Tuesday, 6 March 2018
Data Protection Bill 2018: Committee Stage (Resumed)
I will speak specifically to Sinn Féin's amendment, which is mild. It does not seek to restore the full, large-scale fines under the general data protection regulation, given that they include fines of 4% of income, turnover and all the rest. It would simply give a power to the commission. I do not believe the commission, as established under the Bill, would be acting frivolously if it were to choose to impose an administrative fine on a processor which was a public authority or body. We would not be triggering automatic fines which might be found to relate to private entities under the general data protection regulation. Nonetheless, we are seeking to ensure the commission would have an additional power to impose a fine where a public body or authority was flagrantly disregarding the general data protection regulation and had repeatedly been found to be in breach of it. That would be appropriate. Will the Minister speak specifically to that question? Is there a reason he believes the commission should not have the power to impose an administrative fine on a controller? I am sure caveats that the commission would act in accordance with due diligence and that there would be proportionality, a necessity to do so and all the rest could be added. It could even be seen as a measure of last resort that would be triggered after multiple breaches of data protection rights.
I am also concerned about where public authorities and bodies are considered to be undertakings. The concern is that the private sector should not be disadvantaged where the public sector acts as an undertaking. However, a division has perhaps been inadvertently opened between those public sector bodies which are acting as undertakings and those which are directly delivering public services. We will see some public authorities being held to adhering to a higher standard than others? That is a concern. Will the Minister address these two points?