Thursday, 8 February 2018
Data Protection Bill 2018: Second Stage
I am pleased to have the opportunity to launch the Data Protection Bill 2018 in Seanad Éireann. I look forward to hearing the contributions of Senators and I hope they will support this important Bill. My officials are available to any Member who wishes to receive a detailed briefing on technical aspects of the legislation. In this regard, a more formal briefing will be provided for Senators on Monday morning next and I hope, if it is convenient, they will avail of the opportunity to attend. I thank the Members of the House who undertook the pre-legislative scrutiny work in their capacity as members of the Oireachtas Joint Committee on Justice and Equality. In a nutshell, this legislation will introduce stronger rules on data protection. People will have more control over their personal data and businesses will benefit from a level playing field. Members of this House will no doubt be aware of the general data protection regulation, generally referred to as the GDPR, of which there has been a great deal of debate both in Ireland and across the European Union. The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. It does not apply to data processed by an individual for purely personal reasons or for activities carried out in a person’s home provided there is no connection to a professional or commercial activity.
The GDPR is a significant regulation and this Bill will give further effect to the GDPR as well as transposing the accompanying law enforcement directive into national law. Furthermore, it will establish the data protection commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the directive must be transposed into national law by early May. Accordingly, I am hopeful that with the support of both Houses, this Bill will be signed into law and enter into force next May alongside the GDPR. I believe that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age.
I am conscious that many people may be inclined to switch off at the mention of data protection because they see it as a technical issue, an issue that does not concern them directly. That would be a mistake for the simple reason that the updated data protection rules entering into force in May next will affect all of us in one way or another. It will affect each of us as individuals because it will increase our control over the manner in which, and the purposes for which, our own personal data is used. It will affect businesses, be they large, medium or small, because it will require them to review and update the manner in which they collect, use or store the personal data of their customers, clients or any other individual whose personal data they retain. The same applies to Government Departments and public bodies.
The simple fact is that data protection law has not kept pace with the many technological advances and new business models such as cloud computing that have emerged in recent years. Our current data protection law, which is based on the EU's 1995 data protection directive, predates mass Internet usage, hand-held devices, apps, games, social networking and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR in May next. However, the GDPR's provisions will strengthen our control over our own personal data and the purposes for which it may be used.
Increased transparency is essential to increased control. In future, all information must be provided in a concise, transparent, intelligible and easily accessible format using clear and plain language. It will no longer be acceptable to direct users to terms and conditions written in legal jargon. The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase but will do so in a measured and proportionate manner. The compliance burden will increase for some but that will be proportionate to risks to the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. By proportionate, I mean that for SMEs where data processing is not a core part of the business and where the company's activity does not create risks for individuals, some obligations of the GDPR will not apply, for example, the appointment of a data protection officer, DPO. The new obligations will inevitably pose a greater challenge for bodies, be they in the public or private sectors, that specialise in data processing and for those handling, for example, customers' financial data or patients' sensitive health data.
While large companies have been gearing up for the entry into force of the GDPR for some time, it is likely that the SME sector and micro-enterprises will continue to require assistance and support during the coming period of adjustment. Awareness-raising activities have been under way for the last year and a half involving conferences, seminars and workshops and those activities will continue. The Minister of State, Deputy Breen, who has special responsibility in this policy area, has been very active in promoting awareness of the changes to come and I know he has an ambitious schedule planned for the coming months. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner's web page www.gdprandyou.ie. It contains a wealth of useful information and practical guidance for both business and individuals.
High data protection standards are in everyone's interests, including the interests of business. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the EU. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. In this context, it is worth remembering that exports are a critical aspect of our strong economy. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government's online services.
To make the enhanced protections meaningful, public and private enforcement of data protection law is set to increase. The data protection commission will in future have stronger supervisory and enforcement powers as well as a broader range of sanctions at its disposal, including the possibility of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase resulting in higher levels of private enforcement activity.
This Government is committed to achieving the full potential of the digital economy and its capacity to promote innovation, create jobs and boost economic activity in the State. We already host many of the world's leading digital companies and they provide their services well beyond our shores. That number will increase in the future. The GDPR, together with the provisions of this legislation, will ensure that data processing involved in the provision of these services will meet the highest data protection standards and the establishment of the data protection commission will ensure effective supervision and enforcement of these high standards.
Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the EU on 25 May 2018. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, requires to be transposed into national law by 6 May 2018.
Both the GDPR and the directive have a legal basis in Article 16 of the Treaty on the Functioning of the European Union and provide for significant reforms to current data protection rules based on the EU's 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations.
The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the EU thereby providing a level playing field for all those doing business in the EU digital market. The European data protection board, a new entity that will replace the current advisory committee and that will be made up of representatives of the data protection authorities of all member states, will play an important role in this respect.
At the heart of both the GDPR and the directive is a risk-based approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure and, importantly, to be able to demonstrate that its processing of personal data complies with the new data protection standards. I would remind Senators that the terms "controller" and "processor" apply to us too. Those of us involved in the handling of constituents' queries, requests and representations are data controllers. Any operator of an off-site storage facility for files containing personal data is a processor. This is an issue for the Oireachtas in a most direct way.
