Thursday, 8 February 2018
Data Protection Bill 2018: Second Stage
I thank the Minister for coming to the House. I will start with the concluding paragraph of his report to us. He knows better than anyone else that this is very complex legislation, but, at the end of the day, it is both important and necessary. As he says, it is lengthy and complex. I acknowledge the Oireachtas Library and Research Service which has provided a very comprehensive digest on the Bill. I acknowledge its amazing support of the work we do in both Houses of the Oireachtas.
The Minister touched on a number of issues and spoke about acknowledging the work done in the pre-legislative scrutiny process and adopting many recommendations arising from it. From the digest we know that 12 of the 18 recommendations made were not included in the Bill. It is very important work, if the Minister has not seen it. I do not propose to read all 18 recommendations, although I see the Minister has the digest; I never doubted that he was one of the wiser men. That assists me because I can refer to the relevant pages of the digest. A red light was given to 12 of the 18 recommendations made. I do not propose to read all of them, but I want to draw the Minister's attention to two.
Recommendation No. 14, on page 16, deals with administrative fines. It states: "The Committee recommends that fines be administered to public bodies in breach of the new data protection legislation, where appropriate, to encourage compliance with data protection provisions in the new legislation". The second recommendation to which I wish to refer is No. 15 which is critical and deals with the right to receive compensation. I am not in the business of slapping people on the wrist - I do not think the Minister is either - and saying they have been bad and should not do something again, but there have to be sanctions. If this is to be meaningful, they have to apply across the board. I know the differences between the various authorities, on which I will touch, but recommendation No. 15 is: "The Committee recommends that an explicit right to compensation be outlined in the new legislation for breaches of data protection provisions. A consultation with the DPC, Office of the Attorney General, the European Commission could assist in the drafting of such a provision".
They are two reasonable and effective ways to deal with issues. I am aware of the subtle difference in the public authorities as defined in the legislation, which definition includes Ministers, Departments, regional assemblies, local authorities, An Garda Síochána and persons holding office established by statute. Are we saying those holding very sensitive information will not be subject to monetary sanctions? Will there be no compensation if there are breaches? If that is what the Bill states, it has huge shortcomings which I want to confirm. As the Minister knows, I am a member of the Independent group in the Seanad. We will bring forward a series of amendments based on this. The legislation, not me or the Minister, defines public bodies as State-owned companies formed under the Companies Act 2014 or its predecessors. There is a difference between public authorities and public bodies. I flag this as a concern because many public bodies hold extremely sensitive information and if they go wrong, how will we sanction them? That is a really important issue.
On the processing of special categories of personal data, what I call sensitive personal data, although the word "sensitive" is not used, there is always the issue of consent, which is very important. Chapter 2 in Part 3 of the Bill, sections 39 to 49, inclusive, provides details of the rules for the processing of special categories of personal data, defined under section 2. As previously noted, these categories include data which identify a person's racial origin, political or religious views, genetic data and sexual orientation or activities. We need to look at that issue and be careful It highlights the sensitivity of certain data which are being kept.
The Bill goes on to talk about exemptions. Data collected by political parties, office holders, candidates or bodies in the course of elections are exempt. The Minister will be familiar with what is called a marked register which politicians can seek. What can we glean from a marked register? There are many assumptions, but we can tell if there is only one person registered in a home. Therefore, it does not take much to say Mary Bloggs is female if she is the only person in a home. The cumulative effect of bringing all of these data and political affiliations together is highly sensitive and they could be abused. I would like to think that, when bringing forward legislation, we would bring forward legislation on how we conduct ourselves as politicians. At some point in the future I want to home in on the data held by politicians for electoral registers. Can a person opt in or opt out? There are certain areas and categories out of which a person can opt out and certain ones out of which he or she cannot do so. That goes from the top of this House to the bottom and relates to how we deal with our own data in the Oireachtas. We need to get it right and be clear. We need to reassure people outside on how we are handling those data in a responsible fashion. I am not saying we are not but that we need to focus on it. If we are bringing forward legislation, we need to bring it forward for everybody and be fully compliant with it.
I have covered the issue of public bodies and local authorities. I am not happy with that provision which we could strengthen. I will not go on at length because I am conscious and have already told the Minister that we will bring forward amendments, but I want to work with him, which is very important. It is a matter of getting it right and having good legislation. The Taoiseach said last week that he wanted Senators to be actively involved in polishing and being active in dealing with amending legislation. He saw it as a critical role in our work here and I agree with him. I thank the Minister's Department for agreeing to have its representatives come to Leinster House next Monday for a briefing on aspects of the Bill. That is helpful because it will help Members to understand it. It is complex legislation which I want to support in principle.
The Minister makes the valid point that Article 8 of the European Charter of Fundamental Rights provides simply for everyone having the right to protection of personal data. I agree and hope he will consider accepting some amendments. This legislation is necessary, but it has to be equal across all sectors of society. I will wrap up by saying we must have sanctions for everyone involved. There must be no exemptions in the imposition of fines and sanctions.