Thursday, 15 February 2018
Data Protection Bill 2018: Committee Stage
Amendment No. 1 replaces the definition of "public authority" in this section. This is important because article 37 of the General Data Protection Regulation, GDPR, requires public authorities to designate a data protection officer to carry out the tasks listed in article 39. The amended definition would ensure that both the Office of the Director of Corporate Enforcement and the Irish Auditing and Accounting Supervisory Authority were classified as public authorities under the Bill. The definition will exclude recognised schools other than those established and maintained by education and training boards, ETBs, and where the ETB is the sole patron. From the entry into force of the GDPR next May, all schools, as data controllers, will be required to implement appropriate measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with the regulation. However, most of the 4,000 recognised schools are small and independently owned and, therefore, the exclusion of non-ETB schools from the definition is recognition of the fact that many of them, as small, independent organisations, would face additional administrative burdens were they to be so defined as public authorities. ETB schools in contrast are part of a larger ETB organisation, which is the data controller for all processing activities within the board.
The revised definition will also ensure that certain bodies funded by the Health Service Executive, HSE, will be classified as public authorities for the purpose of the Bill. The Health Acts empower the HSE to enter into arrangements with service providers to provide health and social services on its behalf. Specifically, section 38 arrangements involve organisations, mainly large voluntary organisations, being funded to provide services on behalf of the HSE. Section 38 bodies are found primarily in the acute hospital and disability sectors. The public funding provided to these bodies by the executive is significant and the Minister for Health considers that it is proper from a data protection perspective that such bodies should be treated in a similar manner to statutory bodies operating in the same area. The inclusion of paragraph (g) in the definition of "public authority" will achieve that purpose.
Amendment No. 37 can be moved by Senator Higgins. Amendment No. 38, which substitutes the correct definition of "genetic data" in section 63, is taken directly from article 4 of the GDPR and article 3 of the directive. Amendments Nos 57 and 58 are drafting amendments to the definitions of "relevant enactment" and "relevant provision" in section 100.
There is serious concern about amendment No. 1. I appreciate that the Minister is suggesting that it is important that a data processor would be appointed in companies that are contracted by the HSE and I understand that is what he is trying to get at. However, the amendment does not do that in the most appropriate way and it opens up other potentially unforeseen dangerous provisions. For example, there is nothing to prevent the Government inserting a separate section on Report Stage which specifically addresses companies, voluntary and private, that are contracted by the State and requires them to have in place a data processor and to meet the highest standards in processing the data of individuals. There is a concern that provisions have not been put in place throughout the legislation in respect of the procedures private companies must follow to implement the GDPR. The regulation will stand regardless and any individual can take a case, but in respect of legislative guidance or procedures or processes for companies based in Ireland to demonstrate to us as legislators, who are the first point of call, that they are compliant with the GDPR, there are few provisions in the Bill unfortunately. It seems the Bill is more focused on actively finding points at which data protection may not apply to public authorities rather than enforcing data protection requirements on private companies. There is a double concern in this regard - the removal of responsibility on public companies and the failure to give clear guidance. For example, there should be a provision that requires every corporate entity, whether voluntary or non-voluntary, to have a data processor, to have clear criteria in place for data processing and to show how they will implement GDPR provisions such as the right to be forgotten.
However, the way the Minister proposes to deal with the concern of companies contracted by the HSE is to amend the definition of "public authority", which is significant, so that a public authority can be any private company contracted by the HSE. He indicated the responsibilities he wants public authorities to take on and there is nothing to preclude him from placing those responsibilities on them in their own right without them having to be a public authority, but section 54(3)(iii) outlines restrictions to data protection rights for individuals, which can be applied "for the administration of any tax, duty or other money due or owing to the State, a local authority or other public authority or body,". This would seem to give any body classed as a public authority under section 2 the right to bypass data protection rights if money is involved. That raises a serious concern. We cannot in this early section of the legislation leave hostages to fortune in later sections. I regret that the Bill is being rushed through. We requested an additional week to tease these issues out. Now that it is being rushed through, we have been told that the debate will be curtailed, which is unfortunate.
