Paddy Burke (Fine Gael)
Link to this: Individually | In context | Oireachtas source

I move:

That Seanad Éireann approves the following Regulations in draft:

Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022,

Data Protection Act 2018 (Section 60(6)) (Competition and Consumer Protection Commission) Regulations 2022,

Data Protection Act 2018 (Section 60(6)) (Irish Auditing and Accounting Supervisory Authority) Regulations 2022,

copies of which have been laid in draft form before Seanad Éireann on 18th October, 2022.

Dara Calleary (Mayo, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank Senators for the invitation to discuss the motion on the draft regulations. I also wish to acknowledge and thank the members of the Joint Committee on Enterprise, Trade and Employment for their consideration of the draft measures two weeks ago. I understand that my opening statement is being circulated with a briefing note on the background to the draft regulations.

In summary, the purpose of the draft regulations is to protect important statutory functions in respect of the Competition and Consumer Protection Commission, CCPC, the Corporate Enforcement Authority, CEA, and the Irish Auditing and Accounting Supervisory Authority, IAASA, which can lead to a range of enforcement activities. All three statutory bodies have the power to take civil court proceedings or adopt administrative measures in certain circumstances to enforce the law. The bodies work closely with each other and other regulatory and enforcement authorities in Ireland and within the EU.

When the general data protection regulation, GDPR, was introduced in 2018, it strengthened the rights of individuals in respect of the privacy and fair use of their personal data. It also introduced a balancing provision, under Article 23, to ensure that this did not undermine the statutory functions of public bodies. Accordingly, section 60 of the Data Protection Act 2018 provides that the statutory instruments we are considering today may be introduced to protect important objectives of general public interest. Examples of such objectives specified in the Act and included in the draft instruments are: avoiding obstructions to any official or legal inquiry; taking any action for the purpose of considering and investigating a complaint made to a regulatory body in respect of persons carrying out a profession or other regulated activity; and preventing, detecting, investigating or prosecuting breaches of the law that are subject to civil or administrative sanctions. What is being prevented is the potential for data protection rights to be used as a way of undermining these and other essential functions. This could be done by way of a data access request or multiple requests seeking the disclosure and possibly amendment or deletion of information that is part of an active investigation or inquiry that therefore fundamentally undermines the processes under way.

Turning to the content of the draft regulations, each instrument is composed along the same lines of policy and technical approach. They were prepared with the Office of the Parliamentary Counsel, which we thank for its work, and in close consultation with the three bodies. The draft regulations restrict data protection rights only in so far as is necessary and proportionate to protect the functions of the statutory agencies. Therefore, any restrictions must be considered on a case-by-case basis. Each body must notify the individual data subject and provide reasons for the restriction. The data subject must also be informed of the right to lodge a complaint with the Data Protection Commission.

In accordance with the provisions of the Data Protection Act, the Department consulted with the Data Protection Commission and the Minister for Justice on the draft regulations. Following that consultative process, the Data Protection Commission wrote to confirm that it has not identified any matter which is of significant concern in relation to the proposed regulations. The Minister for Justice has also acknowledged her agreement with the proposed measures. The legal instruments are balanced and proportionate, and there are strong policy reasons for adopting the restrictions sought. There is a reasonable expectation that the absence of restrictions to access to personal data will pose a serious risk to the statutory functions of these high-profile bodies. It is in the public interest that they are able to function effectively and efficiently. Therefore, for the purposes of their civil and administrative enforcement functions, it is appropriate that they be permitted to avail of the section 60 restrictions. I commend the three separate statutory instruments to the House. I thank the Acting Chairperson and the Senators for their time.

Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Minister of State for his very comprehensive opening statement. Each Member has six minutes, which we can regard as a maximum rather than a target, necessarily. I call Senator Crowe.

Ollie Crowe (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The position of Cathaoirleach is coming up in a few weeks. Perhaps the Acting Chairperson should put his name forward. He was running the House the last evening we were here and he was flying through the business of the House. I commend him on continuing to do that work.

I welcome the Minister of State to the House. He has been here a number of times now. I thank him for his help and support. I welcome the draft regulations. We all recognise the importance of data protection and of ensuring people have the privacy they are entitled to, but we must also ensure that authorities have the capacity to act in the public interest as required. Currently, the CCPC, CEA and IAASA are operating without appropriate restrictions on data access regarding the civil and administrative function. That represents a risk of the work they carry out in the public interest being undermined and it leaves these authorities legally vulnerable to a fine, or potentially damages, even when acting entirely in line with their mandate. These regulations address that risk and, crucially, they do so in a fair and balanced manner.

The regulations propose to restrict the rights and obligations provided for in the Data Protection Act, DPA, where it is necessary and proportionate to safeguard the statutory functions of the CCPC, CEA and IAASA. An example of where it may be necessary is where the rights being exercised may interfere with or obstruct "any official or legal inquiry, investigation or process". It is welcome that there will be no hard precedents as restrictions must be considered on a case-by-case basis following an assessment of the relevant circumstances. In addition to restrictions being considered on a case-by-case basis, there are a number of other safeguards, with the CCPC, CEA and IAASA all being required to have appropriate policies and procedures in place. Furthermore, these authorities are required to notify the data subject and provide reasons for the restriction, unless doing so may prejudice the achievement of a relevant objective. In addition, the data subject must be informed of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and of the right to lodge a complaint with the Data Protection Commission. It is important to note that the Data Protection Commission was consulted on these regulations and raised no concerns regarding them.

