Dáil debates
Thursday, 10 July 2025
Data Protection Act 2018 (Section 60(4)) Regulations 2025: Motion
6:45 am
Jim O'Callaghan (Dublin Bay South, Fianna Fáil)
I move:
That Dáil Éireann approves the following Regulations in draft: Data Protection Act 2018 (Section 60(4)) (Data Protection Commission) Regulations 2025;
Data Protection Act 2018 (Section 60(4)) (Information Commissioner) Regulations 2025; and
Data Protection Act 2018 (Section 60(4)) (Comptroller and Auditor General) Regulations 2025; copies of which were laid in draft before Dáil Éireann on 2nd July, 2025.
I am seeking the House’s approval of regulations made, drafted and signed by me under section 60(4) of the Data Protection Act 2018. These regulations I have signed are in respect of three statutory bodies: the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General. In fact, the last body is a constitutional officeholder as opposed to a statutory body. The regulations before us are identical save that they refer to different public bodies, whether it be the Data Protection Commission, the Office of the Information Commissioner or the Comptroller and Auditor General.
Section 60(4) of the Data Protection Act permits the making of regulations prescribing requirements to be complied with when the rights of data subjects and obligations of data controllers, referred to in section 60 of the Act, are restricted. The regulations are being made to address concern raised by the EU Commission that section 60(3)(c) of the Data Protection Act 2018 could be interpreted as providing a blanket exemption for the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General when restricting certain rights in the performance of their functions, on the basis that it did not expressly require consideration of necessity and proportionality on a case-by-case basis. The regulations seek to address that concern.
This Government is committed to maintaining strong data protection rights for citizens in line with the general data protection regulation, GDPR. Where potential issues are brought to our attention regarding our national transposing measures, we are happy to examine the issues and act where necessary, as we are doing in this instance. While the GDPR provides strong levels of protection for individuals, the right to data protection is not absolute and it must be balanced against other rights and interests. In this regard, the GDPR recognises that there may be limited circumstances in which an organisation could have grounds to refuse to grant an individual’s request to exercise their data protection rights.
Where a Member State provides for further restrictions, the following conditions, which are strict, apply: first, the restrictions must be set out in national law; second, they must respect the essence of the fundamental rights and freedoms of individuals; and third, they must be necessary and proportionate to safeguard certain objectives of societal or general public interest.
In Ireland, section 60 of the Data Protection Act gives further effect to Article 23 of the GDPR and provides for restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest. The rights and obligations concerned are those provided for by Articles 12 to 22, inclusive, Article 34 and part of Article 5 of the GDPR. This includes rights of access to personal data, the right to erasure and the right to rectification.
While section 60 provides for a collection of matters including Cabinet confidentiality and parliamentary privilege, these regulations are specifically concerned with section 60(3)(c) of the Act. That provision provides that the rights and obligations under Articles 12 to 22, inclusive, Article 34 and part of Article 5 of the GDPR are restricted to the extent that the personal data concerned are kept by the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General in the performance of their functions.
The European Commission contacted my Department and expressed concern about how section 60(3)(c) of the Data Protection Act had been drafted and that it could be interpreted as providing a blanket exemption to the entities concerned by not expressly requiring an assessment of the necessity and proportionality of restricting rights and obligations on a case-by-case basis, as required by the GDPR and, in particular, by Article 23. As an EU regulation, the GDPR is directly applicable in Irish law and section 60(3)(c) must be viewed in the context of Article 23 and operated at all times in keeping with its requirements. However, we recognised that the drafting of that section could be more explicit with respect to the requirements of the GDPR. To address this, two sets of regulations were prepared. First, regulations under section 3 of the European Communities Act 1972 were made in November 2024 to amend section 60(3)(c) to clarify that the restrictions applied by the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General, as the case may be, must be necessary and proportionate to safeguard the performance of a function of the body concerned.