For the purposes of assessing the nature, level and likelihood of risks to the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the data protection commission will be mandatory.
The GDPR and the directive place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards in order to protect against data breaches, such as unauthorised or unlawful processing and accidental loss, destruction and damage. The GDPR and the directive impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a data protection officer with responsibility to oversee data processing operations and to report data breaches to the relevant data protection authority. The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual's consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called legitimate interest ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity.
The GDPR and the directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of member states, including the future data protection commission. The GDPR provides for the possible imposition of substantial administrative fines of up to €10 million, €20 million or 2% or 4% of total worldwide annual turnover in the preceding financial year. I will return to the fines issue shortly.
The liability of controllers and processors will be broadened to include non-material damage such as distress. In future, an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.
I will turn to the purpose and structure of the Bill. The key purposes of the Bill are as follows: to give further effect to the GDPR in the areas in which member state flexibility is permitted; to transpose the directive into national law; to establish the data protection commission as the State's data protection authority with the means to supervise and enforce the protection standards enshrined in the GDPR and directive in an efficient and effective manner; and to enact consequential amendments to various Acts that contain references to the Data Protection Acts 1988 and 2003.
The Bill, which is lengthy and complex in nature, comprises the following parts. Part 1, comprising sections 1 to 8, inclusive, contains a number of standard provisions, for example, citation, commencement and definitions. Section 7 makes provision for repeals while section 8 defines the residual scope of the 1988 Act.
Part 2, comprising sections 9 to 27, inclusive, establishes the data protection commission to replace the Data Protection Commissioner as the State's data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the directive. Establishment of the commission, comprising at least one and not more than three commissioners, is a future-proofing provision to allow, should the need arise, for the appointment of additional commissioners in response to an increased commission workload.
Part 3, comprising sections 28 to 55, inclusive, gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the regulation gives member states a margin of flexibility. In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations in due course.
Part 4, comprising sections 56 to 62, inclusive, contains a number of provisions that are consequential on replacement of the Data Protection Commissioner with the data protection commission. The intention is to provide for a smooth and frictionless transition from current arrangements to the new structure.
Part 5, comprising sections 63 to 99, inclusive, transposes the law enforcement directive's provisions into national law. Part 6, comprising sections 100 to 151, inclusive, contains provisions dealing with enforcement of the obligations and rights set out in the GDPR and directive by the data protection commission. The intention is to ensure effective supervision and enforcement mechanisms, together with the necessary procedural and due process safeguards. Part 7, comprising sections 152 to 157, inclusive, contains a number of miscellaneous provisions mainly concerning the application of data protection rules to the courts and a number of related legal matters. Part 8, comprising sections 158 to 162, inclusive, contains consequential amendments to a number of Acts.
As regards substance, the explanatory and financial memorandum that accompanies the Bill contains much detail. I do not intend, therefore, to delve into all of the Bill's provisions. However, I wish to take the opportunity to highlight a number of issues and, in particular, to refer to Part 5, which transposes the law enforcement directive into national law.
Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003. While Article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant Court of Justice case law by the Office of the Attorney General has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State.
While national security and defence lie outside the scope of EU law, the Council of Europe's 1981 data protection convention - Convention 108 - contains provisions that apply to data processing for these purposes. The process of updating and modernising this convention is under way in Strasbourg, but that process has not concluded. Pending the updating of Convention 108, section 8 proposes to confine the scope of the Data Protection Act 1988 to data processing in the context of national security, defence and the international relations of the State. On completion of that process, it will be possible to update the content of this legislation by means of an amending Act and to repeal the 1988 Act. All key data protection standards will then be found in a single consolidated Act.
The GDPR contains a "consistency mechanism", or so-called one-stop-shop, which is intended to streamline the handling of data protection infringements and complaints across the EU. For this purpose, it employs the concept of a lead supervisory authority, that is, the data protection authority of the member state in which a controller's "main" or only EU establishment is located. It means that complaints will be investigated by the data protection authority of that member state irrespective of the member state of origin of the complaint. That data protection authority may request assistance from other authorities for investigation purposes, but the initial decision as to whether an infringement has occurred or is occurring will be the responsibility of the lead authority.
Before arriving at any final decision in cross-border cases, the lead authority must submit a draft decision to the other data protection authorities that have an interest in the case for their views and must have regard to any objection received from them. If there are remaining objections to a revised draft decision, it may trigger a referral of the case to the European Data Protection Board, EDPB, which comprises representatives of all supervisory authorities, for a binding decision. The EDPB will make a binding decision by majority vote, which may or may not coincide with the revised draft decision of the lead supervisory authority.
This mechanism has a special significance for Ireland, since many multinational companies that provide digital services across the EU and beyond have their headquarters here. This means that the data protection commission and its handling of cross-border complaints will be the focus of particular and sustained attention across the EU.
