Tuesday, 6 March 2018
Data Protection Bill 2018: Committee Stage (Resumed)
I move amendment No. 9b:
In page 23, to delete lines 28 to 33 and substitute the following: "must be necessary and proportionate, shall include limitations on the access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data, and may include— (a) explicit consent of the data subject for the processing of his or her personal data for one or more purposes,".
The Senator's amendment is the first for consideration. I was just making the point that if amendment No. 9b was agreed to, amendments Nos. 10 and 11 could not be moved. Amendments Nos. 9b to 14a, inclusive, and 18 are related. Amendments Nos. 10 and 11 are physical alternatives to amendment No. 9b. The amendments may be discussed together, by agreement. Is that agreed? Agreed.
I could not see the relationship, but I am happy to speak to them as determined.
Section 32 was one on which I thought that if we were able to engage constructively, we might be able to address a number of concerns. It relates to "suitable and specific measures" for processing. This term is invoked 16 subsequent times in the Bill. It was conceived originally to be used in respect of special categories of personal data. In the general data protection regulation it is indicated that the processing of special categories of personal data may be necessary for reasons to do with the public interest in the areas of public health without the consent of the data subject and that such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. The term "suitable and specific measures" appears throughout the Bill where the measure will replace consent, although it might not be mentioned in the sections, particularly a number of sections in the 40s. These are cases in which the obtaining of individuals' consent will no longer be a requirement for data to be processed. Where legislative permission has been given for the processing of personal data that bypasses the requirement for consent, suitable and specific measures are to be brought forward as a further safeguard, given that the key and primary safeguard of a requirement to obtain consent has been removed.
The Minister might note that I have tabled a number of amendments on this issue, but I will not push all of them. This section is not very clear and is quite wide. I was concerned that what was clear in it was that elements such as explicit consent; measures to prevent unauthorised use, the disclosure or erasure of data; time limits for the erasure of data; and training for those dealing with data were entirely optional and at the discretion of the Minister. The section states specific measures may be taken and regulations made under the Bill which "may" include these areas. I had hoped we could deal with concerns about the many sections later in the Bill, but I hoped that we could first replace the word "may" with "shall" so as to ensure the toolbox of protections for individuals and their data would always be used in its fullest sense. However, looking at places where the phrase "suitable and specific measures for processing" is used, it seems that it is utilised in a wide set of circumstances, which presents a problem. It is used in parts that are not clearly framed within the GDPR. The GDPR is clear, for example, that suitable and specific measures might be appropriate for archives, public health and certain other areas. However, the GDPR does not want suitable and specific measures to be used as a mechanism to bypass consent when it comes to how personal data is used in, for example, elections or political opinion, which is dealt with later and we will discuss that later. The problem is that the phrase "suitable and specific measures" is widely used. I may proceed with my amendment that seeks to change the word "may" to "shall" but I recognise that there are situations, such as instances where criminal proceedings are under way or archival work, where consent may not be appropriate or even possible.
I am still extremely concerned about this section and I wish to advise that I shall return to it on Report Stage. In the interim, I am intent on proposing a measure today as a basic safeguard, which I hope the Minister will accept because it will indicate the grounds for us to work on the improvement of this section. I wish to refer to section 32(b) that reads: "limitations on access to the personal data undergoing processing," which refers to instances where consent has been removed and bypassed. In cases where permission has been given for the processing of specific personal data, I want to ensure that there are limitations placed on the access to that data in order to "prevent unauthorised consultation, alteration, disclosure or erasure" of personal data.
Minister, I cannot foresee any situation in which any Minister, making regulations on the processing of personal data, would not wish to ensure and, indeed, needs to ensure that there are limitations on how that data is accessed in order to prevent unauthorised use, consultation or other actions.
My amendment No. 9b reads:
In page 23, to delete lines 28 to 33 and substitute the following: “must be necessary and proportionate, shall include limitations on the access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data, and may include— (a) explicit consent of the data subject for the processing of his or her personal data for one or more purposes,”.
I emphasise the words "shall include limitations on the access to the personal data". At the start of my amendment No. 9b I introduced the words "necessary and proportionate" because that element is used as a standard test throughout the GDPR and, therefore, should be reflected in this legislation. My amendment also stipulates "may include" when it comes to the other elements of the toolkit. I wish to advise that more work may need to be done on this aspect on Report Stage. As amendment No. 9b may need further work I shall refrain from pressing my amendments Nos. 10 and 11 now.
My amendment No. 11a is another key amendment. It provides that a Minister may make regulations on what safeguards may be put in place in terms of how personal data is processed. It reads "the Minister has consulted with such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission". I included that provision because we have seen, and we have very visible examples at the moment, whereby Ministers may well consult with the current Data Protection Commissioner or the new data protection commission. However, consulting the data protection commission does not give us any assurance that the Ministers will take on board the advice that they receive from the Data Protection Commissioner or the data protection commission. I shall outline a worrying example that is in play at present. The Data Protection Commissioner has indicated her extremely serious concern about the manner in which the public services card has been rolled out. These are serious concerns not only about the legislative basis but about the facilities to ensure appropriate access. A number of concerns have been expressed but I will not fully elucidate them here. Despite such concerns the roll-out of the public services card has been accelerated, not only by the Department of Employment Affairs and Social Protection but also the Department of Public Expenditure and Reform. Recently these issues were discussed by the Oireachtas Joint Committee on Employment Affairs and Social Protection, of which I am a member. 
On that occasion we specifically discussed the card with the Department official from the Department of Public Expenditure and Reform who directly advised us to talk to the Minister for Justice and Equality about the Data Protection Bill as the legislation is the best way to address the matter. I am now trying to follow up on that advice and address the concern that a Minister may disregard the advice given by the data commission and proceed with suitable and specific regulations which the data commissioner may consider inadequate. Given that the data commissioner constitutionally cannot trump the Minister, which I recognise, I have put forward an additional safeguard whereby the Minister, having sought the advice of the commission and consulted with any other Ministers he or she considers appropriate, should, if he or she intends to set out regulations which are not compliant with the advice of the commission, produce a written rationale for the decision not to take the advice of the commission, and seek and receive Cabinet approval for the proposed regulations. This is a very mild additional safeguard that will ensure that if the very serious decision to disregard the advice of the data commission is taken, we will have the rationale for it and it will at a minimum be discussed at Cabinet. Having spoken to other Oireachtas Members since submitting this amendment, I know that others may seek to strengthen it further. Other Members may wish to ensure that where the advice is not taken, that would be discussed by the Oireachtas committee or the Houses of the Oireachtas and a rationale laid before them. My amendment is comparatively mild and simply calls for collective Cabinet responsibility in terms of addressing this issue.
Amendments Nos. 12 to 14, inclusive, regard the deletion of "may" and substitution of "shall" in various parts of the section. The problems involved in the earlier discussed deletion of "may" and substitution of "shall" do not apply in these instances.
Amendment No. 14a amends section 32(5) by inserting that whatever regulations for suitable and specific measures are made under subsection (2) as discussed should have regard to "the necessity and proportionality of the processing" in addition to the current provision for "the nature, scope, context and purposes of the processing". This addresses the necessity and proportionality test that used to be applied throughout. It is important that it should be directly considered in this section. I particularly hope the Minister might be able to accept this amendment because it is quite mild and very much in tune with the aims of the general data protection regulation, GDPR.
As regards amendment No. 18, we will have a more lengthy debate on section 42 when we reach it so I will not speak at length on this amendment. It concerns the example I gave of an area where suitable and specific measures have been added in and it is very important under such circumstance in regard to electoral activities that there be no bypassing of the issue of consent. The GDPR addresses appropriate safeguards for the use of data by political parties but there are numerous problems with that section so perhaps it is not appropriate to dive into it in too much detail now. I note that under the wide frame that is currently put on it, the consent of a person whose political opinions are being discussed would and should be a requirement.
I am willing to have a fresh look at section 32 and to bring forward amendments on Report Stage if the Senator is minded not to press the amendments to section 32 on this Stage. I remind the House that the purpose of section 32, which is entitled "Suitable and specific measures for processing", is to establish a toolbox of specific and appropriate measures to be applied in the context of data processing under later sections of the Bill, namely, sections 40 to 44, inclusive, and 46, some of which have been mentioned by Senator Higgins. She is correct that we will have an opportunity to go through those section by section. All of the relevant sections make the use of suitable and specific measures mandatory. The choice of which measure from the toolbox could, should or may be used will depend on the circumstances of the processing.
I stress that these safeguards are in addition to, rather than a substitute for, the technical and organisational measures required under the risk based approach in Article 24 of the general data protection regulation. These additional measures are brought forward by virtue of the fact that they will apply to the special categories of personal data, which are referred to under Article 9 of the GDPR. In some cases, encryption of the personal data concerned might be highly desirable, while in other cases, the appointment of a data protection officer by the controller might be more effective. In this context, it is important that we consider the text of 32(4), which will permit the specification of compulsory safeguards in respect of certain types of data processing.
Having listened carefully to the Senator and examined her amendments, I accept there is a need to clarify what can best be described as the interplay between this section and the later sections which require the use of the toolbox measures. I am willing to review matters in light of the Senator's comments. Rather than dealing with the matter conclusively today, I ask her to consider withdrawing the amendment and not moving her other amendments to the section, in return for which I will give a commitment to introduce appropriate amendments to the section on Report Stage.
Amendments Nos. 11 and 18 in the Senator's name deal with consent-related issues. I understand they are part of the group because, as the Cathaoirleach stated, amendment No. 11 is an alternative to amendment No. 9b to which I have made reference. With regard to amendment No. 11, there is no need to insert the word "informed" after the word "explicit" because this is already an essential requirement for what could be described as a valid consent under the GDPR. The definition of "consent" in Article 4 makes clear that the matter of consent must always be freely given, specific and informed. Section 2(3) makes clear that a word or expression used in the Act that is also used in the GDPR has the same meaning in this legislation as it has in the GDPR unless the context otherwise requires. Amendment No. 11 cuts across this and I am not minded to accept it.
Amendment No. 18 proposes to insert a consent requirement in section 42, which seeks to give effect to Recital 56 of the general data protection regulation. I am open to considering the possibility of imposing a consent requirement. In any event, we will have an opportunity to discuss the issue again when we deal with amendments Nos. 19 to 21, inclusive.
Having listened carefully to the Senator's submissions and the reasoning behind her amendments, I give a commitment to return to the issue on Report Stage.
I warmly welcome the Minister's commitment and acknowledge the interest his officials have shown in engaging in this area. The Minister will understand that I am seeking to be constructive with regard to the amendments. While I will not press most of the amendments to a vote, I may press one or two of them because this will put us on stronger ground in terms of collectively working together as we move forward. I will be pleased to work with the Minister and support on Report Stage any amendments he tables that perform more effectively the function of some of my amendments. Nonetheless, given that Report Stage will by necessity have a constrained opportunity for back and forth debate I may move one or two of the amendments today. I am not going to do this very often but there are just one or two points which I would like to make as they will give us a better starting point in terms of our work together on Report Stage.
