan, Eamon Scanlon, Seán Sherlock, Niamh Smyth, Brian Stanley, Robert Troy.

Níl

Maria Bailey, Richard Boyd Barrett, Pat Breen, Colm Brophy, Richard Bruton, Peter Burke, Catherine Byrne, Ciarán Cannon, Joe Carey, Joan Collins, Michael Collins, Marcella Corcoran Kennedy, Simon Coveney, Michael D'Arcy, Clare Daly, Pat Deering, Regina Doherty, Andrew Doyle, Bernard Durkan, Damien English, Frances Fitzgerald, Peter Fitzpatrick, Charles Flanagan, Brendan Griffin, Simon Harris, Séamus Healy, Gino Kenny, Seán Kyne, Josepha Madigan, Catherine Martin, Joe McHugh, Tony McLoughlin, Kevin Moran, Catherine Murphy, Eoghan Murphy, Denis Naughten, Tom Neville, Michael Noonan, Kate O'Connell, Patrick O'Donovan, Fergus O'Dowd, John Paul Phelan, Michael Ring, Noel Rock, Shane Ross, Eamon Ryan, Róisín Shortall, Bríd Smith, David Stanton, Mick Wallace, Katherine Zappone.

Amendment declared carried.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

5 o’clock

I move amendment No. 15:

In page 29, line 2, to delete "13 years" and substitute "16 years".

Amendment put:

The Dáil divided: Tá, 56; Níl, 51; Staon, 0.

4:10 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 16:

In page 31, line 38, to delete “may” and substitute “shall”.

Section 35 deals with suitable and specific measures for processing data. In general, throughout the Bill these measures are used as a substitute for gaining somebody's consent to process the most sensitive data. It is obviously significant because the idea of these suitable and specific measures is that they are technical and organisational safeguards, things such as limitations on access by staff in an organisation to highly sensitive data or a logging-in system so it is clear who has access to data and when, that sort of thing. With this amendment, we are proposing that any regulations made under the section in order to either identify suitable and specific measures that have to be used in certain situations or to specify that some of those measures are mandatory shall first identify different measures for different categories of personal data, different categories of controllers and so on and, second, specify that at least one of the measures set out in the list in subsection 35(1) is mandatory. We think it is important that regulations in this regard are obligated to be fairly clear and detailed. That is because those measures are a requirement in so many different processing situations throughout the Bill and because they are so crucial to safeguarding people's rights and their data, the rules around them should therefore be pretty precise. In other words, those rules should take into account what kinds of data are being processed, by whom and what kinds of processing actions are being taken on them. We also think it is important that at least one, but ideally more, of the measures listed in section 35 have to be made mandatory if a Minister is going to the trouble of drawing up regulations and the measures listed in subsection 35(1) are fairly basic. It should not be a major cross to bear to make at least one of them mandatory.

I will give a very brief example. The Minister said on Committee Stage that schools hold data on children's allergies and other health issues so obliging them to implement limitations on access would be too onerous. Flipping that around, it implies the Minister is okay with any visitor to the school getting access to highly sensitive information about a young child's health. We do not really think in that context access limitations are too onerous at all. It would be great to think that regulations were mandatory in this particular context. To give another example, I recently heard of one school where staff were told the GDPR means the school has to hang on to permissions slips for school tours until the children are 21. It is utter madness. There is a huge misunderstanding out there. Targeted training is another measure listed in subsection 35(1). It should be made mandatory in certain contexts because we are opening the road to utter chaos otherwise.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I am unable to accept the amendment which, as we said earlier, arises out of something of a misreading of the purpose of subsection 35(4). As it stands, subsection (4) permits regulations to identify different toolbox measures for different categories of personal data or different categories of controllers. However, it is probably not appropriate to have such a differentiation in all cases. Deputy Daly set out an example. It might be appropriate to apply the same toolbox safeguard measures to different categories of data or on occasion to different categories of controllers. It might, for example, be appropriate to impose the same encryption requirement on different categories of controllers but if the amendment is passed it would prevent that and mean it could not be done.

I am not happy with the amendment and I will not accept it.

Amendment put and declared lost.

4:15 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 17:

In page 32, to delete lines 8 to 27 and substitute the following:"(5) Subject to subsection (6), regulations may be made under subsection (2)—
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(6) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(7) The Commission may, on being consulted under subsection (6), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.".

Amendment agreed to.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 18, 21 and 22 are related and will be discussed together.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 18:

In page 33, lines 18 to 23, to delete all words from and including "for—" in line 18 down to and including line 23 and substitute the following:"for the performance of a function of a controller conferred by or under an enactment

or by the Constitution.".

This amendment addresses section 37(1)(b) which seems to give far too much scope to third party data processing in respect of non-statutory schemes, particularly given that this section of the Bill describes a situation where the consent of the data subject will be bypassed. We should not, for example, give marketing companies working on non-statutory schemes such exemptions from the requirement to obtain consent. It is not too difficult simply to require such third parties working on non-statutory projects to obtain consent to process personal data. On Committee Stage the Minister defended this part of the Bill by saying that section 37(1)(b) was necessary for non-statutory schemes such as the free fuel scheme, free travel scheme and the back to school clothing allowance. Surely these schemes are already provided for in the GDPR under Article 6.1.(f) and the idea there of "legitimate interests". Nobody is going to dispute that the processing of data for the free fuel scheme is a legitimate interest as per the GDPR.

Amendment No. 21 seeks to limit the purposes for which personal data that is collected can be processed by insisting that the purposes be specified at the outset which is listed in Article 23 of the GDPR as a specific provision that any legislative measure referred to in Article 23 shall contain. This section refers to personal data processed in the public interest which according to Article 6 of the GDPR allows the data controller to bypass the consent of the data subject. There will be times when such bypassing of consent will be necessary and that is why the GDPR provides for such occasions. We have already expressed some concern about section 37(1)(b) and said on Committee Stage that we were very open to Sinn Féin's proposal to oppose the section as it seeks to carve out exemptions to the GDPR that exceed what the GDPR allows. Processing of data for purposes other than the purpose for which that data is collected is prohibited except in very limited circumstances such as preventing a threat to national security. Insisting that the purposes for which data is collected be specified at the outset in regulations made under section 37(4) is a sensible provision and would protect against processing for other or unspecified purposes in the public interest. I acknowledge that section 37(5)(c) provides for a Minister to impose other conditions on processing which he or she see as appropriate while such conditions would not be mandatory.

Amendment No. 22 is an attempt to introduce an extra layer of protection which is necessary given the wideranging powers section 37 gives to Ministers. We have concerns about the whole section. The lines we seek to insert are taken from section 48 of the Bill which itself borrows heavily for its wording from the GDPR.

Amendments Nos. 21 and 22 seek to limit ministerial powers in terms of processing data in the so-called public interest. As I said on Second Stage the public services card project and more important, the single customer view behind it is the largest data sharing project in the history of the State and has massive problems. It shows clearly the liberties successive Governments in various Departments have already taken in sharing data in the so-called public interest.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

In respect of amendment No. 18, on Committee Stage when the Minister listed the free fuel and travel schemes and the school meals programmes, operated by the Department of Employment Affairs and Social Protection on a non-statutory basis, he said that this processing complies with the GDPR because Recital 41 states: "Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament" each time. If this processing is compliant with the GDPR why do we need section 37(1)(b)? The GDPR already has direct application and if the Department's administration of these non-statutory schemes is already compliant we do not need anything in the Bill to make them compliant. Therefore, we are a bit suspicious about why this clause is there. Is the Minister trying to provide cover for an issue that might not necessarily be compliant, as in the instance given by Deputy Wallace where the public services card is required to obtain a passport which is non-statutory? That might be called into question because the processing is of questionable legality. Is the Minister trying to make it legal with this clause? We would be concerned about that.

Under the old Data Protection Acts there was a specific exemption for the non-statutory schemes cited by the Minister but it was much more narrowly drawn than this one. There was also an exemption in the old Data Protection Acts to allow processing of personal data for the performance of any other function of a public nature performed in the public interest by a person. This is broadly similar to what is permitted under the GDPR. We think it a bit odd that this Bill wants to diminish data protection rights relative to our law and European law rather than bring them up to the standard we are obliged to do.

Deputy Wallace dealt with amendment No. 21 about purpose limitation, one of the fundamental principles relating to processing of personal data laid out in Article 5. I do not think that for the avoidance of doubt the Minister putting in "purpose" presents a huge difficulty. It is far more specific than the word "circumstance". That is all we want to do there.

Section 22, as Deputy Wallace said, is lifted from section 48. Regulations giving statutory and non-statutory bodies carte blancheto ignore the GDPR should at the very least meet basic standards.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

It is important to retain section 37 for legal certainty and for transparency and I cannot therefore accept the amendments. In the field of social protection, for example, certain important and valuable schemes operated by the Department of Employment Affairs and Social Protection, operate on a non-statutory basis, such as the free fuel scheme, free travel scheme, back to school clothing and footwear allowance and the school meal programme. All of these schemes do now, and will continue to, require the processing of personal data, and that processing is compliant with GDPR. Recital 41 states that where the GDPR refers to a legal basis "this does not necessarily require a legislative act adopted by parliament". I am sure Members will agree that these schemes, and other similar non-statutory measures, such as schemes to assist victims of flooding and of the recent fodder shortage, can be administered pretty quickly without the need to have a statutory basis. These are beneficial, and it would not be in anybody's best interests if they were jeopardised by the introduction of what might be regarded as legal uncertainty in respect of the data processing that is essential for their operation.

Subsection (4) allows for the making of regulations to specify that processing of personal data is necessary for the performance of a task carried out in the public interest by a controller or in the exercise of official authority which may be vested in the controller. As in the case of previous amendments, amendments Nos. 21 and 22 appear to arise from a misreading, on the basis that the regulations referred to in subsections (4) and (5) will not create a lawful basis for processing. The legal basis is Article 6 of the GDPR. The amendments are intended to clarify that certain processing is necessary for the performance of a task. I cannot accept amendments 21 and 22.

I reiterate that section 37, as it stands, is important and essential for reasons of legal certainty and that I cannot accept amendments to it.

Amendment put and declared lost.

4:25 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 19:

19. In page 33, to delete lines 37 to 39, and in page 34, to delete lines 1 to 19 and substitute the following:"(4) Subject to subsection (5), the processing of personal data which is necessary for the performance of a task carried out in the public interest by a controller or which is necessary in the exercise of official authority vested in a controller may be specified in regulations made—
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(5) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (4).

(6) The Commission may, on being consulted under subsection (5), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.".

Amendment agreed to.

Amendment No. 20 not moved.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 21:

In page 34, line 23, to delete “and” and substitute the following:"(c) the purposes for which the personal data may be processed, and".

Amendment put and declared lost.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 22:

In page 34, between lines 26 and 27, to insert the following:"(6) Regulations made under subsection (4) shall—
(a) respect the essence of the right to data protection, and

(b) enable processing of personal data only in so far as is necessary and proportionate to the legitimate aim pursued.".

Amendment put and declared lost.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Amendments Nos 23 to 41, inclusive, 51 to 58, inclusive, 68 to 73, inclusive and 148 are related and will be discussed together. Amendments Nos. 52 to 55, inclusive, are physical alternatives to amendment No. 51; amendments Nos. 69 and 70 are physical alternatives to amendment No. 68 and amendments Nos. 72 and 73 are physical alternatives to amendment No. 71.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 23:

In page 35, line 9, to delete “A specified person” and substitute the following:"Having regard to the importance of the right of freedom and expression and information in a democratic society, a specified person may,".

I do not propose to delay the House on this matter as there are other matters of substantially more importance to be dealt with. On the amendments the Minister made on Committee Stage in inserting sections 38 and 39 into the Bill, I have raised concerns with him and his officials. Rather than repeat those concerns which generally stem from what I believe may be a narrow definition of "electoral activities", I would like the Minister to set out the position, as he understands it, including whether he accepts my contention that the definition is too narrow. This is about allowing politicians and public representatives to do their work which is in the public interest and essential to democracy.

On politicians and the need for data protection, there have not been major scandals or outrages about the abuse of data by politicians, other than a few incidents involving some very unwise people in sending text messages from phones which should not have been used. That is not what I am seeking to address in my amendments; rather, they seek to allow the work of democracy to proceed as best it can. I am happy to allow the Minister to explain why he thinks I am wrong and that the definition of "electoral activities" does include the normal work politicians do outside the electoral cycle.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Before we proceed, I would like to make a rather unusual intervention. It has been brought to my attention that we have a distinguished visitor in the Visitors Gallery. While it is against the rules of the House to refer to persons in the Visitors Gallery and I am here to enforce them, I can also break them on occasion. James Connolly, a retired brigadier general, was born on 1 November 1923. He was commissioned by President Douglas Hyde in 1945. He was a pilot and, at one stage, head of the apprentice school at Baldonnel. He did UN tours in the early 1960s and the Middle East. His grandfather was James Connolly. His father, Roddy Connolly, son of James Connolly, was at various times a Member of the Dáil and the Seanad. His aunt, Nora Connolly-O'Brien, who, with her mother, wife of James Connolly, visited him on the night before his execution, was an Independent Member of Seanad Éireann as a Taoiseach's nominee in the late 1950s and mid-1960s. It is a great privilege to have him in the Visitors Gallery.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I welcome anyone who was born on 1 November, my birth date.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

It is an auspicious occasion.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

This is a large group of Opposition and Government amendments which deal with sections 38, 39, 47, 57 and 58, all of which are linked with the operation of our democratic system of government. I am unable to accept amendments Nos. 25, 51, 68 and 71 which have been tabled by Deputies Clare Daly, Mick Wallace and Donnchadh Ó Laoghaire and which propose the deletion of sections 38(2), 47, 57 and 58, respectively, as I believe these sections contain appropriate and proportionate measures to facilitate the smooth operation of our democratic system and to allow elected representatives in the State to maintain contact with and serve the electorate. This is a fundamental duty in our membership of the House.As amendments Nos. 57 and 58, in the name of Deputy Donnchadh Ó Laoghaire, appear to be alternatives, I am also unable to accept either of them.

Turning to the amendments tabled by Deputy Thomas Byrne, while I am very favourably disposed towards their objective, the Office of the Attorney General has advised that they may not be GDPR-compliant and that, furthermore, they may be open to legal challenge, which is a concern. The key changes proposed by the Deputy are replacement of all references to "electoral activities" with "political activities"; insertion of a non-exhaustive definition of "political activities"; the introduction of an additional condition in relation to representations made on behalf of data subjects who, by reason of physical or mental incapacity, are unable to do so themselves; the introduction of a further, potentially limiting, condition for elected representatives in responding to requests and representations in section 39(4); and replacement of section 38(3) with looser security conditions in a new subsection (6).

On the first change proposed, section 6A(3)(c) of the Data Protection Act 1988 which is carried over in section 58 of the Bill restricts the right to object to processing carried out in the course of electoral activities. Recital 56 of the GDPR also refers to processing personal data in the course of electoral activities. The risk is that replacing the reference to "electoral activities" which is in the current law and the GDPR with a reference to "political activities" would result in uncertainty and might give rise to legal challenges based on an apparent non-compliance with the GDPR.

