Alice-Mary Higgins (Independent) | Oireachtas source

The Tallinn Declaration is a declaration, whereas the GDPR is law. They are quite different. The GDPR takes significant precedence on the hierarchy of priority. I suggest that in invoking the once-only principle, the Minister of State has given the Tallinn Declaration an equivalent status. However, it is not in any way equivalent to the necessity and proportionality test we now have under the GDPR.

Convenience, as represented by the once-only principle, is not a ground that stands on its own in fulfilment of the requirements of necessity and proportionality. That has been determined by the highest courts. That the case involved a private body rather than a public body is not pertinent in this context because it is a matter of necessity and proportionality. I am not challenging the grounds we already have regarding a public body's performance of its functions, a large number of which are set out in section 12. I refer to more effective delivery, etc. All of those grounds relate to a benefit to the individual data subject whose data this is, who owns this data and whose benefit has to be paramount. Those are the other circumstances.

Perhaps it is misleading to refer to this as just one of many purposes. Only one of these categories is needed to justify the protection of data sharing. All that is needed is to have the function and the fact of it being administratively and financially convenient or less burdensome to the public body, rather than to the individual. The Bill that is being proposed is not a matter of convenience to the individual - it is a matter of convenience for the public body. Again, that is going away from the principles of the Data Protection Acts and the principles of benefit for the individual and, where possible, choice for the individual.This incompatibility has not been addressed.

There is a reason that these provisions are included in the GDPR. It has not been done to make life difficult for anybody but to achieve a balance. We see in Hungary and other parts of Europe examples of states where there has been overreach by public bodies. It is appropriate that checks and balance apply regarding how public bodies share data of citizens among themselves. There are times when data sharing is merited and times when it is questionable. The grounds provided are so wide that almost any data sharing of individuals' data among public bodies will be possible. The backstops are not really relevant. They relate to the process of checking, but the initial data sharing agreement needs to be on a legal basis. What is proposed in this section - a financial and administrative burden on the public body - is not a legal basis that satisfies the criterion that the data sharing be necessary and proportionate. It is simply not legal and does not meet that standard. I ask the Minister of State to re-evaluate the section. Regardless of what the Data Protection Commissioner or any other body may say down the line, the starting point must be to operate from a basis of legal compatibility with the relevant laws, not simply declarations.