Garret Kelleher (Fine Gael)
Link to this: Individually | In context

I move:

That Seanad Éireann approves the following Regulations in draft: Data Protection Act 2018 (Section 60(4)) (Data Protection Commission) Regulations 2025,

Data Protection Act 2018 (Section 60(4)) (Information Commissioner) Regulations 2025,

Data Protection Act 2018 (Section 60(4)) (Comptroller and Auditor General) Regulations 2025, copies of which were laid in draft before Seanad Éireann on 2nd July, 2025.

Niall Collins (Limerick County, Fianna Fail)
Link to this: Individually | In context

I am pleased to be here with Members of Seanad Éireann today to seek approval of regulations under section 64 of the Data Protection Act 2018 in respect of the Data Protection Commission, Office of the Information Commissioner and the Comptroller and Auditor General. The EU Charter of Fundamental Rights and the GDPR established the protection of personal data as a fundamental right and a core value of the European Union.In Ireland, the Data Protection Act 2018 gives further effect to the GDPR and supports its practical implementation. The draft regulations before us today are being made under section 64 of that Act, which provides for the making of regulations prescribing requirements to be complied with when the rights of data subjects and obligations of data controllers, referred to in section 60 of the Act, are restricted.

There are three separate but identical regulations, save for the references to the relevant body. One may ask why rights or obligations under GDPR would ever be restricted. The right to data protection is not an absolute right. It must always be balanced against other rights and interests. The GDPR recognises that there may be limited circumstances under which an organisation has grounds to refuse to grant an individual’s request to exercise his or her data protection rights. GDPR sets out limited circumstances in which restrictions apply and permits further restrictions in national law, provided that the restrictions respect the essence of fundamental rights and freedoms of individuals and must be necessary and proportionate to safeguard certain objectives of societal or general public interest.

In Ireland, section 60 of the 2018 Act gives further effect to Article 23 of the GDPR and provides for restrictions on the obligations of controllers and the rights of data subjects for important objectives of general public interest. The rights and obligations concerned are those provided for by Articles 12 to 22, inclusive, as well as Article 34 and a part of Article 5 of the GDPR. This includes rights to access the personal data, right of erasure and right to rectification.

While section 60 provides for a suite of public interest matters, including Cabinet confidentiality and parliamentary privilege, these regulations are specifically concerned with section 60(3)(c). Section 60(3)(c) provides that the rights and obligations under Articles 12 to 22, 34 and a part of Article 5 of the GDPR are restricted to the extent that the personal data concerned are kept by the Data Protection Commission, the Office of the Information Commissioner and the Comptroller and Auditor General in the performance of their functions.

Concerns were raised by the European Commission that section 60(3)(c) of the Data Protection Act 2018 could be interpreted as providing a blanket exemption to the Data Protection Commission, the Information Commissioner and the Comptroller and Auditor General by not requiring an assessment of the necessity and proportionality of restricting rights and obligations on a case-by-case basis, as required by GDPR. To address the concerns raised, two sets of regulations were prepared. First, regulations under section 3 of the European Communities Act 1972 were made in November 2024 to amend section 60(3)(c) to clarify that the restrictions applied by the Data Protection Commission, Information Commissioner and Comptroller and Auditor General, as the case may be, must be necessary and proportionate to safeguard the performance of a function of the body concerned.

In addition, the updated section outlined the matters each body must have regard to when determining whether a restriction would be necessary and proportionate. These include the extent to which the exercise of a right or a compliance with an obligation would prejudice the performance of a function of the body or whether the disclosure of the performance of a particular function would be prejudicial to that body. Further, the bodies are required to respect the essence of the right to data protection of a data subject and have regard to the risks to the rights and freedoms of a data subject that may result from such a restriction.

The draft regulations before the House today are procedural in nature and seek to build upon the requirements set out in the regulations made last year. They are the second and final regulations in a suite of regulations to address the Commission’s concerns. Specifically, the regulations require the Data Protection Commission, the Information Commissioner and the Comptroller and Auditor General to ensure that restrictions, which are being applied under section 60(3)(c) for the performance of their functions, are only in place for as long as is necessary and are proportionate to safeguard the relevant function, and that relevant information about the restrictions is provided to the data subject, including the reason, except where disclosure would prejudice the body in the performance of its functions. In addition, each body must prepare and implement policies and procedures detailing data storage, security and access arrangements and must periodically review its policies and procedures.Also, each regulation provides that any communication between the body and a data subject must be in an easily accessible form and be in plain language. The Department has engaged extensively throughout the drafting process with each of the bodies concerned, all of which have expressed satisfaction with the draft regulations.

I confirm that these draft regulations put in place procedural obligations on the Data Protection Commission, the Information Commissioner, and the Comptroller and Auditor General when seeking to restrict the rights or obligations necessary to safeguard the performance of a function of the body concerned. The draft regulations do not introduce any new restrictions nor reduce the rights of data subjects. They are drafted to better align our national provisions with Article 23 of the GDPR and ensure that clear procedures are in place governing the limited circumstances in which rights or obligations are restricted under section 60(3)(c).

Garret Kelleher (Fine Gael)
Link to this: Individually | In context

Is maith an rud é a bheith ann fáilte a chur roimh an Aire Stáit, an Teachta Collins, arís chuig an Seanad chun an tAcht um Chosaint Sonraí 2018 a mhíniú agus, go háirithe, na rialacháin atá os ár gcomhair inniu a phlé.

