Thursday, 8 February 2018
Data Protection Bill 2018: Second Stage
I am pleased to have the opportunity to launch the Data Protection Bill 2018 in Seanad Éireann. I look forward to hearing the contributions of Senators and I hope they will support this important Bill. My officials are available to any Member who wishes to receive a detailed briefing on technical aspects of the legislation. In this regard, a more formal briefing will be provided for Senators on Monday morning next and I hope, if it is convenient, they will avail of the opportunity to attend. I thank the Members of the House who undertook the pre-legislative scrutiny work in their capacity as members of the Oireachtas Joint Committee on Justice and Equality. In a nutshell, this legislation will introduce stronger rules on data protection. People will have more control over their personal data and businesses will benefit from a level playing field. Members of this House will no doubt be aware of the general data protection regulation, generally referred to as the GDPR, of which there has been a great deal of debate both in Ireland and across the European Union. The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. It does not apply to data processed by an individual for purely personal reasons or for activities carried out in a person's home provided there is no connection to a professional or commercial activity.
The GDPR is a significant regulation and this Bill will give further effect to the GDPR as well as transposing the accompanying law enforcement directive into national law. Furthermore, it will establish the data protection commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the directive must be transposed into national law by early May. Accordingly, I am hopeful that with the support of both Houses, this Bill will be signed into law and enter into force next May alongside the GDPR. I believe that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age.
I am conscious that many people may be inclined to switch off at the mention of data protection because they see it as a technical issue, an issue that does not concern them directly. That would be a mistake for the simple reason that the updated data protection rules entering into force in May next will affect all of us in one way or another. It will affect each of us as individuals because it will increase our control over the manner in which, and the purposes for which, our own personal data is used. It will affect businesses, be they large, medium or small, because it will require them to review and update the manner in which they collect, use or store the personal data of their customers, clients or any other individual whose personal data they retain. The same applies to Government Departments and public bodies.
The simple fact is that data protection law has not kept pace with the many technological advances and new business models such as cloud computing that have emerged in recent years. Our current data protection law, which is based on the EU's 1995 data protection directive, predates mass Internet usage, hand-held devices, apps, games, social networking and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR in May next. However, the GDPR's provisions will strengthen our control over our own personal data and the purposes for which it may be used.
Increased transparency is essential to increased control. In future, all information must be provided in a concise, transparent, intelligible and easily accessible format using clear and plain language. It will no longer be acceptable to direct users to terms and conditions written in legal jargon. The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase but will do so in a measured and proportionate manner. The compliance burden will increase for some but that will be proportionate to risks to the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. By proportionate, I mean that for SMEs where data processing is not a core part of the business and where the company's activity does not create risks for individuals, some obligations of the GDPR will not apply, for example, the appointment of a data protection officer, DPO. The new obligations will inevitably pose a greater challenge for bodies, be they in the public or private sectors, that specialise in data processing and for those handling, for example, customers' financial data or patients' sensitive health data.
While large companies have been gearing up for the entry into force of the GDPR for some time, it is likely that the SME sector and micro-enterprises will continue to require assistance and support during the coming period of adjustment. Awareness-raising activities have been under way for the last year and a half involving conferences, seminars and workshops and those activities will continue. The Minister of State, Deputy Breen, who has special responsibility in this policy area, has been very active in promoting awareness of the changes to come and I know he has an ambitious schedule planned for the coming months. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner's web page www.gdprandyou.ie. It contains a wealth of useful information and practical guidance for both business and individuals.
High data protection standards are in everyone's interests, including the interests of business. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the EU. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. In this context, it is worth remembering that exports are a critical aspect of our strong economy. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government's online services.
To make the enhanced protections meaningful, public and private enforcement of data protection law is set to increase. The data protection commission will in future have stronger supervisory and enforcement powers as well as a broader range of sanctions at its disposal, including the possibility of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase resulting in higher levels of private enforcement activity.
This Government is committed to achieving the full potential of the digital economy and its capacity to promote innovation, create jobs and boost economic activity in the State. We already host many of the world's leading digital companies and they provide their services well beyond our shores. That number will increase in the future. The GDPR, together with the provisions of this legislation, will ensure that data processing involved in the provision of these services will meet the highest data protection standards and the establishment of the data protection commission will ensure effective supervision and enforcement of these high standards.
Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the EU on 25 May 2018. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, requires to be transposed into national law by 6 May 2018.
Both the GDPR and the directive have a legal basis in Article 16 of the Treaty on the Functioning of the European Union and provide for significant reforms to current data protection rules based on the EU's 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations.
The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the EU thereby providing a level playing field for all those doing business in the EU digital market. The European data protection board, a new entity that will replace the current advisory committee and that will be made up of representatives of the data protection authorities of all member states, will play an important role in this respect.