The updated provisions also outlined the matters each body must have regard to when determining whether a restriction would be necessary and proportionate. This includes the extent to which the exercise of a right or compliance with an obligation would prejudice the performance of a function of the body including by disclosing that a particular function was being performed where it may prejudice the performance of the function concerned, or prevent the processing of personal data for a period of time where any delay may prejudice the performance of a function. In addition, the bodies concerned must have regard to the essence of the right to data protection of a data subject and the risks to the rights and freedoms of a data subject that may result from such a restriction.
The draft regulations before the House today are procedural in nature and seek to build upon the requirements set out in the regulations made last year, and are the second and final in the collection of regulations to address the Commission’s concerns. Specifically, the regulations require the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General to ensure that when restrictions are being applied under section 60(3)(c) for the performance of their functions, those restrictions are only in place for so long as is necessary and proportionate to safeguard the relevant function; and that relevant information about the restrictions is provided to the data subject, including the reason, except where disclosure would prejudice the body in the performance of its function. In addition, each of the bodies is required to prepare and implement policies and procedures that set out how they will deal with important issues such as data storage, security and access arrangements. Additionally, the bodies must periodically review the policies and procedures they have in place.
Each regulation provides that any communication between the body and a data subject must be in an easily accessible form and be in plain language. My Department engaged with the three entities during the drafting process and they have confirmed that they are satisfied with the draft regulations. I take this opportunity to thank the three bodies involved for their constructive engagement throughout the preparation of the regulations.
These draft regulations put in place procedural obligations on the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General when seeking to restrict the rights or obligations necessary to safeguard the performance of a function of the body concerned. They do not introduce any new or additional restrictions on the rights of data subjects. The purpose of these regulations is to ensure our national measures better align with the intent of Article 23 of the GDPR and that clear procedures are in place, governing the limited circumstances in which rights or obligations are restricted under section 60(3)(c).
I am seeking the House's approval for the regulations drafted in respect of the three entities. I believe the regulations are necessary because they are proportionate and required for the purpose of ensuring there is compliance with the GDPR.
Matt Carthy (Cavan-Monaghan, Sinn Féin)
I thank the Minister for that information. I acknowledge, as the Minister has outlined, that these regulations will not in any way limit the rights of citizens.
They will, in fact, place greater obligations on related offices in terms of the circumstances in which they may limit the right of citizens to information. The limitations the regulations place on organs of the State to limit citizens' rights are entirely reasonable. They ensure that any such limitation is time-limited to only what is necessary to safeguard the work of relevant offices and mandate that an impacted person be informed that this has occurred. Crucially, the right to appeal any such restriction is in place. This is welcome and as such will be supported by Sinn Féin.
However, it is worth examining how the need for these regulations came about and how they came to light. The need for these regulations arises because when transposing the general data protection regulation, GDPR, into domestic law, the Government included what could have amounted to a blanket exemption from crucial components of the GDPR for the Comptroller and Auditor General, the Office of the Chief Information Commissioner and the Data Protection Commission itself - bizarrely, I have to say. It is worth putting on the Dáil record what rights the Government was granting this exemption in relation to. Largely, it comprised the rights outlined in chapter 3 of the regulation, the rights of the data subject. Anyone would agree that chapter is crucial - perhaps the most crucial component of the regulation. This blanket exemption applied to ten out of the 11 articles therein, articles that related to transparency, right of access to personal information, the right to rectification and the right to erasure, which is of course better known as the right to be forgotten. It also applied to Article 34, communication of a personal data breach to the data subject, and again I am certain that anyone in this House would agree that they are among the most fundamental rights for which the regulation provided.
The need for these regulations came to light because this potential blanket exemption was identified by the European Commission. The European Commission and its President get a lot wrong, as we would contend today more so than on most days, and legitimate criticisms can be made in respect of the application of the GDPR. It can become incredibly burdensome for small businesses and voluntary groups to manage. My own experience of the GDPR is that it is often utilised by State bodies to prevent legitimate questions being asked. I am sure most Members of this House have had experience where the GDPR was cited as an excuse for State bodies or even Departments to fail to interact appropriately with elected representatives. As such, I am always open to revisiting existing policy and legislation to ensure there is a correct balance of rights and obligations. The GDPR, just as with any legislation or law, should not be sacrosanct or entombed. There have to be ways and mechanisms to change it if necessary. Of course, that boils down to the difficulties. When we accept regulations or directives at an EU level, once in place they are incredibly difficult to change. By and large, the GDPR is and has been a landmark piece of legislation. While there are many issues with it, it provides citizens with greater control regarding their own personal data, which is important. It is therefore regrettable that the Government placed not only unnecessary limitations on these rights but seemingly, in the view of the European Commission, potentially illegal limitations.