As I said earlier, and as I believe all Members agree, data protection is important and people have the reasonable expectation of privacy. That must be balanced with ensuring these authorities have the capacity to meet their mandate and obligations which is what these regulations are aimed at ensuring. The regulations do so in a balanced and appropriate manner. It should also be noted that similar restrictions are already in place for the Central Bank of Ireland and the Office of the Ombudsman. These regulations are necessary and should be welcomed by all. Go raibh maith agat.

Paddy Burke (Fine Gael)
Link to this: Individually | In context | Oireachtas source

I welcome the Minister of State to the House. I welcome the three draft regulations. They are very much warranted, will put the public mind at ease and will help in many situations where there are investigations.These are very technical regulations, and very difficult to understand if one is an ordinary layperson. The main thing is that the regulations are in the public interest. I really like the idea that any of the restrictions that are going to be considered will be done on a case-by-case basis. That is the main issue here. I note the Minister for Children, Equality, Disability, Integration and Youth, Deputy Roderic O'Gorman, when he dealt with this in the committee, said that what was anticipated in the data protection regulations under article 23 of the data protection regulation, as well as section 60 of the Data Protection Act, may be restricted to protect what are referred to as "important objectives of general public interest". One of these was identified as "avoiding obstructions to any official or legal inquiry, investigation, or process." In practical terms, what is at issue here is the potential for data protection rights that are fundamentally directed at privacy and to the fair use of personal data to be used in a way that was not intended as a means of undermining, delaying, or derailing the Ombudsman's office in the performance of his or her duties. That is very important and I believe it is only right that a person does not have the power to delay or upset any investigations that are going to take place in the public interest.

Section 9 is about the communication with the data subject and that the Ombudsman shall ensure that all information provided to a data subject, under or in relation to these regulations, is provided in a concise, intelligible and easily accessible form, using clear and plain language. That is the most important piece in these regulations. Whatever message is going to be conveyed to the person involved is going to be in the type of language that the person will easily understand because the regulations themselves are very legal in their terms.

I welcome the Minister of State, Deputy Calleary, to the House and I wish him well with these regulations. I believe it is in the public interest to pass these as quickly as possible.

Paul Gavan (Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I do not believe I have formally congratulated the Minister of State, Deputy Calleary, on his promotion, and I want to do so now. I wish him well in his job. We will miss him on the Council of Europe but I am sure that Fianna Fáil will appoint someone equally as dedicated as he was over the time.

I am happy to support this motion on behalf of Sinn Féin. We are happy to see the support for approval of these regulations. The technical changes ensure that data protection regulations do not hinder the work of important functions of the Competition and Consumer Protection Commission, the Corporate Enforcement Agency, and the Irish Auditing and Accounting Supervisory Authority. Indeed, it has been made clear that issues around data protection regulations can have a detrimental effect on ongoing or potential investigations and on the enforcement of law. Without introducing these new regulations, these agencies are also at risk of fines or are liable for damages under the current legislation.

Of course we want people's rights to data privacy to continue to be protected, but it is also important that data protection rights do not undermine the work of these agencies. The Competition and Consumer Protection Commission is a statutory body responsible for promoting compliance with and enforcing competition and consumer protection law in Ireland, as well as providing information to consumers about their rights, personal finance, and product safety. The commission's work in protecting consumer rights is as important as protecting data privacy rights, and is the right thing to do to ensure that balance is struck, and to ensure that abuse of the privacy legislation does not hinder the protection of other rights.

Similarly, the work of the Irish Auditing and Accounting Supervisory Authority, IAASA, and the Corporate Enforcement Authority, must also be uninhibited by this legislative gap. The IAASA is responsible for the supervision of the accounting profession in Ireland, with oversight of statutory auditors, monitoring approval and registration, continuing education, quality assurance systems, and investigative and administrative disciplinary systems.

The Corporate Enforcement Authority functions include enforcing and encouraging compliance with company law, investigating suspected offences under the Companies Act, prosecuting detected breaches of the Companies Act, referring cases to the Office of the Director of Public Prosecutions for prosecution on indictment, and exercising a supervisory role over the activities of liquidators and receivers. In short, Sinn Féin is happy to support this motion.

Dara Calleary (Mayo, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank all Senators for their inputs into the debate. I thank Senator Gavan for his good wishes. It was a privilege to serve alongside him, and Senator Fiona O'Loughlin, on the Council of Europe. It is important that this House understands the respect in which Senators Gavan and O'Loughlin are held for their work at plenary sessions and at various committees.

I am pleased the key features of the draft regulations have been welcomed and supported today. The signing into law of these regulations is a priority for me as the Minister of State. They are important legal instruments that complement the Government's package of measures aimed at tackling economic crime and corruption.

Ireland has a hard-won reputation as an attractive destination for foreign direct investment and as an international business hub. Stepping up and maintaining our efforts to tackle white-collar crime shows that we are serious about maintaining and building upon that reputation. These regulations will ensure that the agencies involved can function effectively and efficiently when investigating potential wrongdoing and taking necessary enforcement action.

I thank the officials in my Department for their considerable work on this issue.