I acknowledge what Senator Higgins has said about our constructive relationship but I would not see today as being a starting point. I thought we already started to embark on what I felt was a very constructive relationship in the context of our debate.
To clarify, I was in fact acknowledging that there has been constructive engagement, both with the Minister and his officials, and I think it was really useful at the last Stage. I am very happy to continue what has been a constructive discussion. In acknowledgement of that, there are a number of amendments which I might not press today. I accept I have about 40 amendments, but there are one or two that I think are a really useful basis for us to have in terms of moving forward. I thank the Minister very much for his appropriate correction to the record.
Ivana Bacik, Frances Black, Lorraine Clifford Lee, Rose Conway Walsh, Gerard Craughwell, Mark Daly, Paul Daly, Maire Devine, Paul Gavan, Alice Mary Higgins, Colette Kelleher, Terry Leyden, Pádraig MacLochlainn, Niall Ó Donnghaile, Keith Swanick, Fintan Warfield.
Colm Burke, Paddy Burke, Jerry Buttimer, Maria Byrne, Paudie Coffey, Paul Coghlan, Martin Conway, Frank Feighan, Maura Hopkins, Gabrielle McFadden, Michelle Mulherin, Catherine Noone, Kieran O'Donnell, Joe O'Reilly, James Reilly, Neale Richmond.
There was an equality of votes. Therefore, pursuant to Article 15.11.2° of the Constitution, I exercised my casting vote. In accordance with precedent, I vote against the question in this case, the result of the vote now being: Tá, 16; Níl, 17.
I move amendment No. 11a:
In page 24, to delete lines 18 to 22 and substitute the following:
"(a) the Minister, provided that—
(i) the Minister has consulted with such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission, and
(ii) the Minister has, if he or she intends to set out regulations which are not compliant with the advice of the Commission, produced a written rationale for his or her decision and received Cabinet approval for the proposed regulations,
(b) any other Minister, provided that—
(i) that Minister has consulted with such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission, and
(ii) that Minister has, if he or she intends to set out regulations which are not compliant with the advice of the Commission, produced a written rationale for his or her decision and received Cabinet approval for the proposed regulations.".
Catherine Ardagh, Ivana Bacik, Frances Black, Lorraine Clifford Lee, Rose Conway Walsh, Gerard Craughwell, Mark Daly, Paul Daly, Maire Devine, Paul Gavan, Alice Mary Higgins, Colette Kelleher, Terry Leyden, Pádraig MacLochlainn, Niall Ó Donnghaile, Fintan Warfield.
Colm Burke, Paddy Burke, Jerry Buttimer, Maria Byrne, Paudie Coffey, Paul Coghlan, Martin Conway, Frank Feighan, Maura Hopkins, Gabrielle McFadden, Michelle Mulherin, Catherine Noone, Kieran O'Donnell, Joe O'Reilly, James Reilly, Neale Richmond.
I move amendment No. 14a:
In page 24, after line 39, to insert the following:“(b) the necessity and proportionality of the processing,”.
I will withdraw this amendment and I would have the hope that this particular amendment is one that the Minister himself may reintroduce on Report Stage. If not, I will.
Amendments Nos. 15 and 15a are related, with amendment No. 15a being a physical alternative to amendment No. 15. The amendments may be discussed together by agreement. Is that agreed? Agreed. It is to be noted that, if the question on amendment No. 15 is agreed, amendment No. 15a cannot be moved.
I move amendment No. 15:
In page 25 to delete lines 29 to 35.
I will not prolong the agony for Members. We are opposed to this section in its entirety, and the amendment is a deletion in that regard. I will press this to a vote. The amendment is self-explanatory, so I do not need to go into great detail.
Section 34 is one of the most deeply problematic sections in the Bill and needs intensive revision. The main concern is that, while provisions are made in respect of specific and, in some cases, appropriate circumstances that we have already discussed with the Minister whereby personal data might be processed, section 34 is wide in terms of what is construed and potentially construable as the public interest. It allows for the processing of personal data by any local authority where considered necessary and includes an extensive list of bodies, for example, museums, agencies, broadcasters, financial bodies like NAMA, tourism boards and housing agencies. It also makes further provision for the disclosure of personal data for the purpose of preserving the common travel area by air carriers and leaves to the discretion of the Minister, without accountability to the Cabinet, Dáil or the Oireachtas, the determination of what data are necessary to be processed and under which conditions. This is an extraordinarily wide remit and the section needs substantial revision. I hope that there will be scope for us to work across the Houses on that revision.
I support Sinn Féin's amendment, as the list of bodies established by enactment is long. We need to be more specific. My amendment is a small one and I hope that the Minister will take it on board. The section reads: "The processing of personal data shall be lawful to the extent that such processing is necessary for". As has been well aired, necessary and proportionate is the test under GDPR. My amendment reinserts "and proportionate" in that context. Notwithstanding the wider discussion that we might need to have on the section, the inclusion of the necessary and proportionate test is appropriate.
The short answer to Senator Higgins is that I will not accept her amendment, minor and all as she suggests it is. Actually, she used the word "small", which is somewhat different. I would be pleased to give it further consideration and see how we can meet each other on Report Stage, but I will not accept it as currently drafted.
Amendment No. 15 proposes the deletion of section 34(1). I will give vent to a number of reasons as to why I will not accept it. Article 6.3 of the GDPR provides that the basis for the processing referred to in Article 6.1(c) and (e) shall be laid down in EU law or national law and that the purposes of the processing shall be laid down in that legal basis. Unlike the position in some member states, however, Acts of the Oireachtas that confer statutory functions on public authorities and bodies do not normally provide specifically for the processing of personal data for the purpose of discharging statutory functions. The same applies to functions deriving from our Constitution. The processing of personal data for those purposes is implicit rather than explicit.
This is an issue of legal certainty, and to ensure that, section 34(1)(a) provides that the processing of personal data shall be lawful to the extent that such processing is necessary for the performance of a function conferred by an enactment or the Constitution. This is fully in line with Article 6.1(c) of the GDPR which provides that data processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. What is important here is that, first, a statutory function must have been conferred on the controller by law and, second, the processing shall be lawful to the extent that the processing is necessary for the performance of that function.
Section 34(1)(b), which the amendment also seeks to delete, provides a statutory basis for data processing that necessarily arises where non-statutory schemes, programmes, funds or arrangements are administered by public authorities, such as a Department, in the performance of a function conferred on them by an enactment or the Constitution. Let me give an example. In terms of social welfare, some important and valuable schemes are administered by the Department of Employment Affairs and Social Protection but operate on a non-statutory basis. I am referring to, for example, the free fuel scheme, the free travel scheme, the back to school clothing and footwear allowance and the school meals programme. Such non-statutory schemes have also been put in place in the past to deal urgently with emergency situations such as our current adverse weather conditions, the aftermath of a storm, flooding, landslides, farm crop destruction and fodder shortages, of which Senator Coffey and others will be aware. Passing specific legislation to deal with such cases is not something that we do because we do not deem it necessary. There is also the question of timing and of the need for the Oireachtas to respond urgently to supply aid or assistance to communities. All these schemes will require the processing of personal data of applicants and beneficiaries. This is widely permitted under the terms of the general data protection regulation, GDPR. Recital (41) states: "Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament." I invite Members to agree with me that there are circumstances where these non-statutory schemes, or other similar non-statutory measures, are important and beneficial to communities. We should not put them at risk by creating conditions of legal uncertainty following the coming into force of GDPR later in the year. In these circumstances I suggest that amendment No. 15 be withdrawn because of the uncertainty that will ensue.
I am concerned that acceptance of amendment No. 15a may also jeopardise operation of certain statutory and non-statutory schemes and measures. I wish to impress on Senators the fact of Article 6.1(c) GDPR being based on a necessity test. It does not incorporate a proportionality test but inserting a reference to proportionality here could well have an adverse impact on some of the schemes whose administration we from time to time facilitate. It could leave them open to challenge and to an interpretation of uncertainty. I will give further consideration to amendment No. 15a but I will not accept it today. I do have a difficulty with amendment No. 15 and ask Senator Ó Donnghaile to reflect on my point. If he were to withdraw it he could reserve the right to come back on Report Stage.
I never question the bona fides of the Minister. This amendment seeks to ensure that further protection is put in place because it is our view, with the greatest respect to the Minister, that this grants him too much discretion and power. I will reflect on what he said and will withdraw the amendment, with a view to bringing it back on Report Stage.
We can continue to work on amendment 15a. I appreciate that the Minister is interested in considering it. I do not think anybody in this House would disagree about the circumstances the Minister has outlined where it would be appropriate. The concern is that as it stands subsection (1)(a) does not cover only urgent situations. It covers any situation or law that is brought in. I am more concerned about it now because the Minister said it may not require legislation brought through the House but may be another legislative measure. Would that be a ministerial order? We are using the word lawful but the GDPR is law. We are introducing a new hierarchy whereby the GDPR would be subservient to any other law that might be brought in in respect of data processing. The reference to "any other future or current" raises serious concern about how wide this is. I appreciate that, as the Minister said, there are circumstances where urgency is needed and my amendment sought to deal with that by ensuring it is proportional. For example, where the Minister described a need to respond in urgent situations such as flooding and crop shortages, any test of proportionality would find that the processing of data was appropriate.
The proportionality test is not designed to tie the hands of Government. As I understand it, section 34 is wider than some of the sections we have debated because it does not even require ministerial responsibility. Subsection (1) refers to "the performance of a function of a controller conferred by or under an enactment or by the Constitution". That is very wide. We will not necessarily know what decisions may be made in interpreting the performance of their functions. Certain functions of controllers predate the legislation before us today. We should endeavour to ensure that the functions of any controller or anybody charged with data protection are brought into line with these new higher standards we put forward rather than saying that these standards may not apply where an existing way of functioning existed. It does need revision. We are happy to work with the Minister on the proportionality question. I will not press the amendment now because there is much ground to cover today. If there are exceptional circumstances let us legislate for those and not for the blanket provision.
I may return to this point on Report Stage, even the very limited safeguard of "suitable and specific measures" which I had concerns about in a previous section is not included here. I do not see where the safeguards are in the absence of a proportionality test. Nonetheless, I am happy not to press the amendment now and to work with the Minister and his Department.
I move amendment No. 16:
In page 28, between lines 12 and 13, to insert the following:
“38. (1) No application to access data processed for journalistic purposes may be made by any party, including, for the avoidance of doubt, an authorised officer, An Garda Síochána, the Garda Síochána Ombudsman Commissioner, the Revenue Commissioners or the Defence Forces, except by way of application to the High Court by motion and affidavit and on notice to the journalist data processor.