On the second change proposed, inclusion of a non-exhaustive definition of "political activities" would cut across Article 9.2(d) of the GDPR which is directly applicable and does not require transposition into national law. It permits, among other things, the processing of personal data, including special categories of personal data, during the course of its legitimate activities by a political party where the processing relates to members, former members or those who have regular contact with it. This covers processing connected with membership, fundraising and all other activities in which we engage from time to time.

The introduction of a reference to protection of “the vital interests of the data subject” in amendment No. 35 is problematic because that term appears in Article 6.1(d) of the general data protection regulation, GDPR, and it has been given a very narrow and restrictive interpretation. If adopted in this context, it would impose a heavier burden on the person making a request or representation on behalf of a data subject without the capacity to make a request or representation on their own behalf.

Amendment No. 40 would appear to introduce an unnecessary consistency test whereas the current wording provides a legal basis for a response enabling an elected representative to respond to a request or representation. Amendment No. 40 would impose a condition that any such response must be "in such manner as is consistent with his or her role and functions as an elected representative". It is important to note that responsibility for compliance with this test would rest with the person disclosing the data to the elected representative, not with the elected representative.

The proposal in amendment No. 41 to replace the specified safeguard in section 38(2) with a general reference to “reasonable and proportionate measures” would not meet the “suitable and specific measures” threshold in section 35. The current text of section 38(2) incorporates the safeguard set out in section 35(1)(b) of the Bill.

I draw Members' attention to Government amendment No. 148, which contains amendments to section 13A of the Electoral Act 1992 in a new section 173. It inserts a new subsection (3C), which provides that the electoral register may be used by a specified person referred to in section 38 for the purpose of communicating with data subjects under that section, or by an elected representative referred to in section 39 for the purposes of that section.

I do not wish to introduce any element of confusion because it is very important that we are clear here. I am confident that the combined impact of sections 38, 39 and 173, which is the new section that we will come to later on, will preserve the important role of elected public representatives in performing their representative functions and day-to-day tasks in serving the electorate. I have been in this House a long time by dint of my work as a public representative and through my constituency work, serving my electorate. I have examined the situation closely. The objective of Deputy Thomas Byrne is clear in his amendment. I am in agreement with him on this but I do not want to do anything that might result in uncertainty. I do not want to do anything that might ultimately end in a conflict or a difficulty as far as our obligations are concerned.

4:35 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

There were two versions of the amendment - amendments Nos. 57 and 58. I made this point on Committee Stage so I will not over-labour it but I believe the whole section is far too broad. Arguments have been made, in respect of numerous parts of the Bill, that the effort to provide excessive detail means that the Bill as drafted is unnecessary because the relevant sections of the GDPR have a direct effect. Article 9 provides adequately for all the political purposes that are described. It does not appear to me that any political representation on behalf of constituents or anything like that is not covered by Article 9 of the GDPR. Provided that consent is freely given and is fully informed then I believe that is covered.

My amendments amend section 47 also, which I raised on Committee Stage. The section creates a loophole allowing companies from other jurisdictions that operate in the State on electoral activities outside of Ireland to gather data and use it in electoral contests elsewhere. I recognise that electoral activities here are already covered but it would potentially create a situation where companies such as Cambridge Analytica could operate here provided they were not interfering in electoral activity in the State. I may come back in on one of the other amendments.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I will speak on amendment No. 25. Sections 38 and 39 are new additions to the Bill and refer to the processing of personal data and specific categories of personal data by political parties, elected representatives and candidates for political office. The Department and the various political parties in government or in opposition seem determined to accommodate what they see as the peculiarities and seeming uniqueness of the Irish electoral system. This is in spite of the fact that what is proposed in terms of the processing of political opinion in the Bill will still be illegal under the GDPR.

Section 38, for the most part, is fairly harmless. It defines electoral activities for the first time in the legislative process but this definition is not very useful for the other relevant, extremely important and problematic sections to which the definition of section 38 refers, namely, sections 47, 57 and 58. We propose to delete section 38(2). Communication of the type described in section 38 is clearly committed under the GDPR as a "legitimate interest". I am not sure why we need to declare such communication to be a task in the public interest in such specific terms given that processing in the public interest in the GDPR gives us scope to bypass the consent of the data subject, for example. I understand the basic necessity for political parties to communicate with the electorate, and this kind of communication is, obviously, for the most part in the public interest. I wonder why we need such an explicit statement of this fact in the Bill.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The Minister is in agreement with me about my objectives, which he said he shares, and I am in agreement with the Minister in that I certainly do not wish to put the State at any risk of infringement proceedings. I do, however, at times feel that this threat - that the proposals infringe the Constitution - is often put against Private Members' Bills. We often hear this. I do, however, accept that it is a risk.

My concern is around the definition of electoral activities. Is the Minister confident that "electoral activities" covers it and that we do not need my amendment, which covers "political activities"? It could also have been representational activities. The Minister has said that this is not needed and that "electoral activities" covers Members' work and communications as public representatives in the public interest.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Unfortunately, this is a monster group of amendments that covers a lot of different aspects of GDPR rights and sections that could open us up to fines and legal proceedings, so I must take some time on this. The potential of exposing Members to that was the reason for siding with the Minister with regard to our previous amendment to an earlier section. They are very important aspects.

I will speak on amendment No. 25. The new section inserted by the Government on Committee Stage designates direct marketing by politicians, as long as it is in writing, as being carried out as a task in the public interest. It is highly questionable that a politician perpetuating his or her existence and inflicting it on anybody else could be legitimately defined as "in the public interest". It is completely unnecessary. Politicians and political candidates can already rely on the legitimate interest ground in the GDPR. Artificially designating written communication, which could include text messages from politicians, as being "in the public interest" when they could rely on the legitimate interest ground could cause problems because it takes away some of the obligation we have to balance the rights of citizens and the rights of politicians. This is why we have tabled amendment No. 25, which proposes to delete the odd public interest designation. We believe it is unnecessary. Politicians can already communicate and it is already lawful.

We must, however, take into account the fact that in the 2011 election, the then Data Protection Commissioner, Mr. Billy Hawkes, received many complaints about politicians' unsolicited text messages. Unlike the old data protection legislation, section 38 of this Bill would allow for that. We are weakening citizens' position in that regard.

Deputy Thomas Byrne's amendments would make the situation worse. He is extending the definition of "electoral activities" and referring to communications with party memberships, but since the latter are allowed for under the GDPR on a range of grounds, the amendment is unnecessary. The Deputy is proposing that fundraising and political surveys could be deemed to be in the public interest. That would make it lawful for a political party to send me an email every day for the rest of my life looking for money. I would have no legal way of making it stop.

4:45 pm

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We are not going to do that. Do not worry.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Worse, the Deputy's amendment seeks to extend the permission to cover party members. I could join Fianna Fáil tomorrow and use my membership as a cover to access other people's personal data and send them unsolicited emails, text messages, surveys and questionnaires every day. If someone felt his or her privacy had been violated, he or she could do nothing about it.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

That is not what is envisaged.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

It is madness. It may be an unintended consequence. I will defer to the Deputy's assertion that it is not intended-----

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is not intended.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

-----but it is what would arise. Turning to our amendment No. 51, section 47 is important and troublesome. Under it, the Government proposes to rely on recital 56 to justify allowing political parties anywhere to process the political opinions of anyone for the purposes of electoral activities. There is no territorial limit. If a German Cambridge Analytica wanted to process the political opinions of a few million Germans to sway the next German election, it would just have to send the data to Ireland. With such a vague definition of "electoral activities", there is no time limit on when political parties can process the data. People who want to get their hands on data about political opinions just have to put themselves forward as candidates for election. Lo and behold, they would then get around the general prohibition in the GDPR on that kind of data processing without explicit consent. That is why we are opposing the section. There is no non-creepy reason for allowing anyone to do this and profile people without their consent. One can profile people all one wants if one gets their consent.

All of Ireland's main data protection experts are vehemently against this section. Before Committee Stage, they wrote an open letter to The Irish Timescalling for the removal of the section's blanket exemptions on the processing of personal data revealing political opinions. These people pursued litigation previously and they know what they are talking about, so we would be silly to ignore their viewpoint. What is being proposed in this section is permission to create databases, profiles or whatever one wishes to call them for people who have nothing to do with a political party.

I will respond to points made by Deputy O'Callaghan on Committee Stage. Polls, focus groups, canvass tallies and so forth would still be allowed if this section were deleted. If people plan on using such information in the course of one of those activities, all that is required is for consent to be gained to note someone's political view, name and address. That is not a major ask, given that we are discussing the collection of personal data that can be used to match information to identify people.

Our amendment No. 68 is important. This section removes the right of citizens to object to their data being processed in order to post them letters and flyers from politicians. It tries to claim that mailings from politicians are not direct marketing. Articles 17 and 21(2) of the GDPR make it clear that the citizen has an absolute right to object to the use of his or her personal data to send him or her direct mail, text messages, etc. This section, however, allows politicians to send out unsolicited mail and stops people from objecting to that. In a balancing test, the desirability of citizens being informed about what their politicians are doing against the rights of citizens to object if they feel that their privacy is being invaded should come down on the side of the citizen. Citizens should have the right to object. Politicians get that all of the time. For example, people have told me that they do not want me to send them leaflets. That is fine, but this section removes the right to object. That is wrong.

Amendment No. 71 addresses section 58, which proposes to remove the right of citizens to object to the processing of their data for any purpose as long as it is carried out by political parties, candidates or the referendum commission. While various exemptions under the GDPR permit processing in the public interest, recital 69 makes it clear that the right to object in those circumstances must remain. Even if we accept that the processing of personal data by political parties for electoral purposes is in the public interest, which is arguable, we cannot strip people of their right to object to it while staying compliant with the GDPR. This amendment must be carried.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

The prospect that the Deputy holds out of her joining Fianna Fáil is certainly fascinating.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

She should not worry. We will not accept her.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We took in Deputy Donnelly.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We would not be the first.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Did Deputy O'Callaghan just read that into the record?

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I do not agree with much of what Deputy Clare Daly stated, including her prospects or otherwise of joining any party, much less Fianna Fáil.

I will address a couple of points. Deputy Daly made an assertion at the outset while referring to unsolicited text messages. My understanding is that unsolicited text messages are prohibited by law in any event on the basis of e-privacy regulations. Irrespective of anything in the Bill, the prospect of receiving unsolicited text messages during the course of an election-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Is the Minister saying that a text message is not communication in writing?

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

It would in effect be prohibited. Regarding section 47 and influences from outside the State or otherwise, the section is clear in that its provisions are confined to electoral activities within the State for elections within the State by a political party registered within the State. It does not cover, nor should it, electoral activity in another state.

I stand over the important changes that we have made, in particular to section 38, and I am anxious to be of assistance to Deputy Thomas Byrne. In that regard, electoral activity must be clearly understood in a broad sense to be more than just activity within the confines of the three weeks, 28 days or whatever. In support of this point, I will point out that we do not have fixed-term parliaments. As such, all of the activities of elected representatives and candidates are undertaken with an eye on the next election. Suffice it for me to draw on our earlier debate when Deputy O'Callaghan gave way to Deputy Byrne on the matter of the digital age of consent. Regardless of when an election takes place, electoral activity continues. I say this to be of assistance to Deputy Byrne and to assure him that I am keen to go as far as I can on the objective of his amendments within the strictures of the GDPR and without introducing new elements of uncertainty in the matter of political activities. I take the Deputy's point about political activities and I like the phrase "political activities", but if we are to introduce new definitions or phrases without an appropriate level of definition, we will get into uncertainty and difficulty. "Electoral activities" is known in law to be the work that we do on a continual basis. I am sure that Deputies Daly and Wallace also do that work, although they might not like it to be termed as such.

Amendment, by leave, withdrawn.

6 o’clock

Amendment No. 24 not moved.

4:55 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 25:

In page 35, to delete lines 12 to 14.

Section 38 of the Bill is potentially in conflict with the GDPR because it states "in writing". It is a grey area. This vague terminology could be in conflict with the e-privacy regulations of the GDPR because it would include text messages.

Amendment put and declared lost.

Photo of Thomas ByrneThomas Byrne (Meath East, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I will not move amendments Nos. 26 to 41, inclusive, on the basis of the Minister's assurances.

Amendments Nos. 26 to 41, inclusive, not moved.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 42 to 45 are related and may be discussed together.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 42:

In page 36, line 20, to delete “and special categories of personal data”.

I will try to be brief. We have resubmitted these amendments on Report Stage because they are quite important. According to recital 50, processing for purposes incompatible with the one for which the data was originally collected may be allowed if the person consents and the processing is based on European Union or member state law which constitutes a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest. Section 40 of the Bill allows for the processing of sensitive categories of data, such as one's political opinion, sexual orientation, race and so on, and general personal data for reasons other than that for which they were collected in order to prevent a threat to national security, to prevent, investigate or prosecute crimes or for the purpose of getting legal advice and so on.

Amendments Nos. 42 and 45 propose that further processing of very sensitive data would be permitted for all those crime stopping and public security reasons except the prevention of crime. The reasoning for that is that the GDPR does not apply to competent authorities such as the Garda Síochána when processing data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. It applies to everybody except competent authorities such as the Garda.

Section 38 proposes to give public bodies or companies the right to collect or compile databases in which people's identities are linked to things such as their political opinions, trade union membership, religion and so on for the purposes of preventing crime. It is very hard to imagine a situation where information held by a private company or public body about a person's religious affiliation, sexual orientation, political opinion, trade union membership or so on would ever be so absolutely essential for preventing crime as to outweigh the dangers of the impact on people's freedom of expression and association. It would not be worth it because the prevention of crime is a very nebulous concept. The amendment would allow the passing on of special category data by private companies to the Garda for the investigation and prosecution of criminal offences or the prevention of threats to national security but the prevention of crime would be open to too many interpretations. It is a catch-all and a step too far.

Amendment No. 44 proposes that further processing of personal data would be lawful for all the various crime and security reasons but rather than it being lawful for the purposes of preventing crime, the tighter wording of "avoiding prejudicing the prevention of crime", taken from the equivalent UK legislation, would be used. Amendment No. 43 provides that further processing would be allowed only if it is necessary and proportionate for various crime and terror fighting purposes, having regard to the fundamental rights and legitimate interests of the data subject. That introduces a balancing requirement whereby such further processing would only be lawful if the fundamental rights and legitimate interests of the data subject did not outweigh the reasons to reprocess his or her personal data.

