Thursday, 22 March 2018
Data Protection Bill 2018: Report Stage
Government amendment No. 1 arises out of committee proceedings. Amendments Nos. 1, 25 to 30, inclusive, 38 and 39 are related. Amendments Nos. 26 and 27 are physical alternatives to amendment No. 25. Amendment No. 27 is a physical alternative to amendment No. 26. Amendment No. 30 is a logical alternative to amendment No. 29. Amendments Nos. 1, 25 to 30, inclusive, 38 and 39 may be discussed together.
There is no need for respect, everybody will get the opportunity. I have already read that. A Senator may speak once on each amendment, except in the case of the proposer who may reply at the end of that particular amendment.
-----let me offer my respect to the Chair and, indeed, to the Members of the Upper House. In accordance with the Leas-Chathaoirleach's implied, if not expressed, suggestion, I will be brief.
Amendment No. 1 inserts a definition of "political party" in section 2 of the Bill, while amendments Nos. 25, 38 and 39 replace sections 43, 53 and 54 with updated text. These three sections contain references to "political party" and that is why they have been grouped with amendment No. 1.
Arising from our Committee Stage discussions and in particular, certain concerns that had been raised regarding the scope of section 43, I undertook to submit a revised text of section 43 and that is the purpose of amendment No. 25. In the meantime, there has been considerable media focus on this section in recent days and I want to take this opportunity to provide some further clarification on its purpose in the Bill.
Article 9.1 of the general data protection regulation, GDPR, generally prohibits the processing of special categories of personal data, including "personal data revealing political opinions". Paragraph 2 of Article 9 lifts the prohibition in paragraph 1 in respect of a broad range of situations listed in paragraph 2.
While Article 9.2 itself does not provide for the processing of personal data revealing political opinions, recital 56 of the GDPR – the purpose of recitals is to provide guidance to interpretation of the GDPR’s articles – introduces uncertainty in respect of the extent of the prohibition on processing of personal data revealing political opinions in Article 9 by stating "Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established."
In short, while Article 9.2 does not do so, recital 56 refers to the processing of such personal data subject to appropriate safeguards. I should add that an identical recital is included in the 1995 EU Data Protection Directive under recital 36 and a provision almost identical to section 43 can be found in section 2B(b)(x) of the Data Protection Act 1988. The difference is that section 43 of this Bill will impose stronger safeguards on the processing. This section is in compliance with the GDPR.
The Government's main objective for including section 43 in the Bill has been, therefore, to continue to prevent misuse and to impose the appropriate section 33 safeguards on the processing of personal data revealing political opinions.
Section 43 imposes the following safeguards. It limits processing of personal data revealing political opinions to political parties; candidates for election to, or holders of, political office; and the Referendum Commission. It makes any such processing subject to "suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects". This refers to the toolbox of safeguards set out in section 33 of the Bill. We had an opportunity earlier of discussing this, both at Second Stage and at Committee Stage. In short, processing cannot take place unless such safeguards are in place.
The safeguards include a broad range of measures to protect the rights and freedoms of individuals. Section 33 permits the relevant Minister to make the application of specific safeguards mandatory for specific types of data processing, including the processing of data revealing political opinions.
The revised wording of section 43 also makes it clear that the electoral activities to which reference is made are electoral activities carried out in the State by a political party registered under section 25 of the Electoral Act 1992; a candidate for election to, or a holder of, office in the State; or the Referendum Commission.
There are no grounds for fearing that this State can in any circumstances become a hub for the carrying out of electoral activities in respect of elections taking place outside the jurisdiction or in other countries.
I will take this opportunity to point out that section 43 provides a legal basis for elected representatives, Members of this House and members of other institutions, whether members of political parties or not, to engage in data processing for electoral activities, including canvassing.This represents an important aspect of the manner in which we engage in our democratic system. It allows elected representatives and candidates for elective office to reflect the concerns, anxieties and priorities of the citizens of the State, that is, the electorate. Supervision and enforcement of data protection standards and rules, including section 43, will be a matter for the independent office of the data protection commission.
Government amendments Nos. 38 and 39 incorporate the revised wording in respect of the Referendum Commission into sections 53 and 54, respectively. As regards amendments Nos. 28 to 30, inclusive, I cannot accept amendment No. 26. I probably need to speak to these amendments now in anticipation of their being moved.
I do not see the added value of amendment No. 28 which refers to a private or commercial company, which is not defined in the amendment. Section 43 confines the processing of data revealing political opinions to candidates, political parties, holders of or aspirers to elected office in the State and the Referendum Commission. In conclusion, I fear that amendments Nos. 29 and 30 are based on a misinterpretation of Article 9.2(d) of GDPR in that they appear to transpose that provision into national law. There is no need for that because it has direct effect without any need for national law. I cannot accept amendments Nos. 29 and 30.
I welcome the Minister to the House and the discussion on the Bill. I also very much welcome the move by Senator McDowell to open the matter up for discussion. I imagine that some of these amendments arise from the situation caused by the revelations about Cambridge Analytica. They are indeed extremely worrying.
As an aside, with regard to university elections and access to data, it is a significant hindrance that candidates in university elections are disbarred from access to the database which provides details of email addresses. I have had a long battle about sending out manifestos and using allowances. One of the responses I received was that I could easily do such work by email. One cannot do work by email when one does not have the email addresses. It seems to me there should be some flexibility.
The Minister said that the Bill would prevent Ireland becoming a hub for interference in other countries' elections. I hope he is right, but I do not know whether that is the case. People are now so extraordinarily sophisticated, especially in Russia, that it is difficult to predict exactly what they can or cannot do. It is important that we allow freedom to candidates in elections to use information from databases.
Some of the data protection issues are a little bit fussy. Some time ago I sent an email to a small section of the electorate and asked my secretary to contact the agency which looked after this for me. I wanted to advise it that I wished to exclude the people to whom I had already sent material. When we contacted the company, it told us it had destroyed that information under data protection rules. It is a bit mad that when one selects a target group and instructs a company to send out materials, on contacting the company later it then says it no longer has the information under data protection law. Who is being protected? There are some significant issues.
I welcome the fact that we appear to be addressing the kind of situations which have been revealed to us by Cambridge Analytica. I welcome what is being done. I say that even though I am computer illiterate and hope to remain so.
We are speaking to the first group of amendments. I am supportive of the amendments, except for amendments Nos. 25 and 39. On amendment No. 25, I wish to quote from Article 9.1 of the GDPR, which states:
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The key phrase is "shall be prohibited". I understand that there are exemptions under Article 9.2, but Sinn Féin is of the opinion that the amendment presented by the Minister today does not fit the definitions of any of those exemptions outlined. Therefore, we have reached the conclusion that what the Minister has proposed directly contradicts Article 9.
The Minister may point to Recital 56, but that is an interpretation rather than actual law and for Sinn Féin does not provide sufficient safeguards. It is on that basis that we will oppose the Bill in its entirety, along with other reservations we have outlined during the debate. Aside from being contrary to the GDPR and, by extension, European law, it is far too ambiguous. It creates a situation in which an unintended loophole may arise, leading to an infringement of rights in the context of data protection for our citizens. I will also oppose amendment No. 39 for the same reasons.
Section 43 of the Bill deals with a political party and uses a definition of a political party. I am not trying to stray outside the groupings. The section reads:
Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of personal data revealing political opinions shall be lawful where the processing is carried out in the course of election activities for the purpose of compiling data on peoples’ political opinions by—(a) a political party,
(b) a body established by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act), or
(c) a candidate for election to, or a holder of, elective political office.
The problem I want to tease out slightly here is that we are talking about processing carried out in the course of election activities. That is temporally limited. To take a concrete example, Joe Soap is standing as an Independent candidate in the constituency of Kerry. He has a group of canvassers out working for him. Those canvassers work door to door with the registers in, for example, Tralee. They note that Senator David Norris has said that he is concerned about issues A, B and C. He lives in Tralee for the purposes of this example.