(2) In determining whether to allow access to data processed for journalistic purposes, the High Court shall have regard to the importance of freedom of expression in a democratic society and to the importance of confidential sources of information to the right of freedom expression.
(3) The High Court may permit access to data processed for journalistic purposes, including for the purpose of identifying confidential sources of information, only where the journalist processor whose data is sought is the subject of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
(4) (a) In exceptional cases, where the security of the State is under immediate threat or where it is suspected that a serious criminal offence is likely to be committed in the immediate future, an application may be made ex parte to the High Court for access to data processed for journalistic purposes.
(b) Where an ex parte application under this section is made, the journalist processor whose data is the subject of the application shall be notified of the application by, and given the opportunity to make representations before, the High Court as soon as practicable.
(5) An appeal shall, by leave of the High Court, lie from a determination of that Court under this section on a question of law to the Court of Appeal.”.
This is a sincere attempt to strengthen the Bill by affording further protections to journalists and their sources. I will not go into it in great detail because the amendment speaks for itself and lays out clearly what we hope to achieve, the protection of the integrity of important journalistic work and the service it provides to citizens and the State by holding government and other agencies to account. It does not seek to hinder or block journalists from obtaining necessary data. It merely puts in place considered, measured, thoughtful, proper filters, protections and guidelines to protect the integrity of the journalism and its ethos, showing that we respect that institution and the important and critical role that journalists play. We have seen that role played out in recent times and the significant contribution journalists can make to the democratic process and ensuring the State is held to account. The amendment seeks to insert a number of protections; it does not seek to cause any unnecessary or undue barrier to obtaining the necessary data where they are legally required through High Court applications and to the filter process that seeks to protect journalistic integrity and, indeed, the integrity of their sources moving forward. I will press the amendment. I hope the Minister will acknowledge why we view this to be of such critical importance at this stage.
I support the amendments, which are constructive. I am happy to support these proposals but I urge the Minister to consider working with all parties on them as they would like to move to a resolution to ensure the integrity of the Fourth Estate is maintained.
I have listened carefully to what Members said on these issues and I agree that we should give the matter due and full as well as careful consideration, but I am concerned that these issues of considerable importance will be decided in the legislation. Aspects of the amendments are far-reaching. The importance of the text is influenced by a recent recommendation of the Joint Committee on Justice and Equality arising from pre-legislative scrutiny of the Communications (Retention of Data) Bill 2017. The joint committee's report has only been tabled recently, and the Government, including, importantly, the Office of the Attorney General, has not had the opportunity to examine the recommendation in the detail that is required. That is why I agree with Senator Higgins that these issues can be examined at a later stage. They are far-reaching, detailed and important. Second, I reiterate that the legislation is not the correct vehicle for such a wide-ranging and far-reaching statutory provision. The Long Title confines the content of the legislation to data protection matters. The Senators have gone beyond those in the amendments.
The provision in section 38(3) whereby the High Court could permit identification of confidential sources of information where a journalist "is the subject of investigation for suspected commission of a serious criminal offence" raises important issues that go well beyond data protection matters, and the GDPR and this legislation, which is a direct consequence of the GDPR. For example, what is a "serious offence"? I do not wish in any way to take from the importance of the amendments but balancing the right of journalists to protect their sources with other rights is a matter for the courts. The European Court of Human Rights in Strasbourg has underlined, for example, that protection of confidential sources is an essential means of enabling the press to perform its important function on a daily basis and it should not be restricted or inhibited. The important role of the press as public watchdog should not be interfered with except in exceptional circumstances where a vital public or individual interest may be at stake. I do not want in any way to detract from the importance of the amendments. I suspect that there is a relationship between the tabling of the amendment and the joint committee's report, which deserves due and careful consideration. It would not be appropriate to insert such a far-reaching, consequential amendment in this legislation. I am not minded to accept it for the two reasons I outlined. The first is the recent origin of the amendment but I will certainly examine that issue. I have a difficulty with the wider issue, which I hope Senators will accept in the spirit in which I tender it.
I am reluctant to divide the House on this issue because of the Minister's comments. I disagree with elements of them but that is the nature of our discussion. I will withdraw my amendment and reserve the right to table it again on Report Stage. Both myself and my colleague in the other House, Deputy Ó Laoghaire, are keen to engage with officials and the Minister to tease out how we can insert some of the core and necessary elements of the amendment in the legislation ultimately. I am keen to engage with him on that basis. Given the sensitivity and importance of what the amendment seeks to do, I do not want to divide the House. In withdrawing the amendment, I wish to make it clear that I reserve the right to table it again. If there is not a satisfactory conclusion from the engagement with the Minister and his officials, I reserve the right to resubmit it on Report Stage.
I move amendment No. 17:
In page 28, between lines 13 and 14, to insert the following:
"38.(1) No application to access personal data processed for journalistic purposes may be made by any party, including, for the avoidance of doubt, an authorised officer, An Garda Síochána, the Garda Síochána Ombudsman Commissioner, the Revenue Commissioners or the Defence Forces, except by way of application to the High Court on notice to the data processor.
(2) In determining whether to allow access to personal data processed for journalistic purposes, the High Court shall have regard to the right of freedom expression and information.
(3) The High Court may permit access to personal data processed for journalistic purposes, including for the purpose of identifying confidential sources of information, only where the data processor in question is under investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
(4) (a) In exceptional cases, where the security of the State is under immediate threat or where it is suspected that a serious criminal offence is likely to be committed in the immediate future, an application may be made ex parte to the High Court for access to data processed for journalistic purposes.
(b) Where an order is made under subsection (4)(a), the data processor shall be notified of the making of the order and afforded the opportunity of making representations to the High Court as soon as practicable thereafter.".
I move amendment No. 18:
In page 29, line 10, after "lawful" to insert "where consent is freely given, specific, informed and unambiguous by data subjects and".
I will withdraw the amendment and reserve the right to reintroduce it on Report Stage on the basis that the Minister indicated he was interested in revisiting the issue of consent in this section.
I move amendment No. 19:
In page 29, to delete lines 13 to 15.
I will withdraw amendment No. 19 while reserving the right to resubmit it on Report Stage. Sinn Féin will support amendment No. 21 in the name of Senator Higgins.
I will speak to my amendments Nos. 20 and 21. I do not propose to press amendment No. 20 as I do not wish to create an artificial disadvantage for new candidates compared with existing representatives. I recognise the concern that has arisen on this matter, on which I have engaged with the Department. Nonetheless, there remains a concern that the section, as constituted, goes significantly beyond what is envisaged in the general data protection regulation regarding the use of data collected for electoral purposes. The relevant section of the GDPR refers to data that are designed for use by political parties. This is very much the way in which its use is constrained.
I recognise that we have many independent candidates and representatives, including me. The electoral purposes envisaged in the GDPR appear to be those that are internal to persons who are putting themselves forward for election to public office. However, the provision in this section is constructed with a much wider scope. We discussed the fact that a body established by or under an enactment is extremely wide in scope. It could allow, for example, political opinions to be processed for electoral purposes or to influence such matters as manifestoes. It potentially blurs the line between the role of various bodies established under enactment and the role of political parties, government and Departments. The section is unclear and I expect it was designed to encompass, for example, a referendum commission and similar bodies. However, it is framed much too widely and could potentially lead to inappropriate use.
Amendment No. 21 is a much more important proposal providing that the section will "not permit the sharing or processing of personal data revealing political opinion with or by any private or commercial company, even when that private or commercial company has been contracted by the actors or entities specified under paragraphs (a), (b) or (c)." We have seen the role played by companies such as Cambridge Analytica in the Brexit vote and Trump campaign. There is a real and present danger of private companies being contracted to influence and shape electoral outcomes.
The Standards in Public Office Commission has indicated it is not satisfied with the adequacy of regulation in respect of how social media advertising and promotion are being and could be used to influence electoral outcomes. If we include in the Bill a provision that results in a politician, party or aspiring candidate being able to share with a private company information about citizens' political opinions, which may have been entrusted to the candidate in confidence, for example, in the course of constituency work, democracy will find itself on dangerous and shaky ground. This is a serious concern.
I do not want to focus on one company. With regard to the forthcoming referendum, for example, analytics companies have been hired which have very close relationships with companies that were highly active on the vote on Brexit and various elections. This is a real and present danger and one which is not exclusive to extreme cases. A well resourced political party should not be in a position to share extensive information on the political opinions of citizens with an expensive company. While I do not wish to digress, we have seen in recent weeks how strongly members of the public feel about the importance of integrity in communicating messages and advertisements and promoting positions. Absolute transparency is needed on how such communications are conducted.
While I acknowledge that this section does not explicitly provide for a right to share personal data related to political opinions with private companies, it does not preclude the sharing of such data. I hope the Minister will be able to work with me to ensure the legislation precludes the sharing of such data.
It may be more effective to divide section 42 into two sections. Anyone who has sought or seeks political office will know the publicly available register of electors may be used to ensure his or her message is communicated. It may be effective to deal with issues such as the register of electors in a specific section. Other areas of political opinion, which extend beyond information that a person has or has not voted or is registered, could be teased out in another section. This may be a constructive approach to addressing this issue. I do not expect people to stand in the Minister's way on the use of the register of electors. We could have a separate section on that issue and another section dealing with other uses of data related to a person's political opinion. It is not clear whether the provisions of section 42, as currently worded, include data on persons who may have contacted political representatives by email or other means expressing a political view on an issue of the day. Perhaps the Minister will assure me that such data are not covered by the section.
I concur with Senator Higgins. The Minister is speaking to colleagues on the issue of political representation. Members of the public want to be updated on the work being done by political representatives. My understanding, which may be incorrect, is that a new set of guidelines will be introduced to deal with this issue. Similarly, if a member of the public contacts a Member of the Oireachtas with a specific query, Members will find it difficult to engage with various Departments on the issue. The Minister is aware of this as an issue because he has been a politician for a long time, probably longer than I have been around. He knows exactly what is required of us in the Irish political system, which is different from most other political systems. The only similar system is in Malta, which has a proportional representation single transferable vote system akin to that used to elect the Irish Parliament.
Irish people have a certain expectation of Members. When there was no Citizens Information Board, people such as the Minister, his father and others provided citizens with information and assistance and helped them in an advocacy role. It is very important for that to continue because although, thankfully, many people now know their rights and are able to advocate for themselves, there are still many people who are unable to access information or advocate for themselves and do not know how to go about simple tasks such as applying for a medical card. If constituency offices around the country are hampered in this very important advocacy role, the data protection legislation will have gone too far. When one contacts Departments, depending on who one speaks to, one may be put through a list, including some looking for written consent. In one situation involving SUSI of which I am aware there had been a marital breakup and written consent had to be obtained from the student and both parents. Such requirements make the work of a public representative in terms of advocating on behalf of people very difficult. When this legislation comes to a finality, that issue must be cleared up.