Taken as a group, these amendments do not prevent the reuse of personal data by private or public organisations in general for crime prevention but, rather, only special category data. Data such as names, phone numbers, addresses, email addresses and IP addresses could still be used for crime prevention reasons as the amendments only address data such as one's sexual orientation, trade union membership, political views and so on.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

These amendments attempt to reshuffle section 40 and involve the insertion of a new section 41. We are trying to deal with personal data and special categories of personal data separately. The two categories are currently lumped together in the Bill. Article 23 of the GDPR is the relevant provision in this regard. It does not make an explicit distinction between the processing of personal and specific categories of data but several sections of the GDPR state that special categories of data should be treated with special care. We have, therefore, attempted to separate personal data from special categories of personal data through amendments Nos. 42 to 45. I accept that Article 23 of the GDPR refers to the prevention, investigation, detection or prosecution of criminal offences, for example, which is provided for by section 40(b) of the Bill. However, the problem these amendments are trying to address relates to the scope the word "preventing" introduces in regard to criminal offences, in particular in the context of special categories of personal data such as religious beliefs, political opinion, ethnicity and sexual orientation. The GDPR and section 40 of the Bill do not apply to the Garda and the processing of data referred to in this section does not, therefore, apply to it. Section 40 would essentially permit profiling based on race, political ideology or religious beliefs should the processing of special categories of data be included. As I stated on Committee Stage, a body other than the Garda would, therefore, be able to profile a person based on his or her ethnicity, religion or political opinions in the name of preventing a criminal offence in the broadest sense. The phrasing in our amendment, "avoiding prejudicing the prevention, investigation or prosecution of" a criminal offence is based on wording used in the British Data Protection Bill and would prevent the kind of profiling to which I have referred.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I regret that I have been unable to advance matters with Deputies Clare Daly and Wallace since our debate on this issue on Committee Stage when I took the opportunity to explain and put into context the importance of the section. I gave several examples and referred to important statutory enactments such as the Criminal Justice (Money Laundering and Terrorist Financing) Act, under which a range of designated persons, such as auditors, property service providers and financial institutions, who know, suspect or have reasonable grounds to suspect, on the basis of information available to them, that another person has been or is engaged in an offence are required to report that knowledge or suspicion or those reasonable grounds to the Garda and the Revenue Commissioners. Under sections 2 and 3 of the Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act 2012, it is an offence to withhold any information on offences referred to in that Act. As I stated on Committee Stage, the public interest must be considered in ensuring that we combat threats to public security and crime and do not do anything that might interfere with, jeopardise or compromise a criminal investigation or the prevention of a threat to public security.

This section provides an effective safeguard against excessive use on the basis that further processing is permitted only to the extent that it is both "necessary and proportionate". It is not a case of either-or.

I cannot accept the proposals in amendments Nos. 42 and 45 to remove the reference to special categories of personal data in section 40 and to add a new section, or amendment No. 44, which to my mind would weaken the section to such an extent as to result in difficulties.

Neither can I accept insertion of the words "having regard to the fundamental rights and legitimate interests of the data subject" as an additional threshold in amendment No. 43. We debated this to some extent on Committee Stage. We took the view that there may be unnecessary, uncertain or additional burdens, for example, on a youth worker reporting suspected harm to a child, or on a bank official reporting his or her suspicions that certain transactions might be linked to money laundering or terrorist financing. There are circumstances where the burden imposed by the additional threshold in amendment No. 43 would result in actions not being taken that might otherwise lead to the successful detection, investigation and prosecution of a crime.

It is much the same as on Committee Stage. I am not in a position to advance matters. I do not want to do anything that might weaken the proposal at hand and I am unable to accept amendments Nos. 42 to 45, inclusive, for those reasons.

Amendment put and declared lost.

5:05 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 43:

In page 36, line 22, after “that” to insert “, having regard to the fundamental rights and legitimate interests of the data subject,”.

Amendment put and declared lost.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 44:

In page 36, line 24, to delete “of preventing, detecting, investigating or prosecuting” and substitute “of avoiding prejudicing the prevention, investigation or prosecution of”.

Amendment put and declared lost.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 45:

In page 36, between lines 25 and 26, to insert the following:

“Processing of special categories of personal data for purpose other than purpose for which data collected

41.Without prejudice to the processing of personal data for a purpose other than the purpose for which the data has been collected which is lawful under the Data Protection Regulation, the processing of special categories of personal data for a purpose other than the purpose for which the data has been collected shall be lawful to the extent that such processing is, having regard to the fundamental rights and legitimate interests of the data subject, necessary and proportionate for the purposes⁠—(a) of preventing a substantial threat to national security, defence, or public security,

(b) of avoiding prejudicing the detection or prosecution of criminal offences,

(c) set out in paragraphs (a)or (b)of section 46.”.

Amendment put and declared lost.

Photo of Seán Ó FearghaílSeán Ó Fearghaíl (Ceann Comhairle; Kildare South, Ceann Comhairle)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 46 to 49, inclusive, are related. Amendment No. 48 is a physical alternative to amendment No. 47. Amendments Nos. 46 to 49, inclusive, may be discussed together.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 46:

In page 37, to delete lines 22 to 24 and substitute the following:

“43.(1) For the purposes of Article 86, personal data may be disclosed where a request for access to a record is granted under and in accordance with the Act of 2014 pursuant to an FOI request, a request for access to environmental information is granted under and in accordance with the Regulations of 2007 pursuant to a request for environmental information or a request to release documents for re-use is granted under and in accordance with the Regulations of 2005 pursuant to a request.”.

The amendments were submitted on Committee Stage. Amendments Nos. 46, 48 and 49 are my amendments. The intention is that people would have the same access to all the relevant documentation and personal data under freedom of information as is available under the environmental regulations. My reading of the Minister's amendment No. 47 is that it covers essentially what was intended by amendments Nos. 46, 48 and 49. Perhaps the Minister could elaborate on that. If the effect is the same, I will withdraw my amendments.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

During Committee Stage discussions, I undertook to examine proposals to extend the scope of section 43 to include the Re-Use of Public Sector Information Regulations 2005 and the Access to Information on the Environment Regulations 2007. I did examine the matter and I now propose in amendment No. 47 to extend the scope of section 47 to include the Access to Information on the Environment Regulations 2007. It is a coincidence that we are dealing with amendment No. 47 and section 47. I propose to extend the application of section 47 by a new amendment No. 47.

The Re-Use of Public Sector Information Regulations 2005 to 2015 do not permit the disclosure of personal data except in accordance with data protection legislation and the Freedom of Information Act 2014. Any release of personal data under the regulations would be in aggregated and pseudonymised form. For that reason, my amendment does not encompass reference to those regulations because I should not do so. I thank Deputy Ó Laoghaire for raising this important issue and I hope he accepts that the Government amendment addresses the issue and that amendments Nos. 46, 48 and 49 are not required in those circumstances.

Amendment, by leave, withdrawn.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 47:

In page 37, to delete lines 25 to 28 and substitute the following:“(2) For the purposes of Article 86, personal data contained in environmental information may be disclosed where the information is made available under and in accordance with the Access to Information on the Environment Regulations pursuant to a request within the meaning of those Regulations.

(3) In this section⁠—
"Access to Information on the Environment Regulations" means the European Communities (Access to Information on the Environment) Regulations 2007 (S.I. No. 133 of 2007);

“Act of 2014” means the Freedom of Information Act 2014;

"environmental information" has the same meaning as it has in the Access to Information on the Environment Regulations;

"FOI request" has the same meaning as it has in the Act of 2014;

"record" has the same meaning as it has in the Act of 2014.".

Amendment agreed to.

Amendments Nos. 48 to 50, inclusive, not moved.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 51:

In page 38, to delete lines 17 to 28.

Amendment put:

The Dáil divided: Tá, 27; Níl, 65; Staon, 0.


Tellers: Tá, Deputies Clare Daly and Donnchadh Ó Laoghaire; Níl, Deputies Joe McHugh and Tony McLoughlin.

Amendment declared lost.

Amendments Nos. 52 to 56, inclusive, not moved.

5:20 pm

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 57:

In page 38, between lines 28 and 29, to insert the following:"(2) This section does not permit the sharing or processing of personal data revealing political opinion with or by any private company, as defined under section 2(1) of the Companies Act 2014 without the consent of the data subject even when that private company has been contracted by the actors or entities specified under paragraphs (a), (b) or (c).".

Amendment put and declared lost.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 58:

In page 38, between lines 28 and 29, to insert the following:"(2) This section does not permit the sharing or processing of personal data revealing political opinion with or by any private company, as defined under section 2(1) of the Companies Act 2014 without the consent of the data subject even when that private company has been contracted by—
(i) a political party, or

(ii) a candidate for election to, or a holder of, elective political office in the State.".

Amendment put and declared lost.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 59 and 60 are related and may be discussed together.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 59:

In page 39, line 3, after "subjects," to insert "and subject to subsection (2),".

We proposed a number of amendments to section 49 of the Bill on Committee Stage. We are returning with some of the same amendments on Report Stage and we have left others behind. We have taken on board some of the concerns listed by the Minister on Committee Stage. It is significant that these concerns are shared by a number of other member states. We appreciate that there are many factors at play in this section, which essentially provides exemptions from the GDPR requirement for explicit consent for the processing of special or sensitive categories of data. Obviously, that is fine as long as we adhere to the possible exemptions provided for in the GDPR. This amendment proposes that processing might take place without the consent of the data subject if the data controller cannot reasonably be expected to get this consent, for whatever reason. In other words, obtaining consent should be a reasonable step. As the Minister has said he has sought advice from the Office of the Attorney General about the need for this section, we will not force the issue. The processing of special categories of data is a serious issue under the GDPR. That is what we are trying to highlight in this section. We appreciate the concerns of the Department and the Minister about the problems that arise with regard to contracts because of the definition of "consent" in Article 4.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

We considered these amendments on Committee Stage. I have been in contact with the Office of the Attorney General, which has agreed that this section is needed to address a specific problem arising from the strict definition of "consent" in the GDPR. The Deputy is right when he says this issue has arisen during the preparation of legislation in a number of other member states. The Deputy has acknowledged the difficulty that exists. I undertook to pursue matters further and I have done so. On foot of the advice I have received, I am not in a position to accept these amendments.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I find the Minister's position a bit strange because these amendments are based on a similar provision in the UK Act. They seek to insert an additional safeguard for people when private insurance companies and banks are using their data without their consent. Such use is allowed only when someone has not explicitly said "No" and when the bank or insurance company would face an insurmountable task in getting consent. I think that is reasonable. I do not see how it could be allowed in the UK legislation if our Attorney General is saying it cannot be done.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

It is not so much a question of the consent, but of the nature of the consent.

Amendment put and declared lost.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 60:

In page 39, between lines 9 and 10, to insert the following:"(2) The processing of data regarding health under this section can be carried out without the consent of the data subject only if, in addition to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects—
(a) the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b) the controller is not aware of the data subject withholding consent.".

Amendment put and declared lost.

Amendment No. 61 not moved.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 62:

In page 40, between lines 9 and 10, to insert the following:"(9) Regulations may be made under this section only if—
(a) a draft of the proposed regulation has been laid before the Houses of the Oireachtas, and

(b) a resolution approving the draft has been passed by each House.".

Amendment put and declared lost.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 63 and 76 are related and may be discussed together.

5:30 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 63:

In page 42, line 5, to delete “persons authorised” and substitute “persons who are or were authorised”.

These are minor drafting amendments to sections 54 and 59. They extend the reference to "persons authorised to carry on a profession or other activity" to "persons who are or were authorised". They are minor amendments but nevertheless essential.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 64:

In page 42, to delete lines 22 to 39, and in page 43, to delete lines 1 and 2 and substitute the following:“(4) Subject to subsection (5), regulations may be made under subsection (3)
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(5) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (3).

(6) The Commission may, on being consulted under subsection (5), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.”.

Amendment agreed to.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 65 and 141 are related and may be discussed together.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 65:

In page 43, between lines 17 and 18, to insert the following:“Processing of special categories of personal data for identity verification purposes

55. Processing of special categories of personal data for identity verification purposes will be lawful provided no copy of identification or information contained within is stored or retained for any reason.”.

This is an amendment to section 55. It is intended to prevent the holding of surplus data, particularly where that would be copies of forms of identification. Given that there is so much ministerial discretion contained within the section and the Bill, this is a strong measure that ensures the fundamental rights of data subjects are protected. It specifically allows for the processing of special categories of personal data for identity verification purposes, as is consistent with the rest of the section. This will be lawful provided no copy of identification or information contained within is stored or retained for any reason.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

One of the difficulties is that these amendments were not considered or raised in earlier discussions. In light of the nature of the debate and the number of amendments, I would not be prepared to accept them at this stage having regard to the fact that we did not have an opportunity to examine them in the detail such amendments deserve.

The proposal in amendment No. 65 would require intense scrutiny, not least because of the possibility of far-reaching consequences. Biometric data is a special category of personal data referred to in Article 9(1) of the GDPR and the generally applicable data retention rules will apply to any processing of such data.

While there may well be merit in amendment No. 141, the proposal to permit the making of regulations would require the development of policies and principles but they have not been included in the amendment. I am not prepared to take on something the consequences of which I have not been in a position to examine. I say that not as any form of excuse but as a justified reason on this Stage and I ask the House to accept that.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I thought these were very good amendments and we would certainly support them. Amendment No. 65 will prevent identity databases from being created by, for example, the Government. Such databases could be exploited for a range of purposes. Amendment No. 141 is an effort to prevent the Government from continuing to maintain its gigantic and illegal biometric database, created through forcing people to get a public services card for a range of reasons such as getting a passport or, until recently, a driver's licence, reasons that have no basis whatsoever in law. They are very worthy provisions and, whether we discussed them on Committee Stage or not, it is important to insert them at this stage.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I had failed to notice that amendment No. 141 was grouped with amendment No. 65. The Minister referred to the requirements and the exceptions in that they are not contained in the Bill. The GDPR as European law will be Irish law. They are well enumerated in the GDPR. It outlines biometric data as personal data resulting from specific technical processes relating to the physical, physiological or behavioural characteristics of a natural person which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data. The GDPR consent requirements define biometric data as special categories of personal data and prohibit its processing, thereby protecting people from having their data shared with third parties without their consent. The exception to that consent is that processing is prohibited unless necessary for carrying out obligations of the controller or the data subject in the field of employment, social security and social protection.

This is very relevant to the issue of the development of the public services card and the questions about the use of biometric data in that regard. The Government has found itself in difficulty, especially in respect of the Road Safety Authority recently and the requirements that were provided there, as well as the Department of Employment Affairs and Social Protection. We have not had adequate public debate on the use of biometric data or the possibility of the public services card being used as a sort of proxy identity card with biometric data. Whatever arguments are to be made in support of that have not been made honestly or directly. In that context and in the context of governments here and around the world increasingly using biometric data to build profiles of people and the potential for that data to be compromised, I think these are reasonable safeguards to put into the legislation.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I get no joy from telling Deputies what I cannot do. I would rather say what I can do. We are on Report Stage of what is lengthy and complex legislation. Deputies may be aware that the programme for Government includes legislation entitled the data retention Bill, which is not yet ready. I will look at Deputy Ó Laoghaire's amendments in that context. I know it is not ideal. I may have certain sympathies with the objectives of the amendments but in the circumstances I am unable to accept them. Maybe if I said to the Deputy we will look at it in the context of forthcoming legislation which is not too far away in terms of timeframes and scheduling, I could say that to the House by way of what I think is beneficial.

Amendment put and declared lost.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 66 and 78 are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 66:

In page 43, to delete lines 20 to 28 and substitute the following:“Right of access to results and scripts of examination and results of appeal

55. (1) Subject to subsection (3), a request by a data subject under Article 15 in relation to the result of an examination at which he or she was a candidate, or in relation to a script completed by him or her in the course of such an examination shall, for the purposes of that Article, be taken to have been made on the later of—
(a) the date of the first publication of the results of the examination, or

(b) the date of the request.
(2) A request by a data subject under Article 15 in relation to the result of an appeal by the data subject against the result of an examination at which he or she was a candidate shall, for the purposes of that Article, be taken to have been made on the later of—
(a) the date of the first publication of the results of the appeal, or

(b) the date of the request.
(3) Where—
(a) a request by a data subject referred to in subsection (1) relates to a script completed by him or her in the course of an examination in the Leaving Certificate Examinations conducted by the State Examinations Commission, and

(b) the data subject, whether before or after the making of that request, appeals the result of the examination referred to in paragraph (a),
that request shall be taken to have been made on the date of the first publication of the results of the appeal referred to in paragraph (b).