Fair enough. In any event, he is noted as somebody who is particularly interested in some particular issues, issues A and C. The question is then whether processing of that material is lawful in the context of an election but unlawful at a later point? For instance, if the Senator says that he is hugely interested in having a referendum on issues X, Y and Z - we will leave out Y to be fair to the Senator - is the political party or candidate effectively required to stop processing that information thereafter? Are they allowed to come back to him, process his data and put him on lists of people who are interested in issues X and Z thereafter?
I have no doubt that the Data Protection Commissioner is a very reasonable officer, but will people be able to ring up political parties or Joe Soap, the Independent candidate, and say that canvassers had visited them two years ago, that they expressed some opinions, and that they want the party or candidate to never visit that issue again? Is that the kind of territory we are in? If we are to have this provision in respect of a candidate for office, if that is what we are going to do, is it personal to the candidate or are people or a movement supporting a candidate, other than a political party, also required not to process the data? Do these protections arise in that context?
I will use a topical example. Suppose there was a party which had strong pro-life views and that it canvassed strongly on that issue, or that there was an individual who was standing on a pro-life ticket. Suppose that individual amassed, through his or her canvassing, a picture of people's preferences in respect of that issue, one way or the other. Is that person obliged to cease processing outside of the electoral process? Does it become unlawful to process those opinions other than for an electoral purpose?
I am slightly worried that in putting all of this in such explicit detail we are ruling out a lot of things which could be perfectly legitimate as part of the democratic process. That is really what I would like to tease out here. I feel that we are putting in place fairly strict constraints on the processing of these kinds of materials. For instance, in my years standing for the Dáil - and I stood six times, winning three times and losing three times - I could have accumulated a fair amount of information from registers about what people thought, what they did not think and whether they were going to vote. I would like to have some indication as to whether I am entitled thereafter to use that material or whether I will be suddenly told that I will only be able to process that material for electoral purposes.
I will begin by responding on the wider set of amendments. I will address the concerns raised by Senator McDowell. I do not think that he needs to be concerned in respect of those areas, although there are very serious reasons for concern in respect of other inadvertent consequences and loopholes which are opened up by section 43 of the Bill.
I will pick up on one or two points which the Minister made because it is important to clarify them. This will allow me to answer Senator McDowell's questions. The Minister suggested that Article 9(2) of the GDPR did not in itself address the question of political processing and that therefore he had turned to the recital in generating the responses and the elements within this Bill. Article 9(2) is, in fact, very clear. To spell it out, Article 9 is the section of the General Data Protection Regulation that sets out special categories of information. These are data above and beyond. It is not names, addresses and ages. It is information considered to be particularly sensitive such as information on one's health, sexual orientation, or religious or political beliefs. The General Data Protection Regulation seeks to give special protections to those areas of sensitive data.
Article 9(2) sets out a number of circumstances under which such data can be processed, because it is a realistic set of regulations which recognises the need to process data such as this at certain times. Again this refers to processing data at certain times without consent. Consent is a key issue to which I will return. It recognises that there are circumstances in which consent may not explicitly need to be sought in order to process data. One of those circumstances is laid out in Article 9(2)(d).
It refers to situations in which "processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body [the inclusion of not-for-profit bodies is important in terms of the rationale for one of my amendments] with a political, philosophical, religious or trade union aim and on condition [this part relates to the questions which Senator McDowell has asked] that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes [that is in connection to those political purposes] and that the personal data are not disclosed outside that body without the consent of the data subjects". To clarify, certain of the actions which the Senator has described are completely appropriate and still possible. Other actions may be required to pass the extra bar of consent. That is appropriate.
To look at the register, it has been made very clear by the Minister and his Department that electoral registers are a completely separate issue to section 43. Electoral registers are not included as a special category of personal data. Perhaps they might be if there were markings on them or so on.
Under the GDPR and under my amendment, processing the data of persons who are in regular contact with a candidate or party is allowed under the GDPR. These might be, for example, people who have said that they would really like a referendum on a given issue and whom the candidate or party reverts to, has correspondence with and notes that they are interested in that area if the issue arises subsequently.
What is probably not allowed under the GDPR but which may be allowed under this section is for a candidate to take data which falls under special categories of personal data relating to a person's sexual orientation or religious, philosophical or political beliefs, which he or she has gathered in a completely different context, and to simply transfer them over to somebody else without consent. That is not allowed under the GDPR, however it might be allowed under the Government's amendment and that is a concern.
The debate on section 43 which we have heard in recent days addresses the processing of personal data revealing political opinions for the purposes of electoral activities. There has been increased concern about this. I have been concerned about this area for a long time and spoke on this area at the World Forum for Democracy last autumn. It is a deep concern for parliamentarians right across Europe. What we have seen brought to the fore again in recent weeks is just how dangerous unregulated processing of personal data can be in affecting and distorting political outcomes and the political process. We have seen the cynical and manipulative work carried out by Cambridge Analytica.I am sure Members have heard how the data of 50 million voters was harvested so that the personal information that they had shared on a social platform could be used by political actors to microtarget advertisements to them to sway their position, without them giving any consent or having any knowledge that this process was happening. The company accessed the data of 50 million users, advertised to them in a microtargeted way, played on their specific fears and concerns in order to influence their votes and allegedly used 40,000 to 50,000 variants of advertisements every day. The response was continually measured and the targeting was adapted and evolved based on that response. This is a dangerous new development in the distortion of democracy and it has rightly been a cause for alarm.
There is nothing in section 43 of this Bill or the amended section 43 proposed by the Minister to stop that from happening in Ireland. I recognise that the amendment to section 43 seeks to limit it to electoral activities within the State. However, if a political party, a candidate for election or a holder of elected political office in the State wishes to hire Cambridge Analytica, or the many hundreds of clones of Cambridge Analytica which now proliferate in countries across the world, there is nothing in this section of the Bill to stop that from happening.
I am conscious that this Bill will not affect the current referendum because it will probably only come into effect at the time of the referendum. Senator McDowell mentioned actors who may be affiliated with a pro-life campaign. They are not compiling canvassing records. We know that one of the sides in the referendum, those who are advocating against repeal, have already hired a former analyst from Cambridge Analytica. They are already working with that person. App developers who worked with the Trump-Pence campaign to harvest data are working with political actors here in Ireland now. It is happening, and it is a real and present danger. There may be an attachment to some of the old ways of doing things and a concern about which activities might need to be re-evaluated. However, I genuinely believe that genuine political activities, for example the taking of an electoral register or going door-to-door to canvass those who are on the electoral register, are still completely legitimate. The danger arises from the new kind of activity, which is legitimised and allowed for under this section. It is a very serious concern. I acknowledge that the Minister has taken on board one of our recommendations from Committee Stage, in that the provision has been narrowed to refer to the Referendum Commission in the performance of its functions, rather than a wide framing of multiple bodies. I acknowledge that narrowing. It is constructive.
I also acknowledge that the Minister has listened to the genuine alarm expressed across Europe that Ireland should become a hub for this kind of dangerous electoral manipulation and targeting. The Minister has sought to limit it to electoral activities in the State. However, with respect, the fundamental problem still remains. There is nothing here to limit this activity and to ensure that private companies are not hired to do it.
I also support those who are seeking to have this section removed, reframed and reconstructed. That is something the Minister might want to genuinely consider. He has a chance to reconsider this entire area. Nonetheless, I propose three new sections which I think could ameliorate some of the worst impacts of section 43.
My amendment No. 28 specifically refers to, "The processing of any special category of personal data [those special categories of personal data include sexual orientation, religious and political beliefs, and several other enumerated items] by a private or commercial company [the Minister may query the term "commercial company", but it gets to the core of what is intended by Article 9 of the EU GDPR] for political or electoral purposes shall be prohibited without explicit full and informed consent of the data subject."