This is the backdrop to the proposals in Part 2 of the Bill to establish a data protection commission with at least one but not more than three commissioners. While there are no specific plans at present to increase the number of commissioners, significant levels of additional financial and staffing resources have been allocated to the Office of the Data Protection Commissioner in recent years in order to prepare for the expected workload increases following the entry into force of the GDPR and this legislation. Staff resources have trebled from 30 in 2013 to more than 90 currently. Additional funding of €4 million in 2018 will bring the overall budget to approximately €11.7 million, which will facilitate the recruitment of additional staff, bringing the total to in or around 140.
In order to underline and further enhance the independence of the commission as required by the GDPR and Court of Justice case law, the commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 156, respectively. Commencement of these provisions will take place when the necessary procedures for a separate Vote are in place.
Article 8 of the GDPR specifies a "digital age of consent" of 16 years but allows member states to lower it, but not below 13 years.
This means that where information society services are offered directly to children, the processing of a child's personal data will be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child. In such cases, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child.
In late 2016, my Department launched a consultation process and invited submissions from interested parties on the digital age of consent to apply in this jurisdiction under Article 8. The Government Data Forum, which brings together legal and data protection experts and business representatives from SMEs and multinationals, in addition to sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents, including the Office of the Ombudsman for Children, the Internet Safety Advisory Committee and the Children's Rights Alliance, recommended setting the digital age of consent at 13 years.
When appearing before the Oireachtas Joint Committee on Justice and Equality for the pre-legislative scrutiny of the general scheme of the Bill last July, the Special Rapporteur on Child Protection, Dr. Geoffrey Shannon, also recommended setting the digital age of consent at 13 years. This recommendation was adopted by the committee in its report, published last November.
The Government considers that a digital age of consent of 13 years represents an appropriate balancing of children's rights, namely, a child's right to participation in the online environment and a child's right to safety and protection, rights that are enshrined in the UN Convention on the Rights of the Child. Provision is made for that in section 29.
As regards preventive or counselling services provided for children, subsection (2) clarifies that such services are excluded from the scope of Article 8. The legal advice available to the Department points to the risks of attempting any definition of such services. Any inadvertent exclusions could risk the termination of preventive or counselling services already being provided for the benefit of children under 13 years.
I fully support the recommendation of the joint Oireachtas committee for consultation with children in regard to data protection measures. Article 57 of the GDPR requires data protection authorities, such as the Office of the Data Protection Commissioner, to promote public awareness and understanding of the risks, rules, safeguards and rights in regard to data processing, and it states activities addressed specifically to children must receive specific attention. Adequate consultation with children in regard to the content of such activities will be necessary and appropriate.
I also support the committee's recommendation that education programmes be implemented to assist children in exercising their data protection and digital rights. In this context, I want to draw attention to the webwise initiative webwise.ie, operated by the Professional Development Service for Teachers, which promotes online awareness and safety objectives. My Department provides funding to webwise.ie and I am working with the Minister for Education and Skills, Deputy Bruton, the Minister for Children and Youth Affairs, Deputy Zappone, and the Minister for Communications, Climate Action and Environment, Deputy Naughten, on the broader issue of child safety online.
Article 23 of the GDPR makes provision for possible restrictions on the exercise of data subject rights in order to safeguard the important objective of general public interest, some of which restrictions are set out in paragraph 1. It specifies that such restrictions must comply with three conditions: they must be in a legislative measure; they must respect the essence of the fundamental rights and freedoms of individuals; and they may not exceed what is necessary and proportionate in a democratic society.
The need to apply restrictions on the exercise of data subject rights might arise, for example, where a regulatory body, such as the Legal Services Regulatory Authority or the Medical Council, is examining a complaint regarding fitness to practice or an allegation of improper conduct. It could also arise where the Health and Safety Authority is investigating a workplace accident. The objective in such cases is not to set aside permanently the data protection rights of individuals concerned but, rather, to protect the investigation or examination from access requests or requests for rectification or erasure of personal data so that the investigation or examination can be brought to a conclusion and appropriate action can be taken.
Section 54 of the Bill provides for appropriate restrictions in order to safeguard a range of important objectives of general public interest, such as avoiding obstructions to any official or legal inquiry, investigation or process. Such public-interest objectives also include Cabinet confidentiality, judicial independence, parliamentary privilege and legal privilege. Any such restrictions must be set out in law or in regulations under subsections (6), (7) and (8), and the regulations must comply with subsection (10), which requires one to respect the essence of the right to data protection, and restrict the exercise of data subject rights only in so far as is necessary and proportionate in a democratic society. Similar safeguards apply in the case of restrictions on data subject rights under Part 5. These are provided for in section 89.
Article 57 of the GDPR confers a broad range of corrective powers and sanctions on the data protection authorities, including the Office of the Data Protection Commissioner. These range from issuing warnings or reprimands to ordering public or private bodies to facilitate the exercise of data subject rights and to bring their data-processing operations into line with data protection law. The commission will also have the power to impose a temporary or permanent ban on non-compliant processing operations. Data transfers to third countries may be suspended if data protection standards applicable there are considered inadequate by the European Union. All of these corrective actions, including prohibition orders, apply equally to the public and private sectors.