We in the Fine Gael group recognise the importance of a positive resolution of the three draft regulations before us today and of striking the right balance between enabling certain State bodies to carry out their regulatory and oversight roles while also recognising the need to protect the rights of individuals with regard to limitations in the storage and use of their personal information and data under the general data protection regulation, GDPR. Since the introduction of GDPR from 2018 onwards, we have become aware of some unintended consequences of the regulations that need to be addressed and improved. One of these which I am aware of from my time as a local councillor and involvement in Tidy Towns is in the area of surveillance of illegal dumping, where local authorities have found it impossible to prosecute those who have engaged in wholesale illegal dumping, thereby destroying our countryside and towns, as the authorities are prevented from using CCTV footage as part of their evidence under the current interpretation of the GDPR. This is another area that requires legislative change.

The concerns expressed by the European Commission, as comprehensively outlined by the Minister of State, in respect of the Data Protection Commission, the Office of the Information Commissioner, and the Comptroller and Auditor General are valid and require clarification. I believe the regulations before us today achieve the clarity we seek. As the Minister of State outlined, the draft regulations are solely intended to close any potential loopholes of possible alternative interpretation and do not create any new restrictions on the rights of obligations of data subjects and controllers under the GDPR. For these reasons, we are happy to support the three regulations before the House today.

Nicole Ryan (Sinn Fein)
Link to this: Individually | In context

I welcome the Minister of State back to the House. I rise to speak on the motion concerning the draft regulations under section 60(4) of the Data Protection Act 2018. Sinn Féin will be supporting these regulations, but it is important that we are honest about why they are being introduced and what they represent. These regulations are being brought forward not because of a sudden commitment by Government to strengthen the data rights of our citizens but because the European Commission raised concerns about the compatibility of our legislation with GDPR. Specifically, the Commission was concerned that section 60(3) of the Act would be interpreted as giving the State a blanket exemption that would allow the Government bodies to bypass core data rights without having to assess the necessity or proportionality of these restrictions.

What rights were potentially on the chopping block? They were the right to be informed, the right access one’s own data, the right to rectification and the right to erasure. These are not fringe rights. They are fundamental protections under Articles 12 to 24, inclusive, and 34 of the GDPR, rights that protect our privacy, dignity and autonomy in the digital age. A blanket exemption would be a direct breach of Article 23 of the GDPR.

The regulations we are debating today apply to three public bodies, as the Minister of State mentioned: the Data Protection Commission, the Office of the Information Commissioner, and the Comptroller and Auditor General. Each set of the regulations is near identical and imposes basic but important obligations, which are mainly that data subjects are informed when their rights are being restricted, that any restrictions imposed must be time-limited and proportionate, and that the relevant offices publish their policies and procedures related to these restrictions.These are welcome additions, but, quite frankly, they are the bare minimum in terms of what we should be expected to do in a functioning democracy. Transparency, accountability and respect for rights are not optional; they are foundational. From a Sinn Féin perspective, we believe in a rights-based approach to governance and that includes data rights.

The Government's initial approach, which, in effect, enabled State bodies to exempt themselves from GDPR protections, is quite concerning. While today's regulations mark a step in the right direction, the truth is that it should not take pressure from Brussels for Ireland to do the right thing. We should lead by example when it comes to data protection, especially in a world where digital surveillance, data profiling and algorithmic discrimination are growing threats. We have been reactive instead of proactive.

While we support the motions, we continue to scrutinise how the State handles personal data because no Government, regardless of who is in power, should be allowed to write itself a blank cheque to interfere with people's fundamental rights. The message has to be clear. Data protection is not a bureaucratic box-ticking exercise. It is about power and how that power is used, checked and held to account.

Diarmuid Wilson (Fianna Fail)
Link to this: Individually | In context

I will be brief. I am representing my colleague, Senator Gallagher, who is on his way here but may not make it in time. I welcome the Minister of State, Deputy Collins, to the House and thank him for his comprehensive contribution on the motion. Fianna Fáil fully supports the motion.

I agree with Senator Kelleher on the difficulties with putting in place CCTV systems to, for instance, find out who is dumping illegally. There is also difficulty in providing CCTV footage coverage in many towns. Data protection or GDPR is used as an excuse. Will the motion have any significant effect on alleviating that difficulty?

As public representatives, we all know GDPR is often used by Departments not to answer questions that we ask on behalf of our constituents. I want to put that on the record of the House. Will the motion do anything to stop that happening? I understand from the contribution of the Minister of State that the motion involves putting into law what is happening at the moment. Perhaps he could clarify the points I have raised. I would be very grateful if he did so. I again thank the Minister of State.

Niall Collins (Limerick County, Fianna Fail)
Link to this: Individually | In context

I thank all Senators for their contributions and support for the motion. There is no doubt that GDPR is hugely important and has significantly benefited many people in terms of protecting their rights, enhancing their privacy and ensuring that their personal details are held properly and safely. That is really important.

As Senator Wilson said, sometimes friction arises in the area of public representation, and we are all public representatives. The initial legislation on GDPR recognised and provided for the role of public representatives. As a Deputy, I do not experience or come up against any GDPR barriers in terms of making legitimate representations for constituents. Sometimes questions are raised. My experience has been that is sometimes due to a lack of experience on the part of the people with whom we are interfacing. It is right and proper that public representatives are allowed to carry out their role on behalf of the constituents we seek to represent and who ask us to represent them.

As Senators know, there have been challenges around the country with the roll out of community-based and local authority backed CCTV schemes. This issue arose in Limerick, where for a significant period of time CCTV was stepped down. I understand we have got around that. It is a challenge. I will revert to Senator Wilson with a proper update on that.