Tuesday, 22 May 2018
Data Protection Bill 2018: [Seanad Bill amended by the Dáil] Report and Final Stages
In accordance with Standing Order 148, this Bill is deemed to have passed its First, Second and Third Stages in the Seanad and has been placed on the Order Paper for Report Stage. On the question, "That the Bill be received for final consideration", the Minister may explain the purpose of the amendments made by the Dáil and this is looked upon as the report of the Dáil amendments to the Seanad.
For the convenience of Senators, I have arranged for the printing and circulation of those amendments. The Minister will deal separately with the subject matter of each related group of amendments. I have also circulated a proposed grouping in the House. A Senator may contribute once on each grouping. I remind Senators that the only matters that may be discussed are the amendments made by the Dáil.
I want to welcome Senators back to Report Stage, which deals with amendments made to the Bill by Dáil Éireann. Before introducing the amendments in group 1, that is, amendments Nos. 1, 9, 11 to 23, inclusive, and 85 to 83, inclusive, I wish to thank Senators for their detailed comments, all of which were helpful to me and the Bill in its latest iteration. Senators will be aware that the GDPR comes into force on Friday of this week. I hope we can get through our business as expeditiously as possible. In this regard, I look forward to a continuation of the constructive approach adopted by the House during the earlier detailed discussions we had on the legislation. I look forward to the support of the House for the completion of the Bill's passage today. This will be necessary in order to ensure its entry into force on Friday to coincide with the GDPR.The entry into force of the GDPR necessitates the amendments to the Acts of the Oireachtas which contain cross-references to the 1988 Act and the 2002 Act, or which may be otherwise affected by the entry into force of the GDPR. These changes form the subject matter of the largest group of Dáil amendments, namely, amendments Nos. 112 to 121, inclusive, and 123 to 184, inclusive. Subject to the approval of this House, it is not my intention to deal with the amendments individually but as a group.
I should never have given any indication that I intended doing anything without agreement or the prior approval of Senators. Many of the amendments made by Dáil Éireann arise from proposals and suggestions first made during the early discussions here and most of them go in the direction advocated during those discussions. I trust, therefore, that they will find ready acceptance here this evening.
The first group of amendments is concerned with the membership and operation of the data protection commission, established in Part 2 of the Bill. The following amendments form part of this group. Amendment No. 1 adjusts the Long Title to the Bill. Amendment No. 9 inserts subsections (3) and (4) in section 12 to clarify that the commission is designated for the purposes of Chapter 4, mutual assistance with the Council of Europe's data protection convention - these provisions are currently in section 15 of the 1988 Act. As regards section 15 on the membership of the commission, amendment No. 11 clarifies that the Public Appointments Service shall recommend a person for appointment as commissioner following an open selection competition held for that purpose, and that it should appoint a selection panel for that purpose, according with the normal Public Appointments Service procedures for selection in respect of such appointments.
Amendments Nos. 12 to 14, inclusive, deal with the retirement age of the commissioners. Amendment No. 15 replaces section 18, regarding the acting commissioner, with a more detailed text which precludes a member of staff acting as a commissioner from exercising certain specified functions more appropriate to the commissioner. Amendment No. 16 amends section 20 to clarify matters relating to the assignment of staff to the data protection commission. Amendments Nos. 17 to 23, inclusive, involve technical changes to section 23, which deals with the accounts of the commission.
Amendments Nos. 83 and 84 incorporate a reference to the data protection commission into section 92 in order to safeguard investigations and prosecutions taken by the commission under Part 5, an issue which exercised Senator Ó Donnghaile and other Senators. Amendment No. 85 clarifies that the commission is not a supervisory authority for courts when acting in their judicial capacity under Part 5.
I recognise the strong engagement the Minister had with this House throughout this process and the fact that he has taken on board many proposals in the Dáil on Committee and Report Stages. I believe there was a change, which was made on Committee Stage but was undone on report Stage, relating to the appointment of data protection commissioners and I wonder if the Minister could clarify. The idea of having a role for the data protection commissioner on the selection panel in the European Data Protection Supervisor's office was discussed.The data protection commission in Ireland will play a key role on a European level. Much as the fundamental rights agency has a role in the selection process for the Irish Human Rights and Equality Commission, it had been envisaged that there would be a potential role for those European authorities in the selection process. I know that had been discussed and I believed the change had been made on Committee Stage so perhaps the Minister might just explain the rationale for why that change has not been maintained and perhaps give some assurances that we will ensure these are open competitions and that we ensure the very best people that are available on a European level or globally can come and fill the roles. It has been made clear by the current Data Protection Commissioner that this is a key role for Ireland. We will effectively be a first line of regulation in many cases, certainly affecting the large tech agencies.
I acknowledge the point raised by Senator Higgins. It is one that did form part of our discussions here earlier, and one that was the subject matter of discussion in the Dáil.
My officials did make direct contact with the office of the European Data Protection Supervisor, EDPS, on the matter of a subsection that may require him to nominate a member of the selection panel. We received a response and that response merely said that the EDPS had reservations about the idea and did not think it would fit within the system of international co-operation. We did notify the office but ultimately, the European Data Protection Board advised us of its wish to stay neutral and impartial in all of the issues surrounding appointments and procedures. It was precisely because of that, that we decided to proceed as we are now doing.
I am sorry but I cannot allow Senator Higgins in again. We are moving on to group 2. These amendments relate to the appropriate authority and they are the subject matter of amendments Nos. 2 to 4, inclusive, 89 and 96. Does Senator Higgins wish to speak on this group?
The purpose of the amendments in group 2, which are somewhat technical in nature, is twofold. The amendments to subsections (1) and (2) of section 3 provide that where an appropriate authority under the Civil Service Regulation Acts designates a civil servant as its controller, any action taken by a data subject to seek compensation and any administrative fine imposed by the data protection commission shall be taken against, or imposed on, the appropriate authority, rather than the designated civil servant. That is the purpose of amendments Nos. 2, 3, 89 and 96. These adjustments arise from the Seanad’s earlier acceptance of my proposal to permit the imposition of administrative fines, subject to a limit of €1 million, on public authorities and bodies for infringements of the GDPR.