I accept, as the Minister has said, that the GDPR provides for limited circumstances in which restrictions may apply. However, the issue at hand is that the Government in effect drove an articulated lorry through those limited circumstances. That is the opposite of Sinn Féin's starting point when it comes to new legislative or policy proposals, where we prioritise and take a rights-based approach. The Government should give serious consideration to the situation anytime it seeks to limit citizens' rights, particularly their right to access information pertaining to themselves. A blanket exemption in case it is needed, even if not intended to be utilised, is poor legislative practice.
I have two questions for the Minister regarding these specific regulations, which he or the Minister of State might address in their closing remarks. This is the second set of regulations related to the issues identified by the Commission. I note they were drafted individually in the case of each relevant office on the advice of the Office of the Parliamentary Counsel to the Government in case further amendment is required in the future. Is the Minister confident that these regulations address the potentially illegal blanket exemption identified by the Commission in full or does he expect that further amendment or regulation will be necessary?
My second question is particularly important given the potential limitation the Government's legislation placed on a citizen's rights to transparency. These regulations will mandate the impacted offices to prepare and implement policies and procedures to provide for the matters relating to circumstances whereby a citizen's right may be restricted, including in relation to timeframes whereby a person's right may be restricted. In what timeframe does the Minister envisage such policies and procedures to be developed? Noting that the regulations provide that a citizen whose rights are restricted is entitled to a copy of those policies and procedures, will the Minister ensure that these are published at the earliest opportunity?
6:55 am
Gary Gannon (Dublin Central, Social Democrats)
It is important to speak today on this motion concerning new regulations under section 64 of the Data Protection Act. We are told these regulations do not introduce new restrictions but simply tighten up existing rules to make them better aligned with Article 23 of the GDPR Act. That is fine - indeed, it is welcome - but we should always be careful with motions like this to ensure that public oversight is maintained and that we are not opening the door to unintended consequences.
This is not some abstract debate about data protection jargon. These regulations affect real people who are trying to access their own information or to understand the decisions made about them by powerful State bodies, namely, the Data Protection Commission, DPC, the Office of Information Commissioner, OIC, and the Comptroller and Auditor General. These are institutions we rightly trust to hold others to account, but when those very institutions restrict the public's right to information, to silence or withhold, even in exceptional cases, we should always leave room for debate. Scrutinising legislation like this has never been more important. We have seen the actions of the British Government taken in recent weeks under terrorism laws, not to target violence but to silence protest. People spray-painting planes as a symbolic act of dissent now face penalties of up to 14 years in prison and simply expressing support for that group is now a criminal offence. That is not national security but the attitude of an authoritarian regime. It should make us all pause. We are living in an age when the misuse of power is often framed as order and if we are not careful, laws once meant to protect will become tools of control.
Under Ireland’s current law, specifically section 60(3)(c) of the Data Protection Act, these bodies can restrict someone’s GDPR rights to safeguard their own functions, in other words to carry out their work without interference. Until recently, that section did not require them to explain why they were restricting a person’s right. There was no clear legal test of necessity, no demand for proportionality, nothing to ensure this power was used sparingly and transparently. That is why the European Commission stepped in. It said, and rightly so, that the law as written looked like a blank cheque for public bodies to block people from exercising their data rights. It could have allowed for a blanket exemption with no oversight. That is not in line with Article 23 of the GDPR and certainly is not in line with the spirit of fairness and accountability.