To be clear, Red C polling, focus groups and market research can all continue. This amendment simply provides that if a candidate or party brings a private commercial company into the electoral process and charges it with gathering and processing data, whether in the form of polling, market research or focus groups, there must be certainty that those participating are aware that it is for political purposes and agree to it. They must at least agree that political purposes are part of the function of what they are doing. Article 9.2(a) of the GDPR makes that clear. This proviso is the clearest and most important provision, "the data subject has given explicit consent". I have responded to polls on the phone and I have given my consent to ask questions. I am sure many will continue to do so. My amendment seeks to prevent those situations where people's information is gathered, they have not given consent to that information being used politically and it is used to target and manipulate them.
I want to be clear. Cambridge Analytica and Facebook are only the beginning of this problem unless we address it. There are 100 clones of Cambridge Analytica. Many of those who worked for Cambridge Analytica have set up their own companies. There are multiple companies seeking to work in this way. Facebook has allowed that data to be harvested. We should not rely on social media platforms not to allow data to be harvested from them. For every Facebook there will also be apps, small companies or fly-by-night social media platforms that appear for a while simply for the purposes of gathering data. We know that there are apps whose entire purpose is to gather data which can then be sold. If the operators come under pressure, the apps can disappear and the companies can fold and reopen as different companies. We are looking at a dangerous landscape in which mercenary actors can seek to actively influence political outcomes, unless we get this right and regulate it.
It is important to note that when I talk about the harvesting of personal data, I refer to the processing of personal data revealing political opinions. There is no constraint on what kind of personal data it is or where it is found. Is it found in a Snapchat conversation or a Facebook conversation? There is no limitation. There are three elements here. The first question concerns who is doing the processing. Whether or not it is carried out by private companies is a key issue. I know that addressing this is the intention the Minister has set out for section 43. The other two issues are whose data is being processed and what kind of data is being processed.
My amendments Nos. 29 and 30 relate to the question of whose data is being processed. In these amendments I have returned to the language of Article 9.2(d) of the GDPR, which provides that the data should be that of "members or to former members of the body" carrying out the processing, namely, persons who are in pre-established contact with a candidate or a party around political issues. In that respect, the Minister has said that he does not feel that it is necessary to put the language from Article 9.2(d) into the Bill, because the GDPR applies. If the Minister will not accept my amendments, which I think would add clarity and be very useful, can he confirm that under section 43 it is only those categories set out Article 9.2(d) whose data can be processed?My amendment is complementary to section 43 and would ensure that any actions taking place under the section come into line with those appropriate and acceptable data subjects for processing identified in the GDPR. Could the Minister clarify that?
The Bill has been recommitted in respect of these amendments but I hope we will not have to go back and forth too much. However, I have a serious concern in respect of amendment No. 39 and section 54 overall. I am aware that it is being opposed. We talked about how appropriate it might be to seek consent when one is choosing to process personal data people give - for example, in respect of their religious beliefs or faith - for political purposes. There will be situations whereby people's faith alone will be used to target ads at them, potentially politically, under section 43. In the context of amendment No. 39, not only are we removing the requirement for consent, we are also saying that the right of a data subject to object to the processing of personal data concerning him or her shall not apply. There is a real danger in this section. Not only are we not requiring consent, we are also removing the possibility to object.
As a basic principle, a person should surely have the option to object if his or her data is being processed in an inappropriate way for electoral purposes. Senator McDowell said that an individual should be able to make a phone call and say that he or she does not want his or her information processed. People should be able to do this. If somebody is sufficiently concerned at how his or her personal data is being processed in the context of political or electoral activities, it should be possible for him or her to take that active step and say "I do not want to be part of this particular processing by this party or by this candidate." He or she should have the right to object and to be removed from the list. If I am receiving micro-targeted ads again and again from a candidate, then I should be able to say I do not want them any more and that I would like to be removed from the relevant database. All of us will have had one or two people over the years who have said that they did not want to be in our database. That is an appropriate thing to ask. We say "Yes" and remove them from it. It is a basic right and I am very concerned at it being removed under amendment No. 39.
Perhaps Senator Higgins misunderstands me. I am not just dazzled in this context by Cambridge Analytica or Big Brother doing X or Y with data they have harvested around the world; I am concerned with very basic, ordinary aspects of our political process.
Exactly. I am not suggesting for one moment that Senator Higgins is not right to be concerned about the other issues. They are probably much more contentious and more newsworthy this week than they were previously. However, I am actually concerned with the whole process of participating in the political life of our country. I do not have all the answers and do not claim to be expert in all of this. I do have reservations, for example, about confining this to processing in the course of electoral activities. Political purposes are often different from simple electoral activities.
The Bill has to go to the Lower House and there will be time to consider these matters further. I am not going to be obstructive in any way. However, I ask the Minister to consider whether this is perhaps too narrow a focus. What would be the position if one could no canvass other than in the context of elections? I remember talking to the former Taoiseach, Bertie Ahern, and he said that in order to see how the wind was blowing, he used to spend a Saturday afternoon talking to people on their doorsteps.
One could say it was the electoral wind but he would have said it was something different.
The other point is that in this context, the term "electoral" may have to be defined as including campaigns to amend the Constitution and referendum campaigns. Elections are different from referendums. A political party, its members or a candidate for election to or a holder of electoral office are very personal and restrictive categories and I think they should be broadened and the phrase "by or on behalf of" should be introduced. To grant the right to process data to an independent candidate in Kerry South is not much good. He cannot sit at home processing all his own data. Somebody has to do it on his behalf. Likewise, a party's members may or may not be the people who sit down to draw up the lists and collate the information that has come back.
I fully agree with Senator Higgins that we have to have an eye on the Big Brother aspects of Cambridge Analytica. I note that the latter has Steve Bannon among its former directors, which sets alarm bells ringing in many people's minds. However, I am much more concerned with what happens in Ireland. I do not want to talk about the pro-life referendum at this stage in this context because that will only distract people. However, it is perfectly legitimate for groups of people who are not members of political parties to organise in order to change the Constitution or to resist change to the Constitution. I know, for example, in the context of the upcoming referendum, there are campaigning groups that are not political parties being formed on both sides of the issue. I am worried that the language being proposed here is very narrow in scope and should be broader if we are really to have a healthy democracy.
The other aspect Senator Higgins might take into account is that processing data does not necessarily mean giving it to somebody or receiving it from somebody else. Processing refers to anything one does at all, such as, for example, converting a list of people who said they would vote for one into a list of those to whom one might write reminding them that polling day is the day after tomorrow or whatever. It is not just a matter of people harvesting data from Facebook sites internationally, moving them around the world and engaging in this kind of "Star Wars" existence, which is frightening. The more I hear about it, the more frightened I become. The bit that worries me, however, is that what we are legislating for here, if it is going to be upheld by the Data Protection Commission from here on, could be extremely restrictive.
As somebody who has contested many general elections, one thing that I always am slightly annoyed about is "no junk mail" notices. If I want to communicate with my voters through a newsletter or whatever, I do not consider my newsletter to be junk mail. Rather, I consider it my right to tell them why I am standing and, at the very least, communicate with them in an ordinary way. Unless it is going to be done by post with a stamp for every communication or whatever, the only way we can do that is to get our material through their letterboxes. I am afraid that the no-junk-mail mentality would apply to data subjects, which would make it extremely difficult for political parties for non-party political movements to carry out their activities.