Second, the purpose of amendment No. 4 is to insert a new subsection (3) into section 3, the text of which is carried over from section 1(3)(c) of the Data Protection Act 1988.
I acknowledge the very important step that was taken by the Minister, which he took in the previous debate, to agree to the imposition of administrative fines of up to €1 million on public authorities. That is appropriate. I see the concern the Minister is addressing in the amendments. I accept them and I think they are practicable. It is still important that there would be a strong level of internal accountability within public authorities but in terms of the imposition of fines it is appropriate that it is the authority rather than the individual who would pay them.
It will be an important test for the Government to follow through on the agreement that fines can be imposed. It is important that we see a seriousness of approach and message to all public authorities in the implementation of the Bill. I am sure the Minister can assure me of that.
Given that I did not have a chance to come back in on the previous group, I wish to add that I accept the Minister's points on the European bodies but could he assure me that it will be a European-wide competition for the data commission?
Yes, it will be an open competition that will be advertised. It will be open to anybody who believes he or she has the appropriate level of expertise and will follow the Public Appointments Service practice and procedure.
I thank Senator Higgins for the earlier points she made in respect of administrative fines imposed on public bodies. We had a pretty comprehensive debate on that. She need be in no doubt as to the will on the part of the Government to ensure that this legislation is working and workable.
Senators will recall that several sections, notably sections 35, 37, 48, 52, 57 and 70, provide for possible future regulations to be made by the Minister for Justice and Equality or another Minister. The Bill, as initiated, provided for consultation by the relevant Minister with the Minister for Justice and Equality and the data protection commission prior to the making of regulations. Nonetheless, concerns were expressed in the House that the Bill granted an excessively wide margin of discretion to Ministers and that improved oversight by the Oireachtas would be desirable. Dáil amendments to the relevant sections have strengthened the role of the data protection commission and oversight by both Houses of the Oireachtas.
As regards amendments Nos. 30, 32, 38, 44, 53 and 67, they will mean that where the Minister for Justice and Equality or another Minister consults the data protection commission on proposed regulations, the commission may make observations in writing on any matter that is of significant concern to it regarding the proposals. If the Minister or relevant Minister proposes to proceed to make the regulations notwithstanding that concern, that Minister must provide a written explanation as to why he or she is proceeding to do so to the justice and equality committee of the Houses or any other relevant or appropriate committee. That will ensure that any commission concerns that have not been taken on board by the relevant Minister must be brought to the attention of the appropriate Oireachtas committee.
In addition, amendment No. 5, which amends section 6, will require that in the case of any regulations to be made under sections 48, 57 and 70, such regulations may be made only if both the Dáil and Seanad have passed resolutions approving the draft regulations. Amendment No. 31 deletes section 35(7) and its content is transferred to section 48 by means of amendment No. 38. I am sure Senators will fully agree with the amendments which allow for a greater level of oversight and input by Members of this House and Members of Dáil Éireann.
I very strongly welcome this set of amendments. One of the concerns that had been identified which was only partially addressed in the Seanad was around the lack of transparency and accountability in the circumstances under which exemptions were made in areas such as public interest. I strongly commend all those in the Dáil who put forward what I believe are extremely nuanced and constructive proposals that strengthen the Bill and ensure that, specifically in areas where exemption is being made to a data subject’s rights or, crucially, where a decision is being made in the public interest, there is accountability and transparency. It is in the public interest that exemptions in the public interest would be subjected to a proper process such as this.These amendments will ensure we do not have a situation whereby any exception, or a series of exceptions, becomes the rule, but instead that an exception to the highest level of protection for data subjects always remains just that, an exception, and is subject to scrutiny. I commend everyone in the Dáil who proposed the amendments, and the Minister for accepting and keeping them.
Group 4 deals with aspects of sections 7, 8 and 14. Amendments Nos. 6, 7 and 10 make a number of technical adjustments to subsections (3) and (4) of section 7 and to section 14. Amendments Nos. 8 and 65 concern the scope of section 8. They clarify that the data protection commission must complete any investigation under section 10 of the 1988 Act that was commenced by the Data Protection Commissioner but not completed before the establishment of the commission. This matter was raised here during earlier discussions. They also provide that the processing of personal data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 shall continue to the extent that the 1988 Act applies to those Acts. These are the so-called Prüm measures, and the European Commission intends to table proposals to bring its data protection standards into line with the law enforcement directive in due course. The Prüm measures, comprising Council Decision 2008/615/JHA and 2008/616/JHA, are concerned with the automated exchange of data between member states in the matter of cross-border crime and terrorism. The data concerns DNA profiles, fingerprints and vehicle registration data. The DNA and fingerprint aspects of Prüm are provided for in the 2014 Act, while the sharing of vehicle registration data is provided for in the 2018 Act, which was signed into law less than a month ago.
Amendment No. 77 deletes section 86, which excluded Forensic Science Ireland from Part 5.
I am happy to assure Senators that any investigations commenced by the Data Protection Commissioner but not completed before the establishment of the commission, which was raised by Senator Higgins and Ó Donnghaile, does not require any great discussion, but I am very pleased to clarify the issues as raised by the Senators.
I welcome the Minister's assurance. There is, of course, a section 10 investigation under way at present on the way the public services card has been rolled out and the single customer view system. It is interesting because we are talking about forensics and crime. It is funny that while we hear the phrases "cybersecurity" and "cyberterrorism" floated around, there have been very serious concerns about the way data has been stored in the single customer view data system.
I welcome the Minister's assurance. It is very important that we do not simply attempt to give legal sanction retrospectively to activities which may have taken place outside proper legal grounds in the period previous. While the legislative context may change, it is still important to note that data gathered improperly must be dealt with in a way that fully acknowledges this. This is not to pre-empt, as we do not know what the discussion will be or what the outcome of the Data Protection Commissioner's investigation will be.