(4) In this section—
“appeal” means any formal process to enable a candidate to request a recheck of an examination result which is specified by a person who operates the examination;

“examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his or her performance in any test, work or other activity;

“script” means any work produced by a candidate as part of an examination including any examination answer-book (whether in written or digital form), journal, portfolio, audio and visual recording, practical piece or artefact and, for the purposes of this definition, shall be deemed to include—
(a) an audio or visual recording, produced in the course of an examination, of the performance of the candidate in the examination, and

(b) any marks or comments added to the script, or made in relation to the script, by an examiner in the course of his or her marking of the script.”.

On Committee Stage I undertook to examine amendments tabled by my colleagues, Deputies Brophy and Burke, which sought to insert provisions into the Bill that will address the far-reaching implications of the European Court of Justice ruling in December in the Nowak case that examination scripts are personal data for the purposes of data protection law. Amendment No. 66 inserts a new, more detailed section 55 in the Bill, while amendment No. 79 will permit the making of regulations, if required, to restrict access rights of individuals to safeguard the integrity and security of examination systems. I note in passing that the Court of Justice ruling in the Nowak case, which was referred to the Luxembourg court by our Supreme Court, is an example of the dynamic and expansive approach being taken by the court in the field of data protection. I propose these amendments on that basis.

Amendment agreed to.

5:40 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 67:

In page 44, to delete lines 5 and 6 and substitute the following:“him or her to—

(I) make representations to the controller in relation to the decision,

(II) request human intervention in the decision-making process,

(III) request to appeal the decision.(2) In the case of requests made under subsection (1)(b)(ii)(II) or (III) the controller shall—(a) comply with the request, and

(b) notify the data subject in writing of—

(i) the steps taken to comply with the request, and

(ii) in the case of an appeal under subsection (1)(b)(ii)(III), the outcome of the appeal.”.

The GDPR puts several protections in place for people in circumstances where they might be subjected to automated decision-making. Article 22 states that decision-making based on automated processing is prohibited except if a decision made in this way is necessary for entering into a contract between a person and a controller or if it is based on the person’s explicit consent. If these bases are used, then the controller has to implement safeguards, including the right to obtain human intervention and the right to appeal. Article 22 also states decisions can be made on the basis of automated processing if they are authorised by Union or member state law which also lays down suitable measure to safeguard the data subject’s rights, freedoms and legitimate interests.

It is clear that the type of safeguards the GDPR had in mind when public authorities are using automated processing are matters like the right to obtain a human intervention and the right to make an appeal. The Bill, however, does not include those rights. It simply states people can make a representation. We do not believe that is good enough. Article 29 Working Party, the God of guidance on the GDPR, stated on automated processing per Article 22 and recital 71, minimum safeguards must provide an explanation of the decision reached to the data subject, a way for the data subject to obtain human intervention, express their point of view and contest the decision.

In the Bill people have a right to make representations if they are not happy. That is not really much use. It is no guarantee that they will get a human intervention if they want it. There is no obligation, even on a controller, for example, the Department of Employment Affairs and Social Protection processing welfare claims, to respond or deal with representations it gets. As the Bill is currently constituted, it can just ignore them.

That is way too serious. We know for example that in the United States where automated benefit systems operate, it has resulted in millions of benefit applicants being denied over a period of years. Those people at least had the right to an appeal and a human intervention. Another example was the Garda roll-out of the automatic number plate recognition system. When introduced, it was misreading number plates and showing everybody as having no car insurance. Fortunately, at the time it was so broad, the system was stopped and corrected. However, one can easily imagine another case where not everybody was caught up in the loop and somebody was tied up in having to make an appeal and require human intervention. It is not guaranteed now. It is quite an important amendment. It is not onerous, it will actually defend citizens’ rights and make us much more compliant.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The essential features of the amendment are already contained in section 56. I am concerned by accepting this amendment that we run the risk of damaging laws put in place to combat fraud and tax evasion. I cannot allow for anything that might conflict these measures.

Section 56 makes it clear that these steps must include an arrangement whereby a data subject has the opportunity to make representations on any intended decision. This means that a data subject must have information on any proposal to make such a decision and have the opportunity to bring any concerns to the attention of the controller.

The GDPR mentions fraud and tax evasion as areas justifying automated process. I am satisfied that the safeguards are adequate and GDPR compliant. I do not want any measures which may not be GDPR compliant. I cannot, therefore, accept the amendment.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

This is an interesting amendment put forward by Deputies Clare Daly and Wallace. Since it was discussed on Committee Stage, I have had an opportunity to look in more detail at Article 22 on the issue of micro-profiling. It deals with decisions based solely on automated processing including profiling.

It is worth pointing out that Article 22(3) gives specific recognition to the fact that a data subject is entitled to have the right to obtain human intervention on the part of the controller. I note what the Minister said. Part of the problem that arises in respect of legislation, however, is that part of it gives further effect to the GDPR and other parts of the legislation give effect to Directive (EU) 2016/680. There is an attempt in section 56 to indicate the rights individuals have under Article 22. I note it begins by stating it is subject to Article 22(4). Any person looking at what will hopefully become the Data Protection Act by this time next week will want to know the full extent of his or her rights under section 56. Under the legislation, he or she would then have to go to Article 22 of the GDPR to find out that he or she has a right to obtain human intervention on the part of the controller in order to assess whether an automated decision can be checked again.

Unless I hear a convincing argument from the Minister in response, my inclination is to support the amendment.

7 o'clock

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

An opinion under Article 29 will act as a guide on the matter of interpretation of automated processing, including the operation of the section. That is another opportunity for the issues raised by Deputy Clare Daly to be considered. On the one hand, we have sufficient safeguards but, on the other, I would add an opinion under Article 29 which will ultimately assist in the interpretation of automated processing. That will inform the operation of the section.

Amendment put:

The Dáil divided: Tá, 53; Níl, 33; Staon, 0.


Tellers: Tá, Deputies Clare Daly and Mick Wallace; Níl, Deputies Joe McHugh and Tony McLoughlin.

Amendment declared carried.

5:55 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 68:

In page 44, to delete lines 7 to 15.

Amendment put and declared lost.

Amendments Nos. 69 and 70 not moved.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 71:

In page 44, to delete lines 16 to 24.

Amendment put:

The Dáil divided: Tá, 25; Níl, 62; Staon, 0.


Tellers: Tá, Deputies Clare Daly and Donnchadh Ó Laoghaire; Níl, Deputies Joe McHugh and Tony McLoughlin.

Amendment declared lost.

Amendments Nos. 72 and 73 not moved.

6:00 pm

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendment No. 74 is in the names of Deputies Clare Daly and Mick Wallace. As amendments Nos. 75 and 77 are related, they may all be discussed together.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 74:

In page 45, line 34, to delete "Subject" and substitute the following:"Having regard to the balance of the rights and freedoms of data subjects and the rights and freedoms of others, and subject".

Section 59 proposes that the Minister should have wide discretion in limiting the rights of persons given to them by Articles 12 to 22, inclusive, in respect of certain subjects united under the vague banner of "general public interest". The section also proposes to give the Minister wide discretion to limit the rights and freedoms of persons if he or she thinks it is necessary to do so for the protection of a data subject or where he or she thinks the exercise of a right is likely to cause serious harm to the physical or mental health of a data subject. That seems to be fair enough, but there is no provision in the section to oblige the Minister to balance the rights and freedoms of data subjects and others in circumstances where he or she is proposing to restrict a right, for example, access to information. It cannot be the case that the Minister is the final arbiter in deciding whose rights trump whose without having to perform a balancing action. That is where we are coming from in amendment No. 74. It would oblige the Minister to have regard to the balance of rights and would not be a great imposition. It is important that the Minister should have to do this.

Amendment No. 74 ties in with amendment No. 75. Under section 59, the Minister will have the power to limit data subjects' rights in the case of data obtained and kept in the course of the carrying out of social work by a public body, a voluntary organisation or another body. On the face of it, this also seems to be vaguely okay, but if we scratch a little deeper, it becomes obvious that this restriction of rights probably will be used, for example, to refuse information to adopted children on their natural parents. We have a history of this happening in this country. Given that one of the rights listed between Articles 12 and 22, inclusive, is a right to access information a data controller holds on a person, it seems obvious that this provision could be used to limit the right to access information of adopted persons in a broad and non-transparent way. For example, there could be a refusal to grant a person information on the grounds that it might damage his or her mental health. That is critically important.

Amendment No. 77 seeks to delete ensuring the effective operation of the immigration system as one of the general public interest grounds on which the rights of persons can be suspended. The reason we have tabled this amendment is to put it on the Minister's radar that we will be keeping an eye out for regulations made under the section that will seek to restrict the right of persons to access information or to have corrected erroneous information held on them by bodies such as the INIS.

There is an enormous controversy in the United Kingdom about a similar provision in its Data Protection Bill and a legal case against it is being prepared. In the United Kingdom it is proposed to restrict the rights of persons under Articles 14 to 16, inclusive, among others. Those taking the case point out that the provision is discriminatory and will mean that those involve in immigration disputes will find it impossible to obtain the data immigration authorities have used against them, thus making it impossible to build a case or lodge an appeal against a decision made against them. The suspension of these rights will also mean that it will be impossible for immigrants to correct or challenge erroneous data held on file about them. It will also prevent them from finding out how their data were obtained and shared, thus allowing unlawful data to be shared, go unchallenged and remain a secret.

We do not yet know which of the rights under Articles 12 to 22, inclusive, the Minister will seek to restrict under this section in the case of immigrants. It will be laid out in regulations down the line. As a Parliament, we will be asked to approve those regulations, which is fair enough. We are merely flagging this serious issue. We want to mark it here and now, particularly as it is the subject of litigation across the water.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I remind the Deputy of the amendments that were passed last night which have some significance in the context of the safeguards about which she has spoken.

Amendment No. 74 proposes to insert some text at the beginning of subsection (5). It does not appear to be necessary because of subsection (12) as inserted by amendment No. 80, to which we agreed last night. It already provides that any regulation made under section 59 to which the Deputy referred must respect the essence of the right to data protection and restrict the exercise of data subject rights only in so far as it is both necessary and proportionate.

Amendment No. 75 seeks to delete subsection (5) in its entirety. I have a problem with this because the particular provision is carried over from section 5(8) of the 1988 Act. It allows limited restrictions on data subject rights for social work purposes where, for example, a risk to the health or welfare of children is being assessed by a social worker. Regulations under the section will allow the necessary inquiries to be made by the social worker and access to the data collected in the case could be restricted by means of regulations but only to the extent that and for as long as the release of such information would be likely to cause serious harm to the physical health or mental health of the data subject.

Amendment No. 77 seeks to delete section 59(7)(h). I have a difficulty with this, too. As a result of the amendments made last night, the data protection commission must be consulted on all regulations to be made under the section. Any significant concern not taken on board by the relevant Minister must be communicated directly to the justice committee and any other relevant committee of the Houses. In addition, the draft regulations, because of the positive resolution or positive affirmation that is necessary, must be submitted to both Houses for positive resolutions. The safeguards will provide an opportunity in both Houses to discuss the merits of any such proposal at that time and in such a format as might be proposed within the regulations. Because of this, I have a difficulty with accepting the amendments.

6:10 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I will restate the point on amendment No. 74. We see no reason we would not balance the rights of one person, for example, a mother who put her baby up for adoption, against the rights of the baby who was adopted in making a decision on whether the child should be given information on the mother. It would not always result in a decision in the child's favour. The requirement is that the two sets of rights, where they potentially clash, be balanced, with one person wanting to move on and the other wanting to know from where he or she came. Both viewpoints would have to be taken on board. It is a balancing provision. We thought the Minister might accept that amendment. We take on board his points about the other amendments in the sense that we can deal with them in regulations.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

On the point made by the Deputy about the regulations and, for example, her first point about an adopted child and the information sought, the matter will be debated in the House at the time in specific terms, rather than in less specific terms now. My advice and view on it are that we wait for the regulations, the contents of which we will be obliged to debate fully. At the time we will be dealing with draft proposals, rather than hypothetical examples as suggested by the Deputy. I would be concerned about a disadvantage being conferred on a party in the example proposed by her, but it is very much hypothetical. What we should do is wait until there is a proposal before us which must be debated fully.

Amendment, by leave, withdrawn.

Amendment No. 75 not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 76:

In page 46, line 16, to delete “persons authorised” and substitute “persons who are or were authorised”.

Amendment agreed to.

Amendment No. 77 not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 78:

In page 47, between lines 19 and 20, to insert the following:“(n) safeguarding the integrity and security of examinations systems;”.

Amendment agreed to.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 79:

In page 47, between lines 21 and 22, to insert the following:“(8) (a) In circumstances where it is proposed to restrict the rights and obligations referred to in subsection (1) for important objectives of general public interest other than those listed in paragraphs (a) to (n) of subsection (7), the Minister shall cause to be laid before both Houses of the Oireachtas a written statement of those further objectives.
(b) Regulations may be made restricting the rights and obligations referred to in subsection (1) only if a resolution approving the written statement laid before the Houses under paragraph (a) has been passed by each House.”.

Amendment put and declared lost.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 80:

In page 47, to delete lines 27 to 40, and in page 48, to delete lines 1 to 10 and substitute the following:“(9) Subject to subsection (10), regulations may be made under subsection (5) or (6)—
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(10) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (5) or (6).

(11) The Commission may, on being consulted under subsection (10), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.
(12) Regulations made under this section shall—
(a) respect the essence of the right to data protection and protect the interests of the data subject, and

(b) restrict the exercise of data subjects’ rights only in so far as is necessary and proportionate to the aim sought to be achieved.”.

Amendment agreed to.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 81:

In page 48, between lines 10 and 11, to insert the following:“(11) Regulations made under this section shall—
(a) respect the essence of the right to data protection and protect the interests of the data subject, and

(b) restrict the exercise of data subjects’ rights only in so far as is necessary and proportionate to the aim sought to be achieved.”.

Amendment put and declared lost.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 82:

In page 48, between lines 10 and 11, to insert the following:“(11) (a) Such regulations shall be referred before their enactment to the Data Protection Commissioner for their opinion under the terms of section 100.
(b) The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is—
(i) necessary,

(ii) proportionate,

(iii) in compliance with subsection (4),

(iv) in compliance with the GDPR.
(c) The impact assessment shall be returned to the Minister within three months of the Minister’s referral, and it shall make recommendations as to whether the proposed processing of special categories is in compliance with the criteria laid out in paragraph (b) and shall recommend any changes necessary to the regulation to ensure compliance, or may recommend that the Minister not proceed with the regulation.

(d) In the event that the Minister does not follow the recommendation of the Data Protection Commission, the Government shall—
(i) publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission,

(ii) cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.”.