A group was established to oppose the referendum to abolish this House. I was part of that group and was a member of one of its committees. There were approximately 200 or 300 people in the group.When I was standing for election to the Seanad on the NUI panel, I wrote to the individuals who had been in that group who I could identify as NUI voters to say that I was standing on a reform the Seanad campaign. I got two snotty replies to say how dare I process data and communicate with people about a subject about which we were supposedly all in agreement about a year earlier. For a few weeks I feared that I would be reported to the Data Protection Commissioner for abusing one list in order to write to people when I knew they had an interest in the subject. I apologise if I am not soaring into the heights of Cambridge Analytica. I am concerned about what happens on people's doorsteps. I am concerned that groups that want to campaign in referendums should have their rights protected and accommodated in the same way as party politicians. I am concerned that a political party and its members are in one category but that a personal candidate or the holder of an office is put in the other category. Most personal candidates are not in a position to process much data by themselves. I ask that we consider the language here and, not to be obstructive or negative, I ask the Minister to give some indication that he will look at these issues again because it has to be brought to the other House, even if it has to come back here after this Report Stage. I want to ensure that these issues are addressed.
I recognise the concerns, and that is why there is some tension about Article 9.2(d). I urge Senator McDowell to look again at Article 9.2(d). That provision permits a wide range of activities. It is important because it applies not just to political parties but is much wider than that. It refers to any "not-for-profit body with a political, philosophical, religious or trade union aim". In many ways the general data protection regulation, GDPR, provides a wider vision of the kinds of activities that might be taking place than those set out in section 43. I have tried to bring in one part of Article 9.2(d) by way of amendments Nos. 29 and 30. I agree with the Minister about the other parts of this provision. A trade union must be able to process political opinion, including that of its members and those who are in contact with it. That is envisaged and allowed for in the European regulations.
I have canvassed and gone door to door at length in many campaigns, for example in the Seanad referendum, alongside the Senator. I believe that canvassing, market research and polling are allowed under this legislation. Market research and polling must be done by consent, and those responding must be aware that they are participating in political polling or political market research. That is appropriate. The information that is not in the special category of personal data, such as age and address, is not covered under the professional categories and personal data headings in the same way. Special categories of personal data, the categories we are talking about trying to protect, are sensitive categories, and that is why they must be used sensitively and appropriately. Those kinds of data can be processed under Article 9.2(d) where they are being used for purposes that are appropriate. The key here is the reference to "not-for-profit body". If an NGO or a grouping wishes to campaign on a referendum it is free to do so, but if a company established to make a profit wants to get involved, that is different. That is why amendment No. 28 seeks to bring in stronger rules when a for-profit company is involved. These companies may have multiple clients. We need to have an extra safeguard against these companies. I believe that the normal, healthy activities of a vibrant political state can continue without section 43.
These issues will of course be subject to further consideration as the Bill travels from the Upper House to the Lower. I very much value the opportunities we have had over the past hour or more, having recommitted the legislation to Committee Stage. I acknowledge the breadth of the debate with Senator Higgins on one end of the argument and Senator McDowell on the other. The legislation attempts to reach a balance. Its essence is about the protection of the data of our citizens. This is important legislation for the consumer and the citizen, and for those whose data may well be the subject matter of abuse. Section 43 is important because it allows for something of a special status for the conducting of political activity, which as both Senators have said is important in the context of our democracy. We are traversing the terrain between Cambridge Analytica on the one hand and Cambridge Road, Rathmines, on the other. We need to address the balance here.
Senator McDowell is of the view that the section as currently constructed is too narrow and that in many ways it could well curtail or restrict what he, and I am sure all of us here present, would regard as lawful political activity. I remind Members that the revised text of section 43 refers to "electoral activity" rather than "election activity". Undoubtedly electoral activity is considerably broader in context than what might be described as a narrower election activity, lest Members be of the view that this provision would only apply within a certain timeframe, namely, during an election campaign, once an election has been announced or after these Houses have been dissolved. That is not the case. Electoral activity is considerably broader and, to my mind, will cover the issues as raised by Senator McDowell in terms of flexibility, or in terms of the processing of data for political activity. It will not just apply during the timeframe of an election campaign but perhaps at any stage in the context of our political deliberations. I feel that the element of flexibility in the revised text will meet the concern of Senator McDowell. It is broader, and it does denote a greater level of flexibility.
I found the debate useful, and while I do not accept amendments Nos. 28 to 30, inclusive, tabled by Senator Higgins, I acknowledge the importance of the issues she raised. The issue will be given further consideration. Even though Senator Higgins is not a Member of the Lower House, when the House is considering the matter I know she will be keeping a close eye on matters in any event, having regard to her interest in this issue. Article 9.2(d) of the GDPR relates to membership bodies, including political parties, but it does not refer to candidates, nor does it cover people going for electoral office, people entering an electoral contest or people engaging in political activity who are not members of a political party, for example, an Independent member seeking election to political office in this State. I also recall Senator Higgins using the phrase "pre-established contacts". If they are pre-established contacts, they are not new and if they are not new, they could well disadvantage, or be to the exclusion of, somebody who decides, not having engaged in the particular process, to run for office, not having done so in the past. Those people represent a very important aspect of our political engagement. It is important they would not be placed at something of a disadvantage.
My section 43 will allow for Independents who are not members of registered political parties to process data that does not seem to me to be covered by Article 9.2(d) of the general data protection regulation, GDPR. If I were to accept the Senator's amendments, having regard to the very positive and helpful nature that is intended, I would be concerned, for example, that Independent candidates would be allowed to process political opinions of members or former members of political parties only but that it may not allow for the processing of data for the public at large. If that were to be an interpretation, acknowledgment or a ruling in that respect, that, in essence, would be bizarre.
I would be happy to give it further consideration but I believe over the last while, between Senator McDowell on the one hand and Senator Higgins on the other, we have seen the need to engage in a type of balancing that will allow for ongoing engagement with the public on the part of people running for office, having particular regard to this being a special aspect of engagement that might not necessarily be the case in other countries.
I refer to the concept of door-to-door canvassing and the level of competition in the course of an election, in the run up to an election or during times when an election is not taking place, the type of engagement we have with our electorate being probably somewhat closer or perhaps even more personal than might be the case in other jurisdictions. It is precisely because of this that I believe section 43 is important, the importance of it also being in the context of it confining the processing of data revealing political opinions to parties and candidates for elections, those going for office, a referendum commission and those engaged in active political participation. I am a little concerned that amendments Nos. 29 and 30 do not fully accord with the reading of Article 9.2(d) of the GDPR. They would appear to merely transpose that provision into national law which, to my mind, is not as clear or as potentially wide in scope as section 43.
I welcome the Minister's openness to look at all these issues again. There is quite a difference between Cambridge Road, Rathmines, and Cambridge Analytica. Perhaps I am much more pedestrian in my focus but I am looking at it from that point of view.
There is now an explicit reference to a referendum commission carrying out a processing of political opinions. I would make one observation on that. It is a long-established phenomenon in politics that people lie in retrospect about what they did in elections and referenda when they are surveyed afterwards. John Kennedy scrapped home with a tiny margin when elected to office in America but as soon as the opinion polls were done shortly afterwards, the number of people who claimed to have voted for him suddenly shot up to 55% or 60% just like that.
The findings in several referenda in which the Referendum Commission here has published its post-referendum analysis are interesting. I noted, for instance, that the margin in the referendum to keep the Seanad suddenly shot up when people told the Referendum Commission the way they had voted, the implication being that people almost always like to be on a winning side.
I would put this marker down for various referendum commissions in the future: they should not rely too much on their opinion polls. People will say they were confused but these are people who are already deceiving them as to what they actually did. People have said that they found the ballot paper confusing. In many cases the percentage of people who told the Referendum Commission they voted differs widely from the percentage of people who turned out. We should not put too much credence on opinion polls. Future referendum commissions should be circumspect in their reliance on post-referendum opinion research because it is nearly always untrue and distorted by wishful thinking on the part of the people to whom they have spoken. I will not push my points any further and I will not delay on this matter. I am happy that we go out of Committee Stage if everybody else is agreeable.
We have much ground to cover today and we will move on to that shortly. Amendments Nos. 29 and 30 were an attempt to marry Article 9.2(d) with the provision set out by the Minister's Department in section 43. The language as to who is included is the language taken from section 43, which includes election candidates of every kind, Independent, party or otherwise.