I welcome this. I recognise the need for the exchange of forensic information and information relating to vehicle registration, although I would say this is an area we need to monitor very closely and ensure it is in line with all areas of policing. We must ensure its usage and application does not end up extending inappropriately. I know that is absolutely not the intention.
Group 5 comprises amendment Nos. 24 to 28, inclusive. These amendments focus on safeguarding children and their data protection rights under the GDPR. The subject was debated at some length in this House. When I introduced sections 29 to 31, inclusive, in response to concerns and worries expressed by Senators I also introduced a review mechanism in section 30, which would have required a review of the digital age of consent of 13 years within three years. I acknowledge the role of Senators in this regard and, in particular, Senator Ruane and others. Since the Bill passed through the House on 28 March, sections 30 and 31 have been further amended and a new section has been inserted. Amendment No. 25 has substituted 16 years for 13 years as the digital age of consent. This means the review will take place within three years of the entry into force of the section, and will now review the suitability of 16 years rather than 13 years. Amendment No. 26 extends the scope of codes of conduct for the protection of children under section 31. It means a code may be drawn up to provide necessary safeguards for the processing of the personal data of children for the purposes of direct marketing and creating a personality and user profiles.
Amendment No. 24 inserts a new section entitled "Micro-targeting and profiling of children". During earlier discussions in the House, and during Dáil debates, I had suggested, based on input from the Office of the Attorney General, that such a provision would be likely to infringe the GDPR and expose the State to infringement proceedings, and perhaps even sanctions. Following acceptance of the amendment by the Dáil, the Department has formally requested legal advice from the Office of the Attorney General and a response is awaited. In the meantime, it may be necessary to delay or defer commencement of this section of the Bill, and I am happy to keep Senators informed of developments.
I thank the Minister for his engagement, particularly on this section. I have been completely opposed to raising the age to 16, not only because I feel it inappropriate from a personal standpoint and as a parent and legislator, but also because I chose to listen to experts in the field, such as the CEO of Barnardos, the CEO of Childline and CEO of the Children's Rights Alliance. Not listening to the people who are there to protect our children and advocate for our children was an odd move on behalf of some of the other political parties. The amendment which the Minister states might be an issue is an amendment I support. I understand the Minister's concerns about it, but for me it is a positive amendment. My only fear is that it is weakened by the age of consent being set at 16. The reason I believe it is weakened is from the beginning of the debate we heard from people who wanted the age set at 16 because this is about protecting children's data, protecting children online and protecting them from being targeted. We will only allow children to stay within the loop of not being targeted through amendment No. 24. Setting the age at 16 means those aged 13 must say they are 16, and by the time they turn 15 their online profile will state they are 18, which will allow them to be targeted before they have reached the age of consent. While I see amendment No. 24 is very strong, those who campaigned to raise the age to 16 have done a disservice to the function of amendment No. 24 and I want to put this on the record. I do not know why it was not picked up earlier in the Dáil when Sinn Féin and Fianna Fáil supported raising the age of consent to 16 that, in fact, amendment No. 24 would have done what we set out to do while also protecting children and allowing them to tell the truth about their age at 13.
I want to add my own words of support for amendment No. 24 and its significance. It is an important amendment. This section of the Bill and the matters contained therein have proved contentious and difficult to deal with. Despite this, there has been a great deal of co-operation and sincerity in terms of trying to come to a legislatively competent conclusion that can, if such a thing is possible, at least go some way in trying to meet the concerns about this and the differing and competing views on it. I take Senator Ruane's points with deep sincerity because I know how passionate she is about this issue. There is no doubt there is merit in what she has flagged, and that is the difficulty there has been with this part of the Bill. Yes, we have had to listen to competing views and competing expertise on this.We have also had to listen to a wide range of parental and family views as well as those of children and young people. For our part, it has been a difficult, long and drawn-out process internally in the Sinn Féin group within both Houses of the Oireachtas. Ultimately, we have decided to err on the side of caution for the digital age of consent by opting for 16 years of age.
The issue on amendment No. 24 and what it seeks to do was summed up well by Senator Ruane. We have flagged and talked previously and at length about the dangers concerned with cultivating and harvesting data relating to young people. I am keen to hear what the Minister has to say on some of the more mechanical points raised about the general data protection regulation. I believe it would be a pity if, at this stage, we were to unnecessarily replicate a vote in respect of which we might know the outcome. I do not mean to be presumptuous in that regard. I simply want to flag that I hope we can get this done in a way that is speedy and compliant for the Minister and his officials.
I wish to acknowledge the Minister's efforts in this area. I absolutely note the position of Senator Ruane on the digital age of consent. To be honest, it confuses me a little. Unlike Senator Ruane, I am not blessed with having children so she is probably far more in tune with them than I am. Having said that, I have a deep concern for their welfare.
Children are particularly ICT-aware now. In many cases they show their parents how to deal with technology and so forth. Unfortunately, we are in a world where the question of whether the digital age of consent is 16 or 13 years is probably academic. This is because even from a younger age, children are able to access the Internet. What troubles me is that a 13 year old child could put up a compromising picture of himself or herself on the Internet. If the digital age of consent was 13 years, the parents would not have the authority or right to tell the child to take it down. The child would have legal control of what goes up from age 13 years. This is very much an evolving situation. I imagine we will see this legislation amended many times in future as technology, lifestyle and habits change.
It has been a useful debate. I have listened to the arguments and my views have evolved on the matter. I have come down very much on the side of leaving the age at 13 years because I believe it is academic and it seems to accord with international best practice. One message that really needs to go out from both Houses is that, whatever position people take, everyone is in unison in terms of the importance of protecting children from the Internet. We have a great deal of work to do to ensure that.
Others have spoken to the question of the age of consent. I note that there will be a review of it. The Minister mentioned that this would be within three years. Perhaps the Minister can outline in his response what the process is likely to be around that review. Different ages have been set across different EU states. I believe we will be in a position to look at best practice and what the consequences may have been, whether direct or inadvertent, of setting the age differently in different EU states. Perhaps the Minister could indicate the process of that review here and how we plan to draw on the experience elsewhere.