Senator Conway made several important points. There are issues in the context of the Bill that require careful scrutiny along the lines he suggests.
As regards amendment No. 21, I listened carefully to the consideration given by its proposer, Senator Higgins, and, on reading section 42(a), (b) and (c), I do not see where there is any legal basis for the sharing of personal data revealing political opinions. I do not, therefore, see the necessity for amendment No. 21. I do not disagree with the points raised by Senator Higgins but she is reading far too much into section 42. There is no legal basis for the issues that she wishes to amend and amendment No. 21 is not required.
The purpose of section 42 is to give structure and substance to Recital 56 of the GDPR, which provides that "Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established." It is a loosely worded recital. It is unusual that there is no corresponding substantive provision in the GDPR and the objective of section 42 is to limit potential misuse of recital 56 through making the processing for its purposes subject to suitable and specific measures, as referred to in section 32.
Amendment No. 19 proposes the deletion of subsection (b). Although I accept that the provision is drafted in a broad manner, the intention is to underpin any processing of political opinion data by a referendum commission. I note the point raised by Senator Ó Donnghaile in that regard but I think he said he was not going to press it. However, I am willing to redraft that subsection in the context of a Report Stage amendment, which will trigger corresponding changes in sections 52 and 53.
Amendment No. 20 proposes the deletion of the words "a candidate for election to, or" in paragraph (c) of section 42. That would mean that although an elected representative could take advantage of the section, a candidate who might be competing and seeking election for the first time could not, which may be less than consistent. I do not believe that is the import of what Senator Higgins wishes to achieve, so I will not accept the amendment. We will return to this in terms of debating section 42 but I would be concerned at the introduction of unnecessary text.
I ask the Minister to clarify one point: is it his interpretation that under the section as it currently stands no personal data revealing political opinions could be shared with any private company for the purposes of processing?
I move amendment No. 21:
In page 29, between lines 16 and 17, to insert the following:
“(2) This section does not permit the sharing or processing of personal data revealing political opinion with or by any private or commercial company, even when that private or commercial company has been contracted by the actors or entities specified under paragraphs (a), (b) or (c).”.
I reserve the right to reintroduce amendment No. 21. We need to tease it out somewhat and perhaps paragraph (b) of section 42 may be a more appropriate section under which to deal with it.
Although I did not wish to delay the process at the time of the discussion of section 40, I note that section 44 potentially relates to it. Section 44 will be the subject of amendment on Report Stage. It involves the bundling of two purposes - insurance and pensions - which should be separated into two sections because different provisions may apply to each. Although it may be appropriate to process special categories of personal data in regard to pensions, the GDPR, in a continuation of the section I read earlier regarding the question of public interest in areas of public health without consent, states that suitable and specific measures could be inserted at that point. However, there is a clear interpretation of public health being, "all elements related to health, namely health status, including morbidity and disability" and so on, but the key point is that "Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies." Section 44 contains provisions relating to the mortgaging of a property, health insurance and health-related interest. Although I recognise public interest in the area of health is not what is being evoked in the section, I nonetheless believe that the spirit of the GDPR is quite clear in its interpretation, in that it does not seem to consider that the processing of personal data without consent - because we are clear that, wherever suitable and specific measures apply, such processing is likely to be without consent - would be appropriate by entities such as insurance or banking companies. Concern is expressed within the GDPR in respect of such processing and I am concerned by such processing within the section. I will be putting forward amendments to the section on Report Stage.
I move amendment No. 22:
In page 30, line 5, after “necessary” to insert “and proportionate”.
This is a simple change to insert "proportionate" after "necessary". It is straightforward. It relates to a belief or a worry that there is an overt degree of power and discretion granted to the Minister in this regard. I think we can just speak on amendment No. 22 at this point, or can I move to amendment No. 23?
I accept that there is some justification for the proposal to insert a reference to proportionality here in section 45 and maybe even some other consequential sections. If Senators agree, I will revisit this on Report Stage, having regard to what Senator Ó Donnghaile has said. There are a number of other sections where the same issue of proportionality arises that I probably need to tidy up too. We will do that.
I move amendment No. 23:
In page 30, between lines 14 and 15, to insert the following:
“(4) (a) Such regulations shall be referred to the Data Protection Commissioner before their enactment, who shall conduct an impact assessment, undertaken by the Data Protection Commission.
(b) The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is—
(i) necessary,
(iii) is in compliance with subsection (4) of this section, and
(iv) is in compliance with the GDPR.
(c) The impact assessment, shall be returned to the Minister within three months of the Minister's referral, and it shall make recommendations as to whether the proposed processing of special categories is in compliance with the criteria laid out in paragraph (b) and shall recommend any changes necessary to the regulation to ensure compliance, or may recommend that the Minister not proceed with the regulation.
(d) In the event that the Minister does not follow the recommendation of the Commission, the Government shall publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.
(e) In the event that the Minister does not follow the recommendation of the Commission, the Government shall cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.”.
Amendment No. 23 would see the Data Protection Commissioner be granted the powers to assess the request to release personal data if it is in the public interest. This potentially pulls the subjectivity of what is deemed to be in the public interest on the part of the Government of the day. These amendments are trying to not necessarily curtail but to almost democratise ministerial discretion. I again alert colleagues about this and I will wait to hear what the Minister has to say but we have deep concerns about this section. We believe this amendment would add greatly to the Bill. I will listen to what the Minister has to say.
There are a number of parts to this amendment. I support the spirit of it. I know there may be issues relating to the question of impact assessment and who the appropriate person to perform an impact assessment is, whether the data controller or the Data Protection Commissioner. The key to this and the spirit in which it was discussed earlier is something the Minister will have seen a strong feeling about across the House, and I hope he will be able to work with us all on it because it will come up in multiple sections. Throughout the Bill, it simply allows Ministers to act following consultation with the commission with no guarantee that the decisions made by the Minister will in any way reflect the advice of the commission or even have due regard to it. There is far too much ministerial discretion. We need to have other safeguards. I think that the safeguards proposed under subsection (e) of the amendment, "In the event that the Minister does not follow the recommendation of the Commission, the Government shall cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission", is stronger than what I had put forward relating to section 32 and is probably better. All parties, with the exception of the Government party, have expressed concern about the formulation throughout the Bill which allows Ministers to seek advice and then act as they wish without giving any explanation when they choose to stray, dissent or override the commission. Given the huge importance of the general data protection regulation, GDPR, as we have heard eloquently expressed by the Minister on Second Stage, surely we need to have some kind of safeguard. 
I urge the Minister to note that this issue is arising in multiple places from multiple sources and to look genuinely to how, every time we have a point of pure ministerial discretion, we at least ensure that there will be some kind of written rationale for the decisions being made.
Amendment No. 23 seeks to insert paragraphs into section 45 and amendment No. 36 seeks to insert the same paragraphs into section 54, which is why we are taking them together. The position here is that the imposition of a statutory duty on the Data Protection Commissioner to conduct an impact assessment on regulations to be made under section 45(2) is in conflict with article 36(4) of the GDPR. That provision states that a member state's data protection authority must be consulted on proposals for any legislative measures to be adopted by a national parliament or a regulatory measure based on such a legislative measure which relates to the processing of data. The GDPR imposes an obligation on controllers and on processors, in certain cases, to carry out data protection impact assessments. There is no such obligation on the data protection authority itself. The imposition of such an obligation not only would have resource implications of some significance but would, in essence, be in conflict with the complete independence of the supervisory authority that is required under Article 52. It will be open to the Data Protection Commissioner to request a controller, whether a Department or any other public authority with a regulation-making power, to carry out such an assessment when it is consulted on the proposed legislative measures. The carrying out of data protection impact assessments will be an obligation on controllers and processors. That is clear under Article 35 of the GDPR. The tasks of the data protection authority specified in Article 57 do not really foresee such a role or obligation. I am not in a position to accept the amendments for those reasons.
Colm Burke, Paddy Burke, Jerry Buttimer, Maria Byrne, Lorraine Clifford Lee, Paudie Coffey, Paul Coghlan, Martin Conway, Mark Daly, Paul Daly, Frank Feighan, Maura Hopkins, Gabrielle McFadden, Michelle Mulherin, Catherine Noone, Kieran O'Donnell, James Reilly, Neale Richmond.
I move amendment No. 27:
In page 34, to delete lines 1 to 7 and substitute the following:
"(b) the effect of that decision is to grant a request of the data subject."
The GDPR is clear that persons should not be subjected to automated decision-making, and decisions that will have a significant impact on the lives of an individual or a data subject should not be made automatically. This relates again to Article 22.1, which states, "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her". However, the Government exempts itself from that under the section, which states that those protections will not apply where "the decision is authorised or required by or under an enactment" and either "the effect of that decision is to grant a request of the data subject" or "in all other cases ... adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject...". The concern is that the Government is giving itself permission to have an automated decision made in respect of an individual, which directly contravenes the spirit of Article 22. I recognise that there may be circumstances in which it might be expeditious when a large volume of requests are being put through that they are processed in a positive way. However, I am concerned that section 51(b)(i) provides that an automated decision could be made which would deny a request made by the data subject. Somebody may, for example, be subjected to an automatic refusal in respect of a social protection payment, with the decision not made with due consideration by an official but by an algorithm. It would be deeply contrary to the spirit of the GDPR, which specifically seeks to safeguard against the impact of automated decision-making.
I acknowledge section 51(b)(ii) states, "in all other cases (where subparagraph (i) is not applicable), adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable him or her to make representations to the controller in relation to the decision.". This means that the data subject can be automatically refused on the basis of his or her data being processed automatically by an algorithm or other programme but he or she can then make an appeal. In many cases, the gap between the refusal and the taking of the appeal could have negative consequences for an individual. This does not exclusively relate to social protection schemes but the Minister will excuse my mind going there because this concern has been raised in other jurisdictions and I am a member of the Joint Committee on Employment Affairs and Social Protection. If persons were automatically refused disability or child benefit or, for example, refused a driver's licence, the impact would be significant and immediate. Simply knowing that they can make representations and have a period to appeal is not adequate.
The amendment provides that there can be an automatic decision where that decision grants a request when, for example, 1,000 people have been asked to apply and it would not have a detrimental effect but automatic decision-making should not have a detrimental effect on people. We should be true to the spirit of Article 22.