I have taken the language used by the Minister's Department in the who does the processing element in section 43 and applied it to the who is processed element from Article 9.2(d). There is provision to perhaps have a better transposition of all of the spirit of Article 9.2(d), which would deal with those wider actors that were mentioned but for now I believe the concerns do not arise in respect of Independent candidates except as they arise potentially anyway under section 43.
The Minister drew on a recital in his initial speech around the functioning of democracy and so forth. It is the interpretation of such recitals which is perhaps justifying that slightly wider element but it is still in the spirit of Article 9.2(d).
Amendment No. 28 specifically relates to entities that are not not-for-profit bodies as envisaged under the GDPR but which are commercial entities and their role as actors in that context. That is a crucial amendment. In respect of the other amendments, I am happy to work with the Minister to see how we can marry Article 9.2(d) better with section 43.I have to press amendment No. 28 on the role of private and commercial actors. Does the Minister have any last thoughts on that and could he address the concern about amendment No. 39 which makes it the case that people will not have the capacity to object to the data on their political opinions being processed?
That is not unreasonable. That is not unreasonable and if it is not clear in the legislation it is worthy of further consideration.
To return to Senator McDowell's point about junk mail or unsolicited material, it is very subjective. We probably all form the view that the other candidates' mail is the junk mail and ours is not.
However, it is the person going to the polling booth who decides which is the junk and which is not.
I want to return to a point that I may not have made clear, and to go back to Cambridge Analytica, rather than Cambridge Road. There is absolutely no reason for anybody to fear that Ireland, our jurisdiction, will become a hub for the carrying out of any electoral activities in respect of elections not taking place within this jurisdiction or beyond. That is clear in my amendment to section 43. That is also important in the context of the current debate on the harvesting or alleged misuse of data as processed.
This amendment seems to be a bit odd because it purports to delete two lines and by deleting them it makes a complete grammatical mess of the whole paragraph which starts: "An appropriate authority (within the meaning of the Civil Service Regulation Act". The two lines deleted start with the end of the Title of the Act "1956) may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a controller and". We are left swinging with an "and" at the end. If it was so amended, and I hope I am right, "on page 11 to delete lines-----
I am very glad to realise that any impugning of the grammatical proficiency of my dear friends on the seats behind the Minister is regarded as redundant. That is all I have got to say on the Bill. I am off, thank you very much. Bye-bye.
These amendments relate to section 33 of the Bill. We discussed it at length on Committee Stage. It concerns the "Suitable and specific measures for processing". These measures are a toolkit introduced by the Minister as suitable specific additional measures for processing. They are usually applied in a situation where the consent of the data subject, the person, is being bypassed. They relate to many sections of the Bill whereby a legislative permission to process data is put in that does away with the requirement for consent.
The Minister has engaged with me in this area. I feel, however, that there may be a distance to travel. I knew this would be resubmitted so I have only touched on these areas. I will not go into great detail. Could the Minister explain why he has removed what was part (vi), "other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures." That was in the previous version of the Bill and I thought it was positive. While "pseudonymisation" and "encryption" are kept, the tool, or option, to use other technical and organisational measures seems to have been removed.
Previously, the Minister would have regard to the public interest and the need for the protection of individuals in respect of the processing of their personal data. I may be incorrect but it seems to have disappeared from the section or it has been moved. There will be reference again and again to suitable and specific measures. Even in our last discussion the Minister invoked the capacity to introduce suitable and specific measures as an assurance to us. It is important, however, that while this amended section 33 states that the Minister can consult with other Ministers and the data commission, there is no guarantee that a Minister will take the advice of the data commission and we do not have a mechanism for transparency such that in those cases where a Minister chooses not to take the advice of the data commission we at least are informed of the rationale for that.
When we are being told about this toolkit it is important to remember that Ministers may or may not choose to use the toolkit fully. While I recognise and appreciate that when the Minister gives suitable and specific regulations they may be mandatory for the data controller, the target of the regulation, there is still nothing mandatory about the Minister's action or indeed anything fully transparent and accountable about the Minister's decision on how the regulations are formed. I acknowledge that the impact of the regulations is strengthened in some ways by the amendments here but the making of them leaves something to be desired. Perhaps we can pursue that further.
I want to stress that the "toolbox" of safeguards as referred to by Senator Higgins, is in addition to, and not a substitute for, the technical organisational measures required under a risk-based approach in Article 24.These additional safeguards are justified by the fact that they will apply to the special categories of personal data under Article 9, to which we referred earlier. On Committee Stage I accepted the need to clarify the interplay between section 33 and later sections. I stated I would have a fresh look at section 33 in the light of earlier amendments tabled by Senator Higgins. Arising from that, I have tabled this group of amendments. Amendment No. 14 proposes to adjust the content of subsection (1), while amendment No. 15 proposes to replace subsections (2) to (5). I do not perceive section 2(2) as any longer serving a useful purpose, which is behind my proposal to delete it. If Senator Higgins believes there are further issues which need consideration, I would be happy to do so.
In amendments Nos. 14 and 15, however, I believe I have clarified the issues that were brought to the attention of the House by Senator Higgins in the earlier part of the debate.
Government amendments Nos. 3 to 6, inclusive, are in respect of sections 7 and 8. Let me refer to Senator Higgins's contribution to the Committee Stage debate during which she sought assurances that the setting up of the Data Protection Commission under Part 2 of the Bill would not in any way interrupt or disrupt investigations of complains already under way under the existing legislation from 1988. Arising from a reassessment of the continued application of the Act of 1988 to complaints lodged before the establishment of the commission, I propose amendment No. 5 to insert a new subsection (4) in section 7, which makes clear that the repeals referred to in section 7 will not apply to complaints made or investigations commenced before the setting up of the commission. Other amendments in this group, are merely adjustments to other provisions in sections 7 and 8. I wish to acknowledge the initiative of Senator Higgins in that regard and I thank her for raising the issue. I hope we have met her concerns.
I thank the Minister for taking on boards those concerns. I think they will give greater clarity, in particular in one of the significant investigations taking place at present, which is the investigation in respect of the public service card and the single customer view database, in which the Data Protection Commissioner is currently engaged. It is important that this would be able to proceed in a timely way. I think these are useful amendments. I thank the Minister for taking my concerns on board.
I move amendment No. 7:
In page 21, between lines 9 and 10, to insert the following:“(5) The annual report should include a list of organisations found in breach of this Act during the period covered by the report.”.
This amendment refers to organisations that are in breach of the Act and proposes that they be listed in the annual report of the Data Protection Commissioner. In these amendments we are trying to ensure that we would have greater transparency and a greater capacity to identify trends in data breaches or where we have a situation where multiple breaches are occurring that we are able to identify the sectors in which they are occurring and respond to them. At present the Data Protection Commissioner will report on those cases which have gone through court proceedings and moved to the courts. There are, however, many cases where breaches will have been recorded but may not proceed to a court. We would certainly not want a case where every breach would go through a lengthy and gruelling court proceedings. In order to ensure there is accountability without needing to have recourse to court proceedings, it would be very useful if, in the powers and in the intentions of the functions of the Data Protection Commission, that in its annual report it would also include a list of those organisations, public or private, that have been found to be in breach of the law. We would then have a sense and the pattern is public and that we are not simply reliant on those cases that have gone to the courts. I think it would be very useful and also would allow us to identify instances of multiple breaches. The Minister might respond to this point.
Amendment No. 65 brings a further layer of transparency and will ensure that where complaint cases have been taken and decisions made that the information would be shared on the decisions made on the complaints.
I am not in a position to accept these amendments. I point to section 145 of the Bill, which adequately deals with this issue and provides in an appropriate manner for the publication of convictions and certain other sanctions.