Article 83 of the GDPR provides for the imposition of administrative fines for infringements, including data breaches. It states each member state may lay down the rules on whether, and the extent to which, administrative fines may be imposed on public sector bodies. While the possibility of imposing such fines on Departments, public authorities and public bodies could have a deterrent effect, it would also reduce the funds available to such bodies for the provision of important services to the public. Any deficit arising from the payment of fines would be likely to lead to demands for replacement funding by means of a supplementary budget. This could result in a wasteful, circular flow of funding. On the other hand, the Government recognises that non-application of administrative fines could create competition distortions in those areas in which public and private bodies operate in the same market, for example, public and private hospitals, and public and private transport providers.
To ensure fair and equitable trading conditions, section 136 of the Bill provides that administrative fines may be imposed on public bodies when they act as "undertakings", that is, when they are providing goods or services for gain in competition with private bodies. This will ensure fair competition between the public and private sectors in the provision of goods and services.
Part 5 of the Bill, containing sections 63 to 99, inclusive, transposes the law-enforcement directive into national law. Chapter 1 contains relevant definitions — section 63 — and outlines the scope of this Part — section 64. It applies to data processing carried out by public authorities and bodies for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or the execution of criminal penalties. While it will apply in the main to bodies operating within the criminal justice system, its provisions will also apply to administrative bodies such as the Health and Safety Authority and other authorities, such as fire authorities, when they are engaged in the investigation and prosecution of offences.
Chapter 2 contains provisions outlining the general principles of data protection. I refer to section 65. The principles are broadly similar to those in the GDPR. Also outlined are the following: the need for adequate security measures in section 66; conditions applicable to the processing of special categories of personal data in section 67; and standards applicable to data quality in section 68.
Chapter 3 outlines the obligations on controllers and processors when acting within the scope of Part 5. These are broadly similar to obligations set out in Part 4 of the GDPR, including: the need for appropriate security standards; reporting of data breaches to the Office of the Data Protection Commissioner; the need for contracts with processors; the carrying out of data protection impact assessments; and, in certain cases, mandatory consultation with the Office of the Data Protection Commissioner. Section 76 imposes a specific requirement on controllers and processors to create and maintain data logs, which must record consultation and disclosures of data in automated processing systems. All public authorities and bodies must designate a data protection officer.
Chapter 4 specifies the data protection rights of individuals. These include rights in regard to automated decision-making, section 84; the right to information, section 85; the right of access, section 86; and the right to erasure and rectification of personal data, section 87. Section 89 outlines the grounds on which the exercise of data subject rights under this Part may be restricted in whole or in part. Where exercise of a data protection right is restricted, the data subject may seek indirect exercise of that right through the Office of the Data Protection Commission, section 90.
Part 6 contains detailed provisions that deal with supervision and enforcement of the general data protection regulation, GDPR, and the data protection standards set out in Part 5. These include provisions for the handling of complaints received by the commission, the carrying out of detailed investigations, and the imposition of sanctions.
I want to mention the report on pre-legislative scrutiny of the draft Bill submitted by the Joint Committee on Justice and Equality. I wish to thank the joint committee for its work and recommendations, many of which have been taken on board in the Bill before us today. I have already referred to a number of areas where it has not been possible to adopt the committee's recommendations. I also take this opportunity to thank the many other stakeholders for their inputs into the preparation of this legislation.
As I mentioned at the outset, this is a lengthy Bill and it is also complex legislation. That should not obscure its central purpose, which is to promote and facilitate the exercise of our rights as individuals to protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that "[e]veryone has the right to protection of personal data concerning him or her". The GDPR and this Bill seek to make that a reality. I, therefore, commend the Bill to the House.
That was a tour de force. Can I take it I have the Members' permission to depart from the rota of speakers in calling the next speaker, in accordance with the Members having agreed to this among themselves? Agreed. I call Senator Higgins.
I will probably not need eight minutes and I apologise in advance for having to leave immediately after I finish, but I am sure I will see the Minister again on Committee Stage.
Despite the extensive focus on and debate around the GDPR, I regret this Bill is being rushed. Second Stage is being taken this week and despite the requests of a number of leaders of groups in the House, Committee Stage is being taken next week. While a briefing on it may be taking place on Monday, given the length, significance and detail in this Bill, that is not a sufficient or appropriate length of time to ensure proper oversight of it by us as Senators and for us to have a proper opportunity to work together and with the Minister and his Department around a constructive amendment process. Nonetheless, we will be tabling a number of amendments. It is a pity we will not have a better process in that regard.
The GDPR, as the Minister outlined, is both best practice and its adoption is a legal obligation on the part of the State. It is deeply concerning that the legislation that has been brought before this House does not fully reflect either best practice or legal obligations. It is concerning that it has not incorporated, as the Minister acknowledged, many of the substantial important recommendations made by the committee during the pre-legislative stage.
