Deirdre Clune (Fine Gael)
Link to this: Individually | In context | Oireachtas source

I wish to ascertain the steps being taken to ensure that personal data is afforded a greater level of security on the Internet. This question is exercising many people at this point and the Edward Snowden scandal was a wake-up call with regard to what can happen with the sharing and usage of data for inappropriate purposes. It is again a question of what is inappropriate, which is anybody's guess. I make a distinction between information provided for security reasons and that which relates to personal data. A European Commission survey confirms 72% of Europeans do not feel in control of the data they have disclosed on social network sites and 90% indicate that having their data protection rights respected whenever data is collected or processed is very important. That is clear.

Since the Snowden affair we have heard from Commissioner Reding that she has put strong rules on the table that will ensure companies offering products and services to European customers will have to play by European rules, even if the companies are based in the US, Asia, India or anywhere else. National data protection authorities will be able to sanction firms that violate the rules. There is a difference between how the US and EU, for example, regulate data privacy, and that has been recognised for a long time. In the US, data can be processed unless the act is specifically prohibited but in the EU, personal data cannot be processed unless the task is specially authorised. There is a difference but companies outside the EU work here under the guise of guidelines and self-regulation; we need to get to a point where companies outside the EU but operating within the Union and providing services abide by EU regulations, laws and rules rather than those from the home country.

It is an important issue and Commissioner Reding has indicated strong rules have been put on the table to control the matter. Will the Minister of State detail Ireland's view on this and how we will move forward in the area? We have guidelines and proposals from Commissioner Reding but we need to act swiftly to give users of the Internet confidence that their personal data is not being used or abused for services they do not want. I accept that information is needed for security reasons in the fight against terrorism - we all need to feel safe and secure on our streets - but private data can be used by companies for reasons other than that for which it was surrendered in the first place. We need to move swiftly, as the media reaction following the Snowden affair has alarmed many people and suggested that private data is not secure.

Dinny McGinley (Donegal South West, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I am standing in for my colleague, the Minister for Justice and Equality, who is unavailable. At the outset, I thank Senator Clune for raising this important subject, which is relevant to all of us who use the Internet, whether for commercial, personal or leisure purposes. By way of introduction, I should state that general issues of Internet security are matters for the Minister for Communications, Energy and Natural Resources and his Department, whereas data protection policy falls within the area of responsibility of the Minister for Justice and Equality.

Communication networks and information systems have become an essential component of both our economic systems and social life. All of us here today have witnessed an information technology revolution in our lifetimes, and the pace of change shows no sign of slackening. Electronic communication systems and networks have become necessary utilities almost the same as electricity or water supplies. The security of those networks and information systems is therefore a matter of utmost concern, not only for business but for individual citizens. Security breaches, whether they arise from accidental loss, mistakes or unauthorised access such as hacking, pose a threat for businesses and for individuals alike. They also put at risk the trust and confidence of users of the Internet services which are essential to the continued development of the digital economy and the economic growth and job creation potential of this dynamic sector.

The threats to Internet security are continuously changing. The European Union has reacted by establishing the European Union Agency for Network and Information Security, ENISA, to raise awareness of network and information security and to develop and promote a culture of network security in society for the benefit of citizens, consumers, businesses and public sector bodies. It also assists member states in enhancing and strengthening their capability to prevent, detect and respond to network and information security breaches. Specific safeguards for the protection of personal data, which also apply in respect of the processing of such data in the Internet context, are also in place at European Union level. I would like, on behalf of the Minister for Justice and Equality, to take this opportunity to briefly set out the background.

The centrepiece of existing EU legislation on personal data protection is Directive 95/46/EC, which seeks to reconcile the protection of personal data with the free flow of such data within the Internal Market and to countries outside the EU. It has been transposed into Irish law in the Data Protection (Amendment) Act 2003, which supplements the Data Protection Act 1988. This legislation requires all those handling personal data to take appropriate security measures against unauthorised access to, or unauthorised alteration or disclosure of, the data, in particular where processing operations involve the transmission of such data over a network. In determining what is appropriate in any particular case, account must be taken of the risk of harm that might result from security breaches and the state of technological development and costs of implementation. These security measures also apply where data are transferred to a destination outside the European Union.

The 1995 data protection directive has been supplemented by other more specific legislative measures, such as the e-privacy directive which applies to providers of publicly available electronic communications services, namely, telecom providers and Internet service providers. This directive requires such companies to take appropriate measures to safeguard security of their services and to protect the confidentiality of communications and related traffic data. In January 2012, the European Commission tabled proposals for a reform of the current data protection framework and these proposals are currently being discussed separately in the Council of the European Union and in the European Parliament. These proposals, if implemented in their current form, would provide substantial extra protection for the privacy of citizens across Europe.

It is generally recognised that the 1995 directive's standards need to be updated to take account of more recent developments such as the increased usage of mobile phones, cloud computing, social networking and increasing globalisation of data transfers. Key features of the existing legislation, including the need for appropriate security measures, remain part of the reform agenda. The proposed regulation's enhanced data protection standards will, when agreed, apply directly in all member states without the need for transposing national legislation.

Achieving progress on the reform proposals was a priority of the Irish Presidency and I am pleased that substantial progress was achieved on key aspects of the reform package. The reform proposals remain a priority for the current Lithuanian Presidency. A detailed debate on an important aspect of the reform proposal took place at a meeting of the Justice and Home Affairs Council in Luxembourg yesterday, which the Minister attended and participated in. However, it is not possible to predict when agreement between the Council and the European Parliament can be reached.

Deirdre Clune (Fine Gael)
Link to this: Individually | In context | Oireachtas source

I am glad that the issue was on the Council's agenda yesterday. I am sure the issue I have raised about companies from outside the European Union that are operating here not being subject to as strict regulation as companies from within the Union will be addressed in the detail of the proposals. We will progress that issue again.