Amendment No. 7 would require the Data Protection Commission to publish in its annual report a list of controllers and processors who have been found to be in breach of the legislation. Section 145 already requires the commission to publish particulars of all serious breaches of data protection law, including all cases in which an administrative fine has been imposed. Section 145 also enables the commission at its discretion to publish details of less serious infringements where it exercises a corrective power. The section also leaves it to the commission to decide how this information is to be published. It could decide for example to publish such material in an ongoing basis on the commission's website, in advance of or outside of the annual report.
Amendment No. 65 would require the commission to publish details of all decisions reached in complaint cases. This would be unduly burdensome. It would be an obligation that would be cumbersome, having regard to the fact that in 2017 almost 2,600 complaints were concluded by the Data Protection Commission. Annual reports of the commissioner over the years have contained summaries of interesting cases, cases that from time to time would be regarded by the commission - the authors of the report - as being very much in the public interest or those also involving unprecedented or perhaps novel instances or aspects of the data protection law. This is also in line with other bodies or offices, such as the Ombudsman's report.
I am of the view that this approach is more effective and perhaps more useful than publishing a full list of decisions taken. I will not accept these amendments for these reasons.
I thank the Minister. I will not press the amendments at this point but my purpose was to highlight and capture the wider pattern of breaches and where they are occurring, not simply in terms of the examples.
I know this would add to the volume of work and I will not press for this at present but I will work with Members in the other House to address instances in which a large number of complaints may have been made in respect of one data controller, regardless of whether they have reached an administrative fine level. Where there has been a high volume of complaints and concerns, perhaps there should be some contexts whereby that would be reported. It might be a more nuanced approach and I am happy to work with the Minister and his Department on it. I think it is important that we do not wait until things have become serious before they appear in the reports but that we find ways to capture emerging trends.
I move amendment No. 8:
In page 23, line 6, to delete "is 13 years of age" and substitute "shall not be a lower age than already defined in Article 8".
I note the Minister's proposed amendment No. 9 on a review operating in respect of these subsections and I welcome it. My views have not changed since the previous occasion and repeating them would be somewhat needless. We have to be conscious of the role of parents and their entitlement, in respect of children under their guardianship, to make or be involved in decisions that can have significant effects on those children.
I support the proposals made by Senators Ruane and Higgins in amendments Nos. 10 and 11. I welcome the Minister's amendments Nos. 12 and 13. Will he indicate whether the role of the commission in encouraging the drawing up of codes of conduct has teeth? Will he explain how it would work and why people would be likely to draw up such codes of conduct and comply with them? How does he envisage his new section 31 operating? I strongly welcome the new section 32 on the right to be forgotten. It is important. I reiterate what I said to the Minister on a previous occasion. Whatever procedures are laid down in respect of the right to be forgotten, especially if we are dealing with young, immature people, they have to be so simple that they can be easily implemented. One cannot ask 14 or 15 year olds to behave as if they are law students, law graduates or law professionals in respect of their own affairs. There has to be a simple way of exercising the right to be forgotten. I hope that whatever is done will not merely exist as a remedy on paper but will be capable of being exercised by children so as to allow them, with the benefit of hindsight, to tidy up their profiles on social media platforms in particular.
I second the amendment. I thank the Minister for his time and for his engagement to date, especially on the issue of child protection as it relates to this amendment. It was raised in the Committee Stage debate on the legislation and it is great to see Government amendments in the area that I welcome overall. I am happy to see Government amendments Nos. 12 and 13, which allow for codes of conduct on how the data of children is processed. I will get to it in a few minutes. As Senator McDowell said, the issue is whether it has any teeth. The word "encouragement" is used instead of the word "require".
I welcome the review of the age of consent in amendment No. 9. It seems an appropriate response to many concerns. The right to be forgotten is also a welcome measure.
I am concerned that the data protection issues in my amendment No. 10 would still not be comprehensively addressed under the code of conduct system proposed in amendment No. 12. The fact the legislation only uses the word "encourage" as opposed to "require" is of concern. It would seem to make such codes optional instead of a duty. We want strong, rigorous regulation in this area. I would appreciate if the Minister could outline the enforcement mechanism to ensure data controllers prepare the codes of conducts. The word "encourage" does not fill me with confidence that the codes will be binding, accountable and enforceable. If the codes of conduct are broken by controllers, what will be the penalties? How will the State ensure that they are adhered to? In the UK counterpart to this Bill, an amendment has been tabled in the House of Lords to make the codes of conduct for data controllers a requirement rather than advised. Will the Minister explain why the word "encourage" and not "require" has been used? The UK could risk infringement proceedings as such a move goes beyond the text of the GDPR. Will the Government consider putting such a legal requirement on the data protection commission, making the regulation in this area stronger and more robust? What is there now is a good start. How does the Minister envisage it will work in practice? Where will oversight and enforcement responsibilities fall? Perhaps it is an issue that can be worked out further in the Dáil. The stronger move of making it unlawful for a data controller to process the data of children for commercial and marketing purposes as proposed in my amendment No. 9 will work as a stronger deterrent to the inappropriate uses of children's data. I will listen to the Minister with interest to decide what I will do with my amendments. Will he consider making some of the language a little bit stronger in his proposed amendment with regard to words such as "encourage"?
I will speak to the amendments in order. Very strong arguments were made across the House on the previous occasion regarding the question of the age of digital consent. I have already indicated that I have moved back and forth on the issue. I have serious concerns about the younger age of consent in terms of the protections that might be afforded. One of my key concerns is about the right to be forgotten. I highlighted the importance of the right to be forgotten previously and I very much welcome Government amendment No. 13 to address the issue. I also welcome the review clause that has been introduced because we need to be open to examining the issue. I am open to it and have found very persuasive arguments on the different perspectives on the digital age of consent. It is very important to have that openness and that we have the review conducted in a timely manner. When the review occurs it should look at the evidence on how the differing ages of consents have been implemented across Europe. Various European jurisdictions have taken a different perspective on the digital age of consent. We should ensure that the review is fully informed by the concerns and consequences that may have arisen from the ages of consent that have been set.
I will return to the right to be forgotten. It is fundamental. I am glad it is made clear. If 16 or 17 year olds wish to remove information they have shared on a social platform and the Internet, for example, when they were 13 or 14, it is vital it is done in a timely way and is something that can be done quickly. On issues such as cyberbullying and digital safety, I support the introduction of a digital safety commissioner but it is vital it is practicable.
The amendment is very good. I would like if it had made more explicit reference to the points in Recital 58 of the GDPR, which is very clear that the way it is put into effect needs to be concise, easily accessible, easy to understand, in clear and plain language and with visualisation and visual images where necessary. It is something to which the ISPCC and others have referred. The importance of ensuring that information such as the right to be forgotten is presented in a child-friendly manner in order that a 17 or 18 year old, without having to go to their parents, can activate the right to be forgotten.
My colleague has spoken very clearly on the code of conduct. It is a lovely thing to see the code of conduct but it is very concerning that it is not clear how it is to be enforced and is not clear that such codes of conduct will even need to be in place because the commission shall only encourage the drawing up of codes of conduct. It needs to be a lot more robust.I suggest that we still will be obliged to put forward amendments Nos. 10 and 11, which deal with the actual nuts and bolts and which say that we should not have the commercial processing of data. When we spoke earlier in this debate today, we talked about micro-targeted advertisements. My colleague has spoken about the micro advertisements that appear on of the websites of 14 and 15-year-olds such as Facebook. Can the Minister see his way towards supporting our amendments and ensuring that such inappropriate commercial targeting does not place in respect of those under 16? A key question in respect of amendment No. 11 is crucial in respect of the Facebook issue because the key issue there was not simply the information people shared about themselves but the information of those with whom they were in contact, the information they inadvertently shared and the information relating to their friends and families. The key issue relating to the Facebook scandal was the ease with which people could inadvertently share information about those close to and around them. This amendment tries to tackle that issue. Perhaps the Minister might clarify the position regarding information shared previous to the digital age of consent in terms of the right to be forgotten or eliminated. In many cases, persons will not even know that the information has been shared and consequently are not in a position to exercise consent or indeed seek removal. I have a suggestion the Minister might take on board as this Bill goes to the Dáil. As a complementary measure to the code of conduct, would it be possible to introduce specific regulations that would give the Minister the power to introduce mandatory requirements in order that he can produce a set of regulations under that section 33, which would include consent as is appropriate, as well as those additional safeguards relating to the processing of the previous special categories of information in respect of children such that there might be a higher bar on the processing of personal data in respect of children using that section of the Bill? It may be a way of approaching this and giving us a more robust requirement. On the right to be forgotten, I thank the Department for taking that on board. It will make a real concrete difference in children's lives.