My concern is the unintended consequences of the deletion of section 51(b)(ii), which is the import of the amendment. An example of a consequence that I am sure is unintended is it would facilitate wrongdoing and fraud. Section 51 gives further effect to Article 22 of the GDPR, which deals with automated processing of personal data, including profiling. Paragraphs 2(a) and (c) have direct effects. Section 51 ensures an appropriate level of safeguards by requiring that any automated processing must be authorised or required by or under an enactment and, furthermore, that the effect of any decision is to either grant a request of the data subject or that adequate steps have been taken to safeguard the interests of the data subject. The section makes clear that these steps must include an arrangement whereby the data subject has the opportunity to make representations in respect of an intended decision. This means, in the first place, that a data subject has to be informed of any proposal to make such a decision and, second, have the opportunity to bring concerns to the attention of the data controller. It is important that these safeguards are compliant with the requirements of Article 22. If I accepted the amendment, there would be unintended consequences that could give rise to difficulty in practice.
I am still concerned because the areas in which automatic decision-making will be used have not been listed. We do not know how many areas may adopt this. With regard to wrongdoing and fraud, I hope we have better safeguards than automatic decision-making and algorithmic methods. Wrongdoing and fraud will continue to be crimes and the processing of data in respect of them is provided for elsewhere in the legislation.
The Minister indicated that a person would be informed of the intention to make a decision in respect of him or her by an automatic method. Is it the case that persons would be informed of the possibility of an automated decision being made prior to the decision being made? If persons were to request a non-automated decision and that the decision be made by an official, would they have that power? Prior to any decision having been made, there would have been the opportunity for representations and engagement. I believe it is important that there would be advance notice of that decision being made.
Let me indicate that I foresee this issue arising again. Members of the Oireachtas know the difficulties that many citizens, particularly vulnerable citizens, in the State will have in navigating bureaucracy.
I accept that the way I framed amendment No. 27 may not be acceptable to the Minister, but I put it to him that I believe he will see a re-emergence of this concern in respect of automated decision making. If the Minister cannot exclude all circumstances of automated decision making, automated decision making in respect of vulnerable persons or where there is an immediate and serious consequence may need to be dealt with differently.
I will not press my amendment. I am willing to work on refining it. If the Minister spoke of unintended consequences, I think there are very severe unintended consequences to automated decision making becoming the norm. I believe all Departments will see hundreds and hundreds of cases where people are distressed and concerned about an automatic decision that was made on them. It will put undue pressure on all our systems and on the controller in any given Department. Perhaps we can find ways to resolve it.
I will withdraw the amendment but I reserve the right to return to the issue.
Section 52 touches on some of the issues we already discussed when dealing with section 42. I wish to indicate that I may table amendments to ensure we have clarity on what kinds of direct marketing and on the uses of the electoral register. I am not necessarily seeking to preclude such use but to make sure we have clarity on the issue.
Amendments Nos. 29 to 34, inclusive, are related. Amendment No. 31 is a physical alternative to amendment No. 30. Amendment No. 33 is a physical alternative to amendment No. 32 and amendments Nos. 29 to 34, inclusive, may be discussed together by agreement.
I move amendment No. 29:
In page 34, to delete lines 28 to 30, and substitute the following: “12 to 22 are restricted to the extent specified in subsection (3).”.
I will speak to all the amendments together. Basically section 54 relates to the restriction of the exercise of the data subject rights. Data subject rights are the core reason we have the General Data Protection Regulation, GDPR. The function of GDPR to a large extent is to ensure appropriate protection of data sets. These are the circumstances under which it might be restricted. Again we see the situation whereby the scope of the Government to restrict a data subject's rights is very widely interpreted in the section.
Section 54 (2) states:
Subsection (1) is without prejudice to any enactment or rule of law which, on the coming into operation of this section, restricts the rights and obligations referred to in that subsection.
Section 54 (5) also gives wide-ranging powers to any Minister. We have the same concerns on the levels of ministerial discretion, which have been and will be raised again and again throughout the section.
Amendment No. 30 seeks to delete section 54 (3)(a) and (3)(a) (i) to (iv), inclusive, because I believe they are very wide. The term "data subject" refers to individuals not just citizens but any individuals resident in the State, effectively the people in Ireland and their data rights.
This Bill is fundamentally about enshrining and supporting the data subject rights of people. Under section 54(3) all of their data rights may be restricted where it is viewed to be necessary to safeguard the courts, Cabinet confidentiality, to deal with prosecutions, for the administration of taxes, but also for the purposes of estimating the amount of the liability of a controller on foot of claim.
Section 54(3)(b) states: "the personal data relating to the data subject consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information, or." The scope of the section is wide. I understand some of the provisions, and some of them stand up, but I would like to see them teased out so that is the reason I have tabled amendments.
The crucial amendment is amendment No. 32, in which I propose to delete lines 1 to 42, and in page 37, to delete lines 1 to 12.
Section 54(7) sets out the objectives of general public interest. Earlier in the Bill, the question of public interest was discussed as a basis on which decisions may be made. Later in section 54(7) examples of public interest are set out. I have a real concern that the examples of public interest might apply here in terms of the limitation of data subject rights but they may also be used or interpreted in relation to earlier points in the Bill, where public interest was invoked. I have a number of areas of concern in regard to subsection (7), however, I want to highlight section 54(7) matters of public interest include, in particular "(h) matters relating to international protection and immigration". Will an individual's data rights be constrained or overridden when it relates to immigration? What are the circumstances in which this will apply? I think there is a danger of inequity of treatment, and prejudice. I have a real concern, that any person, be they a citizen, an immigrant, or an EU citizen and sharing the rights of the GDPR as well should be subject to data protection in the same way as any other person. I feel there is a lack of clarity in paragraph (h) which refers to "safeguarding the economic or financial interests of the European Union or the State, including on monetary, budgetary and taxation matters" and it would be a very serious concern if immigration became in any way a basis for the restriction of a data subject's rights.
That would be fine in respect of taxation matters, but what is not clear to me is what would happen in a case where an individual's exercise of his or her rights were to have a cost to the State, for example if an individual is asking to be informed of any breaches of his or her personal data. An individual's right to have the appropriate treatment of his or her data should not be removed simply because by exercising that right, the individual may have put a cost on the State. Section 54(7)(i) would allow a Department to say that, if it allowed an individual to exercise his or her rights, it may have to increase his or her payment or to offer compensation and might leave itself open to a suit in the European Court of Justice or elsewhere under the GDPR. There is a real concern that we could see access to justice and rights in the area of data protection being precluded simply because giving such access might cost money. I know the Minister will say there are other points to consider such as the necessity test but I feel this section is wide-reaching. Perhaps the Minister could fully assure me in this regard, but that is my concern in respect of section 54(7).
I will not go through each amendment in detail because I will not be pressing any of them. I just wanted to highlight two examples in what is a very long list of circumstances in which the public interest is to be interpreted very widely to the detriment of individual rights.
I will say very briefly that I am prepared to withdraw amendments Nos. 30 and 31 and to reserve the right to table them again on Report Stage. The Minister had indicated that he would be open to looking at amendment No. 31 which proposes to insert “and proportionate” after "necessary" in section 54(3)(a).
I appreciate that. I did indicate already that I would revisit it, and I will. These amendments to section 54 give effect to Article 23 of the GDPR. I accept that there has been some public commentary about this section which, in many respects, has involved some misunderstanding as to the likely impact it will have. The overall purpose of this section is to offer protection to the public. These objectives are very much in the public interest. I do not see any circumstances in which it could be described as restricting the data protection rights of citizens. I would not like that interpretation to endure because the overall purpose of the section is to provide protection to the public and individuals. I will give some examples of what is intended in this section.
If we take, for example, the Medical Council or the Property Services Regulatory Authority, both embark on investigations from time to time in respect of doctors or estate agents on foot of complaints from clients or patients who allege that a serious breach or lapse has occurred or, in many cases, that a person is unfit to practice. If the data protection rights of the doctor, estate agent or auctioneer concerned are not restricted on a temporary basis while the complaint is being investigated, it would be open to that person to apply to have the data rectified, restricted or even erased completely. Of course any of these actions would have the consequence of ensuring the investigation would not be satisfactorily concluded or even take place, which would be against the interests of the person making the complaint and may well be against the public interest in the matter of the investigation of a complaint.
I would like to make it clear that regulations made under this section will permit the regulatory body concerned and other similar regulatory bodies to carry out their statutory obligations to conduct inquiries or investigate complaints in the knowledge that the individuals being investigated will not be permitted to exercise data subject rights in a manner that could derail or jeopardise such activities. Those being investigated and who are the subject matter of a complaint will not be permitted to exercise these rights to rectification or erasure while investigations are ongoing.
In a similar manner, section 54(7) will permit investigations of, for example, an alleged harassment or sexual harassment incident in the workplace and will not permit the alleged perpetrator of such an act to obstruct or frustrate the investigation that will take place by seeking to exercise rights of access, constriction, rectification or erasure of personal data. That is important. Article 23 of the GDPR allows limited restrictions on data subject rights for such purposes, and this section gives effect to that article by allowing such restrictions in order to safeguard important objectives of general public interest. It will introduce higher levels of data protection safeguards which will be superior to or will bolster restrictions already in place under section 5 of the Data Protection Act 1988, which will be well known to Senators.
I want to stress that the restrictions permitted by Article 23 of the GDPR are far more limited than those permitted under current law. In future, restrictions will be subject to the following conditions: they must be set out in a legislative measure, that is either in primary legislation or in regulations; they must respect the essence of the individual’s rights, which of course involves respect for individual freedoms; and they should be necessary and proportionate in a democratic society. These three important conditions are met in the text of section 54.
Sections 54(1) and 54(2) give effect to the introductory text of Article 23(1). Section 54(3) restricts the exercise of data subject rights and corresponding controller obligations in respect of the important objectives of general public interest outlined in sections 54(3)(a) to 54(3)(c). These include, for example, the matter of Cabinet confidentiality, the independence of the Judiciary, and the matter of parliamentary privilege, which would be well known to us here in the Houses of the Oireachtas. In the case of parliamentary privilege, the right of a data subject named during debates in this House to have his or her personal data erased from the record of proceedings is restricted in section 54(3). The manner in which data subject rights could be exercised in respect of parliamentary proceedings was raised with my Department by the Houses of the Oireachtas Commission during preparation of the Bill. This provision has been included in order to address the matters that were raised on that occasion.
I will give a brief example of an issue relating to section 54(3)(b), which carries over section 4(4A) of the 1988 Act, which is important in the context of protected disclosures and other activity that might be described as whistleblowing. This provision will protect those who wish to provide information about wrongdoing in confidence and in the knowledge that the origin of the disclosure will not be made known to the individual about whom they are providing the confidential information. Like the previous examples I have given, this section is included because it is in the public interest that the provision of such information be protected and that this new data protection regime does not in any way become an obstacle to such activity. Subsection (6) creates a regulation-making power whereby such restrictions on the exercise of data subject rights and corresponding obligations on the controller may also apply in the case of processing for other important objectives of general public interest, including those set out in subsection (7).