At the heart of both the GDPR and the directive is a risk-based approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure and, importantly, to be able to demonstrate that its processing of personal data complies with the new data protection standards. I would remind Senators that the terms "controller" and "processor" apply to us too. Those of us involved in the handling of constituents' queries, requests and representations are data controllers. Any operator of an off-site storage facility for files containing personal data is a processor. This is an issue for the Oireachtas in a most direct way.
For the purposes of assessing the nature, level and likelihood of risks to the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the data protection commission will be mandatory.
The GDPR and the directive place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards in order to protect against data breaches, such as unauthorised or unlawful processing and accidental loss, destruction and damage. The GDPR and the directive impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a data protection officer with responsibility to oversee data processing operations and to report data breaches to the relevant data protection authority. The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual's consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called legitimate interest ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity.
The GDPR and the directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of member states, including the future data protection commission. The GDPR provides for the possible imposition of substantial administrative fines of up to €10 million, €20 million or 2% or 4% of total worldwide annual turnover in the preceding financial year. I will return to the fines issue shortly.
The liability of controllers and processors will be broadened to include non-material damage such as distress. In future, an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.
I will turn to the purpose and structure of the Bill. The key purposes of the Bill are as follows: to give further effect to the GDPR in the areas in which member state flexibility is permitted; to transpose the directive into national law; to establish the data protection commission as the State's data protection authority with the means to supervise and enforce the protection standards enshrined in the GDPR and directive in an efficient and effective manner; and to enact consequential amendments to various Acts that contain references to the Data Protection Acts 1988 and 2003.
The Bill, which is lengthy and complex in nature, comprises the following parts. Part 1, comprising sections 1 to 8, inclusive, contains a number of standard provisions, for example, citation, commencement and definitions. Section 7 makes provision for repeals while section 8 defines the residual scope of the 1988 Act.
Part 2, comprising sections 9 to 27, inclusive, establishes the data protection commission to replace the Data Protection Commissioner as the State's data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the directive. Establishment of the commission, comprising at least one and not more than three commissioners, is a future-proofing provision to allow, should the need arise, for the appointment of additional commissioners in response to an increased commission workload.
Part 3, comprising sections 28 to 55, inclusive, gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the regulation gives member states a margin of flexibility. In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations in due course.
Part 4, comprising sections 56 to 62, inclusive, contains a number of provisions that are consequential on replacement of the Data Protection Commissioner with the data protection commission. The intention is to provide for a smooth and frictionless transition from current arrangements to the new structure.
Part 5, comprising sections 63 to 99, inclusive, transposes the law enforcement directive's provisions into national law. Part 6, comprising sections 100 to 151, inclusive, contains provisions dealing with enforcement of the obligations and rights set out in the GDPR and directive by the data protection commission. The intention is to ensure effective supervision and enforcement mechanisms, together with the necessary procedural and due process safeguards. Part 7, comprising sections 152 to 157, inclusive, contains a number of miscellaneous provisions mainly concerning the application of data protection rules to the courts and a number of related legal matters. Part 8, comprising sections 158 to 162, inclusive, contains consequential amendments to a number of Acts.
As regards substance, the explanatory and financial memorandum that accompanies the Bill contains much detail. I do not intend, therefore, to delve into all of the Bill's provisions. However, I wish to take the opportunity to highlight a number of issues and, in particular, to refer to Part 5, which transposes the law enforcement directive into national law.
Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003. While Article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant Court of Justice case law by the Office of the Attorney General has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State.
While national security and defence lie outside the scope of EU law, the Council of Europe's 1981 data protection convention - Convention 108 - contains provisions that apply to data processing for these purposes. The process of updating and modernising this convention is under way in Strasbourg, but that process has not concluded. Pending the updating of Convention 108, section 8 proposes to confine the scope of the Data Protection Act 1988 to data processing in the context of national security, defence and the international relations of the State. On completion of that process, it will be possible to update the content of this legislation by means of an amending Act and to repeal the 1988 Act. All key data protection standards will then be found in a single consolidated Act.
The GDPR contains a "consistency mechanism", or so-called one-stop-shop, which is intended to streamline the handling of data protection infringements and complaints across the EU. For this purpose, it employs the concept of a lead supervisory authority, that is, the data protection authority of the member state in which a controller's "main" or only EU establishment is located. It means that complaints will be investigated by the data protection authority of that member state irrespective of the member state of origin of the complaint. That data protection authority may request assistance from other authorities for investigation purposes, but the initial decision as to whether an infringement has occurred or is occurring will be the responsibility of the lead authority.