The Bill crucially seeks to make exemptions for the State in respect of fines. In this the State is contravening good practice and the strong recommendation of both experts and the EU regulation. I note with concern that where there is a question of commercial concern, the undertaking question is dealt with, but is that to be of less concern, of less merit in terms of fines than the rights of individuals and their rights to their privacy? It is notable that we address the concerns of business in this regard but we do not address the concerns of individuals and their right to see a full and appropriate response to situations where their data are mishandled or breached. We do not have the important deterrent that needs to be there, bearing in mind that any moneys collected in fines are returned to the Exchequer and, therefore, they are not a loss to the State. It is unfortunate we are not placing that important imperative in terms of an individual's privacy on our public bodies.
Individuals will still have the right to seek material and non-material damages through the courts, and I am sure many of them will. If we have situations, for example, where 1,000 or 2,000 individuals suffer a breach in terms of their data, 1,000 or 2,000 cases may go through the courts. Aside from the pressures that may place on our courts system, there is also a very real concern. It is not appropriate that we, as a State, should consistently rely on individuals who may simply wish to identify a poor practice and have it dealt with but who would have only the courts as their key source of recourse in that regard. We are relying on individuals yet again to correct mistakes that we should be identifying at the legislative point.
However, a more serious concern is the exemptions which the State seems to make in terms of data processing. It is not only bad practice but is regarded by many legal experts as potentially illegal and leaves us open to potential EU court cases and penalisation. This will not be allowed to pass. This was made clear to the Department of Justice and Equality, and it was outlined during the pre-legislative scrutiny stage, but the Department has chosen to ignore this guidance and plough ahead with what is flawed in that regard.
In 2015, in the Bara case, the European Court of Justice found the Romanian Government to be in breach of the Charter of Fundamental Rights and the data protection directive. The fact that the Romanian state was compliant with its own Romanian legislation did not exempt it from facing sanction by the European Court of Justice. That is why the legislation we pass on data protection needs to be fully compliant with European law. There is not a middle ground where we can produce law which gives us, individuals or states, other options. That is also a very important issue here. The Minister mentioned the question of proportionate in the context of the GDPR, and it is a key point. There is no clear test of what is proportionate within the legislation. We need to have clear guidance as to what is a proportionate use of an individual's data in any situation.
Another important recommendation from the committee was that the GDPR and the data protection legislation should be the comprehensive means of dealing with this area. It would mean repealing a number of earlier Acts. As the Minister pointed out, the GDPR requires clear and accessible information in terms of legislation. We discussed at the Joint Committee on Employment Affairs and Social Protection earlier the fact that the Social Welfare Consolidation Act, which has been amended numerous times, does not meet the test of clarity in terms of an individual's privacy. That is also an issue that will arise.
Data protection is a hugely important and crucial area for the State to address. We debated at the joint committee earlier the issue of the public services card, the single customer view database and the issues of data protection in that respect. There are increasingly more examples of how individuals' and collective data uses can lead to great damage. We have seen significant breaches in that regard. For example, there was a situation in the Department of Employment Affairs and Social Protection recently where people's individual data were being sold for €27. Of course, that was a criminal act and has been appropriately treated. The joint committee heard about the case of an individual who had her pension withheld because she required and insisted on having the legal basis for her being obliged to get a public services card. That case was taken forward but the State then withdrew from it because it realised it could not adequately prove that legal basis. That is a serious concern and it is still not appropriate that individuals have to challenge and bring forward such cases. Let us try to address that issue at the outset.
Given the spirit underpinning the GDPR, when the Data Protection Commissioner, whose responsibility will intensify - that responsibility is deeply important and, as the Minister said, crucial to Ireland's compliance with the GDPR - indicated concern and initiated a section 10 investigation into the public services card, it was extremely concerning that the State ploughed ahead with making it obligatory in many areas, including potentially for people to access college, by denying them Student Universal Support Ireland, SUSI, grants. Those are very serious issues and contravene the spirit underpinning the GDPR.
I reiterate those points to stress we must take this issue very seriously. We will be putting forward amendments on Committee Stage. I regret we have not been given the time required for dealing with this legislation but I am sure we will have Committee Stage sittings to deal with it further.
I thank the Minister for his input. I also thank all the Members for obliging me by allowing me to contribute at this point.
I thank the Minister for coming to the House. I will start with the concluding paragraph of his report to us. He knows better than anyone else that this is very complex legislation, but, at the end of the day, it is both important and necessary. As he says, it is lengthy and complex. I acknowledge the Oireachtas Library and Research Service which has provided a very comprehensive digest on the Bill. I acknowledge its amazing support of the work we do in both Houses of the Oireachtas.
The Minister touched on a number of issues and spoke about acknowledging the work done in the pre-legislative scrutiny process and adopting many recommendations arising from it. From the digest we know that 12 of the 18 recommendations made were not included in the Bill. It is very important work, if the Minister has not seen it. I do not propose to read all 18 recommendations, although I see the Minister has the digest; I never doubted that he was one of the wiser men. That assists me because I can refer to the relevant pages of the digest. A red light was given to 12 of the 18 recommendations made. I do not propose to read all of them, but I want to draw the Minister's attention to two.