Amendment put and declared lost.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 83:

In page 59, to delete lines 18 to 20 and substitute the following: “(a) that occurs in the course of an activity falling outside the scope of the law of the European Union,

(b) by an institution, body, office or agency of the European Union, or

(c) to which section 8(1)(b) applies.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 84:

In page 62, to delete lines 36 and 37, and in page 63, to delete lines 1 to 18 and substitute the following:“(3) Subject to subsection (4), regulations may be made under subsection (2)
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
(4) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(5) The Commission may, on being consulted under subsection (4), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—
(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 85:

In page 63, to delete lines 37 to 39, and in page 64, to delete line 1.

Amendment agreed to.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 86 to 92, inclusive, are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 86:

In page 76, to delete lines 12 and 13 and substitute the following:“(c) ensure that the data protection officer—
(i) reports directly, in relation to his or her functions under subsection (5), to the highest level of management of the controller,

(ii) does not receive any instructions regarding the exercise of such functions, and

(iii) is involved in an appropriate and timely manner in all matters relating to the protection of personal data, and”.

During the discussion on Committee Stage I agreed to examine the content of what are now amendments Nos. 87, 88, 90 and 91, tabled by Deputies Clare Daly and Mick Wallace. Arising from that examination, I have tabled Government amendments Nos. 86 and 89 by way of response to concerns raised on Committee Stage. I thank the Deputies for raising these issues.

I regret that I am unable to accept amendment No. 92 tabled by Deputy Donnchadh Ó Laoghaire, even though I have to admit I have some sympathy for its objective. It deals with the risk a data protection officer may encounter non-co-operation, duress, harassment or victimisation in the workplace and may as a result be unable to perform his or her duties. I had the opportunity to consider this issue during earlier discussions in the Seanad and I am still of the view that a more effective remedy is available to data protection officers under the Protected Disclosures Act 2014. The House will be aware that a disclosure of relevant information is protected under that Act. If, in the reasonable belief of a worker, it tends to show a relevant wrongdoing and it came to his or her attention in connection with his or her employment, "relevant wrongdoing", as defined in section 5(3) of the Act, includes that a person has failed, is failing or is likely to fail to comply with a legal obligation. This includes the data controller's obligation towards the data protection officer.

Section 7 of the Protected Disclosures Act 2014 provides for protected disclosures to an external person prescribed in an order made by the Minister for Public Expenditure and Reform in Statutory Instrument 339/2014, in which the Data Protection Commissioner has been prescribed as a recipient of disclosures in respect of all matters concerning compliance with data protection law.

In SI 339 of 2014, the Data Protection Commissioner has been prescribed as a recipient of disclosures in respect of all matters concerning compliance with data protection law. This provides an effective remedy where a data protection officer, DPO, is experiencing difficulty in performing his or her functions. A further advantage, and an important aspect, is that any DPO making such a protected disclosure will enjoy the extensive protections against dismissal, victimisation and detriment provided under Part 3 of the 2014 Act.

Another shortcoming in Deputy Ó Laoghaire's amendment No. 92 is that it would, if accepted, apply only to DPOs appointed by law enforcement authorities operating under Part 5 and would not protect the larger number of DPOs operating under the GDPR. All DPOs, whether operating under the GDPR or Part 5 of this Bill, will have protection under section 7 of the Protected Disclosures Act 2014 as elaborated by SI 339 of 2014. I have considered this carefully since we last debated it and, while I appreciate the motivation for this proposal and have some sympathy with the import of the amendment, I cannot accept it because we have a more effective remedy under the Protected Disclosures Act 2014. I do not want a situation to arise where in terms of practice there is not only uncertainty but also confusion between two Acts, one of which is specifically designed to meet the protected disclosure, and not have new amendments here in this legislation that have particular relevance to the 2014 Act.

6:20 pm

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

We appreciate the Government's coming back with amendment No. 86 which is a version of a variety of amendments we tabled on Committee Stage and which we resubmitted in case the Government did not do so. We are happy to support it and will withdraw our amendments Nos. 87 and 90.

These amendments deal with DPOs who work for competent authorities as this section is in Part 5, the criminal justice part. We are curious as to why the Government has rejected our suggestions in amendments Nos. 88 to 91, inclusive. These are, briefly, that a DPO shall not be penalised for the performance of his or her tasks, that one of the DPO's functions is to act as a point of contact for people in regard to what is happening to their information and their rights under this Part, and that a data subject may contact a DPO to ask questions about what is happening to their data and what kind of rights they have under this Part. While we will not push amendment No. 89, we think amendments Nos. 88 and 91 are important.

DPOs, particularly in competent authorities such as An Garda Síochána which has a less than stellar reputation for dealing with people who point out wrongdoing, should have the same protections as their colleagues in other public bodies. Article 38 of the GDPR which applies to everyone except competent authorities like the Garda states that a DPO "shall not be dismissed or penalised by the controller or the processor for performing his tasks". Why would we not protect them similarly under Part 5, especially since the Government has accepted the general principle of giving DPOs in Part 5 most of the Article 38 protections? Equally what reason could there be for a DPO not to have as part of his or her job answering questions from people suspected of crime or victims of crime about what is happening to their data and what kind of rights they have under this Part?

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I support Deputy Wallace's and Deputy Clare Daly's amendments because while they deal with different aspects of the Bill, their intention is the same. It is not difficult to anticipate the circumstances in which it would be in the interests of a data controller to hinder, harass or in any way infringe the work of a DPO. That might be in the interests of individuals or senior management within any organisation and could restrict the DPO's ability to do his or her job properly.

I take on board what the Minister has said. It was somewhat more detailed than his contribution on this amendment on Committee Stage. While I recognise that the data protection commission is a prescribed organisation under the legislation I am concerned that the procedure would be protracted and slow. My amendment to subsection (2) of the section that it is intended to insert allows the commission to take corrective action. There should be a direct line between DPOs and the data protection commission beyond the Protected Disclosures Act 2014. If somebody was concerned and contacted them directly outside the scope of the Protected Disclosures Act 2014, there would be scope for advice and support and so on. A complaint made under a section of this Act would allow the commission to take corrective action quickly and directly against the people in those organisations which were potentially hindering, undermining or harassing the person who was trying to do his or her job.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

This group of amendments seeks to provide protection for the DPO. The objective of the amendments is to ensure that he or she is able to carry out his or her functions independently and without inappropriate interference by senior management or the person who has appointed them. Not only will a DPO have the benefit and advantage of the protected disclosures legislation but he or she will also have the advantage of protection under employment law. If a DPO is dismissed for performing his or her functions, he or she is entitled to seek the protection of the court for wrongful or unfair dismissal or for constructive dismissal if his or her senior manager is preventing him or her from carrying out his or her functions as required.

I support amendment No. 86 but it does give an extraordinary level of protection to a DPO stating that he or she shall "not receive any instructions regarding the exercise of such functions". The objective is to try to ensure that a DPO is not inappropriately interfered with. We have also to recognise the possibility that DPOs who are incompetent, who do not perform their functions in an appropriate manner or who do not carrying them out in accordance with what their job requires will be appointed. Are they to be completely immune from any instructions from their supervisors to say they must carry out their functions in a competent and particular way?

Deputy Clare Daly's and Deputy Wallace's amendment No. 88 would give a DPO extraordinary protection. He or she could never be dismissed for performing his or her tasks. A situation might arise where a DPO is performing his tasks with extraordinary incompetence. Is he not to be dismissed because he is failing to perform his job competently? Providing that an officer shall not be dismissed would be an extraordinary power to insert and would make a DPO immovable.

On Deputy Ó Laoghaire's amendment No. 92, the objective of which is to try to ensure that the data protection officer is protected from inappropriate interference, duress, harassment or victimisation, all employees have protection under employment law from an employer who is imposing duress, harassment or victimisation upon them. I note the objective of the amendment and I support it, but I believe it would be unnecessary to include such a specific provision here when there are protections in place.

6:30 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I note the points made by Deputy O'Callaghan. I am of the view that my amendments Nos. 86 and 89, by and large, deal with the issues raised by Deputies Wallace and Clare Daly on Committee Stage and would obviate the need to proceed any further with amendments Nos. 87, 88, 90 and 91. I have gone as far as I can on this matter. The issues raised on Committee Stage were not insignificant issues and in this regard I am happy to propose amendments Nos. 86 and 89.

Amendment agreed to.

Amendments Nos. 87 and 88 not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 89:

In page 76, after line 38, to insert the following:"(d) acting as the contact point for data subjects with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Part;".

Amendment agreed to.

Amendments Nos. 90 and 91 not moved.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 92:

In page 77, between lines 3 and 4, to insert the following:"Protection of Data Protection Officers

88. (1) The Data Protection Commission shall provide a protection, whereby Data Protection Officers may seek the assistance of the Data Protection Commissioner, due to the fact that the Data Protection Office is not in a position to carry out their role fully, due to inappropriate interference from the Data Controller, or duress, harassment or victimisation.

(2) Where the Commission receives a complaint under subsection (1), it shall, in addition, make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.".

Amendment put and declared lost.

Photo of Pat GallagherPat Gallagher (Donegal, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 93 to 95, inclusive, are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 93:

In page 78, lines 9 to 11, to delete all words from and including "data;" in line 9 down to and including line 11 and substitute "data.".

This is a drafting amendment which deletes subparagraph (iv) of section 89(2)(f) as it repeats text included in the introductory text of paragraph (f). On amendment No. 94, section 90 gives effect to Article 14 of the directive. A data subject's rights in regard to automated data processing, including profiling, in the context of law enforcement are set out in Article 11 of the directive and in section 88 of this Bill. As such, I am not inclined to accept amendment No. 94. On Committee Stage references in section 90, now section 91, to section 92, now section 93, were deleted. Arising from a review of the section, amendment No. 95 restores the reference to section 93 in section 91(10)(i), such that this, too, is a drafting amendment.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Amendment No. 93 is not a tidying-up amendment. It seeks to delete an amendment we had accepted on Committee Stage, which was a pretty innocuous amendment in that it only obliged a controller to give a person such further information as he or she might need to exercise his or rights under Part 5. It adds one additional point to the list in section 89(2) in terms of information which data subjects have a right to get from data controllers. Most of the items of information included in subsection (2), such as information on a controller's contact details, the right to lodge a complaint and the purpose for which the data is being processed and so on, are replicated in the GDPR and the directive but the point, "such further information as is necessary to enable the data subject to exercise his or her rights", is not included in this Bill. The amendment tabled and accepted on Committee Stage sought to ensure that it is included and the Government is now taking it out. Given we are speaking about Part 5 and people caught up in the criminal justice system, people who more often than not are poor or are vulnerable and do not know much about their rights let alone how to exercise them, I do not believe it would be a burden on the Garda Síochána or the Director of Public Prosecutions, DPP, to give these people a leaflet about their rights and information about to whom they can make a complaint if they believe their rights have been infringed. We are at a loss as to why it should be taken out of the Bill.

On amendment No. 94, Article 13(2)(f) of the GDPR gives people a right to be given information about the existence of automated decision-making, including profiling and, at least in those cases, a right to meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. This right is not replicated in the directive or in this Bill. We believe it should be included and that it could be potentially valuable. The criminal justice directive transposed in Part 5 prohibits automated processing, including profiling that results in discrimination, but to enforce the right not to be profiled, a person would have to be told about it when he or she exercises the right of access to information he or she is being given under section 90, but this section, as drafted, does not oblige the controllers to inform people that they have been profiled or subjected to automated processing. Again, because this is Part 5, what we are talking about is potential profiling of innocent citizens in a discriminatory way by the Garda Síochána and so on. We believe it is very important that people get the information they need. If somebody asks for information about what the Garda has been doing with his or her data, he or she should be given all of the information so that he or she can judge whether the profiling is discriminatory. Amendment No. 94 would achieve this. We have no problem with amendment No. 95 which is essentially a tidying-up amendment.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I do not accept Deputy Clare Daly's point that Government amendment No. 93 may bring about changes to amendments that were accepted on Committee Stage. There is a duplication of text in section 89(2)(f)(iv), which reads, "such further information as necessary to enable the data subject to exercise his or her rights under this Part". This text is included in the beginning of section 89(2)(f). Amendment No. 93 is a tidying-up amendment. I would not like Deputy Daly to think there is any sleight of hand in terms of what we are doing by way of amendment No. 93. It is merely a tidying-up of the text. I cannot accept amendment No. 94 for reasons stated.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I have to accept the Minister's bona fides on this matter. If the reference to such further information as necessary to enable the data subject to exercise his or her rights under this Part remains in the Bill, I will take the Minister's word on it.

Amendment agreed to.

8 o’clock

Amendment No. 94 not moved.

6:40 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 95:

In page 82, line 12, to delete “the data subject” and substitute “subject to section 93, the data subject”.

Amendment agreed to.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 96 to 99, inclusive and 136, 139, 143 and 144 are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 96:

In page 84, line 20, to delete “in”.

Amendments Nos. 96 to 99, inclusive and Nos. 136, 139, 143 and 144 are all Government amendments with regard to sections 92, 101, 102, 132, 156, 162, 164 and 165. I put it to Deputies that these are minor drafting changes across a number of sections and merely include corrections to cross references that were probably less than correct earlier.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 97:

In page 92, line 39, to delete “to”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 98:

In page 93, line 12, to delete “subsection (1)(a)” and substitute “subsection (2)(a)”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 99:

In page 93, line 17, after “infringe” to insert “the”.

Amendment agreed to.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 100, 114 to 117, inclusive, 122 and 123 are related and may be discussed together.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 100:

In page 96, between lines 1 and 2, to insert the following:“Rights under Article 80(1)
107. (1) In addition to the rights conferred on a data subject under Article 80(1) to mandate a not-for-profit body, organisation or association to which Article 80(1) applies to lodge a complaint on his or her behalf with the Commission and, under section 116(7) to take a data protection action on behalf of the data subject, a not-for-profit body, organisation or association to which Article 80(1) applies may, independently of a data subject's mandate, and if it considers that the rights of a data subject under a relevant enactment have been infringed as the result of the processing of personal data in a manner that fails to comply with a relevant enactment, take the following actions on behalf of a data subject—
(a) lodge a complaint with the Commission under section 107,

(b) exercise the rights referred to in section 116 and section 149.
(2) Where the Commission or a court, in performing its functions under this Act, has reasonable doubts as to whether a particular body, organisation or association is one to which Article 80(1) applies, it may request the provision by the body, organisation or association concerned of such additional information as is necessary in order to confirm that it is such a body, organisation or association.”.

I have my office on to tell me that the Minister was not right on his last amendment so I do not know which is right. My head is melting. I hope we have not conceded in the wrong on amendment No. 93.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We are on amendment No. 100 now.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

If we have been conned, we will see the Minister in court.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is all in good faith.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I assure Deputy Daly that-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Somebody is going to end up in trouble at the end of this, I am not sure who.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Let us stick to amendment No. 100.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

This group of amendments deals with-----

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Deputy Wallace is a witness anyway. No confidence tricks could be part of-----

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Deputy Wallace is the one who recommended that we should accept the Minister's bona fides.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Maybe the question mark is over Deputy Wallace.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

It could be.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

Maybe I am just too close to the Minister.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

That could be it.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We work in good faith.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

This group of amendments deals with the section of the Bill that gives effect to Article 80 of the general data protection regulation, GDPR, on the representation of data subjects. There is a huge problem when it comes to people's privacy rights under data protection legislation in that individuals do not have the expertise, knowledge, time or money to enforce their legal rights. We are aware that the Irish legal system is incredibly expensive and it is difficult for lawyers to navigate, never mind people who are unfamiliar with it. Many people will never have the right to enforce their rights through the courts because the costs are beyond them.