Before arriving at any final decision in cross-border cases, the lead authority must submit a draft decision to the other data protection authorities that have an interest in the case for their views and must have regard to any objection received from them. If there are remaining objections to a revised draft decision, it may trigger a referral of the case to the European Data Protection Board, EDPB, which comprises representatives of all supervisory authorities, for a binding decision. The EDPB will make a binding decision by majority vote, which may or may not coincide with the revised draft decision of the lead supervisory authority.
This mechanism has a special significance for Ireland, since many multinational companies that provide digital services across the EU and beyond have their headquarters here. This means that the data protection commission and its handling of cross-border complaints will be the focus of particular and sustained attention across the EU.
This is the backdrop to the proposals in Part 2 of the Bill to establish a data protection commission with at least one but not more than three commissioners. While there are no specific plans at present to increase the number of commissioners, significant levels of additional financial and staffing resources have been allocated to the Office of the Data Protection Commissioner in recent years in order to prepare for the expected workload increases following the entry into force of the GDPR and this legislation. Staff resources have trebled from 30 in 2013 to more than 90 currently. Additional funding of €4 million in 2018 will bring the overall budget to approximately €11.7 million, which will facilitate the recruitment of additional staff, bringing the total to in or around 140.
In order to underline and further enhance the independence of the commission as required by the GDPR and Court of Justice case law, the commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 156, respectively. Commencement of these provisions will take place when the necessary procedures for a separate Vote are in place.
Article 8 of the GDPR specifies a "digital age of consent" of 16 years but allows member states to lower it, although not below 13 years.
This means that where information society services are offered directly to children, the processing of a child's personal data will be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child. In such cases, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child.
In late 2016, my Department launched a consultation process and invited submissions from interested parties on the digital age of consent to apply in this jurisdiction under Article 8. The Government Data Forum, which brings together legal and data protection experts and business representatives from SMEs and multinationals, in addition to sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents, including the Office of the Ombudsman for Children, the Internet Safety Advisory Committee and the Children's Rights Alliance, recommended setting the digital age of consent at 13 years.
When appearing before the Oireachtas Joint Committee on Justice and Equality for the pre-legislative scrutiny of the general scheme of the Bill last July, the Special Rapporteur on Child Protection, Dr. Geoffrey Shannon, also recommended setting the digital age of consent at 13 years. This recommendation was adopted by the committee in its report, published last November.
The Government considers that a digital age of consent of 13 years represents an appropriate balancing of children's rights, namely, a child's right to participation in the online environment and a child's right to safety and protection, rights that are enshrined in the UN Convention on the Rights of the Child. Provision is made for that in section 29.
As regards preventive or counselling services provided for children, subsection (2) clarifies that such services are excluded from the scope of Article 8. The legal advice available to the Department points to the risks of attempting any definition of such services. Any inadvertent exclusions could risk the termination of preventive or counselling services already being provided for the benefit of children under 13 years.
I fully support the recommendation of the joint Oireachtas committee for consultation with children in regard to data protection measures. Article 57 of the GDPR requires data protection authorities, such as the Office of the Data Protection Commissioner, to promote public awareness and understanding of the risks, rules, safeguards and rights in regard to data processing, and it states activities addressed specifically to children must receive specific attention. Adequate consultation with children in regard to the content of such activities will be necessary and appropriate.
I also support the committee's recommendation that education programmes be implemented to assist children in exercising their data protection and digital rights. In this context, I want to draw attention to the webwise initiative webwise.ie, operated by the Professional Development Service for Teachers, which promotes online awareness and safety objectives. My Department provides funding to webwise.ie and I am working with the Minister for Education and Skills, Deputy Bruton, the Minister for Children and Youth Affairs, Deputy Zappone, and the Minister for Communications, Climate Action and Environment, Deputy Naughten, on the broader issue of child safety online.
Article 23 of the GDPR makes provision for possible restrictions on the exercise of data subject rights in order to safeguard important objectives of general public interest, some of which are set out in paragraph 1. It specifies that such restrictions must comply with three conditions: they must be in a legislative measure; they must respect the essence of the fundamental rights and freedoms of individuals; and they may not exceed what is necessary and proportionate in a democratic society.
The need to apply restrictions on the exercise of data subject rights might arise, for example, where a regulatory body, such as the Legal Services Regulatory Authority or the Medical Council, is examining a complaint regarding fitness to practise or an allegation of improper conduct. It could also arise where the Health and Safety Authority is investigating a workplace accident. The objective in such cases is not to set aside permanently the data protection rights of individuals concerned but, rather, to protect the investigation or examination from access requests or requests for rectification or erasure of personal data so that the investigation or examination can be brought to a conclusion and appropriate action can be taken.