I oppose amendment No. 1. Powers are given to public authorities in later sections in circumstances in which the right of individual data subjects can be bypassed. Public authorities are given the potential authority to collect biometric data, for example. There are also implications for the protection of children. Article 6.1(f) of the GDPR states: "Processing shall be lawful... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." Will children who access services that are contracted out by the HSE be subject to lesser protections? Private companies may have a contract with the executive in one area of the health service but may have a number of contracts in other areas. I respectfully suggest that the Minister may wish to address this important issue of the regulation of contracted parties with a separate explicit section, which sets out proper provisions and protections, rather than by amending the definition of "public authority" in this regard or if he must bring in a category of public authority, let it be a separate category explicitly excluded from the exceptions given to public authorities later in the legislation. There are a number of ways the issue may be tackled but it is crucial that it should be.
I did not realise my amendments would be grouped like this and it is unfortunate to have to jump to amendment No. 37. There are nine mentions of the phrase, "necessary and proportionate", throughout the legislation. It is invoked where general data protection rights of an individual may be overridden. I understand that is a European framework and there is no clear European definition. There is a concern. Perhaps the Minister could clarify what processes will be in place to determine what is "necessary and proportionate". Will it be entirely in reference to European case law or will the Minister be drawing on other processes? That is a clear issue because the definition is missing from section 2.
The justice committee requested that the full text of the GDPR with all of its provisions might be included in section 2, yet this is also missing. I may table amendments in this respect on Report Stage. The argument has been that we need to have a separation of European and domestic law and that they cannot simply be transferred. The concern is that many of the provisions in the GDPR have not been reflected in comparable or complementary sections in the Bill. One very blunt solution would be to include the text or a reference to the text of the GDPR.
My other amendments in this group are to a much later section. I do not see how they are connected with amendment No. 1 but I will not challenge a judgment of the Chair in that regard. Amendment No. 37 is to section 63 of the Bill, which is a very important section that sets out a definition of biometric data. The definition included in the Bill at present is contrary to understood definitions of biometric data in Europe and elsewhere. This is a crucial point because the definition of biometric data included in section 63 at present is complementary to the interpretation the Government has chosen to employ in the context of the public services card debate.
Biometric data as largely understood in most contexts means personal data relating to physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of the individual, including facial images or dactyloscopic data. That is the common definition. However, a reference has been inserted here by the Government, which I seek to remove, to "personal data resulting from specific technical processing". A person's biometric data is their data. One's fingerprints are one's fingerprints, one's blood is one's blood, one's facial profile is one's facial profile, and one's irises are one's irises. However, the insertion of "from specific technical processing" would mean an individual's biometric data is not really his or her biometric data unless it is processed in a specific way.
This argument has been used in respect of the public services card, for which biometric data such as photographs and potentially, in the future, fingerprints, etc., are gathered. Unless there is a particular kind of technical processing involved in what they do with that data, they are claiming that it is not biometric data. That claim has been widely challenged by most parties and has been named as a specific issue of concern for the Data Protection Commissioner in the section 10 investigation she is currently conducting into the public services card. The commissioner expressed her lack of satisfaction with the Government's answers in respect of biometric data and how the Government was choosing to define it. The Government is now seeking to embed that chosen interpretation into a new piece of legislation which would no doubt be retrospectively applied. I am sure it will not be retrospectively applied and it certainly would not be retrospectively applicable. When we come to vote on this amendment at a later stage, I urge the House to strongly consider that the very simple deletion of the phrase "from specific technical processing" will give us a definition that is comparable to the most internationally accepted understanding of biometric data.
Amendment No. 38 is related to amendment No. 37. Later in section 63, the Government includes a definition of genetic data. I note that it is choosing to change its definition of genetic data by way of amendment No. 38. It is probably doing so because some of its legal advisers have informed it that it will run into the same problem. Perhaps the Minister can confirm that point.
The current definition in section 63 of the Bill is as follows:
“genetic data” means personal data—
(a) relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or health of the individual, and
(b) that result from an analysis of a biological sample from the individual in question;
Paragraph (a) reflects the normal understanding of genetic data, but paragraph (b) limits the definition to genetic data resulting from an analysis of a biological sample. Obviously, that narrows what will be considered genetic data and also opens up the scope for all kinds of things to be considered genetic data which do not result from a biological sample. The Government has recognised that this is a problem and the new definition it is proposing in amendment No. 38 is as follows:
“genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of the individual and that result, in particular, from an analysis of a biological sample from the individual in question;
This is a tacit acknowledgement that although it may result specifically from biological sample, that is not the only way genetic data can be transferred. It is still a woolly attempt to bring the biological sample into the wording in a woollier way. Given that the Government has acknowledged that it cannot make technical processing a criterion for how data is determined in terms of genetics, I suggest that it may wish to provide a similar frame of reference in respect of biometric data and may similarly wish to reconsider the current definition and its reliance on a specific form of technical processing.