Article 80 of the GDPR has a mandatory provision that member states must allow individuals to nominate a not-for-profit body to act on their behalf to make complaints to a data protection authority, appeal against the decisions, or take action against a controller such as an Internet service provider where it has abused personal data.

Two optional parts of the Article 80, that member states may allow individuals to nominate not-for-profit groups to act on their behalf to seek damages and they may allow not-for-profit groups to bring actions on their own initiative without the need for an individual to nominate them. When Dr. T. J. McIntyre appeared before the Oireachtas Joint Committee on Justice and Equality during the pre-legislative scrutiny of the Bill he said, "It is very important that Ireland would take up the two aspects of flexibility in the GDPR", which we have not. As it stands, this Bill does not allow mandated non-profit bodies to seek damages and it does not allow non-profit bodies to take actions independently, be it by bringing a complaint to the Data Protection Commissioner or by going to court on behalf of people's data rights. Clearly the GDPR contains the provision on non-profit bodies taking independent actions because the people who negotiate it know that in many cases in this area of law data subjects would not even know enough about their rights to know if they had been breached.

It is notable that the massive safe harbour data sharing agreement was struck down as being unlawful on the basis of one person who knew his rights and asserted those rights as a data privacy campaigner. It was not the case that a bunch of people started asserting their rights. This is why the safe harbour arrangement went down. Most people did not know that what was happening to them was illegal. It took one dogged campaigner who knew enough and who was consistent enough after being fobbed off by the Irish Data Protection Commissioner who dismissed his complaint as frivolous to take a challenge. The whole edifice of dodgy sharing of data with the United States of America fell down off the back of that complaint. This is why we need to take up the optional provision around non-profit bodies taking cases independently.

In its most recent opinion on the dangers posed by marked targeting, micro-targeting and manipulation during political campaigns, the European Data Protection Supervisor strongly recommended, on the basis of the dangers posed to democracy by such manipulation, that member states take up the optional provisions to allow non-profit bodies to take cases independently. This is what we are at. We need that provision and the provision for damages to have effective privacy rights and access to justice.

In brief, amendments Nos. 100, 114 and 116 are about giving effect to the two optional provisions under the GDPR in an everyday context. That is all circumstances except in criminal justice. Amendment No. 100 provides for the right for complaints to be lodged with the data protection commission and for cases to be taken independently by non-profit bodies. Amendment No. 114 allows for non-profit bodies to go to court independently. Amendment No. 115 allows for non-profit bodies taking cases, if they are mandated to do so by a data subject, to seek damages. Amendment No. 116 says that if a non-profit body takes a case independently of a person's mandate, then it is not allowed to seek damages. This is a provision of the GDPR and it is why we have it included it here.

The Government's amendment No. 122 seeks to remove the amendment that we succeeded with on Committee Stage, and I am absolutely sure of this, that allows non-profit bodies taking action on behalf of data subjects under Part 5 to seek damages on the data subject's behalf. We will resist the rowing back on this amendment from Committee Stage.

Our amendment No. 117 seeks to insert a Part 5 provision whereby non-profit bodies can independently lodge claims where they feel that data rights have been breached. Amendment No. 123 is consequential on that since it provides that they cannot seek damages, as in the case of amendment No. 116 where non-profit bodies taking a case independently are not allowed to seek damages under the GDPR. That is the way we see it. We strenuously object to amendment No. 122 and we very strongly recommend the other amendments in the group.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The purpose of amendments Nos. 100, 114 and 117, as tabled by Deputies Clare Daly and Wallace, is to allow not-for-profit bodies, organisations and associations to exercise data subject rights on behalf of individuals before the Data Protection Commissioner and the courts but without the permission or agreement of those individuals. That would amount to an extraordinary change in our law.

I acknowledge that Article 80(2) of the GDPR recognises that a member state may permit a not-for-profit body, association or organisation to take action on behalf of a data subject without the data subject’s mandate in its national law. That is not part of our national law or legal system, and compliance with the GDPR does not require such a provision. I cannot accept amendments Nos. 100, 114 and 117 for that reason, or the related amendments Nos. 116 and 123.

Section 116(8) provides that a court hearing a data protection action taken by a non-profit organisation or association on behalf of a data subject may not award compensation for any damage suffered. This restriction in the taking of compensation claims by a not-for-profit body, association or organisation seeks to discourage speculative compensation claims, especially where the data subject may be relieved of any risk that the costs of the action may be awarded against him or her. There are sound public policy reasons for discouraging the growth of an excessive compensation culture in data protection claims. As the Deputies will be aware, there is already concern about the level of compensation claims in Ireland, which is contributing to increasing insurance premium costs and affecting business across the board, especially SMEs. Amendment No. 115 tabled by Deputies Clare Daly and Wallace seeks to reverse this position by allowing not-for-profit bodies, associations and organisations that may act on behalf of data subjects to seek and claim compensation and the courts to award compensation. I am not in a position to accept the amendment.

Government amendment No. 122 seeks to replace section 127(7). The subsection was amended by the select committee to allow not-for-profit bodies, organisations and associations to seek compensation on behalf of data subjects for infringements of the law enforcement directives and allow the courts to award compensation. For the reasons I have outlined, I am seeking in the amendment to reinstate the earlier text of the subsection. The amended subsection is a broad departure and one that requires careful consideration that we have not given to it. I am not prepared to accept the broadly based nature of what is, in effect, a wide-ranging public policy change.

6:50 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

We view this as an important part of the Bill. As such, the amendment is one of the most important we have remaining. It concerns an effective remedy, as well as access to a right people have. I will not repeat all of my points. Article 80 has mandatory aspects, but there are two optional parts. Since it is necessary to factor them in, we will press the amendment. There must be an effective deterrent or penalty. That right is only being given to poor people, as it were, or those who cannot access the law and must go to a not-for-profit organisation in order to get justice. If a person has enough money, he or she can go to a lawyer to seek an application. It is important that not-for-profit organisations be able to seek damages. Let us face it - that is the deterrent for someone who is breaching the data rights of others.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I apologise to Deputy Ó Laoghaire who indicated that he wished to speak to the amendments.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

There is no need to apologise, as I only indicated once. I will speak in support of the amendments which constitute a significant proposal. As mentioned in the context of other legislation, there is an inequality of arms in the legal system. I am not just referring to the making of complaints to the Data Protection Commissioner but also to taking cases to court which can be difficult. If one does not have the money to do so, that remedy is beyond one's reach.

Although it would not address all of the issues raised in the amendments, the Multi-Party Actions Bill 2017 would, to some extent, offer an avenue for persons who had been wronged in any of a variety of ways, including data breaches, to work together in taking a case. I remind the Minister that a money message is required to enable that legislation to proceed to Committee Stage. I hope he will be in a position to provide that message in order that multi-party actions can be taken, as they would not only address data breaches collectively but also a wider variety of issues.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is important that, if there is a data breach, a person affected have an entitlement to seek a judicial remedy. This is provided for in section 116. However, amendment No. 100 tabled by Deputies Clare Daly and Wallace is not only novel but would also completely alter the way litigation was conducted. Currently, if someone is the victim of a data breach, he or she goes through the process with the commission. If that person wishes to bring a case to court, it is wrong to say he or she cannot do so. Most solicitors will take actions on a no foal, no fee basis. These actions will get to court. However, what makes amendment No. 100 so novel, which is an understatement, is that it would enable a not-for-profit body to take an application to court on behalf of a person whose data had been breached, even if that person had not mandated the action. It would be an extraordinary change to the way litigation is conducted. Someone who did not want to go to court or did not say he or she wanted to do so would have a case taken for him or her, independently of his or her mandate, to the courts.

Speaking as a lawyer, this would probably be one of the most popular legislative measures ever introduced. There might be statues built to Deputies Clare Daly and Wallace outside Blackhall Place in the years to come if the amendment was to get through. However, it would be an inappropriate amendment. For example, industrious and enterprising lawyers could decide to set up a not-for-profit organisation. It would be established legitimately and have legitimate interests and take actions on behalf of persons whose data had been breached. They would not mandate the actions or ask the not-for-profit body to go to court. The body would go to court; the case would be lengthy and complex and, while there might not be an award of damages, an injunction or declaration could be granted. The successful party would then be entitled to apply for and receive costs. Were I an industrious and entrepreneurial lawyer, I would set up a not-for-profit body that would take such cases, at the end of which I would receive a large amount in costs. That is not the reason Deputies Clare Daly and Wallace tabled the amendment and Article 80(2) of the regulation expressly provides for this, but it would be inappropriate for our system. Many people have gone before the courts as a result of data breaches. They received a good service and their cases were taken on a no foal, no fee basis. If someone wants a judicial remedy, he or she needs to be interested in going before the court. It would be inappropriate for someone's cause of action to be brought before the court by a body that did not have his or her mandate.

On the other amendments in the group, amendment No. 114 reads, "independently of the data subject's mandate". For the reasons I have outlined, that would not be appropriate. Amendments Nos. 115 to 117, inclusive, are in the same vogue, but I agree that it would be wrong to set aside the decision made by the committee when we agreed to insert in the section an entitlement to award compensation. If someone takes a case to court, the way we reflect damages in the legal system is by an award of general damages. It is a pyrrhic victory if someone who finds out that his or her data have been breached goes to court and succeeds only to receive no award of damages. Unless I hear something persuasive from the Minister, I will not support amendment No. 122.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

If the Minister wishes to respond, he has two minutes in which to do so. Deputy Clare Daly will then make a final contribution.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I will make a point about the payment of compensation.

It is only in the event of the not-for-profit organisation bringing the action that compensation would not be forthcoming. In other cases relating to other aspects of the legislation, an individual can claim and be awarded compensation. I do not accept the amendments because of the fundamental change that would be made to our civil legal code. For such a wide-ranging and broadly based change to be introduced in an amendment to legislation would not be in the best interests of how we do our work and I do not accept it.

7:00 pm

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

The amendments are not in any way novel but rather are an optional protocol to the directive and the legislation. We are not proposing anything new or dramatic as Deputy O'Callaghan suggested. I do not see why legal professionals would reinvent themselves as a not-for-profit organisation to take cases in which we specifically preclude them from being able to seek compensation or damage. Rather, they would keep the barrister's hat on, do the job and get paid for it because that is provided for. The amendment provides an alternative for people who cannot engage legal representation. As I am often contacted by people who wish to access the courts system but cannot afford to do so, I would be very pleased to get the list of solicitors who would take such actions for nothing. I have never encountered any such solicitors so we would be very grateful if Deputy O'Callaghan would pass on those names.

The amendments do not in any way create a free-for-all for not-for-profit organisations. In cases involving clear public interest, however, they may take up a case in the common good without initiating it. Such cases might have a broad impact on the public. The not-for-profit organisation would be excluded from getting damages in that regard, which is very important. These are optional protocols which experts in this area in the State have suggested should be added to the Bill and that is what we are trying to do.

Amendment put and declared lost.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 101 to 113, inclusive, 118 to 121, inclusive, and 124 to 128, inclusive, are related and may be discussed together. Amendment No. 102 is a physical alternative to 101 and amendment No. 125 is a physical alternative to 124.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 101:

In page 96, to delete lines 24 to 27 and substitute the following:“108.(1) For the purposes of section 107(2)(a), on receipt of a complaint the Commission shall investigate the complaint, and issue a formal decision on the conclusion of the investigation, save where subsections (2) to (4) apply, unless the Commission considers the complaint to be frivolous or vexatious.”.

This amendment was discussed on Committee Stage and the Minister stated he might give it further consideration. It is intended to ensure that there is an adequate filtering or triage of cases but the threshold is set very low in order that the vast majority can be taken. It also strengthens the data protection commission as any complaints above that threshold would have to be formally investigated and could not be dismissed. That would bring more transparency and make the Bill and the commission more efficient.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

The amendments are designed to obligate the commission to investigate a complaint. Deputy Ó Laoghaire has tabled an amendment similar to that tabled by Deputy Clare Daly and me. The reworkings of the sections are a consequence of this and provide some additional protocols for the Data Protection Commissioner to follow in regard to a complaint. Section 107(1) contains what many consider to be a very strange provision which appears to allow the commission to receive a complaint and to ignore it not because the complaint is frivolous or vexatious but without offering any reason for so doing. During the debate on the Bill in the Seanad, the Minister stated that he did not consider that there would be such fallout from the section and mentioned that the commission would be required on a general basis to give reasons for its decisions. He also pointed out that reasons would have to be provided to the complainant so as to facilitate an appeal. We still think, however, that section 108(1) in particular empowers the commission to ignore a complaint, stating that it shall "take such action in respect of it as the Commission, having regard to the nature and circumstances of the complaint, considers appropriate". That action could be to ignore the complaint without providing a reason for doing so.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

This is a significant set of several amendments, each of which aims to oblige the data protection commission to investigate all complaints it receives from ordinary Joes in the same manner as the Bill provides for it to investigate issues of its own volition or where it is the lead supervisory authority in a broader European investigation. As has been stated, the Bill places no obligation on the data protection commission to investigate the complaints it receives. All of our previous relevant data protection legislation provided that the data protection commission "shall" investigate the complaints it receives but there is no such explicit obligation in this Bill. Rather, the data protection commission can examine the complaint and take such action as it sees fit, which could include throwing the complaint in the bin. There is nothing to prevent it doing so.

When Max Schrems went to the Irish Data Protection Commissioner many years ago, his compliant was deemed frivolous and vexatious. That complaint was later upheld by the European Court of Justice and led to the striking down of the safe harbour principles for data sharing between the EU and the US. It turned out to be a very big deal but it was dismissed by the Data Protection Commissioner. We have tabled these amendments out of concern at what would happen if we allow the data protection commission to do no more than examine, given the outcome of the Schrems case which it was required to investigate.

It is not about the big marquee cases but, rather, trying to assist ordinary people to protect their rights. As was stated in regard to earlier groupings, the vast majority of citizens do not have access to courts in this country. We must have a data protection commission that investigates complaints to keep those complaints out of the courts and prevent the courts being bogged down, as Deputy O'Callaghan stated. We need a data protection commission that helps people to navigate this complicated area and get justice if their rights have been breached. Many Members tabled amendments with a similar aim on Committee Stage. Sinn Féin resubmitted its amendment but Fianna Fáil did not. There was cross-committee agreement, however, that the data protection commission should be obliged to investigate and that that was an important principle. Members differed on how that should be done.

I wish to outline why we have tabled this amendment in this format. Our issue with swapping the word "examine" for "investigate" relates to how the Bill is structured. Complaint handling under section 108, which provides for an individual to submit a complaint, is quite different from complaint handling under the sections providing for situations in which the data protection commission undertakes an inquiry. The Bill states that the data protection commission will initiate an inquiry of its own volition or where it is the lead supervisory authority in a complaint sent to it by another supervisory authority in the EU. "Inquiry" has a particular meaning in the Bill. Rather than the data protection commission having two similar but not identical procedures, one for complaints from the little people and one for issues it decides to look at of its own volition, the same inquiry procedure should apply across the board.