Arising from the rather lengthy discussions we had on Committee Stage, I again recognise the strongly-held views of Senators on this issue. Arising from the discussions we had, I am, therefore, tabling amendment No. 9, which provides for a new subsection (3) for a review of the digital age of consent no later than three years after the entry into force of this section. Amendment No. 8 in the name of Senators McDowell and Boyhan proposes that the age of 13 years be replaced by 16 years. I am unable to accept that for reasons we elaborated on during the last occasion that were referred to by Senator McDowell earlier. I still remain of the view that the digital age of consent should be set at 13 years but that we should build in the review within a period of three years.
Regarding amendments Nos. 10 and 11, Senators Ruane and Higgins tabled similar amendments on Committee Stage. I saw the opportunity at that time to reflect on these amendments. Arising out of the consideration given, having particular regard to the matter of children and taking into account the direct effect of the GDPR on our law, I propose amendments Nos. 12 and 13 as alternatives. Amendment No. 12 introduces a completely new section 31 on the matter of codes of conduct and children. It provides for a code intended to contribute to the proper application of the GDPR with regard to the following specific areas, namely, the protection of children, the information to be provided by a controller to children, the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8 and integrating the necessary safeguards into processing to protect the rights of children in an age-appropriate manner for the purposes of Article 25. Putting an EU-wide code of conduct in place will have a great advantage in so far as it will provide protection for children irrespective of the location of the controller or processor.
I should point out that the Minister can have no role in the process of making regulations because any such involvement would cut across both the independence of the data protection commission and the role given to the new European Data Protection Board under the GDPR. I make this point in response to Senator Higgins's later comments that the independence of the data protection commission needs to be acknowledged and appreciated at every remove. There is no role for the Minister in the process of making regulations that could well have the effect of interfering with, disrupting or indeed undermining the role of the data protection commission, having regard to the role it has in law. The first step is that the data protection commission will use its powers to encourage controllers targeting children with goods and services to draw up and then submit a draft code. Second, the commission will provide an expert opinion on whether the draft code complies with the GDPR. If it does not, it will immediately go back for adjustment. Where the code relates to processing within the State only, the commission will register the code and publish it and it will apply within the State. If the code relates to processing of children's data across several member states, for example, a draft code prepared by Facebook and other social media would also relate to processing in other member states, the commission will be obliged to refer it to the European Data Protection Board, which is made up of representatives of the supervisory authorities of all member states, for its approval. The board will have the power to seek require further adjustments as may be necessary and appropriate. Where the European Data Protection Board is satisfied that the code is GDPR-compliant, it will submit its opinion to the European Commission. The European Commission can then adopt a formal implementing act, which will give the code legal validity right across the EU.
This new section makes provision for consultations with children, bodies that represent their interests, holders of parental responsibility over children and the Ombudsman for Children's Office. I believe that their input will ensure that all relevant matters are taken into account and that children will enjoy a level of data protection that takes full account of their needs, status and vulnerability. I believe that it is worthwhile developing a statutory code that will have the force of law across the European Union, thereby protecting all children irrespective where they live in the Union and the state in which they might reside.
Amendment 13 introduces a specific right to be forgotten for children. I acknowledge the initiative on the part of Senator Ruane in particular and Senators Higgins, McDowell and Boyhan. The right to be forgotten was also recommended by the joint committee in its report during pre-legislative scrutiny of the Bill. This will strengthen the right of children to erasure of any data collected during the provision to them of information society services referred to in Article 8.1 of the GDPR. I am unable to accept amendments Nos. 10 and 11 in the names of Senators Ruane and Higgins. I say that with confidence that these are matters which can be covered by the codes under the new section 31 that I have proposed.
Does it get to the point where those codes of conduct are never drawn up because the role of the commissioner is only to encourage rather than require? That almost gives an option for the codes of conduct not to be drawn up, not to get to the point where they could be a legal requirement.
I have no doubt that when somebody is encouraged, the controller concerned has little alternative if they wish to avoid further consequential action, such as an audit or an investigation of their practices and enforcement. I gave some consideration to what Senator Ruane might regard as being somewhat stronger than encouragement. I do not want to run the risk of infringing the GDPR. I want at all stages to remain on the right side of it but I do take the Senator's point. I do so, however, in the belief that in these circumstances the word "encourage" fits the bill.
I move amendment No. 10:
In page 23, between lines 9 and 10, to insert the following:“(3) It shall not be lawful for a data controller to process the data of a child for commercial or marketing purposes, when the child is under the age of 16.”.
I move amendment No. 11:
In page 23, between lines 9 and 10, to insert the following:"(3) It shall not be lawful for a data controller to process data in relation to the parents, guardians or family members of a child, without the consent of the person to whom the data pertains, save for age verification purposes, when the child is under the age of 16.".
Amendments Nos. 16, 17, 37, 49 and 54 are related. Amendment No. 17 is a logical alternative to amendment No. 16. Amendments Nos. 16, 17, 37, 49 and 54 may be discussed together by agreement. Is that agreed? Agreed.
I move amendment No. 16:
In page 25, between lines 16 and 17, to insert the following:"(7) If the Minister intends to set out regulations under this section which are not compliant with the advice of the Commission, he or she must lay a rationale for his or her proposed regulation before the Oireachtas Committee on Justice and Equality and any other relevant committee.".
These amendments all relate to the same core issue. The two points I highlighted on Committee Stage were that too free a hand was given to the Minister in how to set out regulations, limit data subjects' rights and choose to enforce or not enforce the legislation. There are many places in the Bill where the same formula occurs - that the Minister will make a decision, having consulted with whichever other Ministers he or she thinks appropriate and with the data protection commission. In all those sections, which these amendments seek to address, there is no guarantee that the Minister will, having consulted with the commissioner, in any way abide by, or take on board, the advice offered. The Minister can proceed to make regulations, take action, exercise restrictions and so forth even when that may be in direct contravention of the considered advice of the data protection commission, which we put in place to ensure that Ireland is in full compliance with the GDPR.
One of my amendments is a caveat in respect of section 33 regarding special and specified measures that relate to sensitive areas of personal data. If the Minister chooses not to take the advice of the commission in respect of how that sensitive data should be processed and what the special safeguards should be, a rationale should be provided. My amendments seek to ensure that the Minister does not have a free hand but that where he or she takes a decision which contravenes the advice of the data protection commission, he or she should provide a written rationale for that decision and present it to the Joint Committee on Justice and Equality and any other committee that may be appropriate. If, for example, a case relates to the area of health, it would also be relevant to the Joint Committee on Health. This is in order to provide a useful and appropriate level of transparency to ensure that the Legislature can be confident that the decisions made by the Minister can be justified and will not lead us, as a State, into inadvertent breach or violation of the GDPR, and, more importantly and in immediate terms, that they will not lead to inappropriate protections or violations of people's data rights.