I want to address one thing that for me is far more significant than the question of the age of consent. The issue was originally highlighted by myself and Senator Ruane. It relates to the profiling of children and micro-targeting of children. I commend those in the Dáil who worked to ensure that amendments were inserted to address this issue. The phrasing proposed by Deputy Donnchadh Ó Laoghaire is reflected in amendment No. 24 and it is important. Amendment No. 24 states:
It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine under section 139.”.
I note amendment No. 28 is similar and reflects this view as well.
I was a little concerned when the Minister mentioned that there may be a delay in the commencement of certain provisions in the Act. I am keen to ensure we do not overly delay the commencement of the important amendments around micro-targeting and profiling of children. I believe they are positive amendments. They strengthen the Bill and represent good practice. They are compatible with the GDPR.
Article 22 of the GDPR addresses the question of automated decision making, that is, decision making that may be facilitated by profiling and micro-targeting. Article 6 also has relevance here. Crucially, the intention of the GDPR is made clear in the recitals. Recital 71 specifically says that automated decision making, including profiling that has significant effects, should not apply to children. Recital 38 states:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The definition of a child in all these provisions is set out in section 29 and applies to a child of 18 years or under. None of the protections under the GDPR is in any way diluted by the age of consent or by the fact that a child may have given consent with regard to a service or participating online.
I believe these are excellent amendments. I believe they are absolutely in tune with the letter and interpretive recitals of the GDPR. I call on the Minister to assure me that there will be no undue delay in the commencement of these sections. I heard that and I want the matter clarified because I would be very concerned if that was the case.
This will make a real difference at a concrete level. This is the difference between a young person, whether 17 years or 13 years of age, being online and being subject to aggressive marketing. Examples include lip fillers being sent to 17 year olds or young people having messages targeted at them that may play on the particular vulnerabilities or insecurities of young people. The same applies to exploitative marketing. I call on the Minister to outline the plan for commencing the provisions.
My final point on the section relates to the code of conduct. I welcome and recognise the importance of the code of conduct that the Minister has indicated will be introduced in respect of the protection of children. Will the Minister indicate specifically with regard to the question of age verification that arises in these situations, whether for those aged 13 years or those aged 16 years, if there are proper guidelines around the age verification process? The idea is to avoid a situation whereby national identification papers, data that is effectively or potentially linked to the public service identity set or biometric data are not inappropriately sought, kept or stored by private companies. I am not asking the Minister to tease out all of this today. However, he might indicate if he believes that within the code of conduct there will be scope to ensure we have process to ensure we do not have inappropriate leakage of public or State data. The same applies to data of individuals that is shared with the State. It should not be overly captured by private company actors.
On the final point made by Senator Higgins, if there is leakage it would be inappropriate, and if there is inappropriate leakage there will be sanctions.
I shall make some brief comments on the amendments with regard to setting of the digital age of consent. I acknowledge the will and wish of Dáil Éireann as far as this issue is concerned. It is not my intention to revisit the debate in its entirety but while acknowledging the majority view of the House I do not agree with it. It is not my intention to revisit the putting of the amendment in any other form. I assure Senators that the only issues with which I have a real and serious remaining problem are issues that might have been the subject of amendment in Dáil Éireann, and that may have constitutional consequences or may give rise to infringement proceedings on the part of our EU colleagues. I accept the view of Dáil Éireann.
Senator Higgins referred to a delay but I assure the House that there will be no undue delay. I am very supportive of the objective of the new section. I intend to ensure that we have the appropriate level of advice from the Office of the Attorney General at the earliest opportunity. I cannot do anything further than that. The creation of a new offence, under this section, will require an element of advance notice so that individuals - or anybody who may be involved, affected or interested - will know that they are committing an offence that is criminal in nature and hence the issue being discussed today. I am happy to engage bilaterally, perhaps with Senator Higgins or with the spokespeople, as soon as the advice comes through. I assure the House of my support for the objective, subject to receiving clearance and no undue delay. The only reason I ask for forbearance now is to ensure we meet our commitment to the completion of the legislation.
With the consent of the House I will invite my colleague, the Minister of State, Deputy Pat Breen, who has specific and special responsibility for the area of data protection. I am due in Dáil Éireann and I will leave now, with the greatest respect to the House.
We are sorry to lose the Minister, but we are thankful to have the Minister of State, Deputy Breen, to ably step into the seat the Minister has occupied. Perhaps he is here to keep an eye on Senator Conway, and maybe vice versa.
I welcome the Minister of State, Deputy Breen to the House, and I thank the Minister, Deputy Flanagan. We will ask the Minister of State, Deputy Breen to speak on the group 6 amendments. Amendment Nos. 35 to 37, inclusive, 39 to 43, inclusive, 45 to 47, inclusive and 49 to 52, inclusive, giving further effect to GDPR in relation to data processing.
This group of amendments deals with GDPR related data processing under Part 3 of the Bill.
Amendment No. 36 amends section 41 of the Bill, which reconciles the right to data protection with freedom of information rights. It broadens the scope of section 41 by incorporating reference to the European Communities (Access to Information on the Environment) Regulations 2007.
Amendments Nos. 35 and 37 are drafting amendments to section 38 and 42 respectively.
Amendments Nos. 39 to 42, inclusive, are drafting amendments.
Amendment No. 43 is an amendment to section 52 and will permit the making of future regulations to authorise, where necessary and proportionate, the processing of conviction data to assess the risk of bribery or corruption or both, or to prevent bribery or corruption or both.
Amendment No. 52 is a related amendment and it would permit, should the need arise and if the Houses of the Oireachtas agree, the making of regulations to restrict student access to examinations scripts in order to safeguard the integrity and security of the examination systems.
Amendment No. 46 inserts the additional safeguards in section 54, which deals with automated decision making.
