Alice-Mary Higgins (Independent) | Oireachtas source

I will probably not need eight minutes and I apologise in advance for having to leave immediately after I finish, but I am sure I will see the Minister again on Committee Stage.

Despite the extensive focus on and debate around the GDPR, I regret this Bill is being rushed. Second Stage is being taken this week and despite the requests of a number of leaders of groups in the House, Committee Stage is being taken next week. While a briefing on it may be taking place on Monday, given the length, significance and detail in this Bill, that is not a sufficient or appropriate length of time to ensure proper oversight of it by us as Senators and for us to have a proper opportunity to work together and with the Minister and his Department around a constructive amendment process. Nonetheless, we will be tabling a number of amendments. It is a pity we will not have a better process in that regard.

The GDPR, as the Minister outlined, is both best practice and its adoption is a legal obligation on the part of the State. It is deeply concerning that the legislation that has been brought before this House does not fully reflect either best practice nor legal obligations. It is concerning that it has not incorporated, as the Minister acknowledged, many of the substantial important recommendations made by the committee during the pre-legislative stage.

The Bill crucially seeks to make exemptions for the State in respect of fines. In this the State is contravening good practice and the strong recommendation of both experts and the EU regulation. I note with concern that where there is a question of commercial concern, the undertaking question is dealt with, but is that to be of less concern, of less merit in terms of fines than the rights of individuals and their rights to their privacy? It is notable that we address the concerns of business in this regard but we do not address the concerns of individuals and their right to see a full and appropriate response to situations where their data are mishandled or breached. We do not have the important deterrent that needs to be there, bearing in mind that any moneys collected in fines are returned to the Exchequer and, therefore, they are not a loss to the State. It is unfortunate we are not placing that important imperative in terms of an individual's privacy on our public bodies.

Individuals will still have the right to seek material and non-material damages through the courts, and I am sure many of them will. If we have situations, for example, where 1,000 or 2,000 individuals suffer a breach in terms of their data, 1,000 or 2,000 cases may go through the courts. Aside from the pressures that may place on our courts system, there is also a very real concern. It is not appropriate that we, as a State, should consistently rely on individuals who may simply wish to identify a poor practice and have it dealt with but who would have only the courts as their key source of recourse in that regard. We are relying on individuals yet again to correct mistakes that we should be identifying at the legislative point.

However, a more serious concern is the exemptions which the State seems to make in terms of data processing. It is not only bad practice but is regarded by many legal experts as potentially illegal and leaves us open to potential EU court cases and penalisation. This will not be allowed to pass. This was made to the clear to the Department of Justice and Equality, and it was outlined during the pre-legislative scrutiny stage, but the Department has chosen to ignore this guidance and plough ahead with what is flawed in that regard.

In 2015, in the Bara case, the European Court of Justice found the Romanian Government to be in breach of the Charter of Fundamental Rights and the data protection directive. The fact that the Romanian state was compliant with its own Romanian legislation did not exempt it from facing sanction by the European Court of Justice. That is why the legislation we pass on data protection needs to be fully compliant with European law. There is not a middle ground where we can produce law which gives us, individuals or states, other options. That is also a very important issue here. The Minister mentioned the question of proportionate in the context of the GDPR, and it is a key point. There is no clear test of what is proportionate within the legislation. We need to have clear guidance as to what is a proportionate use of an individual's data in any situation.

Another important recommendation from the committee was that the GDPR and the data protection legislation should be the comprehensive means of dealing with this area. It would mean repealing a number of earlier Acts. As the Minister pointed out, the GDPR requires clear and accessible information in terms of legislation. We discussed at the Joint Committee on Employment Affairs and Social Protection earlier the fact that the Social Welfare Consolidation Act, which has been amended numerous times, does not meet the test of clarity in terms of an individual's privacy. That is also an issue that will arise.

Data protection is a hugely important and crucial area for the State to address. We debated at the joint committee earlier the issue of the public services card, the single customer view database and the issues of data protection in that respect. There are increasingly more examples of how individuals' and collective data uses can lead to great damage. We have seen significant breaches in that regard. For example, there was a situation in the Department of Employment Affairs and Social Protection recently where people's individual data were being sold for €27. Of course, that was a criminal act and has been appropriately treated. The joint committee heard about the case of an individual who had her pension withheld because she required and insisted on having the legal basis for her being obliged to get a public services card. That case was taken forward but the State then withdrew from it because it realised it could not adequately prove that legal basis. That is a serious concern and it is still not appropriate that individuals have to challenge and bring forward such cases. Let us try to address that issue at the outset.

Given the spirit underpinning the GDPR, when the Data Protection Commissioner, whose responsibility will intensify - that responsibility is deeply important and, as the Minister said, crucial to Ireland's compliance with the GDPR - indicated concern and initiated a section 10 investigation into the public services card, it was extremely concerning that the State ploughed ahead with making it obligatory in many areas, including potentially for people to access college, by denying them Student Universal Support Ireland, SUSI, grants. Those are very serious issues and contravene the spirit underpinning the GDPR.

I reiterate those points to stress we must take this issue very seriously. We will be putting forward amendments on Committee Stage. I regret we have not been given the time required for dealing with this legislation but I am sure we will have Committee Stage sittings to deal with it further.

I thank the Minister for his input. I also thank all the Members for obliging me by allowing me to contribute at this point.