I want to turn now to the specific amendments. For the reasons I have outlined, I cannot accept amendments Nos. 29, 30, 32 and 34, which seek to delete important subsections, namely, subsections (3), (4), (6), (7) and (8) from the Bill. I am, however, willing to revisit amendment No. 33 on Report Stage. It currently refers to "matters relating to international protection and immigration". I take on board the concerns expressed by Senator Higgins and I accept that the wording can be improved. It is intended to deal, for example, with cases involving fraudulent applications or cases where applications for protection would be based on illegality or misrepresentation. We will come back to that. I commit to perhaps improving the wording to accord with the point raised by Senator Higgins.
Senator Ó Donnghaile stated that he will not press amendment No. 31. I am willing to revisit this issue to ensure that we do not have unintended adverse consequences.
I thank the Minister for the fact that he has indicated that he is willing to work with Senator Ó Donnghaile and me on some of the sections in this area. I note that while the Minister has rightly pointed out that there are circumstances in which these measures may protect, nonetheless the very titling of this section is a restriction on exercise of data subject's rights, so it is a section of restrictions. There are appropriate points. It is possibly a problem we have throughout the Bill in that very good and appropriate cases are sometimes placed alongside what I would believe are possibly less appropriate uses. Nonetheless, I acknowledge that the Minister has indicated he may work with me in respect of section 54(7)(h). I am still concerned about section 54(7)(i). The Minister did not get a chance to address that in his response. I am concerned about the danger that a cost to the State may be invoked in respect of a person exercising their rights. Does the Minister have any comment on this before we move to vote?
I move amendment No. 35:
In page 37, line 25, to delete "the essence of".
I initially tabled these amendments because I was concerned that the phrase "the essence of" of data protection as opposed to data protection could be perceived as saying that regulations should respect the essence of the right to data protection. It seemed to be cleaner that they would respect the right to data protection. Nonetheless, having revisited the GDPR, I realise that "the essence of" is a phrase within the GDPR so I will not press these amendments. However, I note with a bit of concern that the language in the GDPR around "the essence of" is a bit stronger. The Bill talks about the essence of the right to data protection and protection in the interests of the data subject. The language in the GDPR talks about respecting the essence of the right to data protection and providing for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, so the language in the GDPR might be a bit stronger. That said, I will not press these amendments. I realise that it is a phrase that is used in the GDPR. I think, for the record, that it might be really useful if the Minister could clarify his interpretation of "the essence of" rights by possibly speaking briefly to that.
Senator Higgins has answered her own question. The words "the essence of" are included in the corresponding provisions of the GDPR so excluding the words in these sections would create an unacceptable divergence between the GDPR and the provisions in Part 5 in terms of the transposition of the directive. These words are used to convey the idea that the essential, appropriate, necessary and indispensable aspects of the right to data protection must be respected in all cases. As a consequence of saying that, I believe the words "the essence of" are appropriate. I accept what Senator Higgins has said, which is that any divergence would be problematic. I believe it is important that we ensure that we do not have the type of divergence that might otherwise be the case.
I move amendment No. 36:
In page 37, between lines 28 and 29, to insert the following: "(11) (a) Any regulations under this section shall be referred to the Data Protection Commissioner before their enactment, who shall conduct an impact assessment, undertaken by the Data Protection Commission.
(b) The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is—
(i) necessary,
(iii) is in compliance with subsection (4) of this section, and
(iv) is in compliance with the GDPR.
(c) The impact assessment, shall be returned to the Minister within three months of the Minister's referral, and it shall make recommendations as to whether the proposed processing of special categories is in compliance with the criteria laid out in paragraph (b) and shall recommend any changes necessary to the regulation to ensure compliance, or may recommend that the minister not proceed with the regulation.
(d) In the event that the Minister does not follow the recommendation of the Commission, the Government shall publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.
(e) In the event that the Minister does not follow the recommendation of the Commission, the Government shall cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.".
The Minister will be glad to hear that I am speaking on it to indicate that I will withdraw it while reserving the right to bring it forward at a later stage. I have a number of other amendments I will come back to.
These are drafting amendments that speak for themselves. They are being proffered to ensure consistency with the corresponding provisions in Part 3. There are no real changes to the substance of the legislation and I am unsure of the extent to which the amendments require debate.
I will not delay matters. Most of the amendments are fine and I will not even oppose amendment No. 45 but I note that it relates to section 85 (4) which provides for an exception to where a data subject has a right to information from a controller. It states that the right to information does not apply where the information is already in the possession of the data subject or where "in the case of processing for the purposes of archiving in the public interest, scientific or historical research, or for statistical use, the provision of the information proves impossible or would involve a disproportionate effort". I am just indicating that on Report Stage I may come back to some of the consequences of amendment No. 45 in respect of section 85 and its subsections.
The amendment relates to the processing systems, as do many of sections 71 to 79, inclusive. I note that, as was indicated earlier in the debate, there may be scope for the introduction of additional standards that are complementary but not contrary to the GDPR in regard to such sections. In respect of these sections where specific measures are set out, I intend to look to how we may be able to add complementary measures that might make them more effective, such as the introduction of timelines in regard to some of the measures or time limits for some of the actions outlined. It is a wide point but as the section was opened for discussion by the Government amendment this is a useful opportunity to make that point.
I move amendment No. 43:
In page 63, between lines 34 and 35, to insert the following: “(9) Should a data subject request information in relation to a personal data breach which affects them they have the right to be provided with all the pertinent information in respect of that breach and nothing in subsection (2), (4) or (6) shall place a restriction on their access to that information.”.
Section 81 is an area of very serious concern which I will fully pursue. The report of the data commissioner highlighted the very large number of breaches of personal data that have taken place in the State. For example, in regard to the HSE, personal files have been left in public places or found in the street. Those are examples of accidental and inadvertent but nonetheless very serious data breaches. Crucially, there have also been cases of criminal and inappropriate data breaches such as the case in Donegal involving an official in the Department of Employment Affairs and Social Protection who sold the personal data of individuals to insurance companies for less than €30 each. Prosecutions in such cases will, of course, follow in the normal course but this section relates to a person's right to know when their personal data has been compromised and breached. It deals with a person's right to know if his or her data has been hacked, his or her files have been left in a bag in a public place or his or her data has been sold. These are very serious concerns in terms of the right of the subject to know of such breaches. The subsection does not deal with the point of redress but, rather, the right of a person to know if there has been a breach of his or her data that should not have happened and is not allowed for under the Act or the many wide exemptions that are given.
However, section 81 introduces a number of circumstances under which a person might not be informed about a breach of his or her personal data. Subsection (2) provides that a person does not have to be told about a breach of his or her personal data where the controller has implemented appropriate technological and organisational protection measures and the measures, such as encryption, render the personal data difficult to understand or unintelligible to any person, or "the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise". I am very worried by section (2)(b) because it removes the right to notification if the controller does not think anything bad will happen or a risk is unlikely to materialise because of the breach. Is it a three second rule or what are the rules in that regard? The phrasing of the subsection is very wide.
Subsection (4) is of particular concern. It provides that a controller does not have to tell an individual about a breach of his or her data where to do so would involve a disproportionate effort. The question of what constitutes a disproportionate effort arises in that context.
Subsection (6) introduces a measure governing a situation where a controller notifies the commission of a data breach but has not notified the data subject to whom the personal data relate under subsection (1) or (4), as the case may be, of the personal data breach. It is a safeguard whereby the controller can tell the commission of the breach and the commission may choose to notify the data subject.
Subsection (7) is entirely reasonable and provides that a controller may restrict the exercise of the right of a data subject to be notified of a personal data breach where to do so constitutes a necessary and proportionate measure in a democratic society. It sets a high bar.
Although I have concerns about all of these subsections, my amendment is extremely mild. It is milder than my concerns. I do not currently seek to remove those provisions, although I may do so on Report Stage. The amendment still allows for a controller to be permitted not to inform somebody of a data breach under these dangerously wide circumstances but I am trying to put in a very basic safeguard such that if a person inquires as to whether his or her data has been breached, the issues of whether the commission has been notified under subsection (6), the information was presented in an easily intelligible manner if a high level of effort was made to communicate it should not restrict the person's right to know whether his or her data has been breached. I will come back to our example in Donegal, or the example of the case files left in the street. I am not proposing that there should be a proactive requirement to inform an individual. I am saying that if an individual asks a data controller whether his or her information was hacked, sold or contained in a file that was left in a public place, the minimum that the data controller should have to do is answer the individual's query. This is a mild amendment to a section about which I have much wider concerns, to be honest. I hope the Minister will accept this mild amendment to provide for a stop-gap which will ensure an individual can get an honest answer from a data controller in respect of his or her own data.
Part 5 of this Bill, which deals with criminal justice bodies, does not relate to the HSE or the Department of Employment Affairs and Social Protection. It is concerned with a breach on the part of a criminal justice body, such as the Office of the Director of Public Prosecutions or the Irish Prison Service. This section of the Bill places a clear obligation on the data controller to inform a data subject if there is a high risk to the data subject's rights and freedoms arising from a breach. It clearly specifies that the data subject must be informed of the nature and likely consequences of the breach and must be given a description of the measures being taken or proposed to be taken to mitigate any adverse effects. I am not sure the insertion of the amendment proposed by Senator Higgins would have the effect she appears to wish for. Therefore, I am unable to accept the amendment. All the issues we are dealing with under section 81 of the Bill pertain to criminal justice.
I welcome the Minister's clarification of the scope of the potential application of this section. I continue to have concerns about the right of an individual to know that there has been a breach. A data breach is not normal processing - a data breach is a breach that is outside normal or appropriate processing; for example, where there has been improper or inappropriate sharing of a person's data. Some of the high-profile cases, tribunals of inquiry and debates we have had here in Ireland in recent years have pertained to areas of criminal justice. Questions of inappropriate breaches have arisen in the areas of criminal justice, criminal investigation and policing. There is still a question around the right of an individual to know when his or her information rights were inappropriately breached. In the normal course of prosecution, it is absolutely fine for data to be shared. Perhaps it is something we can revisit. I am certainly happy with the Minister's clarification that the concern is narrower than I might have hoped, but I still have concerns. Nonetheless, I will not press the amendment at this point. I hope to engage on it further.
I take the Senator's point and appreciate her decision not to press this amendment at this stage. If a data breach involves a high risk for the subject, of course that person must be provided with all the appropriate and relevant information. He or she may even come back and request further information if that is deemed appropriate. If the breach involves little or no risk and is a matter of no consequence, there are circumstances in which a person might not become aware that a breach has taken place at all.