Section 57 is a further amendment with amendments Nos. 47, and 49 to 51, inclusive. Amendment No. 47 replaces the text of subsection (2) with simpler wording. Amendment No. 49 inserts the word "commercial" in subsection (3)a 6. Amendment No. 50 incorporates reference to the Comptroller and Auditor General in subsection (3)c, alongside the Data Protection Commission and the Information Commissioner. Amendment No. 51 is a drafting amendment to subsection (7)c.
I thank the Minister of State. Do Senators have any contributions on matters covered by the group 6 amendments? No.
We shall move on to group 7 amendments relating to elected representatives, amendment Nos. 33, 34 and 122.
This is a very important part of the GDPR for public representatives. Senator Conway first raised the potential impact of GDPR on the ability of elected representatives to make requests or representations in the House. Arising from that intervention, the Minister, Deputy Flanagan, announced his intention to introduce new provisions to establish a robust legal basis for the making of representations by Members of the Houses of the Oireachtas and by members of local authorities. The Minister took the view then, and it remains his view, that assisting constituents by making representations and requests on their behalf are time honoured and valuable aspects of our democratic system of government.
Amendment No. 33 introduces a new section that will facilitate specified persons to use personal data in the course of their electoral activities in the State for communicating with their data subjects. Under subsection (2) such a communication is considered as the preference of a task carried out in the public interest.
Amendment No. 34 introduces a new section that will provide a robust legal basis for making representations on behalf of individuals. Where special categories of personal data are involved, subsection (3) will require that measures to limit access to the data would be taken in order to prevent unauthorised consultation, alteration, disclosures or erasures of the data.
Subsection (4) establishes a legal basis for responding to representations and requests received by public authorities and public bodies from elected representatives on behalf of data subjects.
Amendment No. 122 amends the Electoral Act 1992 to provide for continued use of the electoral register in connection with the two new sections.
The combined effect of the amendments will permit the elected representatives of Dáil Éireann, Seanad Éireann and local authorities to continue to perform their functions as elected representatives by continuing to communicate and serve their electorate.
I thank the Minister of State, Deputy Breen, for his clarification on the amendments.When the House dealt with Committee and Report Stages, concern was raised by a number of people about their role in engaging with local authorities and their members. A number of colleagues in the Fine Gael Parliamentary Party raised serious concerns about how this would impact on those people doing their job daily.
Ireland and Malta are the only two countries in the world with a proportional representation single transferable vote system, PR-STV, on a multi-seat constituency basis which creates a certain dynamic and requirements. Ireland is probably even more distinct than Malta in that people go to their elected public representatives for citizens' advice and information. Deputies, Senators and local authority members provide an advocacy role for their constituents with local authorities and various State agencies as well as private financial institutions. I regret that banks and other private companies are not covered by the Bill. If we are asked to advocate with a financial institution which is privately owned, I understand we will be subject to the same data protection requirements as anybody else.
If we are engaging with public organisations, such as SUSI, the fact that public representatives have a mandate means that they have an implied and absolute authority and freedom from any data protection requirements to engage, as do their staff. Constituency staff in my constituency, that of the Minister of State, Deputy Breen, and anybody else's who have to advocate and engage to try to resolve a difficulty for constituents can do that. The data protection legislation, which is very important in the advancing ICT world, will not preclude representatives from advocacy. It would be a great pity if a culture of political representation on behalf of constituents were to be stopped or frustrated in any way as result of important data protection legislation.
I am glad that Minister, Deputy Flanagan, following the substantial case I made on behalf of Senators and our colleagues in local authorities, has responded positively and has brought in a suite of amendments to ensure that we can continue to do our job and perform our role as we have done.
I have very serious concerns about this area. I raised them when the Bill was passed by the Seanad and they have deepened somewhat. While I recognise that there are some constructive elements to the amendments which have been made and it is important that people are able to do their representative work as described by Senator Conway, I am concerned that the serious dangers I flagged very clearly during the course of the debate in the Seanad were not addressed at all. In fact, the danger may have increased.
There have been ongoing revelations in recent months around the role of political consultancy and data mining firms such as Cambridge Analytica in election campaigns. We know there are hundreds, if not thousands, of clones of similar public and political consultancy and data mining firms. My concern about the previous incarnation of the Bill was that it did not have enough to ensure that the exemptions which were being made in respect of electoral activities by specified persons, such as political parties, Members of the Houses or the European Parliament, candidates for office for election to any House and so forth, would preclude such actors from signing a contract with or hiring the services of a private company such as Cambridge Analytica, or its many imitators, and effectively using the exemption granted in the Bill. We need to bear in mind that a single candidate could decide to become a candidate simply for this purpose. I am concerned that we may have given a very wide exemption to such an actor and, through him or her, to private actors or companies which may wish to influence electoral outcomes in our country.
I highlighted that Article 9, which deals with what is recognised by the GDPR as a special category of personal information, that is, political opinion, is recognised as a sensitive category of personal information and one which needs particular protection. I highlighted that I was concerned that what had been brought forward in the Bill had exceeded the generous provision which was made under Article 9(2)(d), that is, the processing of a special category of personal information like political opinion. It states that it is legitimate to process political opinion when that is carried out in the course of legitimate activities, with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. Crucially, this is on the condition that the processing relates solely to the members or former members of that body or persons who have regular contact with it in connection with those purposes, that is, for example, party members or constituents, and that the personal data are not disclosed outside that body without the consent of the data subject.
Under Article 9(2)(d), a person can function as a political party or representative and communicate in respect of the political opinion of constituents or members. A person cannot, however, share the information of constituents or those in touch with him or her or party members with a private company or another external actor without getting consent. That might mean a person can work with a focus group, RED C and so on, but if he or she does so, that person needs the consent of data subjects. I raised the concern that the Bill as posited did not contain the same limits and an attempt has been made to get around that.
An amendment invokes the public interest. Instead of relying on Article 9(2)(d), the part which refers to the question of public interest seems to have been invoked in a very sweeping way. This is the section to which I will speak longest. I will be much shorter about other sections.
