Thursday, 8 February 2018
Data Protection Bill 2018: Second Stage
I welcome the Minister to the House and assure him we will try to work constructively and positively with him and his officials on what is at its heart very important legislation. We will table a number of amendments on Committee Stage. The Minister will expect me to reiterate comments made by colleagues on the speed with which the legislation has come to Second Stage. There has only been a week between its publication and this Stage of the Bill. It is not the optimal way of dealing with legislation and important and substantial issues. That has been said so I will not over-egg the pudding but it is an issue that merits being mentioned.
I support Senator Conway in his request in regard to the briefing on Monday. If there is an opportunity, the Minister might explore the possibility of it happening on a sitting day.
Sinn Féin will not oppose the passage of the Bill to Committee Stage. We acknowledge there is a need to complete this work by 25 May but we have some serious reservations regarding significant sections of the Bill. We are not alone in that. If they are not addressed we may not support the passage of the Bill into law. In particular we are concerned about the far-reaching exemptions in section 54. In that section, the Minister has allowed himself a ministerial power which we do not believe would pass the proportionality test set out in the landmark case on delegated powers in Cityview Press v. An Chomhairle Oiliúna.
The Bill partially emanates from the general data protection regulation, GDPR, which is a regulation through which the European Parliament, the Council of Europe and the European Commission attempt to strengthen and unify data protection for all individuals in the European Union. The general data protection regulation is essentially a minimum standard expected of each member state on the threshold and rights afforded to citizens of member states and the data protection of individuals within those states. Much of it has direct effect. Some elements require legislation as there is a margin of appreciation in how jurisdictions apply them. The age of digital consent, which can be 18, is 13 in this legislation, which we welcome, as all young people's advocacy groups do.
Some of the Bill relates not to the regulation but to a related directive. Ireland has not been in compliance with EU data retention law since the Tele2-Watson case, which is significant. We have been in breach of EU law since late 2016. I am not entirely sure - the Minister might refer to it - whether this legislation rectifies that. We have observed one of the pitfalls in the protection of data protection officers from the interference of a data controller who aims to suppress a release of information on the basis that despite its release being in the public interest, it is not in the interest of a data controller for a variety of reasons that anyone can imagine. The lack of protections or avenues for addressing these concerns for such an officer is an oversight and a flaw in the Bill and the general data protection regulation. As recently as yesterday my party met with officials from the Minister's office and although they pointed to general law having already covered the potential for this, it would be beneficial for specific protections to be explicitly stated in this context. Committee Stage is the optimal time to deal with them.
The manner of the drafting is not ideal or clear. After the Bill has been passed, there will be a need to consult three Acts, the general data protection regulation and any other relevant European instruments in order to be aware of the legal position. It would have been better, clearer and more comprehensible for the provisions of the Data Protection Acts 1998 and 2003, which are still required, to have been put into this Bill and for those Acts to have been repealed in their entirety. There is potential for confusion and possible litigation.
Another gap is that the Bill does not include the requirement under Article 81 of the directive that not-for-profit groups can bring actions on behalf of data subjects. The general data protection regulation also envisaged a form of multi-party action akin to a class action but there is nothing on it in this Bill. The Sinn Féin Multi-Party Actions Bill, which would cover it in a wider sense, goes to pre-legislative scrutiny in two weeks. I hope the Minister will get a money message so it can proceed to enactment as soon as possible. It will be relevant not only from a data protection point of view but also in a number of areas including the tracker mortgages injustices. Significantly, it has disregarded the recommendation of the Oireachtas Joint Committee on Justice and Equality on section 136(3), under which the Government is still trying to exempt public bodies from fines for breaching data protection rights of citizens.
I will not indulge in repetition. This is vast and very important legislation. We approach it with a positive and co-operative frame of mind and I hope we have responsible and co-operative engagement on Committee Stage.