I ask the Minister to note that the question of encrypted data also arises in this context. A great deal of data in the area of criminal justice and policing is necessarily encrypted. It would be unfortunate if that served to deny an individual who is affected by a data breach the right to information relating to such a breach.
I move amendment No. 44:
In page 65, between lines 3 and 4, to insert the following: "Protection of data protection officers
83. (1) The Data Protection Commission, shall provide a protection, whereby data protection officers may seek the assistance of the Data Protection Commissioner, due to the fact that the data protection office is not in a position to carry out their role fully, due to inappropriate interference from the data controller, or duress, harassment or victimisation.
(2) Where the Commission receives a complaint under subsection (1), it shall, in addition, make a decision—
(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and
(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.
(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.".
The need to protect data protection officers is at the heart of this straightforward and self-explanatory amendment. I would be keen to hear the Minister's reflections on it before deciding on my next steps.
I have some sympathy with the issue at hand. I acknowledge the reasons advanced in support of the far-reaching new section that is being proposed. The position I am adopting in respect of it is the same as the position I adopted earlier when I dealt with a proposal that was first mooted at the Joint Committee on Justice and Equality. I am not going to accept it now because I believe we need an opportunity for further consideration of its provisions. I will revisit this amendment, which seeks to deal with the risk that a data protection officer may encounter a lack of co-operation, on Report Stage. I may even have an opportunity to come back to him in advance of Report Stage. In exploring whether an effective remedy is already available to data protection officers, I will look in particular at the Protected Disclosures Act 2014. Senators will be aware that a disclosure of relevant information is protected under that Act if, in the reasonable belief of a worker, it tends to show a relevant wrongdoing and it came to his or her attention in connection with the worker's employment. Section 5(3) of the 2014 Act defines "relevant wrongdoing" as including circumstances in which "a person has failed, is failing or is likely to fail to comply with a legal obligation". I think this would include the obligations of a data controller under the general data protection regulation and this legislation, including the controller's obligations towards the data protection officer.
Section 6 of the 2014 Act provides for the making of a protected disclosure to a worker's employer. Section 7 of that Act provides for disclosure to an external person who has been prescribed in an order made by the Minister for Public Expenditure and Reform. We will come back to this. I draw the further attention of Senators to Statutory Instrument No. 339 of 2014, in which the Minister prescribed a range of persons whom, by reason of the nature of their statutory responsibilities or functions, appear appropriate as recipients of protected disclosures. This order prescribes the Data Protection Commissioner as a recipient of disclosures in respect of all matters concerning compliance with data protection law. Subject to verification, I am of the view that this may provide an effective remedy when a data protection officer is concerned that he or she is experiencing difficulty in the performance of his or her functions. A further advantage would be that any data protection officer making such a protected disclosure would be in a position to draw on the extensive protections provided under Part 3 of the 2014 Act. When we come back to this matter, I will have a further opportunity to give the Senator appropriate assurances that this matter has been adequately dealt with and to see whether I can accommodate the proposal she has made. I ask the Senator to give me a further opportunity to get back to her with appropriate assurances that the matter has already been adequately dealt with or that we will see if we can accommodate the proposal made by the Senator.
It is important to say, a Leas-Chathaoirleach, at this juncture that I am always far-reaching so I will always stretch my neck out. Based on what the Minister has said and earlier considerations, I do not want to divide the House on issues. I fundamentally believe in the sentiment and practicalities sought by my amendment. The Minister has given me a number of assurances that he will try to offer a compromise as we move forward. I accept his assurances and shall give him some space. I withdraw my amendment but reserve the right to bring it back on Report Stage.
Section 87 refers to the right to erasure and the restriction of processing or the right to forget. I know the matter was discussed extensively early on. I wish to advise that I wish to table amendments on this area. I am very keen to work with the Government and discuss ways to improve the delivery of the right to be forgotten in respect of children and other citizens. There may be scope for complementary measures. I shall come back to this matter on Report Stage.
I move amendment No. 51:
In page 74, line 30, after “Commission” to insert “and subject to Cabinet approval”.
My amendment refers to another restriction. Section 89 refers to the restrictions on the exercise of data subject rights. This is another section that restricts the right of an individual in terms of data protection. My amendment expresses my concern, which has been flagged very heavily, about simply allowing ministerial discretion after taking advice from Cabinet. I tabled these amendments quite early. My proposals for section 32 might be more appropriate here. I wish to note the proposal put forward by Sinn Féin in respect of the following idea. If a Minister is going to decide to restrict an individual's or a data subject's rights, or produce regulations that allow for such restrictions, it should not be enough to simply take advice from the commission. Instead, if a Minister chooses not to follow advice then he or she should explain the rationale for his or her decision.
My amendment No. 51 seeks to insert the phrase "subject to Cabinet approval," which is in the spirit of collective responsibility. I tabled my amendment to prevent a situation where an individual Minister may, for example, choose to introduce regulations that restrict data subject rights without the full knowledge of all of the Government, given that the consequences of a breach of the general data protection regulation, GDPR, will certainly fall on all of the Government and, indeed, the State as a whole.
I will not press my amendment. I wish to highlight the fact that the restriction has been approached from three or four different angles in this Bill. Until we deal with the inappropriately high level of pure ministerial discretion in this Bill then the matter will arise in multiple forms. Finally, I reserve the right to come back to this matter on Report Stage.
This amendment provides clarity in relation to the function of the data protection commission under section 90. It clarifies what is already implicit in section 90(3), which is where the commission informs a data subject that it has carried out all necessary verifications or reviews in response to his or her request. It is not obliged to inform the data subject concerned whether his or her personal data have been, or are being, processed.
A particular risk arising under this section, for example, is that an individual who suspects that the Director of Public Prosecutions may be considering the possibility of prosecuting him or her, possibly for an offence committed many years earlier, may seek to exercise his or her right of access, indirectly, through the data protection commission. While the commission will be obliged under this section to verify or review the lawfulness of processing, this amendment will ensure that legal action cannot be taken against the commission to force it to reveal the outcome of its verification or review. Let us remember that we are dealing with criminal justice issues.
I understand the scenarios that the Minister has described in terms of an area of criminal prosecution and others. Nonetheless, it seems the provision is a somewhat wider exclusion of a person's right, given the circumstances. It may be possible to put forward a different version of this amendment that specifically relates to areas such as criminal prosecution and not have as wide an impact. I wonder about the choice to opt for a wider framing rather than explicitly limiting it to questions of investigation. I know that the prosecutions would not just be criminal ones and it is not just the DPP. I recognise, from the earlier debate, that people may want to find out whether they are being investigated for ethical wrongdoing and so forth. Why has the amendment been given a wide frame rather than a more specific one?
Sections 91 and 95 are related and both refer to the transfer of data to recipients in third countries. I wish to note that this area will suffer serious consequences from Brexit. I firmly believe that this matter has not been adequately or appropriately dealt with, not by ourselves, but in respect of Brexit negotiations. I wish to signal that the UK must take action on this area. I may table amendments for section 95 only because it allows for a derogation from section 91.
I move amendment No. 55:
In page 77, line 9, to delete “or” and substitute “and”.
This refers to where personal data is being transferred to a third country. This again will relate to some of the issues around Brexit and so on. I refer to personal data being transferred to a third country and to section 91(1). I have a question around that and section 95. I refer to a country in respect of which a decision has not been made in the context of the European Commission - for example, where the EU does not have a relationship in respect of data processing with that third country.
There is a bar here, namely, section 91(1)(a) and (b). Data can be transferred to a country with which the European Commission does not have an agreement and where there is a legally binding instrument that applies to the transfer with appropriate safeguards or the controller transferring the personal data, or on whose behalf the personal data are being prepared, has assessed all the circumstances relating to the transfer and is satisfied that appropriate safeguards exist with regard to the personal data.
My amendment is a strengthening of this. I suggest we should satisfy both criteria and change the word "or" at the end of section 91(1)(a) to the word "and", partly because I am concerned that section 91(1)(b) on its own, which can stand even in the absence of any legal instrument, might be a little weak. It may leave large discretionary decision-making to a data controller who is transferring data. I refer to him or her having assessed the circumstances and being satisfied safeguards exist. I am concerned about that and seek to strengthen it by attaching it to section 91(1)(a). Perhaps the Minister can indicate if there is a reason not to do that.
Section 91(1)(a) and (b) are alternatives and if there is a legally-binding instrument in place that ensures the appropriate safeguards, that of course is sufficient. If there is not, then section 91(1)(b) will apply and the controller will be required to make details of the transfer available to the Data Protection Commission. I cannot accept amendment No. 55 nor am I in a position to accept amendment No. 56 which proposes to insert the words "or any subject affected by the transfer" into subsection (3).
This section is intended to cover a situation in which personal data may be transferred to the police, prosecution service or, indeed, judiciary of a third country in connection with what, in effect, will be an ongoing investigation into serious international crimes. An obligation to inform the individual concerned could have the effect of seriously calling into question the effective investigation, detection or prosecution of such an offence. That would have a consequence which is clearly not intended by the proposer of the amendment. For that reason, I am not in a position to accept it.
I move amendment No. 60:
In page 84, lines 27 to 30, to delete all words from and including “shall” in line 27 down to and including line 30 and substitute the following:
"shall investigate the complaint, having regard to the nature and circumstances of the complaint, unless the Commission considers the complaint to be frivolous or vexatious.”.
This is an overriding concern which cuts across the Bill. As a whole, the Bill provides a number of exemptions for public authorities and, as I mentioned at the very beginning of our discussions, it is not robust enough in ensuring effective mechanisms for the realisation of rights with data. We have a situation in the Bill where for the individual who wishes to call on, or invoke, his or her rights to data protection, that individual's rights to insist on data protection are voidable in many circumstances in relation to public authorities and very difficult to enforce in relation to private companies. To a large extent, the only course of action for an individual who wishes to pursue his or her rights and justice in terms of data protection in respect of the data controller is to go to the data commission. However, the data commission is empowered to not take on an individual's concern. Any individual can pursue a case to the European Court of Justice but that is a very high bar. It is not something available to most people.
In many cases, people will want to seek justice or redress at the earliest point. They may not be interested, for example, in pursuing cases through the courts for compensation. In many cases, individuals may simply want an appropriate action to be taken, perhaps, for example, to have their data removed if it has been inappropriately held or their data not to continue to be shared, if they believe it has been inappropriately shared.
For people who find their data rights contravened, or for people who believe they have been contravened, after going to the local data controller, the main course of redress they have is to go to the Data Protection Commission. However, in this section, the Data Protection Commission is given the right to refuse to investigate a complaint. I am aware that under this Bill the Data Protection Commission will have a huge volume of work placed on it. That is clear in all the sections of the Bill. However, I am concerned that the commission may choose to deny an individual an investigation of his or her complaint.