I am referring to sections 38 and 39 of the Bill and amendments Nos. 33 and 34. There is real concern that a very sweeping interpretation of public interest has been proposed, which effectively states that any electoral activity on the part of any party, candidate or Member of the House is in the public interest and therefore bypasses any need for consent. There is some clarification in that it is proposed to include the dissemination of information, including information as to a person's activity and policies that might reasonably be of interest to electors. It does not, however, exclude anything.
I am very concerned and I would like a response from the Minister of State on the proposals to ensure that we do not have a situation whereby private companies can build political profiles of individuals in the State and be hired by or exchange that information with individuals who are considered specified persons and then use that as a context to carry out data harvesting or micro-targeting. Let us be realistic about it. We know that one company was reported in the newspapers just a few weeks ago as having used the period in advance of the GDPR to build databases and political profiles of Irish citizens. It has had the aggressive and very expensive promotion of quizzes about one's political views for Irish citizens. It informs us, on its website, that it has 93,000 political profiles of Irish citizens which are effectively available for purchase and use. What is in this Bill to stop an actor in Ireland from hiring this company, accessing those 93,000 political profiles and arranging for a barrage of micro-targeted messages using the exemptions granted in this section? What are the protections relating to such measures? Where is it said that certain activities are not considered to be electoral activities within the public interest remit? There is no nuance here.
I am concerned. I have flagged these interests. I was more assured when it left the Seanad because at that point the Minister, Deputy Flanagan, had indicated that he believed that any activities would have to be conducted directly by a member or candidate of a political party. With this new, wide interpretation, I do not see where the protections are for individuals. I respect electoral activity and cherish the engagement that we have with our constituencies. I want us to engage in active, engaged campaigning. I also realise, however, that we bring in rules and regulations in this area for a reason and that Article 9 recognised political opinion as an area of sensitivity for a reason. I am worried that we have sought in effect to ensure that political activity evades the protections accorded to the political opinion of individuals. Will the Minister of State address these concerns?
As a rural Deputy, I think it is important that a Deputy, Senator or local authority member is able to communicate with constituents. It is very important. It is part of the role. It is also important to point out with regard to the Bill that Oireachtas Members and local authorities have the same obligations as anybody else with regard to the protection of data that they hold. They are obliged under the Bill to ensure that the information they hold on the constituent or such is secure and safe. That is very important.
The area that Senator Higgins is dealing with, section 38(2), relates to communication. As she rightly pointed out, communication is very important. Some Oireachtas Members like to communicate with their constituents. That is an important part of the job, whether by electronic mail or door-knocking. There are different means of communication. The information that people have, particularly relating to communications, is that the data that one has on hold are not for sharing with others. That is important to point out. Any information that one has must be in the interests of the electorate, as the Senator has rightly pointed out. Any communication is for sharing with the electorate only, not with others. That is in section 38(2).
I thank Senator Higgins and I also thank Senator Conway for his comments on the change that the Minister, Deputy Flanagan, brought in. It is an important change to allow public representatives to be able to communicate and work with their constituents in a responsible way. When one is elected as an Oireachtas Member or to local government, one has responsibilities in every area to ensure one upholds those responsibilities as a public representative. Now there is the GDPR coming into place and the Data Protection Bill, and everyone has the same obligations in terms of the protection of data and ensuring that data are stored safely.
Group 8 includes amendments Nos. 48 and 107 to 110, inclusive. They are court related amendments. These amendments are concerned with the application of data protection safeguards and rules by courts when acting in their judicial capacity. Section 155 deals with the processing of personal data, where the controller is a court acting in a judicial capacity. Amendment No. 107 amends subsection (2) of section 155 while amendment No. 108 converts subsections (3) to (5) of that section into a more detailed, separate, stand-alone section. Consequently, amendment No. 48 deletes the reference to judicial independence and court proceedings in section 57(3) which is no longer required.
Amendment No. 109 inserts a new section into the Bill which provides for the making of court rules by the rules committee for the superior courts, the Circuit Court and the District Court in respect of personal data contained in court records. Such rules may also provide for the processing of personal data and the disclosure of personal data to facilitate fair and accurate reporting of court proceedings. Amendment No. 110 replaces section 156, which is an expanded text which incorporates a legal basis for the publication of a list or schedule of court proceedings or hearings in court proceedings.
Group 9 is quite short. It includes amendments Nos. 29, 54 to 64, inclusive, 66, 68 to 74, inclusive, 78 to 82, inclusive, 86 to 90, inclusive, 93, 98 to 104, inclusive, 106, 111 and 185. They are technical and drafting amendments. It is a large group and it comprises various amendments to the Bill of a technical and drafting nature. They include corrections to cross references, minor drafting changes etc., and I do not propose to speak on them individually or we will be here until tomorrow morning.
Group 10 is quite short. It includes amendments Nos. 75 and 76. They relate to the data protection officer, DPO. Amendments Nos. 75 and 76 amend section 85 and their purpose is to support and strengthen the independence of DPOs operating under Part 5. Amendment No. 75 reads:
(c) ensure that the data protection officer—(i) reports directly, in relation to his or her functions under subsection (5), to the highest level of management of the controller,
(ii) does not receive any instructions regarding the exercise of such functions, and
(iii) is involved in an appropriate and timely manner in all matters relating to the protection of personal data.
Amendment No. 76 provides that the DPO will act as a contact point for data subjects when seeking to exercise their data protection rights.
They are positive amendments and will strengthen the role of the data protection officer in ensuring that they do not come under undue pressure with regard to the performance of their function. That is especially important given that we have significant fines which can apply to a public authority.
The Minister of State might clarify a point. If a data protection officer is reporting to the highest level of management and is meeting resistance or is finding concerns unanswered, I expect he or she would be able to reach out directly to the data protection commission or others. Will the Minister of State clarify that?
Group 11 includes amendments Nos. 91, 92 and 105. They relate to judicial remedy.Amendment No. 91 will mean that in cases taken on behalf of data subjects by a not-for-profit body, organisation or association arising from an alleged infringement of the GDPR a court may grant relief by means of an injunction or declaration, or by way of compensation for material or non-material damage suffered by the data subject.