We maintain the position that the data protection commission has a wide discretion in how it conducts an inquiry, what kind of corrective action it takes on foot of a complaint, what kinds of enforcement order it might issue and so on. We do not propose to fetter its discretion. In essence, these large number of amendments are trying to create a single procedure for complaint handling by the data protection commission. It is a complicated Bill. We think these amendments would simplify it such that people looking at it and trying to figure out what will happen when they complain would not get a headache from so doing.

They would be able to get rid of the artificial distinction between complaints from ordinary people and complaints referred by another DPC. It would avert the absolutely cast-iron guaranteed inevitability of people who complain to the DPC feeling their complaint has not been investigated properly - either rightly or wrongly.

It is unfortunate that we did not get to debate the idea of a single, unified procedure for complaint handling properly on Committee Stage instead of getting bogged down in a debate about the phrase "frivolous and vexatious". We are conscious on Report Stage of such an important Bill that if we push these amendments we could possibly run the risk that it could lead to minor drafting issues that could have unintended consequences in other parts of the Bill, which is not our intention. We are conscious of that but we want to strongly register those points on the record and ask the Government at the very least to ask the commission to produce guidance for the general public that makes it clear that it can and will investigate the complaints of the little people. I ask that any such guidance would clarify the various enforcement and corrective powers that the Bill makes clear the DPC has when it comes to what it investigates itself or for other DPCs and that they are also available to us when it comes to our complaints. In order for people to assert their rights they must first understand what they are. Perhaps I will wait and see what the Minister says in his reply but we very much make that appeal in good faith and in the interests of delivering a good and accurate Bill.

7:10 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Chapters 2 and 3 of Part 6 contain key sections dealing with enforcement of the GDPR and the directive, respectively. Sections 108 and 121 are key sections dealing with the handling of complaints by the commission. As I said earlier and on Committee Stage I fear there may be some misunderstandings about how they will operate. So, at the outset, I will briefly run through the complaints system as set out in the Bill.

Section 108(1) requires the DPC to examine every complaint it receives and to take such action as it considers appropriate, having regard to the nature and circumstances of the complaint. Where, as referred to in subsection (2) of that section, an amicable resolution is not reached in those cases in which the commission considers that there is a reasonable likelihood of the parties reaching such a resolution within a reasonable period, the commission must proceed to take an action specified in subsection (5) in a domestic case, or under section 112 in a cross-border case.

Section 108(4) makes it clear that the commission is under an obligation and that it "shall proceed" to take action. It does not have discretion to simply ignore or disregard a complaint. This means that the reference to "such action" in subsection (1) is a reference to action that the commission must take, not to whether or not to take action.

As regards notification of the data subject, subsection (6) requires the commission, as soon as practicable after taking an action referred to in subsection (5), to give the data subject a notice in writing setting out the action it has taken in response to his or her complaint. As regards paragraph (e) of subsection (5), where the commission conducts an inquiry under that provision in respect of the complaint, it may use any of its extensive powers under Chapter 4.

Under section 111, where an inquiry has been carried out in respect of a complaint and the commission is the competent authority, at that stage the commission must decide whether an infringement has occurred or is occurring. Where it concludes that an infringement has occurred or is occurring, section 111(2) obliges the commission to make a decision on whether a corrective power should be exercised and, if so, the power that is to be exercised.

The corrective powers are set out in Article 58(2) of the GDPR, and they include the possible imposition of hefty administrative fines. Following the making of a decision under section 111, section 115(1)(a) requires the commission to notify the controller or processor concerned in writing of the decision; the reasons for it, and the corrective power it has decided to exercise.

Section 115(1)(b) requires it to provide the same information to the data subject who lodged the complaint. A broadly similar procedure in section 121 applies to the handling of complaints under the directive. That is a summary of the complaints procedure.

I will not respond to each amendment in this large grouping, but I will focus on the key amendments. As regards Deputy Ó Laoghaire'samendment No. 101,which would replace section 108(1), I have a serious problem with the introduction of a discretion on the part of the commission not to investigate a complaint that may be "frivolous or vexatious." First, it would not be GDPR-compliant. Article 57.4 allows a data protection authority to refuse to act on a complaint only where requests "are manifestly unfounded or excessive." Any wider refusal to act on a complaint will in my view be in breach of the GDPR.

Second, as I said on a previous occasion, while the term "frivolous or vexatious" has a specific meaning here when used by Irish courts, that is, that the claim is unsustainable in law and is bound to fail or has no basis, I would not think it is widely understood across Europe. It is a term that is understood by us here in our law under our common law system and system of litigation. It may perhaps be understood in the UK but its future in Europe is under question. However, that is a debate for another day. This is a term that is not widely used nor indeed is it widely understood. On the contrary, to a data subject or a data protection authority in another member state, use of the word "frivolous" suggests that the matter is not regarded as sufficiently serious for investigation, while "vexatious" has a completely different meaning, namely, that the complaint is seen as a deliberate intention to cause annoyance. The scope for such misunderstandings will be much greater under the one-stop-shop mechanism because the data protection commission will be acting as the lead supervisory authority in many cross-border cases.

Unfortunately, the term "frivolous and vexatious" is used in section 10(1)(b) of the 1988 Act and it has created confusion and misunderstandings in recent years, especially in cross-border cases. Deputy Daly mentioned the Schrems case. In that case Judge Hogan commented that the wording of that provision "is somewhat unfortunate". He went further than that and said it might indeed be "unhelpful". Its use was widely misinterpreted and misunderstood in the aftermath of that case in which Mr. Schrems successfully contested the adequacy of the safe harbour mechanism. The risk of misinterpretation and misunderstanding will be very much greater because of the expected increase in the number of one-stop-shop cases handled by the DPC, which have originated in other member states. I will not accept the alternative models put forward in the amendments to the complaints-handling mechanisms in Chapters 2 and 3 of Part 6.

As regards amendments Nos. 102 to 105, inclusive, I cannot accept the proposals therein to delete the options set out in section 108(5). The same applies to amendments Nos. 118 to 120, inclusive, which would involve similar deletions in section 121.

Consequently, amendments Nos. 106 and 121, which propose to insert new sections in Chapters 2 and 3 are not acceptable. Amendments Nos. 107 to 113, inclusive, and 125 to 128, inclusive, are consequential or related and because I cannot accept the earlier ones I will not accept those. In her concluding remarks Deputy Daly suggested that I might ask the commission for guidance and I will do that. I am happy to take the matter further in that regard.

My amendment No. 124 merely amends an incorrect cross-reference in subsection (1) of section 132. Thank you for your forbearance, Acting Chairman.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

Perhaps it is the lateness of the hour but did the Minister say he is going to look to the commission for guidance for himself? What he was asked was to look to the commission to produce guidance for the general public in terms of how they might access and exercise their rights in that regard.

I am assuming that is what the Minister meant and on that basis, we would be happy to withdraw our amendments.

7:20 pm

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Does the Minister wish to make any further contribution?

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Just to be clear, I said that we would seek the guidance of the commission as suggested by Deputy Daly and it is within that frame that we will do so.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

It is the lateness of the hour.

Photo of Jim O'CallaghanJim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I just want to go back to something I said earlier on. Obviously the provision that exists in section 127 gives the right for the award of damages under the heading "Judicial remedy for infringement of relevant provision". However, section 116 deals with a similar topic, namely, "Judicial remedy for infringement of relevant enactment". Since we know from amendment No. 122 that there is the entitlement to award damages in respect of section 127, for consistency that provision should also exist in section 116. For that reason, there is merit in amendment No. 115. I just wanted to say that for the record.

Amendment put and declared lost.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 102:

In page 96, to delete lines 25 to 27 and substitute the following:“and, unless subsections (2) and (3) apply, take the following actions—

(a) cause such inquiry as it thinks fit to be conducted in respect of the complaint, and

(b) following such inquiry, take such action in respect of it as the Commission, having regard to the nature and circumstances of the complaint, considers appropriate.”.

Amendment put and declared lost.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 103:

In page 96, line 39, to delete “complaint, to take an action specified in subsection (5)” and substitute the following:“complaint, and following the conduct of an inquiry into the complaint under subsection (1)(a), to comply with section 110”.

Amendment put and declared lost.

Amendments Nos. 104 to 113, inclusive, not moved.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 114:

In page 102, between lines 24 and 25, to insert the following:“(8) A data protection action may be brought on behalf of a data subject, independently of the data subject’s mandate, by a not-for-profit body, organisation or association to which Article 80(1) applies.”.

Amendment put and declared lost.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 115:

In page 102, to delete lines 25 and 26 and substitute the following:“(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:
(a) relief by way of injunction or declaration; or

(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.”.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I can accept amendment No. 115 in the names of Deputies Daly and Wallace.

Amendment agreed to.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 116:

In page 102, between lines 26 and 27, to insert the following:“(9) The court hearing a data protection action to which subsection (8)* applies shall not award compensation for material or non-material damage suffered.”.

Amendment put and declared lost.

Photo of Mick WallaceMick Wallace (Wexford, Independent)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 117:

In page 104, between lines 2 and 3, to insert the following:“(2) A body, organisation or association to which subsection (2) applies may, independently of a data subject's mandate, and if it considers that the rights of a data subject under a relevant enactment have been infringed as the result of the processing of personal data in a manner that fails to comply with a relevant enactment, take the following actions on behalf of a data subject:
(a) lodge a complaint with the Commission;

(b) exercise the rights referred to in section 127 and section 149.”.

Amendment put and declared lost.

Amendments Nos. 118 to 121, inclusive, not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 122:

In page 108, to delete lines 9 to 16 and substitute the following:“(7) The court hearing a data protection action that has been brought, in accordance with section 119, on behalf of a data subject by a body, organisation or association to which subsection (2) of that section applies, shall not award compensation for material or non-material damage suffered.”.

Photo of Clare DalyClare Daly (Dublin Fingal, Independent)
Link to this: Individually | In context | Oireachtas source

If this amendment is going to be declared carried we will call a vote.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

In that case, I withdraw my amendment. I am accepting that it will be defeated.

Amendment, by leave, withdrawn.

Amendment No. 123 not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 124:

In page 114, line 5, to delete “subsection (5), subsection (6)” and substitute “subsection (2), subsection (3)”.

Amendment agreed to.

Amendments Nos. 125 to 129, inclusive, not moved.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 130 to 134, inclusive, are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 130:

In page 127, lines 16 and 17, to delete “by whom the data are kept”.

This group of amendments are to section 144 of the Bill and are largely of a drafting and technical nature. They arise from a review of the section following receipt of comments from the Office of the Director of Public Prosecutions.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 131:

In page 127, line 18, to delete “or any information constituting personal data”.

Amendment agreed to.

7:30 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 132:

In page 127, line 25, to delete "obtaining or".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 133:

In page 127, line 27, to delete "obtained" and substitute "that were disclosed to the person".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 134:

In page 127, lines 33 and 34, to delete ", or intended to be obtained, in contravention of subsection (1)" and substitute "without the prior authority of the controller or processor".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 135:

In page 133, line 32, to delete "or 142(1)" and substitute ",142(1) or paragraph 5 of Schedule 2".

This drafting amendment refers to "paragraph 5 of Schedule 2", which, in turn, refers to "the Circuit Court". This reference was inadvertently omitted from section 154 of the Bill.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 136:

In page 134, line 9, after "made" to insert "under".

Amendment agreed to.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 137 and 138 are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 137:

In page 135, between lines 24 and 25, to insert the following:"(7) Subject to subsection (8), a Committee referred to in subsection (1), (2) or (3) may make rules—
(a) authorising the disclosure, for the purpose of facilitating the fair and accurate reporting of the proceedings, to a bona fide member of the Press or broadcast media and at the member’s request, of information contained in a record of proceedings before a court for which the Committee is the rule-making authority, and

(b) prescribing any conditions subject to which such disclosure is to be made.
(8) Rules made under subsection (7)—
(a) shall not apply to proceedings required by law to be held otherwise than in public, and

(b) shall apply subject to any order made or direction given by a court in the proceedings concerned.".

These amendments relate to the processing of personal data in circumstances in which the controller is a court acting in a judicial capacity. It provides for the making of court rules by the rules committees of the superior courts, of the Circuit Court where applicable and of the District Court in respect of personal data contained in court records. Amendment No. 137 extends the scope of such court rules to include matters relating to the disclosure of such data for the purpose of facilitating fair and accurate reporting of court proceedings. Amendment No. 138 extends the scope of section 159 of the Bill to include any "list or schedule of court proceedings or hearings in court proceedings".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 138:

In page 135, to delete lines 29 to 31 and substitute the following:"159.The processing of personal data shall be lawful where that processing—
(a) consists of the publication of—
(i) a judgment or decision of a court, or

(ii) a list or schedule of court proceedings or hearings in court proceedings, or
(b) is necessary for the purposes of such publication.".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 139:

In page 137, line 22, to delete "Article 46(1)" and substitute "Article 46(2)".

Amendment agreed to.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 140:

In page 137, between lines 31 and 32, to insert the following:"Communication of personal data breach to data subject

164. Should a data subject request information in relation to a personal breach which affects them, they have the right to be provided with all the pertinent information in respect of that breach without restriction.".

This amendment, which is relatively self-explanatory, is essentially being proposed for the avoidance of doubt. It provides that a data subject who requests "information in relation to a personal breach which affects them" will have "the right to be provided with all the pertinent information in respect of that breach without restriction". I suggest that it is necessary for the avoidance of doubt.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

As I mentioned on Committee Stage in the Seanad when we were discussing a similar provision, I am unable to accept this amendment, which would insert a new section into the Bill. The proposed new section would interfere with the operation of Article 34 of the GDPR, which deals with the communication of data breaches to data subjects. As I indicated in the Seanad, it would also cut across section 86 of the Bill, which already imposes an obligation on a controller to inform a data subject where there is a high risk to the data subject's rights and freedoms arising from a data breach. In such a case, the controller must notify the data subjects in clear language of the nature of the breach and its likely consequences, and must describe the measures being taken, or proposed to be taken, to mitigate any possible adverse effects.

The amendment before the House refers to a data breach "which affects" a data subject. The ultimate meaning of those words is really unclear. Under the GDPR and the directive, the thresholds for informing the data protection commission of a data breach, and for informing the data subjects whose data protection rights have been breached, are defined in terms of the risk for the data subject arising from the breach. Under the GDPR and section 86 of this Bill, if a data breach involves a high level of risk for a data subject he or she must be given all relevant information and must have an opportunity to request further information as the need may arise. I am not going to accept amendment No. 140 because I believe it will have the effect of introducing a level of uncertainty.

Amendment, by leave, withdrawn.

Photo of Donnchadh Ó LaoghaireDonnchadh Ó Laoghaire (Cork South Central, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 141:

In page 137, between lines 31 and 32, to insert the following:"Prohibition on the storage of biometric data

164. The Minister shall make regulations prohibiting the storage of biometric data, including facial images or dactyloscopic data, for forms of nationally issued identification including passports and public services cards without the consent of the data subject.".

Amendment put and declared lost.

Amendment No. 142 not moved.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 143:

In page 137, line 35, to delete "Part" and substitute "Act".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 144:

In page 138, line 4, to delete "Part" and substitute "Act".