My amendment reads that the commission shall investigate the complaint, having regard to the nature and circumstances of the complaint, unless the commission considers the complaint to be frivolous or vexatious. This is to introduce a higher bar for any case where the data commission may choose not to investigate a case. We all know there may be cases which would be frivolous or vexatious. However, those should be the bars rather than a danger that it may be refused.
The other point is that section 104 states that the commission shall examine the complaint and shall, in accordance with this section, take such action in respect of it as the commission, having regard to the nature and circumstances of the complaint, considers appropriate. Amendment No. 61 seeks to insert the following words: "with the consent of the parties concerned" after the word "Commission". That is in respect of consent around further action. I understand there may be situations whereby a criminal justice issue arises, so I am not going to press that amendment because I realise it is imperfectly worded. However, the spirit of that amendment is to try to say there should still be a level of consent of the parties involved. I previously spoke about the amendment of the Bill on page 85, line 6, saying the rejection of the complaint would only arise where the commission considered it to be frivolous or vexatious. Amendment No. 63 reads: "In page 85, line 7, to delete “dismissal of the complaint” and substitute “dismiss the complaint if the Commission is of the opinion that an infringement of a relevant enactment has not taken place”". It is not clear if dismissal will be a matter of judicial interpretation. Will it be dismissal on a specific basis or simply a dismissal?
Amendment No. 66 reads: “(iii) rectify or erase personal data or restrict processing pursuant to Article 16, 17 or 18, and, in respect of that action, to comply with Article 19 and, where applicable, Article 17(2)”.
The last point is probably one of the more important as we know it can cause distress. It refers to where an action has been taken. When the commission has made a decision, it should give the complainant a notice in writing informing him or her of the action taken and also the rationale for said action. For example, if it believes the complaint has no basis, that there has been no transgression or that it is vexatious, the reason the action is being dismissed should be given. It is part of a wider concern I have.
I will not press any further amendment since I know that we are coming close to the end, but how does the Minister see individuals being able to effectively take action when their data rights have been breached? They will, of course, complain to the data controller, but will it be done through the data protection commission? If the commission refuses, what recourse will there be? On Report Stage I may seek to bring forward certain mechanisms to, where there is a large volume of individual complaints, trigger an automatic investigation. There may be a large number of individuals who feel powerless to complain on a subject. Perhaps where a large volume of individual complaints have built up, it might trigger an automatic mechanism.
There are seven amendments being discussed, five of which are in the name of Senator Alice-Mary Higgins, while two are Government amendments. Amendments Nos. 60 and 62 speak to the possibility that the commission might not investigate or dismiss complaints on the grounds that they were vexatious or frivolous. That would not be acceptable. Subsection (1) which complies with the GDPR outlines the approach the commission must take in dealing with complaints. Likewise, subsection (5) outlines alternative courses of action that may be taken by the commission in handling such complaints. I do not think it is appropriate to depart from these avenues. Therefore, I will not accept amendments Nos. 60 and 62.
Amendments Nos. 64 and 66 are merely drafting amendments which do not involve any great change of substance. I have listened to the points raised by Senator Higgins on amendment No. 61.
I will not accept amendment No. 65 because I do not think including the words proposed and the rationale for said action is needed because all administrative bodies, including the data protection commission, will be required on a general basis to give reasons for their decisions. Without knowing the reasons, it would be very difficult or virtually impossible to appeal a decision. There is an expectation that reasons will be given. Therefore, I do not see the necessity for amendment No. 65.
Similarly, on amendment No. 61, I do not think the proposed insertion of the extra words - "with the consent of the parties concerned"-----
-----is necessary because in any reference to a resolution that might be reached on amicable terms express consent would be necessary. One cannot have a resolution on an amicable basis without there being consent. Subsection (4) makes it clear that where the commission considers an amicable resolution cannot be reached, it will then proceed to handle the complaint under subsection (5) or section 108 in the case of a complaint that might be cross-Border in nature.
With regard to amendment No. 63, it will be a matter for the commission to determine the grounds for the dismissal of a complaint, but it will only be done on the basis of full knowledge that any such legally binding decision may be appealed to a court under section 145.
I know that the Senator is not pressing the amendments, but it is important that I give her the reasons I cannot accept them.
I have a question about amendment No. 62. It is the real underlying concern. Does the Minister expect the data protection commission to decline to deal with individual complaints owing to, for example, the volume of work involved? Will he assure us that that will not arise or that he does not see that happening? On amendment No. 52-----
Section 124 is part of Chapter 4 on inspection, audit and enforcement. I am signalling that as part of the discussion we had on, for example, the automatic triggering of investigations and others, amendments may be tabled to this section on Report Stage.
On section 131 and the power of either triggering reports or audits, I am indicating that those are areas on which I may look to make suggestions, if they be compatible with the general data protection regulation, GDPR, on Report Stage.
I move amendment No. 80:
In page 108, line 27, after “circumstances” to insert “where such a limitation can be clearly justified”.
In regard to an investigation, section 132(3) states, "The Commission may define the scope ... of the investigation [but it may] limit the investigation to matters connected with particular circumstances ...", where such a limitation can be clearly justified. The concern would be that where an issue is being investigated and there are consequent and related issues, we would not have a situation whereby there would be an unnatural or undue constraint on the actions of the commission. It is clearly to raise the question that we do not see an excessively narrow frame for investigation which then potentially could lead to consequences whereby there would be a requirement for further investigations, which we know can arise. It is to ensure that we do not investigate one case when there are multiple examples. That is my point. It is a little detailed and it is to do with a concern about the volume and scope of work. I do not need to press the amendment now. I can discuss it with the Minister at another time if he wishes.
I move amendment No. 82:
In page 111, line 13, after “the” where it firstly occurs to insert “complainant and the”.
This amendment deals with the question of who receives the information of an investigation report. I am suggesting that the final investigation report, which is prepared by the Data Commissioner, should not simply be shared with the controller or processor to whom the investigation relates but potentially with the complainant also. Amendment No. 83 is similar. If an individual triggers an investigation into, for example, a data controller and the use of their data and there is an investigation and a report, they would be able to know to some extent what was in the report of the investigation and its consequences. It is to ensure that should the individual be a complainant, he or she is kept informed of the resolution that might have emerged.
I know the point the Senator is making but there is a difficulty, and that difficulty would preclude me from accepting the amendments because circumstances could arise which would seriously frustrate and even jeopardise an investigation being carried out by the commission. If these amendments were accepted and inserted in the text, my concern would be that they would render an investigation open to legal challenge on the basis of due process.
Where a draft report has been prepared on foot of an investigation, procedural justice requires that the contents of such investigation would be shown to the controller or the processor concerned for any representation they wish to make or otherwise. In this regard, the commission will be required to have regard to any such representations, but it does not necessarily require any amendments to the report.
Senators will be aware that in such circumstances, a complainant does not have any role during this investigative stage of the process so if there was to be consultation with the data subject it could well provide a basis for a later legal challenge to the conclusions reached by the commission or a legal challenge to any sanction that may be decided by the commission that might be appropriate for imposing on the controller or processor concerned. The amendment, in effect, would be contrary to due process and to my mind would run the risk of inviting legal challenge, which would have the effect of frustrating or impeding any investigation. I know that is not the point behind the amendment but I believe that would be a logical consequence, which would turn on its head the point Senator Higgins wishes to make.
I accept the Minister's bona fides in terms of his analysis of it. I still have the concern that in some cases the data controller or the data processor who is being investigated may be a very large and well-resourced entity. That potential imbalance of power is a concern in terms of the individual versus what might be a very powerful or well-resourced data processor or data controller. The Minister seems to have understood my concern and perhaps it can be addressed elsewhere to ensure we do not simply have a case whereby people feel they do not know what happens or why their investigation is dropped. It comes back to the earlier question about knowing the rationale behind the reason a complaint may be dismissed. I am concerned about the imbalance of power, particularly in regard to the private sector and the individual. We can come back to it in other ways.
I move amendment No. 85:
In page 113, between lines 10 and 11, to insert the following: “(3) The Commission may decide to impose an administrative fine on a controller or processor that is a public authority or body.”.
I presume we are ploughing on beyond 8.40 p.m.
The Leader is on his way to come to the rescue. I know that we are not allowed to filibuster, but I will try to ensure the Leader makes it here on time.
Amendment No. 85 would provide that "[t]he Commission may decide to impose an administrative fine on a controller or processor that is a public authority or body". It would allow public bodies to be fined for breaches of data protection legislation, which is not allowed for by the Bill in its current form. Appreciating that the Minister may come at this issue by suggesting it is effectively a zero-sum game, what we would like to do is ensure there would be repercussions and examples set for organisations and bodies which might be in breach of data protection legislation. I am keen to hear the Minister's views on the amendment.
This is an issue that arose on Second Stage and that has also been in the public domain in the context of this legislation and the general data protection regulation. I put forward reasons administrative fines should be imposed on public authorities and bodies only where they were acting as undertakings as understood under competition law. It is important that we distinguish between the public and private sectors because, unlike the private sector, a fine imposed on the public sector has the effect of reducing the funds available to it to carry out its statutory functions. For example, if a local authority was to face a fine of €100,000 or more, this would undoubtedly result in a restriction of services. The sanction would ultimately be felt by the citizen, user or potential user of the public services concerned. That is why fining public bodies differs from imposing the same sanction on private bodies. Of course, the general data protection regulation leaves it to member states to decide whether such fines should be imposed on public authorities and bodies and, if so, to what extent. If public bodies were to be fined, Senators would undoubtedly seek redress or funding in lieu of the fine imposed. Were such replacement funds to be provided to compensate for funds lost in paying a fine, there would be a circular flow of public funds. Where a public body is acting as an undertaking and in competition with the private sector, for example, in the provision of transport or hospital services, the Bill allows for the imposition of fines. In that way, we ensure fair trade and a level playing field and that there will not be an element of discrimination between the public and private sectors which might otherwise be the case.
There is something fundamentally wrong. The rights of the private sector in terms of competition are carefully and preciously guarded, but those of an individual to see to it that there is a consequence when data protection legislation is breached do not seem to carry the same weight and the imposition of fines in this area is not considered to be necessary. We know and have seen the consequences when someone acts with impunity. There will be investigations and reports, but, in the end, there will be no consequences, except where there was an advantage against a private company in terms of its profits. The principles are not defended properly. It is important that there be consequences when data protection legislation is breached. It may be that funds will be reduced and need to be replaced, but they can be replaced with further conditions and caveats imposed. For example, there is nothing to stop rules from being put in place to state there will be a stay on funds where a fine has been administered. If there was no fine, perhaps moneys might be escrowed, subject to compliance and satisfaction of concerns. Otherwise, what will stop public authorities which are defined widely in the Bill from stating they were caught again and again?