Amendment No. 92 will provide similar remedies for infringements of Part 5 of the Bill.
Amendment No. 105 which amends section 148 will mean that the leave of the court will not be required for the purpose of appealing to a higher court on a point of law.
I welcome these amendments which are very important because a lacuna in the original Bill made it very difficult for individuals to seek a redress where the data protection commission may or may not have taken individual complaints on board. In many cases, those who do wish to raise concerns do so not simply because they seek redress for themselves but because they want to highlight concerns about the system and they want to improve the process for others, which is an act of generosity. This is an opportunity to pay tribute to those, both in Ireland and in Europe, who have done us some service, people, including Max Schrems, who have taken individual cases, and groups, such as Digital Rights Ireland, which have done important work in strengthening laws here and internationally by highlighting problems and ensuring they are addressed. This is a constructive amendment which ensures that civil society, which we in the Civil Engagement group endeavour to represent, can play a constructive role in supporting those individuals whose data has been breached.
There are three amendments in this group, amendments Nos. 94, 95 and 97, which concern administrative fines. Amendments Nos. 94 and 95 delete section 131(11) because the provision to which the subsection was connected, that is, section 139(2) is also being deleted. These provisions, which dealt with the rule that two sanctions may not be imposed for the same offence or infringement, have been deleted on the advice of the Office of the Attorney General.
Amendment No. 97 inserts subsections (4), (5) and (6) in section 139. They outline the procedure to be followed when the data protection commission imposes an administrative fine on a controller or processor. They also provide that all income from fines received by the commission must "be paid into or disposed of for the benefit of the Exchequer".
This group deals with amendments Nos. 112 to 121, inclusive, and Nos. 123 to 184, inclusive. They are consequential amendments to other Acts.
Discontinued application of the Data Protection Act 1988, following the entry into force of GDPR and the legislation, necessitates the amendment of a significant number of Acts of the Oireachtas especially those containing cross-references to the 1988 Act. These changes are set out in amendments Nos. 112 to 121, inclusive, and amendments Nos. 123 to 184, inclusive. Except for those that already fall within the responsibility of the Department of Justice and Equality, these have been notified to the Department by the Departments concerned and the Office of the Parliamentary Counsel has drafted them. In each case the amendments to the Acts concerned are intended to ensure compliance with the GDPR and legislation. It is not necessary to speak to each of these amendments individually. They speak for themselves.
It will be the law on Friday. Many people who are not computer literate cannot deal with the intricacies, difficulties and challenges of websites. I would like the Department, through the Data Protection Commissioner, to have a dedicated telephone hotline for a few weeks. Many people may be non-compliant through no fault of their own because there may be bits of information on websites. It is very technical, challenging and new. The Minister of State cannot do this but the officials sitting behind him can. They have a responsibility, and it is required that they would do this because the last thing we want is a flood of people who find they are not compliant. That goes against the spirit of what the EU and this legislation are trying to achieve. The best we can have is a free flow of information and access to information and clarification for businesses, community and voluntary groups which might have a barrage of complaints against them through no fault of their own. As an example, the Gaelic Athletic Association, GAA, is extremely well versed in its obligations under this legislation but I am sure there are many other community groups that are not as well versed in their obligations. We need a hotline to ensure that the people who work every week for nothing, doing their best for their communities, do not inadvertently find themselves in breach of data protection legislation. This is extremely important.
I recognise there is a suite of amendments here and while I do not propose to challenge them I note two strands within them. The first is insurance and banking legislation and I have some concerns about the Bill in these areas. We know, for example, that private insurance companies have been implicated in inappropriate data breaches in accessing social protection information and so on. I do not know that we have adequate safeguards and I hope the Ministers will engage if necessary to create further safeguards for some of the wide exemptions we have granted to banks and insurance companies.
Second, I note that the Residential Institutions Redress Act 2002 and the inquiry into child abuse and other important inquiries are rightly given the exemptions they need to ensure that information that is in the public interest in this area is brought forward. Does the Minister of State feel there is enough future proofing in the Bill for future similar inquiries? Those under way are properly protected in this suite of amendments but what part of the Bill allows scope for future inquiries to avoid a cumbersome legal process to ensure that appropriate data can be accessed? The public interest measure is probably the relevant one but can the Minister of State clarify that?
I thank all the Members of both Houses for their input into this Bill. There was a great deal of engagement in both Houses when I took part of the debate for the Minister, Deputy Flanagan. A lot of work has gone into the Bill to ensure we get the best possible Act.
In response to Senator Conway, I have engaged a great deal with the Data Protection Commissioner and her team in many areas, particularly to ensure that not only companies but also organisations, agencies, etc., would be compliant with GDPR on 25 May.I do not have any issue with many of the big companies out there. They will be GDPR-compliant because they have data protection officers, etc. I am always concerned about small and medium-sized enterprises and micro-enterprises. During the period leading up to 25 May, we have had a number of engagements and meetings around the country. For example, we have engaged with the GAA, which was mentioned by Senator Conway. Representatives of all the umbrella bodies for all the sporting organisations were brought into the Department of the Taoiseach for a meeting which was attended by officials from the Office of the Data Protection Commissioner. When the representatives of the various organisations left the Department after a serious three-hour engagement, they were very happy with the information they had received from the assistant data commissioners.
Senator Conway also mentioned other sporting organisations. We are very conscious of their concerns. We engaged with representatives of many sporting organisations from around the country at a meeting in the Federation of Irish Sport complex in Blanchardstown a few weeks ago. Most of the organisations - I will not go through them all, but they were all there - were very happy with the information they received from the Office of the Data Protection Commissioner. That engagement is extremely important. The Data Protection Commissioner and her team have gone all over the country to speak to organisations. The idea of a hotline has been proposed by Senator Conway. I think it is worth considering.
Additional resources would be needed for a hotline. The Senator is putting pressure on me to ensure the Data Protection Commissioner gets more resources in this year's budget. We have increased her resources sixfold in recent years.