Recommendation No. 14, on page 16, deals with administrative fines. It states: "The Committee recommends that fines be administered to public bodies in breach of the new data protection legislation, where appropriate, to encourage compliance with data protection provisions in the new legislation". The second recommendation to which I wish to refer is No. 15 which is critical and deals with the right to receive compensation. I am not in the business of slapping people on the wrist - I do not think the Minister is either - and saying they have been bad and should not do something again, but there have to be sanctions. If this is to be meaningful, they have to apply across the board. I know the differences between the various authorities, on which I will touch, but recommendation No. 15 is: "The Committee recommends that an explicit right to compensation be outlined in the new legislation for breaches of data protection provisions. A consultation with the DPC, Office of the Attorney General, the European Commission could assist in the drafting of such a provision".
They are two reasonable and effective ways to deal with issues. I am aware of the subtle difference in the public authorities as defined in the legislation, which definition includes Ministers, Departments, regional assemblies, local authorities, An Garda Síochána and persons holding office established by statute. Are we saying those holding very sensitive information will not be subject to monetary sanctions? Will there be no compensation if there are breaches? If that is what the Bill states, it has huge shortcomings which I want to confirm. As the Minister knows, I am a member of the Independent group in the Seanad. We will bring forward a series of amendments based on this. The legislation, not me or the Minister, defines public bodies as State-owned companies formed under the Companies Act 2014 or its predecessors. There is a difference between public authorities and public bodies. I flag this as a concern because many public bodies hold extremely sensitive information and if they go wrong, how will we sanction them? That is a really important issue.
On the processing of special categories of personal data, what I call sensitive personal data, although the word "sensitive" is not used, there is always the issue of consent, which is very important. Chapter 2 in Part 3 of the Bill, sections 39 to 49, inclusive, provides details of the rules for the processing of special categories of personal data, defined under section 2. As previously noted, these categories include data which identify a person's racial origin, political or religious views, genetic data and sexual orientation or activities. We need to look at that issue and be careful. It highlights the sensitivity of certain data which are being kept.
The Bill goes on to talk about exemptions. Data collected by political parties, office holders, candidates or bodies in the course of elections are exempt. The Minister will be familiar with what is called a marked register which politicians can seek. What can we glean from a marked register? There are many assumptions, but we can tell if there is only one person registered in a home. Therefore, it does not take much to say Mary Bloggs is female if she is the only person in a home. The cumulative effect of bringing all of these data and political affiliations together is highly sensitive and they could be abused. I would like to think that, when bringing forward legislation, we would bring forward legislation on how we conduct ourselves as politicians. At some point in the future I want to home in on the data held by politicians for electoral registers. Can a person opt in or opt out? There are certain areas and categories out of which a person can opt out and certain ones out of which he or she cannot do so. That goes from the top of this House to the bottom and relates to how we deal with our own data in the Oireachtas. We need to get it right and be clear. We need to reassure people outside on how we are handling those data in a responsible fashion. I am not saying we are not but that we need to focus on it. If we are bringing forward legislation, we need to bring it forward for everybody and be fully compliant with it.
I have covered the issue of public bodies and local authorities. I am not happy with that provision which we could strengthen. I will not go on at length because I am conscious and have already told the Minister that we will bring forward amendments, but I want to work with him, which is very important. It is a matter of getting it right and having good legislation. The Taoiseach said last week that he wanted Senators to be actively involved in polishing and being active in dealing with amending legislation. He saw it as a critical role in our work here and I agree with him. I thank the Minister's Department for agreeing to have its representatives come to Leinster House next Monday for a briefing on aspects of the Bill. That is helpful because it will help Members to understand it. It is complex legislation which I want to support in principle.
The Minister makes the valid point that Article 8 of the European Charter of Fundamental Rights provides simply for everyone having the right to protection of personal data. I agree and hope he will consider accepting some amendments. This legislation is necessary, but it has to be equal across all sectors of society. I will wrap up by saying we must have sanctions for everyone involved. There must be no exemptions in the imposition of fines and sanctions.
I think we all agree that the legislation is very complex. The Minister's contribution was extremely comprehensive and informative. We have all been trying to work out the legislation. I concur with Senator Victor Boyhan on the document we received from the Oireachtas Library and Research Service. I received the email confirming that there would be a briefing on Monday morning ahead of Committee Stage. I respectfully request that it be held in the afternoon because some of us live on the other side of the country.
Indeed. Some of us travelled for three hours to get here. Some of us are away from home most weeks from Tuesday morning to Thursday evening. I suggest a little consideration be given to this or perhaps there might be a second briefing because we do not want to inconvenience people either.
Data protection is now a fact of life. Many data belonging to people are held electronically compared to what the position was 30 or 40 years ago when there was an entirely different scenario and set of circumstances when it was effectively a paper trail. Now many things are computerised. Computer systems can cross-reference data at a tap of a button. Information can now be procured extremely quickly. This legislation is being brought forward for a good reason. It is being brought forward in order that we can comply with our obligations as a member of the European Union and to citizens. Data collection and assembly are now big business and many people are employed in the area, in which many companies make money both in the collection and dissemination of data. Therefore, the legislation is long overdue.