I will leave it at that. I had not expected to be speaking to these amendments to a later section of the Bill at this point but I am sure we will have a chance to return to the wider questions of biometric data, if not the particular amendments, in the future.
Amendment No. 1 recites some of the material in the original Bill but it also extends the coverage to include the Office of the Director of Corporate Enforcement and the Irish Auditing and Accounting Supervisory Authority. There is a change in paragraph (f) and where it previously stated "a person" it now states "any other person" and then adds other information as follows:
(i) a recognised school or board within the meaning of section 2 of the Education Act 1998 but including a recognised school established and maintained by an education and training board and a board of a school so established and maintained, and
(ii) a management committee established under section 37(3) of the Education Act 1998,
Then there is another new piece:
(g) a person with whom the Health Service Executive has, under section 38(1) of the Health Act 2004, entered into an arrangement for the provision of a health or personal social service by that person on behalf of the Executive,
I remember quite a number of years ago fighting on this issue of describing companies as persons. It is a little disingenuous because the average citizen reading a Bill like this would think it was a person in the sense of a human individual, although the provision clearly envisages a company. This would appear to give considerable exemptions to private companies in line with the exemptions given to public authorities and that is a cause for concern. It also allows them to call in biometric data.
I listened with great interest to the very erudite exposition by Senator Alice-Mary Higgins and, pending listening to what the Minister has to say, I am persuaded by her on amendments Nos. 37 and 38. It seems to me that she makes extremely good points in support of deleting "resulting from technical processing" and substituting a definition of genetic data which is more appropriate to the Bill. Unless I am otherwise persuaded by the Minister, I will certainly be voting with Senator Alice-Mary Higgins on this issue.
In respect of amendment No. 37, I am not sure of the extent to which the Minister can influence the disposition of Senator Norris now or, indeed, ever. Senator Higgins's amendment seeks to change the definition of "biometric data" in section 63. The definition is taken directly from Article 3.13 of the directive. It is identical to the definition in Article 4.14 of the general data protection regulation, GDPR. I do not see how there is scope for diverging from these definitions in our national law and, therefore, I am unable to accept the amendment. The definition in the Bill is fully in line with the GDPR. It is an issue that I believe is important in the context of the Bill. It comes directly from the directive. I am not putting down any amendment. I am not encouraging any divergence. I am merely saying that what we have here is a direct derivation from the definition permitted. While Senator Higgins went into some detail and at some length, I believe what we have done in the circumstances is entirely appropriate having regard to the transposition of the regulation into our national law. Any derivation from that or any departure from the alignment will give rise to an element of uncertainty that I am not sure will be helpful in the context of this legislation.
As regards issues raised by Senator Higgins, when she speaks about what is necessary and proportionate, I would point to the important changes and the increased authority of the Office of the Data Protection Commissioner, which will have a considerable increase in its authority and membership and will be properly resourced to ensure it can engage in the type of activities that will be necessary under the law. The issue of proportionality and necessity will be enforced by the data protection commission. It is a rights threshold. It has been developed and, presumably, will continue to be developed in accordance with the European Court of Justice and the European Court of Human Rights. This is an issue that will be monitored closely, supervised and enforced by the data protection commission.
I note what the Senator said regarding the obligations on private companies and the perceived lack of information about the new regulatory framework. I agree it is very important that there be a national campaign, an appropriate level of information and that companies be advised, encouraged and mandated to prepare for what is a changed landscape. As we process this legislation through the House, there will be a wide range of information meetings, seminars and engagements throughout the country. The GDPR applies directly to private companies and all other data controllers.
On the issue of the supervisory role, much of the information campaigning that is under way is being orchestrated and organised by the Office of the Data Protection Commissioner, ably assisted by Government, but there is a lot we can all do, as public representatives, to ensure there are appropriate and adequate preparations on the part of private companies, as well as public companies and agencies. I advise on the important information tool, that is, the website www.GDPRandYou.ie. I do not believe that what we are doing through Government amendment No. 1 is opening the door for widespread exemptions within the private sector. That will not happen. The Data Protection Commissioner will ensure a role in respect of oversight, supervision and enforcement.