Although the hotline proposal is worth considering, it should be pointed out that a hotline might not provide an instant answer. The Office of the Data Protection Commissioner has been inundated with calls in recent months. It cannot get back to everybody immediately. It can do so over time. The provision of a hotline may or may not be the solution, but it is worth considering. We will bring it to the attention of the Data Protection Commissioner for the Senator.
If 500 or 600 people from all over the country try to ring the hotline at the same time, they might not be satisfied with the response they receive from within the resources that are available. The resources of the Office of the Data Protection Commissioner will be taken up with some of the bigger cases for a number of weeks. The Data Protection Commissioner has said she will take a very sympathetic approach in the early stages of the new regime. If people are trying to comply, that will be acknowledged along the way. That is something to point out as well. It is important to point out to Senator Higgins that the safeguards she mentioned will be built into the legislation as we go along.
I thank those who contributed to the debates on this Bill in both Houses. It has been a long journey, but it has been well worth it. Most Members of the Oireachtas who spoke on this legislation can be happy with the input they made. We look forward to seeing what will happen on 25 May next. Someone said to me recently that all the work will start on that date. It is important to thank the officials in the Department of Justice and Equality who spent many hours on this legislation, particularly when drafting Committee Stage amendments. The long hours they worked meant they had many sleepless nights. I thank Séamus Carroll and the team in the Department of Justice and Equality for their efforts. I hope many Irish companies will be GDPR-compliant by 25 May. It is important for all companies, including micro-enterprises and small enterprises, to be GDPR-compliant as we move forward because it will mean more business for them. Ireland needs to lead the way in embracing digital technology because that is the future of work and the way it is going.
That concludes group 13. I was in the Chair for much of this debate, particularly in its earlier Stages. I thank all the Members, the Minister and the Minister of State for their contribution to the debate in the Seanad. I also thank the officials from the Department of Justice and Equality for their work.
I acknowledge the engagement from the Department, particularly from Séamus Carroll and others who have spent time teasing this out. I believe we will return to this area. There is a huge amount of work to be monitored. Like Senator Conway, I recognise that as people get used to the new regime, there will be a period of time when they struggle to figure out how to comply with it. While it is important for supports to be provided in such circumstances, it is also important for us to take this matter seriously. The existence of long processes should not mean that breaches do not have clear consequences down the line. We must struggle to make sure we get that balance right.
As a very passionate European, I think this is one of the most fundamentally important things that the member states of the EU have done together. The Minister of State, Deputy Breen, will recall that I have been very critical in this House of things like EU trade policy and the Comprehensive Economic and Trade Agreement. We have had disagreements about things like permanent structured co-operation in the past. The implementation of the GDPR is a strong signal of what the EU should be, which is a space where we co-operate, protect and engage our citizens. As legislators, we need to ensure we can create spaces of empowerment of citizens. We should not simply be subject to the overflow of corporate or market forces. We need to be able to set down markers regarding what constitutes appropriate use of data and what is acceptable in the spaces we share. I think this is a really important marker. I look forward to continuing to engage with everyone in the House on this issue in the future.
Gabhaim buíochas leis an Aire Stáit. I echo Senator Higgins's remarks about the significance of this legislation and this issue. I am sure it will warrant constant attention and review, legislatively and otherwise. The process of passing this gargantuan legislation - that is not a term I get to use very often in this House - has been complex.
I would never use it inappropriately. The manner in which both Houses have been able to co-operate on this Bill with mutual understanding and appreciation has been very telling. It is understandable that there have been some nuanced disagreements, but there has also been an appreciation of the significance and importance of this legislation.
It is worth noting the work of the officials and of the Minister and his colleagues. They have worked co-operatively to get this through. I hope it does not sound slightly facetious when I say we will see how it goes. It is incumbent on us to ensure we do all we can to get the word out to people about compliance, the operation of this legislation and how it works for people. Regardless of where one stands on the more nuanced aspects of this Bill, the constant thread throughout the debate has been the need to ensure the rights of citizens are protected and their security is upheld.
I pay tribute to my constituency colleague, the Minister of State with responsibility for data protection, Deputy Breen. It is appropriate that a Minister of State is dealing specifically with this new, innovative and demanding area. I acknowledge the Minister of State's role and the role of the officials. It is important to acknowledge the role of Parliament as well. Some aspects of this legislation, such as the debate on the digital age of consent, have been quite controversial. As I said earlier, I have reviewed the matter and I think the digital age of consent should have been left as it was, but others did not agree with that.
I would not do that to the Chair either.I have never met Ms Helen Dixon, but everyone seems to sing her praises. Clearly, she is doing a great job. There has been quite a roadshow. I am aware of the engagement that took place with the GAA. I am delighted that there have been similar, successful attempts to engage with other sports organisations. As time passes, we will probably discover that there is a nucleus of organisations that have been under the radar. As the Minister of State said - he is right - after Friday the job will intensify significantly.
In protecting data in a fast growing world in terms of information technology, communications, the Internet, digital technology and so on, this is a marker for the way things should be done and people's information and details should be protected. As we move forward, I have no doubt that this legislation will be amended many times. It is the introduction to a book, a mission statement and a statement of intent on how the country will respect the integrity of data and information. It respects the uniqueness of our political system. I am very pleased that our role, as public representatives, is respected and now part of the legislation. We will be better equipped and protected in doing our job.
As the Minister of State said, it has been a good period, with long hours. I say, "Well done," to everyone involved. As time passes and the legislation has to be amended, I am sure we will not be found wanting.
I thank the Senator. I am sure if we were to tot the hours spent on the legislation in this and the other Chamber, there is not much legislation that has been deliberated on for as long. I hope after all of that deliberation and the amendments, it is a good, workable Bill that will deliver what it is supposed to. I offer my congratulations to all those who pulled it together, including the Minister of State, Deputy Pat Breen; the Minister, Deputy Charles Flanagan, and the Members of both Houses who participated in and had to chair some of the debates. I will leave myself out. I am referring to the Cathaoirleach, the Ceann Comhairle and everybody else.