Shane Ross (Dublin Rathdown, Independent) | Oireachtas source

I thank the House for the opportunity to present the Bill. It is a very specialised Bill which is necessary in order to meet obligations entered into by Ireland under European Union measures known as the Prüm decisions. These decisions are named after the town in Germany where the principles behind them were originally agreed and address the need to share certain kinds of information between member states in order to combat terrorism and other serious crime. They require member states to share, in particular, DNA, fingerprint and vehicle registration data. Legislation to share DNA and fingerprints, which is the responsibility of the Department of Justice and Equality, was passed in 2014. This Bill will address the sharing of vehicle registration data.

The Prüm decisions were reached in 2008. At the time, member states had the choice of whether to opt into them and Ireland did so by votes of both Houses of the Oireachtas. Once we opted in, the decisions became mandatory for us under EU law. Compliance with the decisions does not only mean passing the necessary legislation, as we are not deemed to be compliant until we begin sharing information with other member states. Under an agreement reached by the EU in 2009, data will also be shared with Iceland and Norway under the decisions.

The legislative aspect of giving effect to the decisions has proven very complex. As I said, the legislation to give effect to the sharing of DNA and fingerprint information was passed in 2014, six years after the decisions. As that constituted the major part of the decisions, legislation for sharing of vehicle registration data was to be dealt with only after the DNA and fingerprint legislation. A number of legal difficulties had to be resolved and it is only now that we are in a position to bring forward the necessary legislation to allow for exchange of vehicle registration data as required by the decisions.

Due to these delays, as well as technical delays to the sharing of DNA and fingerprint data, the EU has begun the initial stages of action against the State for possible infringement of European Union law. I understand that the technical processes necessary for arriving at actual sharing of DNA and fingerprint data are well advanced, with the crucial stage of EU evaluation visits to assess readiness being scheduled for February and March in the case of fingerprinting and DNA, respectively. Vehicle registration data cannot be shared under the decisions until this Bill is passed.When this Bill has been passed, we will proceed to sharing data under it as quickly as possible.

We are in a very fortunate position for rapid implementation in one respect. Vehicle registration data are already being shared with other member states under a separate EU instrument dealing with the investigation of serious road traffic offences. As this is being done over the same network that will be used for the Prüm decisions, the technical measures required to implement the present Bill are mostly in place. Speedy implementation will enable us to end EU infringement proceedings and avert the risk of reputational damage and financial penalties the State might incur in the case of being found to have infringed EU law. On the matter of reputational damage, I would like to point out that the Prüm decisions are rightly regarded as an important law enforcement tool by our EU partners, particularly those that have suffered from terrorism in recent years. I need hardly stress the importance of retaining goodwill at European level in the present climate of the Brexit negotiations.

Before I set out the details of the Bill, I will explain what we are talking about in practice. If a car that was involved in a serious crime in France, such as a terrorist incident or an armed robbery, was registered in Ireland, it would be possible under the Prüm decisions for the French authorities to send an electronic request to check Irish records to ascertain the identity of the registered owner of the vehicle. Equally, were a French-registered vehicle to be used in a serious crime in Ireland, An Garda Síochána would be able to find out the identity of the registered owner by checking the French data. The contents of this Bill may be described as falling into four areas, namely, general provisions for sharing of vehicle registration data under the Prüm decisions, specific provisions for sharing Irish vehicle registration data with other member states, specific provisions for Ireland to access vehicle registration data held by other member states and data protection provisions.

The Prüm decisions require each member state to designate a national contact point for the sharing of vehicle registration data under them. As the statutory holder of the information in question is the Minister for Transport, Tourism and Sport, the Bill names the Minister as the national contact point for the purposes of sharing these data. The Prüm decisions require that those involved in the processing of data exchange under the decisions should be authorised named individuals. Therefore, this legislation will allow me as Minister to designate individuals as the authorised people to process data under the decisions. These people may be officials of my Department - in other words, the people who already manage the data - or members of An Garda Síochána.

The second area in the Bill is the setting out of specific measures relating to access to Irish data for the national contact points of other member states. In line with the limits and safeguards set out in the Prüm decisions, a search of the Irish data may be made only with a full registration number or vehicle identification number, VIN. The purpose for which a search may be made is limited to prevention and investigation of criminal offences. The Bill also sets out the content of any reply and limits its use by the receiver to the purpose for which it was supplied and to keeping records of data sharing under the Prüm decisions. The keeping of the latter records is a requirement to enable examination and verification that data protection rules are being respected.

The third area in the Bill involves searches by Ireland of vehicle registration data held by other member states. It applies much the same rules regarding the conduct of searches by full registration number or VIN and the use of data solely for the purpose for which it was supplied or for keeping records or data sharing. In this case, as we are talking about searches which are part of investigations of crimes in Ireland, the Bill allows the sharing of the data with the courts, the Garda Síochána and the Director of Public Prosecutions, or other appropriate bodies, but only with the consent of the state that supplied the data.

As members can see, data protection must be at the heart of any process of this nature. Anyone who is familiar with EU data protection law will be aware that the current EU legislation on data protection, as reflected in Irish law under the Data Protection Act 1988, is due to be replaced in May of this year by a new legal framework which consists of the general data protection regulation and the policing directive. As Prüm is a law enforcement measure, the policing directive is the part of the new legislative framework which would naturally apply to it. However, the EU, in preparing the new legislation, decided specifically to exclude Prüm from the new framework and require the continued application of existing data protection law. Therefore, the policing directive explicitly states that it does not apply to Prüm and that existing legislation will continue to apply. The practical effect of this is that the Bill must - and does - state that the provisions of the Data Protection Act 1988 apply to data sharing under Prüm.

In addition, the Prüm decisions impose specific obligations on the data protection authorities of member states. These obligations relate to the monitoring of data sharing under the decisions and the processing of complaints from individuals who may believe their data should not have been shared or the data shared may have been inaccurate. Additional measures include the requirement on the national contact point to maintain records of data sharing under the decisions for two years and then delete such records, to carry out random checks on those records and to produce the records of such checks on request by the Data Protection Commissioner. There are specific provisions for the correction of inaccurate data and the deletion of data which should not have been supplied. The Data Protection Commissioner is given specific responsibility for monitoring data sharing under the decisions and for carrying out random checks on such data sharing. Individuals may ask the commissioner to investigate the legality of the sharing of their data. The commissioner is empowered to engage with data protection authorities in other member states to ensure proper investigation of complaints, regardless of whether those complaints emanate from within the State or from another member state.

The provisions of this Bill have been carefully examined and drafted to ensure they meet the requirements of EU in terms of the Prüm decisions and in terms of data protection law. We need to pass this Bill into national law to enable compliance with EU law and to proceed to data sharing under the decisions and thereby avoid being found to have infringed EU law. I appreciate that this short Bill does not make light reading. It is significant and something that our EU partners are very eager to see completed. I thank the House again for its consideration. I would appreciate the passage of this Bill as soon as possible.