The Government's move to amend that section and bring forward these regulations is a step in the right direction. It is absolutely progress. However, my concern is that what is written on paper and what happens in practice are often two very different things. Yes, we need regulations but they must come with teeth, built-in accountability and real safeguards for ordinary people, not just policy documents that sit quietly on a website, untested and unread. I also have concerns for those who might have more difficulties navigating the system, the young person wrongly profiled, the migrant trying to challenge the decision, the person with literacy issues and no legal support. These regulations must not become another barrier to justice, wrapped in a legal cloak.
I would like to hear the Minister address the following. Will these regulations include a clear appraisals process when someone's rights are restricted? Will the DPC, the OIC and the Comptroller and Auditor General be subject to independent oversight, not just self-review? Will the Government commit to a public audit of how these powers are used, not once but regularly?
Most important, will the Minister confirm that these regulations cannot be used to shield incompetence or wrongdoing, or simply to avoid scrutiny? If transparency only applies when it is convenient, it is not transparency at all.
Data protection is not just a legal principle but a human right. These regulations should not be technical fixes to satisfy Brussels. They should be meaningful steps to protect people's rights at home and to hold powerful institutions to account. I will support the motion if it comes with guarantees not just that rights are restricted carefully but that the people affected can challenge these restrictions and their consequences when institutions get it wrong.
7:05 am
Jim O'Callaghan (Dublin Bay South, Fianna Fáil)
I thank Deputies Carthy and Gannon for their contributions. Deputy Carthy was correct in stating that these regulations are not seeking in any way to restrict the rights of a data subject. In fact, they are seeking to add protection to the rights of a data subject by ensuring that the three agencies that are the subject matter of the regulations act only where necessary and in a proportionate way when they are seeking to restrict access.
I welcome the fact that both Deputies are supportive of the new regulations. Deputy Carthy also wondered why it was not fully transposed when the GDPR was being enacted in the Data Protection Act. I was a member of the justice committee at that stage. It was an enormous task. I am conscious of the task the Deputy faces, as Cathaoirleach of the current justice committee, with the International Protection Bill. There was a similar task when the GDPR came before that committee for the purposes of pre-legislative scrutiny and Committee Stage. In fairness, understanding human frailty, things can be missed. I do not think it was a deliberate miss or anything like that.
To answer the Deputy's question, I am confident that the regulations address the issue of the legal blanket exemption. The regulations are proportionate and necessary. I do not believe I will be back again seeking to add further regulations in that regard.
The Deputy also asked what is the timeframe for the two statutory bodies and the one constitutional body to have these policies in place. I can tell him that at present, they all have policies in place and available. They will obviously need to be updated. I understand and hope they will be published next term or in the autumn. That is my expectation.
Deputy Gannon said we should have public oversight, and I agree entirely. That is what we are doing here today. The legislation states that I, as Minister, can make regulations but they will only be approved if the Houses of the Oireachtas approve them. That is a very good provision. I cannot just introduce the regulations, sign them in and have them become law. I need to come back to the Houses for the approval of the elected representatives of the Irish people. That is how we are having public oversight.
I agree with the Deputy that we should scrutinise legislation. We have good democratic oversight of legislation in this country. I sometimes contrast the position of an Irish Minister with the people who are in power in other countries. We are subject to committee hearings, frequently answer questions in the Dáil and Seanad and expose ourselves to the media in respect of the legislation. We have a thorough process for checking draft legislation before it is enacted. I support that thorough process. That is the way we should do it. The last thing we want is a situation whereby laws can be made relatively easily.
The Deputy also asked questions about the process in respect of anyone who wishes to pursue these regulations or make a complaint. When it comes to any data complaint, we have the Data Protection Commission, the Information Commissioner and the courts. Anyone who is dissatisfied with the operation of the regulations for which I am seeking approval can lodge a complaint under Article 77 of the GDPR and it will be dealt with in the ordinary course. A statutory mechanism is in place to ensure that anyone who believes his or her data rights have been unfairly appraised and determined can avail of the provisions within the GDPR and the Data Protection Act to ensure they are vindicated.