Section 54 of the Bill provides for appropriate restrictions in order to safeguard a range of important objectives of general public interest, such as avoiding obstructions to any official or legal inquiry, investigation or process. Such public-interest objectives also include Cabinet confidentiality, judicial independence, parliamentary privilege and legal privilege. Any such restrictions must be set out in law or in regulations under subsections (6), (7) and (8), and the regulations must comply with subsection (10), which requires one to respect the essence of the right to data protection, and restrict the exercise of data subject rights only in so far as is necessary and proportionate in a democratic society. Similar safeguards apply in the case of restrictions on data subject rights under Part 5. These are provided for in section 89.
Article 57 of the GDPR confers a broad range of corrective powers and sanctions on the data protection authorities, including the Office of the Data Protection Commissioner. These range from issuing warnings or reprimands to ordering public or private bodies to facilitate the exercise of data subject rights and to bring their data-processing operations into line with data protection law. The commission will also have the power to impose a temporary or permanent ban on non-compliant processing operations. Data transfers to third countries may be suspended if data protection standards applicable there are considered inadequate by the European Union. All of these corrective actions, including prohibition orders, apply equally to the public and private sectors.
Article 83 of the GDPR provides for the imposition of administrative fines for infringements, including data breaches. It states each member state may lay down the rules on whether, and the extent to which, administrative fines may be imposed on public sector bodies. While the possibility of imposing such fines on Departments, public authorities and public bodies could have a deterrent effect, it would also reduce the funds available to such bodies for the provision of important services to the public. Any deficit arising from the payment of fines would be likely to lead to demands for replacement funding by means of a supplementary budget. This could result in a wasteful, circular flow of funding. On the other hand, the Government recognises that non-application of administrative fines could create competition distortions in those areas in which public and private bodies operate in the same market, for example, public and private hospitals, and public and private transport providers.
To ensure fair and equitable trading conditions, section 136 of the Bill provides that administrative fines may be imposed on public bodies when they act as "undertakings", that is, when they are providing goods or services for gain in competition with private bodies. This will ensure fair competition between the public and private sectors in the provision of goods and services.
Part 5 of the Bill, containing sections 63 to 99, inclusive, transposes the law-enforcement directive into national law. Chapter 1 contains relevant definitions — section 63 — and outlines the scope of this Part — section 64. It applies to data processing carried out by public authorities and bodies for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or the execution of criminal penalties. While it will apply in the main to bodies operating within the criminal justice system, its provisions will also apply to administrative bodies such as the Health and Safety Authority and other authorities, such as fire authorities, when they are engaged in the investigation and prosecution of offences.
Chapter 2 contains provisions outlining the general principles of data protection. I refer to section 65. The principles are broadly similar to those in the GDPR. Also outlined are the following: the need for adequate security measures in section 66; conditions applicable to the processing of special categories of personal data in section 67; and standards applicable to data quality in section 68.
Chapter 3 outlines the obligations on controllers and processors when acting within the scope of Part 5. These are broadly similar to obligations set out in Part 4 of the GDPR, including: the need for appropriate security standards; reporting of data breaches to the Office of the Data Protection Commissioner; the need for contracts with processors; the carrying out of data protection impact assessments; and, in certain cases, mandatory consultation with the Office of the Data Protection Commissioner. Section 76 imposes a specific requirement on controllers and processors to create and maintain data logs, which must record consultation and disclosures of data in automated processing systems. All public authorities and bodies must designate a data protection officer.
Chapter 4 specifies the data protection rights of individuals. These include rights in regard to automated decision-making, section 84; the right to information, section 85; the right of access, section 86; and the right to erasure and rectification of personal data, section 87. Section 89 outlines the grounds on which the exercise of data subject rights under this Part may be restricted in whole or in part. Where exercise of a data protection right is restricted, the data subject may seek indirect exercise of that right through the Office of the Data Protection Commission, section 90.
Part 6 contains detailed provisions that deal with supervision and enforcement of the general data protection regulation, GDPR, and the data protection standards set out in Part 5. These include provisions for the handling of complaints received by the commission, the carrying out of detailed investigations, and the imposition of sanctions.
I want to mention the report on pre-legislative scrutiny of the draft Bill submitted by the Joint Committee on Justice and Equality. I wish to thank the joint committee for its work and recommendations, many of which have been taken on board in the Bill before us today. I have already referred to a number of areas where it has not been possible to adopt the committee's recommendations. I also take this opportunity to thank the many other stakeholders for their inputs into the preparation of this legislation.
As I mentioned at the outset, this is a lengthy Bill and it is also complex legislation. That should not obscure its central purpose, which is to promote and facilitate the exercise of our rights as individuals to protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that "[e]veryone has the right to protection of personal data concerning him or her". The GDPR and this Bill seek to make that a reality. I, therefore, commend the Bill to the House.