Having raised this issue on Committee Stage, however, and having tabled these amendments, I recognise that the phrasing in amendments Nos. 32 and 35 tabled by Sinn Féin is more nuanced than mine. Acknowledging that Fianna Fáil, Sinn Féin and many Independent and Labour Senators are concerned about this issue because we do not want the Ministers to have a free hand but transparency in how decisions are made, I am happy to withdraw my amendments and, instead, lend my support to the complementary amendments tabled by Sinn Féin. I note, however, that there are one or two places where there is not a corresponding Sinn Féin amendment. I will withdraw mine in the hope that those areas might be addressed when the Bill goes to the Dáil. However, this gives the Minister an opportunity to engage with us on the issue.
I am happy also to put them to a vote. I was simply trying to expedite the process so that we did not gratuitously have to put them forward. As amendment No. 16 is not covered by a Sinn Féin amendment I will not withdraw it if that makes it easier for the Minister.
I merely want to point out that if people believe that the Minister has a free hand they are mistaken. Sections 33, 35, 50, 68 and 90 contain provisions for the making of statutory instruments to give further more detailed effect to various provisions in the Bill in accordance with Article 36(4) of the GDPR. Section 79(12) of the Bill provides that the commission must be consulted in advance of any regulations being made. The Minister intends to make regulations and will already have consulted with the Attorney General to ensure that they are compliant with the policies and the principles outlined in the appropriate regulation-making provisions. The obligation in the GDPR and section 79 of the Bill is to consult with the data protection commission. It will be a matter for the commission to decide whether, and if so, to what extent it wishes to provide its opinion or, indeed, advices or guidance in regard to any proposed regulations.
Sections 19 and 25 of the Bill provide for accountability of the commission to the Oireachtas committees. It will be a matter for the relevant committees of the House to make any necessary arrangements for the provision of information to them on the activities of the commission, including the provision of the commission's views on secondary legislation such as statutory instruments made under this legislation. Moreover, Article 57(1)(c) of GDPR makes it clear that the commission may advise national Parliaments or other bodies on administrative or legislative measures relating to data processing.
I have a difficulty accepting the amendments but I do acknowledge the points made by Senator Higgins.
I propose to press it because what is provided for therein is not explicitly addressed elsewhere, but I will withdraw the other amendments.
In response to the Minister's comments on the amendments, the key concern is that while the committees may request a data commissioner to give testimony, they may not be aware of situations where there has been a divergence of view in respect of a Minister and the data commission. That is why the impact assessment conducted by the data commission, to be proposed later, to say what issues may arise from this divergence of view, and that being presented to a committee, will bring about due oversight. The concern is that a committee may decide to call in a data commission to speak on any issue but if such committee does not know that there is an issue then that power is not practicably exercisable. I propose to push amendment No. 16, which relates to section 33, and I will then withdraw the other amendments.
No. I move amendment No. 17:
In page 25, between lines 16 and 17, to insert the following:
"(7) If the Minister intends to set out regulations under this section which are not compliant with the advice of the Commission, he or she must lay a rationale for his or her proposed regulation before the Oireachtas Committee on Justice and Equality and any other relevant committee and receive approval from those committees.".
Amendments Nos. 18 to 21, inclusive, are related. Amendments Nos. 19 to 21, inclusive, are physical alternatives to amendment No. 18 and amendment No. 20 is a physical alternative to amendment No. 19. Amendments Nos. 18 to 21, inclusive, may be discussed together.
This is the same issue. I do not wish to impugn the commitment of any Minister or to put forward an expectation that any Minister would act. A very clear example of this is the very serious concerns expressed by the data commissioner in respect of the roll-out of the public services card. The Department of Public Expenditure and Reform and the Department of Employment Affairs and Social Protection intensified the roll-out of the public services card while serious question marks had been raised, and continue to be raised, and are still under investigation. This is one of the most serious forms of concern that the data commissioner can raise. This is not a hypothetical situation. This is a reality. There will be moments of tension between the data commissioner and what Ministers and Departments would like to do. It is appropriate that there would be absolute transparency around where the tensions are and how the issues might be addressed.
Yes. I move amendment No. 21:
In page 26, to delete lines 26 to 30 and substitute the following:
"(a) the Minister, provided that—(i) the Minister has consulted with such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission, and
(ii) the Minister has, if he or she intends to set out regulations which are not compliant with the advice of the Commission, laid a written rationale for his or her proposed regulation before the Oireachtas Committee on Justice and Equality and any other relevant committee,(b) any other Minister, provided that—(i) that Minister has consulted with the Minister and such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission, and
(ii) that Minister has, if he or she intends to set out regulations which are not compliant with the advice of the Commission, laid a written rationale for his or her proposed regulations before the Oireachtas Committee on Justice and Equality and any other relevant committee.".
The amendments in this group provide for the inclusion of the words "and proportionate" in a number of sections in the Bill. Arising out of Committee discussions I undertook to take a further look at the provisions as they applied a necessity test to data processing with a view to assessing whether a proportionality test should also be applied. Arising from this assessment, I am proposing amendments Nos. 22 and 36 to sections 36 and 50(3), respectively, which will insert the words "and proportionate" after "necessary" in each case.
As regards, amendment No. 24 to section 41, I regret that I cannot accept the inclusion of the words "and proportionate" in this regard because this section gives faithful effect to Article 9(2)(b) of GDPR and that does not include a reference to proportionality. Including the words "and proportionate" in this section would lead to a divergence from the GDPR.
I wish to speak to these amendments, which were put forward by Senator Ó Donnghaile, Senator Ruane and myself. Senator Ó Donnghaile regrets he cannot be here today and appreciates the Minister's engagement on them. The amendments are about the importance of a proportionality test. I acknowledge the engagement of the Minister and the Department in agreeing to reinsert that vital proportionality test in a number of sections. There are a couple of other sections in which I still believe a proportionality test should be inserted. We may have a divergence of opinion on that but I want to acknowledge that regarding these three amendments, and the previous amendment No. 20, which I did not get a chance to speak to, the Government has taken on board that feedback.
I move amendment No. 23:
In page 28, between lines 20 and 21, to insert the following:
“39. (1) No application to access data processed for journalistic purposes may be made by any party, including, for the avoidance of doubt, an authorised officer, An Garda Síochána, the Garda Síochána Ombudsman Commissioner, the Revenue Commissioners or the Defence Forces, except by way of application to the High Court by motion and affidavit and on notice to the journalist data processor.
(2) In determining whether to allow access to data processed for journalistic purposes, the High Court shall have regard to the importance of freedom of expression in a democratic society and to the importance of confidential sources of information to the right of freedom of expression.
(3) The High Court may permit access to data processed for journalistic purposes, including for the purpose of identifying confidential sources of information, only where the journalist processor whose data is sought is the subject of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
(4) (a) In exceptional cases, where the security of the State is under immediate threat or where it is suspected that a serious criminal offence is likely to be committed in the immediate future, an application may be made ex parte to the High Court for access to data processed for journalistic purposes.(b) Where an ex parte application under this section is made, the journalist processor whose data is the subject of the application shall be notified of the application by, and given the opportunity to make representations before, the High Court as soon as practicable.(5) An appeal shall, by leave of the High Court, lie from a determination of that Court under this section on a question of law to the Court of Appeal.”.
I indicated that I wished to speak to it. I simply want to note that this is an issue that has been raised again. I supported it on Committee Stage and it is about addressing the issues expressed by journalists and the very important Fourth Estate. I request that it would be re-examined by the Dáil when it goes to that House.
Ivana Bacik, Frances Black, Paul Daly, Paul Gavan, Alice Mary Higgins, Gerry Horkan, Colette Kelleher, Rónán Mullen, Gerald Nash, Grace O'Sullivan, Ned O'Sullivan, Lynn Ruane, Fintan Warfield, Diarmuid Wilson.
Colm Burke, Paddy Burke, Jerry Buttimer, Maria Byrne, Paudie Coffey, Paul Coghlan, Martin Conway, Frank Feighan, Maura Hopkins, Tim Lombard, Gabrielle McFadden, Kieran O'Donnell, John O'Mahony, Joe O'Reilly, James Reilly, Neale Richmond.