Charles Flanagan (Laois, Fine Gael) | Oireachtas source

Arising from the rather lengthy discussions we had on Committee Stage, I again recognise the strongly-held views of Senators on this issue. Arising from the discussions we had, I am, therefore, tabling amendment No. 9, which provides for a new subsection (3) for a review of the digital age of consent no later than three years after the entry into force of this section. Amendment No. 8 in the name of Senators McDowell and Boyhan proposes that the age of 13 years be replaced by 16 years. I am unable to accept that for reasons we elaborated on during the last occasion that were referred to by Senator McDowell earlier. I still remain of the view that the digital age of consent should be set at 13 years but that we should build in the review within a period of three years.

Regarding amendments Nos. 10 and 11, Senators Ruane and Higgins tabled similar amendments on Committee Stage. I saw the opportunity at that time to reflect on these amendments. Arising out of the consideration given, having particular regard to the matter of children and taking into account the direct effect of the GDPR on our law, I propose amendments Nos. 12 and 13 as alternatives. Amendment No. 12 introduces a completely new section 31 on the matter of codes of conduct and children. It provides for a code intended to contribute to the proper application of the GDPR with regard to the following specific areas, namely, the protection of children, the information to be provided by a controller to children, the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8 and integrating the necessary safeguards into processing to protect the rights of children in an age-appropriate manner for the purposes of Article 25. Putting an EU-wide code of conduct in place will have a great advantage in so far as it will provide protection for children irrespective of the location of the controller or processor.

I should point out that the Minister can have no role in the process of making regulations because any such involvement would cut across both the independence of the data protection commission and the role given to the new European Data Protection Board under the GDPR. I make this point in response to Senator Higgins's later comments that the independence of the data protection commission needs to be acknowledged and appreciated at every remove. There is no role for the Minister in the process of making regulations that could well have the effect of interfering with, disrupting or indeed undermining the role of the data protection commission, having regard to the role it has in law. The first step is that the data protection commission will use its powers to encourage controllers targeting children with goods and services to draw up and then submit a draft code. Second, the commission will provide an expert opinion on whether the draft code complies with the GDPR. If it does not, it will immediately go back for adjustment. Where the code relates to processing within the State only, the commission will register the code and publish it and it will apply within the State. If the code relates to processing of children's data across several member states, for example, a draft code prepared by Facebook and other social media would also relate to processing in other member states, the commission will be obliged to refer it to the European Data Protection Board, which is made up of representatives of the supervisory authorities of all member states, for its approval. The board will have the power to seek require further adjustments as may be necessary and appropriate. Where the European Data Protection Board is satisfied that the code is GDPR-compliant, it will submit its opinion to the European Commission. The European Commission can then adopt a formal implementing act, which will give the code legal validity right across the EU.

This new section makes provision for consultations with children, bodies that represent their interests, holders of parental responsibility over children and the Ombudsman for Children's Office. I believe that their input will ensure that all relevant matters are taken into account and that children will enjoy a level of data protection that takes full account of their needs, status and vulnerability. I believe that it is worthwhile developing a statutory code that will have the force of law across the European Union, thereby protecting all children irrespective where they live in the Union and the state in which they might reside.

Amendment 13 introduces a specific right to be forgotten for children. I acknowledge the initiative on the part of Senator Ruane in particular and Senators Higgins, McDowell and Boyhan. The right to be forgotten was also recommended by the joint committee in its report during pre-legislative scrutiny of the Bill. This will strengthen the right of children to erasure of any data collected during the provision to them of information society services referred to in Article 8.1 of the GDPR. I am unable to accept amendments Nos. 10 and 11 in the names of Senators Ruane and Higgins. I say that with confidence that these are matters which can be covered by the codes under the new section 31 that I have proposed.