Tuesday, 6 March 2018
Data Protection Bill 2018: Committee Stage (Resumed)
I will speak specifically to Sinn Féin's amendment which is mild. It does not seek to restore the full, large-scale fines under the general data protection regulation, given that they include fines of 4% of income, turnover and all the rest. It would simply give a power to the commission. I do not believe the commission, as established under the Bill, would be acting frivolously if it were to choose to impose an administrative fine on a processor which was a public authority or body. We would not be triggering automatic fines which might be found to relate to private entities under the general data protection regulation. Nonetheless, we are seeking to ensure the commission would have an additional power to impose a fine where a public body or authority was flagrantly disregarding the general data protection regulation and had repeatedly been found to be in breach of it. That would be appropriate. Will the Minister speak specifically to that question? Is there a reason he believes the commission should not have the power to impose an administrative fine on a controller? I am sure caveats that the commission would act in accordance with due diligence and that there would be proportionality, a necessity to do so and all the rest could be added. It could even be seen as a measure of last resort that would be triggered after multiple breaches of data protection rights.
I am also concerned about where public authorities and bodies are considered to be undertakings. The concern is that the private sector should not be disadvantaged where the public sector acts as an undertaking. However, a division has perhaps been inadvertently opened between those public sector bodies which are acting as undertakings and those which are directly delivering public services. We will see some public authorities being held to adhering to a higher standard than others? That is a concern. Will the Minister address these two points?
Senator Alice-Mary Higgins surmised much of what I was going to say to the Minister. It might just be legislative fatigue at this stage, but I did not hear anything from the Minister which convinced me that there would be repercussions for public bodies or other entities in breach of data protection rules, regardless of whether it was a one-off or consistent. I did not hear anything from the Minister that would convince me that there will be repercussions for public bodies or other entities which breach data protection regulations, whether once, numerous times or consistently. What are the incentives that will discourage such entities from repeating the offences? We are not saying this for the craic; there are serious and well-known examples of large-scale data protection issues and losses by public and other entities. At the risk of being the most hated man in Seanad Éireann, I am minded to push the amendment, but I would rather hear something from the Minister to ensure the issues raised by Senator Alice-Mary Higgins will be addressed.
There is no question of acting with impunity or any public body or company not being held responsible for its actions, be it a breach or anything else. A civil remedy is available to an injured or complaining party. Preparing or listing penalties and fines in law, in many ways, might accord with the reality of business, but I would like public bodies to apply the highest standards as they are charged with ensuring there is no illegality, breach or injured party. I would be concerned if standards were not applied or breaches were widespread and public bodies which are funded by the taxpayer paid fines such that public services were reduced and people suffered. There is a circular flow of public money-----
I would like to see a regime in place in the public sector that would ensure the application of the highest standards. That, rather than a list of substantial fines, should be the focus of our endeavours. When public bodies and authorities act as undertakers or engage in private sector competition, there should not be an unfair advantage to the private sector, as evidenced by Senator Alice-Mary Higgins. A fine should be available as a penalty, but the main remedy will be a civil action. For the first time under data protection law, an injured party or complainant will be able to take a civil action and it will be open to the courts to assess damages and make an award against a body in the public sector, in the same way as they might against a body in the private sector.
People might be confused. When fines are paid, they are paid into the Exchequer, as the Minister can confirm. Taxpayers' money is not lost to the public. It may be reissued to the same body but with additional or new conditions attached. While a civil action is one mechanism, it is a very laborious legal route for any individual to take. In many cases, citizens are not looking for large financial compensation. They simply want a poor practice to be addressed in order that in six months' time the same concern will not arise for their neighbour or someone else. It is not appropriate that in all public bodies which are not undertakings we leave the responsibility for ensuring high standards to individuals taking on crusades or challenges in court. Individuals have taken a brave stand in the past, but there is a duty on us, as legislators, to ensure there are mechanisms in place to have proper public penalties. As identified, the commission is the appropriate place. The amendment does not contain a list of administrative fines. It simply insists on it being a measure that could be used. I imagine there will be more amendments on this issue on Report Stage and there are many ways to resolve it. I do not think the answer given is satisfactory.
Senator Alice-Mary Higgins has said all I wanted to say about fines. I agree with the Minister that we all want to see the highest standards implemented by public bodies to ensure data protection. For all of the reasons outlined by the previous speaker, nothing in the amendment would prohibit organisations from adopting the highest standards of data protection protocols and directives. It has the potential to complement and enforce them in a practical and tangible way.
In the event that the House will divide on the amendment, I am prepared to reconsider it on the basis of what the Senators have said, but I do not want to see a circular flow of public money as conceded by Senator Alice-Mary Higgins. Let us see what we can do between now and the next Stage.
I move amendment No. 90:
In page 116, between lines 25 and 26, to insert the following:
“(2) (a) In addition to the publication requirements contained in section 144(1), the Commission shall publish details of public authorities or public bodies that have been found to have contravened the Act.
(b) Subsection (2)(a) shall not apply to a public authority or body where the authority or body was acting as an undertaking within the meaning of the Competition Act 2002.
(c) The publications under subsection (2)(a) shall be in at least one national newspaper and in a publication circulating in the area in which the public authority or public body guilty of the contravention is situate and/or operates from.”.
I will speak briefly. My amendment seeks to ensure that in respect of a public body the publication aspect is strengthened and admonishment is put in place for a public body which is found to be in breach of the legislation. I am interested in hearing the Minister's thoughts and whether he would consider accepting the amendment.
There is merit in the amendment. It is constructive and worthy of further consideration as an alternative to the imposition of administrative fines. In effect, this is a form of public naming and shaming. With the assent of the Senator, I will come back to the amendment. I would certainly be willing to revisit the matter on Report Stage and have a look at the wording. We can revisit the amendment in a way which ensures that the point raised by the Senator is reflected in the final Bill.