Amendment agreed to.

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Amendments Nos. 145 to 147, inclusive, and amendments Nos. 149 to 167, inclusive, are related and may be discussed together.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 145:

In page 139, line 35, after "the" to insert "Control of".

As I said when I was introducing this Bill on Second Stage, the discontinuation of the Data Protection Act 1988 following the entry into force of the GDPR and of this legislation will necessitate the amendment of a significant number of Acts of the Oireachtas. Many of these changes were made during the debate at the select committee. The Minister of State, Deputy Breen, indicated at the committee that further amendments would need to be made on Report Stage. These further changes are set out in amendments Nos. 145 to 147, inclusive, and amendments Nos. 149 to 166, inclusive. These changes have been notified to my Department by the Departments concerned and have been drafted by the Office of the Parliamentary Counsel. In each case, the amendments are intended to ensure compliance with the GDPR and with this legislation. I do not intend to speak on each of the amendments in this group individually because they are self-explanatory. I ask that they be accepted along the lines of the similar amendments we made on Committee Stage.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 146:

In page 140, line 32, to delete "subsection (2)" and substitute "subsections (1)(b), (2) and (3)".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 147:

In page 140, between lines 32 and 33, to insert the following:"Amendment of Bankruptcy Act 1988

172. The Bankruptcy Act 1988 is amended by the insertion of the following section:
"Restriction of right of access to personal data in certain circumstances

140D. (1) Article 15 (Right of access) of the Data Protection Regulation is restricted to the extent necessary and proportionate to safeguard the effective performance by the Official Assignee of his or her functions under section 61, where the performance of those functions gives rise to the processing of personal data to which the Data Protection Regulation applies.

(2) In this section, 'Data Protection Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 148:

In page 141, between lines 13 and 14, to insert the following:"Amendment of section 13A of Electoral Act 1992

173. Section 13A of the Electoral Act 1992 is amended by the insertion of the following subsection after subsection (3B):
"(3C) In addition to any other electoral purpose for which the information contained in the register prepared under section 13, including a draft register or the supplement to the register prepared under section 15 or an electors list published under section 16, being information which is excluded from the edited register, may be used, that information may be used—
(a) by a specified person (within the meaning of section 38 of the Data Protection Act 2018), for the purpose of communicating with a data subject in accordance with section 38 of that Act, or

(b) by an elected representative (within the meaning of section 39 of the Data Protection Act 2018) for the purposes of section 39 of that Act.".".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 149:

In page 142, between lines 10 and 11, to insert the following:"Amendment of section 24 of the Statistics Act 1993

175. Section 24 of the Statistics Act 1993 is amended—
(a) by the substitution of the following subsection for subsection (2):
"(2) Without prejudice to the Data Protection Regulation and the Data Protection Act 2018, persons and undertakings may provide information and records, or copies thereof, which they may possess to the Director General or officers of statistics on invitation under the provisions of this Act.", and
(b) by the insertion of the following subsection:
"(3) In this section, "Data Protection Regulation" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 150:

In page 142, between lines 10 and 11, to insert the following:"Amendment of section 57B of Irish Aviation Authority Act 1993

175. Section 57B(1) of the Irish Aviation Authority Act 1993 is amended by the substitution of the following paragraph for paragraph (d):
"(d) inspect, copy or extract information from any material (including information in any form) or thing found or produced to the authorised person.".".

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 151:

In page 142, between lines 24 and 25, to insert the following:"Amendment of section 142 of Consumer Credit Act 1995

176. Section 142 of the Consumer Credit Act 1995 is amended—
(a) in subsection (2), by the substitution of the following paragraph for paragraph (b):
"(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.",
(b) in subsection (4), by the substitution of the following paragraph for paragraph (b):
"(b) which relates to information that constitutes personal data to which the Data Protection Regulation applies.", and
(c) by the insertion of the following subsection after subsection (4):
"(5) In this section, “Data Protection Regulation” means Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".".

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 152:

In page 144, between lines 23 and 24, to insert the following:"Amendment of section 9M of the Electricity Regulation Act 1999

179. Section 9M of the Electricity Regulation Act 1999 is amended—
(a) in subsection (4), by the substitution of "the Data Protection Regulation or the Data Protection Act 2018" for "the Data Protection Acts 1988 and 2003", and

(b) by the insertion of the following subsection after subsection (10):
"(11) In this section, "Data Protection Regulation" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).".".

9 o’clock

Amendment agreed to.

7:40 pm

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 153:

In page 144, between lines 23 and 24, to insert the following:

Amendment of

180.Section 51 of the is amended⁠—
(a) in subsection (1) by⁠—
(i) the substitution of the following definition for the definition of “Act of 1988”:
“ ‘Act of 1988’ means the Data Protection Act 1988, as amended by the Data Protection Act 2018;”,
and
(ii)the substitution of the following definition for the definition of “established”:

“ ‘established’, in relation to a data controller or a data processor, shall be construed in accordance with section 1(3B)(b) of the Act of 1988;”,
and
(b) by the deletion of subsection (6).”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 154:

In page 144, to delete lines 25 to 27 and substitute the following:

“179.Section 7D of the is amended⁠—
(a) in subsection (3), by the substitution of “Subject to the Data Protection Regulation and the Data Protection Act 2018” for “Subject to the Data Protection Acts 1988 and 2003”, and

(b) by the substitution of the following subsection for subsection (8):
“(8) In this section⁠—

“application”, “assessment” and “service statement” have the meanings assigned to them respectively by Part 2 of the ;

“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 155:

In page 145, between lines 30 and 31, to insert the following:

Amendment of section 14 of

184.Section 14(5) of the is amended by the substitution of the following paragraph for paragraph (b):
“(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register, in relation to an account, where the person⁠—
(i) proves to the satisfaction of an institution that he or she is, or may be, the account holder,

(ii) proves to the satisfaction of an institution that he or she is authorised by the account holder to so inspect, or

(iii) may act on behalf of the account holder in relation to that account pursuant to regulations made under section 9.”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 156:

In page 146, between lines 33 and 34, to insert the following:

Amendment of section 12 of

187.Section 12(5) of the is amended by the substitution of the following paragraph for paragraph (b):
“(b) Nothing in paragraph (a) shall be construed as restricting the right of a person to inspect the register in relation to a policy where the person⁠—
(i) proves to the satisfaction of an insurance undertaking that he or she is, or may be, the policy holder,

(ii) proves to the satisfaction of an insurance undertaking that he or she is authorised by the policy holder to so inspect, or

(iii) may act on behalf of the policy holder in relation to that policy pursuant to regulations made under section 7.”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 157:

In page 149, between lines 15 and 16, to insert the following:

Amendment of Disability Act 2005

192.The Disability Act 2005 is amended⁠—
(a) in section 12, by the deletion of subsection (3),

(b) in section 13, by the deletion of subsection (4),

(c) in section 41⁠—
(i) by the deletion of the definition of “the Acts”,

(ii) by the substitution of the following definition for the definition of processing:

“ ‘processing’ means processing within the meaning of the Data Protection Regulation;”,
and
(iii) by the insertion of the following definition:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,
(d) in section 42⁠—
(i) by the substitution, in subsection (1)(b), of “the Data Protection Regulation”, for “the Acts”,

(ii) by the deletion, in subsection (2)(a), of “save in accordance with the provisions of section 12A of the Data Protection Act 1988 (as inserted by the Data Protection (Amendment) Act 2003)”,

(iii) by the substitution of the following subsection for subsection (4):
“(4) A person who contravenes subsection (2) or (3) shall be guilty of an offence and shall be liable⁠—
(a) on summary conviction, to a Class A fine, or

(b) on conviction on indictment, to a fine not exceeding €100,000.”,
and
(iv) by the insertion of the following subsections:
“(5) Where a person is convicted of an offence under subsection (4), the court may order any personal data that appears to the court to be connected with the commission of the offence to be destroyed or erased.

(6) The court shall not make an order under subsection (5) where it considers that a person other than the person convicted of the offence concerned may be the owner of, or otherwise interested in, the data concerned, unless such steps as are reasonably practicable have been taken for notifying that person and giving him or her an opportunity to show cause why the order should not be made.”,
(e) by the deletion of section 43, and

(f) in section 45, by the deletion of subsection (1).”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Imove amendment No. 158:

In page 151, between lines 7 and 8, to insert the following:

Amendment of

197.The is amended⁠—
(a) in section 76(1), by the insertion of the following definition:
“ ‘controller’ means a controller within the meaning of Part 5of the Data Protection Act 2018;”,
(b) in section 79C(7), by the insertion of “or, as the case may be, controller” after “data controller” in each place it occurs,

(c) in section 94, by⁠—
(i) the substitution of the following subsections for subsections (5) and (6):
“(5) Article 7, in its application in relation to the use of personal data contained in evidence or information obtained under the Treaty by a person in the State, is without prejudice to the application of⁠—
(a) subject to section 8of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and

(b)Part 5of the Act of 2018, in respect of the use of such data (within the meaning of that Part).
(6) (a) Subject to section 8of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (5)(a), in respects other than those related to their use.
(b) Part 5of the Act of 2018applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.”,
and
(ii) the insertion of the following subsection:
"(8) In this section⁠—
‘Act of 1988’ means the Data Protection Act 1988;

Act of 2018’ means the Data Protection Act 2018.”,
and
(d) in section 107, by⁠—
(i) the substitution of the following subsections for subsections (2) and (3):
“(2) Subsection (1) is without prejudice to the application of⁠—
(a) subject to section 8of the Act of 2018, section 7 (duty of care owed by data controllers and data processors) of the Act of 1988 in respect of the use of such data (within the meaning of the Act of 1988), and

(b)Part 5of the Act of 2018, in respect of the use of such data (within the meaning of that Part).
(3) (a) Subject to section 8 of the Act of 2018, the Data Protection Acts 1988 and 2003 apply in relation to personal data referred to in subsection (2)(a), in respects other than those related to their use.
(b) Part 5of the Act of 2018applies in relation to personal data referred to in subsection (5)(b), in respects other than those related to their use.”,
and
(ii) by the insertion of the following subsection after subsection (4):
(5) In this section⁠—
‘Act of 1988’ means the Data Protection Act 1988;

Act of 2018’ means the Data Protection Act 2018.”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 159:

In page 152, between lines 23 and 24, to insert the following:

Amendment of

201.The is amended⁠—(a) in section 2(1), by the insertion of the following definitions:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘personal data’ means personal data within the meaning of⁠—
(i) the Data Protection Act 1988,

(ii) the Data Protection Regulation, or

(iii)Part 5of the Data Protection Act 2018;”,
(b) in section 52(2), by the deletion of “(within the meaning of the Data Protection Acts 1988 and 2003)”, and

(c) in section 88(2), by the deletion of “(within the meaning of the Data Protection Acts 1988 and 2003)”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Imove amendment No. 160:

In page 152, between lines 37 and 38, to insert the following:

Amendment of section 17A of

202.Section 17A of the is amended⁠—
(a) in subsection (2), by the substitution of “Data Protection Regulation” for “Data Protection Acts 1988 and 2003”, and

(b) by the insertion of the following subsection after subsection (3):
“(4) In this section, “Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 161:

In page 155, between lines 20 and 21, to insert the following:

Amendment of

206.Section 1 of the is amended by⁠—
(a) the substitution of the following definition for the definition of “data”:
“ ‘data’ means automated data and manual data;”,
(b) the substitution of the following definition for the definition of “personal data”:
“ ‘personal data’ has the meaning it has in Part 5of the Data Protection Act 2018;”,
(c) by the substitution of the following definition for the definition of “processing”:
“ ‘processing’, in relation to personal data, has the meaning it has in Part 5of the Data Protection Act 2018;”,
and
(d) the insertion of the following definitions:
“ ‘automated data’ means information that⁠—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

(b) is recorded with the intention that it should be processed by means of such equipment;
‘manual data’ means information that is recorded as part of a relevant filing system, or with the intention that it should form part of a relevant filing system;

‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 162:

In page 155, between lines 20 and 21, to insert the following:

“Amendment of

207.The is amended⁠—
(a) in section 2(1), by⁠—
(i) the insertion of the following definition:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,
and
(ii) the substitution of the following definition for the definition of “personal data”:
“ ‘personal data’ means personal data within the meaning of⁠—
(a) the Data Protection Regulation, or
(b) Part 5of the Data Protection Act 2018;”,
(b) by the deletion of section 21A, and

(c) by the substitution of the following section for section 186:
“Restriction of right of access to personal data in certain circumstances

186. Article 15 (Right of access) of the Data Protection Regulation, in so far as it relates to personal data (within the meaning of that Regulation) processed by the following persons or bodies, is restricted to the extent necessary and proportionate to enable the person or body to effectively perform his, her or its functions under this Act, in so far as those functions relate to the supervision of personal insolvency practitioners in accordance with section 176A or to carrying out an investigation under this Part:
(a) the Insolvency Service;

(b) an inspector appointed under section 176;

(c) an authorised officer appointed under section 176B;

(d) the Complaints Committee.”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 163:

In page 155, between lines 20 and 21, to insert the following:

Amendment of section 2 of

208.Section 2(1) of the is amended, in the definition of “record”, by the deletion of “(within the meaning of the Data Protection Acts 1988 and 2003)”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 164:

In page 156, between lines 7 and 8, to insert the following:

Insertion of section 957A to

207.The is amended by the insertion of the following section after section 957:
“Restriction of application of certain articles of Data Protection Regulation

957A.(1) Articles 14 (Information to be provided where personal data have not been obtained from the data subject) and 15 (Right of access by the data subject) of the Data Protection Regulation are restricted, to the extent necessary and proportionate to safeguard the effective performance by the Director of his or her functions referred to in paragraph (b) and (e) of section 949(1), where the performance of those functions give rise to the processing of personal data to which the Data Protection Regulation applies.

(2) In this section, “Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 165:

In page 157, between lines 26 and 27, to insert the following:

Amendment of section 41 of

209.Section 41 of the is amended by the deletion of subsections (4), (5) and (10).”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 166:

In page 159, after line 29, to insert the following:

“Amendment of

213.The is amended⁠—
(a) in section 2, by the insertion of the following definition:
“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”,
(b) in section 9(2)(a)(iv), by the substitution of “processing (within the meaning of the Data Protection Regulation) personal data (also within the meaning of that Regulation)” for “processing (within the meaning of the Data Protection Act 1988) personal data (also within the meaning of that Act)”, and

(c) in section 35⁠—
(i) in subsection (1)⁠—
(I) by the substitution of “Notwithstanding anything contained in any enactment, but subject to the Data Protection Regulation and the Data Protection Act 2018” for “Notwithstanding anything contained in the Data Protection Acts 1988 and 2003”, and

(II) by the substitution of “controller” for “data controller” in each place it occurs,
(ii) in subsection (3), by the substitution of “controller” for “data controller”, and

(iii) in subsection (4)⁠—
(I) by the substitution of the following definition for the definition of “data controller”:
“ ‘controller’ has the same meaning as it has in the Data Protection Regulation;”,
and

(II) by the deletion of the definition of “data subject”.”.

Amendment agreed to.

Photo of Charles FlanaganCharles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move amendment No. 167:

In page 162, to delete lines 23 to 25.

Amendment agreed to.

Bill, as amended, received for final consideration.