I am concerned about how the legislation will affect not just political parties since many involved in political parties are volunteers but also sports organisations, community groups and individuals who donate millions of hours a week on a voluntary basis and who include children, youth, sportspeople and others. I have some limited knowledge of what the GAA has been endeavouring to do to comply with future legislation in this area. It seems to be on the money. I had a discussion with Seán Kelly, MEP, on this issue. He has recommended that other political and community groups look at what the GAA is doing in this area and the safeguards and protections it is putting in place. I have no doubt it is still learning but it seems to be well ahead of many other organisations. There is not an evening when community groups throughout the country are not being briefed or doing training on data protection. A month or six weeks ago there was a big conference in Croke Park at which a lot of community groups and volunteers became aware of data protection.
I look forward to Committee Stage. Our role in the House is to strengthen legislation to ensure there is a fair and equitable distribution of requirements and obligations. I heard what the Minister said about fines, enforcement and sanctions. There is merit in it and I look forward to hearing the arguments on Committee Stage. There is a lot in this Bill to get one's head around in terms of the various aspects and requirements. The opt-outs are there for particular reasons and the Minister has shed some light on it in his contribution. We have a lot of work to do on the Bill. I suspect Committee Stage will last many hours but ultimately we have an obligation to pass the Bill. It is necessary because there have been too many breaches of people's data rights. Too many of our citizens have been exposed as a result of breaches of data. We owe it to our citizens in this world of ICT to protect them and ensure the correct protocols, procedures and protections are in place.
I thank the Minister for an enlightening and detailed contribution.
I welcome the Minister to the House and assure him we will try to work constructively and positively with him and his officials on what is at its heart very important legislation. We will table a number of amendments on Committee Stage. The Minister will expect me to reiterate comments made by colleagues on the speed with which the legislation has come to Second Stage. There has only been a week between its publication and this Stage of the Bill. It is not the optimal way of dealing with legislation and important and substantial issues. That has been said so I will not over-egg the pudding but it is an issue that merits being mentioned.
I support Senator Conway in his request in regard to the briefing on Monday. If there is an opportunity, the Minister might explore the possibility of it happening on a sitting day.
Sinn Féin will not oppose the passage of the Bill to Committee Stage. We acknowledge there is a need to complete this work by 25 May but we have some serious reservations regarding significant sections of the Bill. We are not alone in that. If they are not addressed we may not support the passage of the Bill into law. In particular we are concerned about the far-reaching exemptions in section 54. In that section, the Minister has allowed himself a ministerial power which we do not believe would pass the proportionality test set out in the landmark case on delegated powers in Cityview Press v. An Chomhairle Oiliúna.
The Bill partially emanates from the general data protection regulation, GDPR, which is a regulation through which the European Parliament, the Council of Europe and the European Commission attempt to strengthen and unify data protection for all individuals in the European Union. The general data protection regulation is essentially a minimum standard expected of each member state on the threshold and rights afforded to citizens of member states and the data protection of individuals within those states. Much of it has direct effect. Some elements require legislation as there is a margin of appreciation in how jurisdictions apply them. The age of digital consent, which can be 18, is 13 in this legislation, which we welcome, as all young people's advocacy groups do.
Some of the Bill relates not to the regulation but to a related directive. Ireland has not been in compliance with EU data retention law since the Tele2-Watson case, which is significant. We have been in breach of EU law since late 2016. I am not entirely sure - the Minister might refer to it - whether this legislation rectifies that. We have observed one of the pitfalls in the protection of data protection officers from the interference of a data controller who aims to suppress a release of information on the basis that despite its release being in the public interest, it is not in the interest of a data controller for a variety of reasons that anyone can imagine. The lack of protections or avenues for addressing these concerns for such an officer is an oversight and a flaw in the Bill and the general data protection regulation. As recently as yesterday my party met with officials from the Minister's office and although they pointed to general law having already covered the potential for this, it would be beneficial for specific protections to be explicitly stated in this context. Committee Stage is the optimal time to deal with them.
The manner of the drafting is not ideal or clear. After the Bill has been passed, there will be a need to consult three Acts, the general data protection regulation and any other relevant European instruments in order to be aware of the legal position. It would have been better, clearer and more comprehensible for the provisions of the Data Protection Acts 1998 and 2003, which are still required, to have been put into this Bill and for those Acts to have been repealed in their entirety. There is potential for confusion and possible litigation.
Another gap is that the Bill does not include the requirement under Article 81 of the directive that not-for-profit groups can bring actions on behalf of data subjects. The general data protection regulation also envisaged a form of multi-party action akin to a class action but there is nothing on it in this Bill. The Sinn Féin Multi-Party Actions Bill, which would cover it in a wider sense, goes to pre-legislative scrutiny in two weeks. I hope the Minister will get a money message so it can proceed to enactment as soon as possible. It will be relevant not only from a data protection point of view but also in a number of areas including the tracker mortgages injustices. Significantly, it has disregarded the recommendation of the Oireachtas Joint Committee on Justice and Equality on section 136(3), under which the Government is still trying to exempt public bodies from fines for breaching data protection rights of citizens.
I will not indulge in repetition. This is vast and very important legislation. We approach it with a positive and co-operative frame of mind and I hope we have responsible and co-operative engagement on Committee Stage.