There are other issues of enforcement to which we will revert later in terms of amendments. I indicated on Second Stage that I was open to listening to Senators in that regard. That still stands. With particular reference to an issue raised relating to public companies, agencies and entities, we will have an opportunity of debating that later.
I am unable to accept amendment No. 37 because it strays from the strict and important reading of the GDPR and the directive. I am not introducing any change and, in the circumstances, I do not believe it is appropriate to introduce a change to such a very important definition in the Bill.
To follow up on one point regarding amendment No. 37, when the Minister spoke about ensuring we do not have any ambiguity, the key concern is the specific technical processing. The Minister might be able to assure us that it will be the widest definition of specific technical processing and that we will not have a situation, for example, where the Government would decide that one particular form of processing was what was specific technical processing. That is something on which the Minister might be able to assure us because it is a key concern.
Regarding my specific question on section 54(3)(a)(iii), it refers to the restriction to data protection rights where money is due or owing to any other public authority or body. That is not a matter of interpretation for the Data Protection Commissioner. It is an explicit right to restrict data protection rights where money is owing to a public authority. The Minister might address the concern that by changing the definition of public authority to a private company contracted under paragraph (g) he is thereby opening up the provision in section 54(3)(a)(iii) and giving that body or company the right to restrict data protection rights when money is due. That is a specific concern.
We will have an opportunity to contribute again on the wider question. An information campaign is not what is needed. The Minister used the words "mandated" and "required". We will come later to the serious restrictions that are placed in terms of the way individuals can seek justice via the new data protection commission. I understand there will be huge resource implications and huge implications for our courts and restrictions in terms of certain areas of legal aid. In practical terms, I understand there is nothing to stop this State introducing complementary provisions in this Bill that set out, for example, clear criteria and clear, immediately accessible guidance, not information about the European regulations but regulations which are complementary and already in our Irish law. Why would we not put those into this Bill?
I wish to assure the Senator that there is no intent on the part of Government to introduce any uncertainty or list of exempted persons, to use the word adopted by Senator Norris. What we are doing here is using the corporate person, which has been enshrined in law for many decades. I assure Senator Higgins that under the stewardship of the Data Protection Commissioner there will be an information campaign. In addition to the information campaign, there will be a preparatory campaign to ensure that Ireland will be ready from the appropriate date in May. A large element of information, knowledge and preparedness is necessary as part of the enforcement and compliance element of this process, which is ongoing. By the time we reach the end of this Bill later in the spring, after Report Stage, we will have seen the type of appropriate campaign that is necessary in these circumstances. I assure Senator Higgins that there are no circumstances in which the introduction of amendment No. 1 will open the door for the type of exempted status she fears. I am happy to return to that.
It is in section 54(3) of the legislation. It is not a matter of assurance. The text of section 54(3)(a)(ii) specifically provides that restrictions on data protection rights can apply "for the administration of any tax, duty or other money due or owing to the State, a local authority or other public authority or body".
I am asking the Minister about his intention regarding section 54. Rather than making a contracted company a public authority, why it is not proposed to include a separate section that makes specific and clear provision for contracted services? Why was it decided to go this way?
The Senator is entitled to do that. Before we proceed with the division, I would like to welcome Deputy Noel Grealish and his friends to the Chamber. They are more than welcome and should not be in any hurry to leave us.
Colm Burke, Paddy Burke, Jerry Buttimer, Paudie Coffey, Martin Conway, Paul Daly, Aidan Davitt, Frank Feighan, Maura Hopkins, Gerry Horkan, Billy Lawless, Gabrielle McFadden, Catherine Noone, John O'Mahony, Joe O'Reilly, James Reilly, Neale Richmond, Diarmuid Wilson.
Victor Boyhan, Rose Conway Walsh, Gerard Craughwell, Maire Devine, John Dolan, Paul Gavan, Alice Mary Higgins, Kevin Humphreys, Michael McDowell, Rónán Mullen, Gerald Nash, Grace O'Sullivan, Trevor Ó Clochartaigh, Niall Ó Donnghaile, Lynn Ruane, Fintan Warfield.
Before we report progress, I welcome to the Gallery Mr. Pat Gilroy, one of the great Dublin footballers and the current manager of the Dublin hurling team. I wish him well in the championship this year, as long as Dublin does not beat Cork. He is welcome to the House.