I appreciate the comprehensive nature of the Minister's speech. This is a lengthy Bill. It will take some time to digest the Bill and the Minister's speech. I was quite impressed by the Minister's stamina and ability to get through it in the manner in which he did. This is a terrifying area, which the Minister and his officials appreciate. No matter how we try to legislate for this area, the fear is that in five years' time whatever we have on the Statute Book will be out of date. Those who are engaged in this sphere in a malevolent and dangerous way are trying to work their way around national and European legislation and will spend whatever money they can to stay ahead of the game. The danger is not only that privacy rights, which are central to what we are trying to achieve, will be lost but also that the protection of children will be undermined. We are in a dangerous area and I expect the legislation will touch on everything we do from here onwards in all spheres, whether transport, education, health, foreign affairs or another area. When I was the Minister of State with responsibility for drugs, we found that regardless of what we sought to do on the drugs issue, fashions and the ability to manipulate things changed, which meant we struggled to keep ahead of the game. I appreciate what the Minister is trying to achieve and the Labour Party will not be obstructive in seeking to achieve our aims. We will introduce amendments to strengthen and improve the Bill. We appreciate that the Minister is doing his best to do the right thing.
The issues as they relate to children frighten all of us. While most people will have questions about setting the age of consent at 13 years, from listening to media reports and the Minister's comments on the offices and bona fides of those who arrived at this age threshold, I believe it is difficult to argue with their rationale. We will also focus on this area.
On the political aspects of the issue, if we were honest about the way we use data, we could have a highly illuminating conversation. Reference was made to the marked register, which is data that all politicians who have their heads screwed on use to their benefit. The register shows who has voted and in which election or referendum they voted. When we visit a house we then know that X, Y or Z person registered at the address voted in the previous election or referendum. The data and knowledge available to people in authority and those with influence must be regulated. We need to be comfortable with this and people need to know that this information is readily available. However, we are in the middle of a digital age which will only gather pace. It will be a serious challenge for parliamentarians and legislators to keep up with it.
The Labour Party will do its best to be of assistance with the legislation. I genuinely appreciate the efforts the Minister and his officials are making. In the years ahead, it will be necessary to amend the legislation many times to make it more relevant. Éamon De Valera once spoke of being terrified by the advent of television. I am genuinely terrified by technology, even though I use it every day and it offers the potential to make much money. However, children can also be damaged, hurt, humiliated and worse because of the age in which we live. I know the Minister appreciates that. With the support of Senators from across the House, we will get the best possible legislation for the citizens of this country.
I thank Senators for their contributions and I am grateful for the broad support the Bill has received in the Seanad. I acknowledge that there are issues to which we will have to return on Committee Stage. I note, in particular, the comments of Senator Higgins and hope, in the spirit of being constructive, to return, at an appropriate time, to any issues Senators agree could constitute an improvement to the Bill.
I acknowledge the contribution of Senator Boyhan who referred to the briefing note available to parliamentarians through the Oireachtas Library and Research Service in the form of a digest. I acknowledge the importance of the service to parliamentarians, in particular in respect to this legislation, much of which is technical in nature. I was struck by the interest shown by an Independent Senator in the matter of the marked register. It underscores that Senator Boyhan could be described as giving due notice to the electorate of Dún Laoghaire or elsewhere.
Senator Conway referred to the briefing arranged for early next week. Monday, as a non-sitting day, was considered an appropriate time. Realising that it will not be possible to accommodate everybody on this issue, I hope the availability of my officials to deal with the technical aspects of the Bill will accommodate interested parties in any event and include as many of them as possible. I believe we can do that.
A number of Senators referred to certain exemptions under the Bill and the issue of class actions. Senator Ó Donnghaile referred specifically to the issue of data retention, which is not covered by the legislation, nor was the Bill designed to cover the issue. There is, however, a specific data retention Bill which is, I understand, subject to pre-legislative scrutiny. The concerns the Senator raises may be more appropriately directed to that Bill.
Senator Boyhan referred to the recommendations of the joint committee, in particular, to those that have not been followed to the letter, rather than those that have been followed to the letter. The actions under data protection set out in sections 112 and 113 respond to recommendation 14 on the matter of the right to compensation to which the Senator referred.
Senator Ó Ríordáin indicated that, owing to ongoing advances in technology and cyberspace, it will be necessary to keep the legislation under review. In this instance, it is important that Ireland, as an active and constructive member of the European Union, complies with its obligations and that we ensure we have legislation enacted and in force within the specified timeframe. I have no doubt this is an area to which we will return in the context of ensuring we strike a balance between citizens' entitlement to the preservation of privacy and personal data and overall freedom of information and expression.
I hope we will resume our deliberations on the Bill in the coming weeks, the object of the exercise being that we introduce stronger rules and regulation on the protection of data to ensure we and our citizens are in a position to exercise more control over our personal data and businesses can operate on the basis of a level and even playing field. I am in the hands of the Business Committee as to when such future deliberations will take place. However, I stress the urgency of this issue and, having regard to the technical provisions and nature of much of the Bill, my officials and I will be keen to assist Senators in their deliberations at every remove.