Written answers

Thursday, 29 March 2018

Department of Justice and Equality

Data Protection

Róisín Shortall (Dublin North West, Social Democrats)
228. To ask the Tánaiste and Minister for Justice and Equality his views on data harvesting; the steps he is taking to ensure the practice is regulated and not open to abuse; and if he will make a statement on the matter. [14895/18]

Róisín Shortall (Dublin North West, Social Democrats)
229. To ask the Tánaiste and Minister for Justice and Equality the reasoning behind adopting a digital age of consent below the EU recommendation; if it will be reconsidered in view of the abuse of data harvesting that has come to light in recent days; and if he will make a statement on the matter. [14896/18]

Charles Flanagan (Laois, Fine Gael)
I propose to take Questions Nos. 228 and 229 together.

The position is that section 2 of the Data Protection Act 1988 specifies that personal data shall be obtained only for one or more specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with that purpose or those purposes. For any such further processing (including disclosure, sharing or otherwise making the data available) to be lawful, a legal basis, such as the consent of the individuals to whom the data relate, is required. This ‘purpose limitation’ principle is also set out in Article 5.1(b) of the General Data Protection Regulation (GDPR), which will enter into force across the EU on 25 May. It means that an appropriate legal basis will continue to be required for the purposes of such further processing.

While supervision and enforcement of data protection law in the State, including the handling of complaints, is currently a matter for the Data Protection Commissioner, Part 2 of the Data Protection Bill 2018, which yesterday completed its passage through the Seanad, provides for establishment of a Data Protection Commission to supervise and enforce the strengthened data subject rights in the GDPR. The Commissioner performs her statutory tasks and exercises her powers in an independent manner; the same will apply to the Commission following its establishment.   

Following entry into force of the GDPR, the Commission will be responsible for administering a broad range of sanctions in cases in which the data protection standards of the GDPR have been breached. These include the possible imposition of administrative fines of up to €10 million or €20 million (or 2% or 4% of total worldwide annual turnover in the preceding financial year). I am confident that establishment of the Data Protection Commission, together with the availability of strengthened sanctions, will facilitate effective supervision and enforcement of the GDPR’s enhanced data protection standards.

As regards the digital age of consent, the position is that while Article 8 of the GDPR provides for an age of 16 years, it clearly states that Member States may provide for a lower age but no lower than 13 years. The age of 16 years is not an EU recommendation, but rather the upper age limit and Member States have adopted different approaches to implementing this provision.

In order to assist the Government in making its decision on the digital age of consent to apply in this jurisdiction both my Department and the Government’s Data Forum – which brings together legal and data protection experts, business representatives from SMEs and multinationals, as well as sociologists, psychologists and education specialists – carried out public consultation processes.  Following the completion of these consultation processes, the Government opted for a digital age of consent of 13 years. When making this decision, the Government took account of the expertise and knowledge of those that responded to these consultation processes in reaching this decision. A majority of respondents – including, notably, the Ombudsman for Children's Office, the Internet Safety Advisory Committee and the Children's Rights Alliance – recommended a ‘digital age of consent’ of 13 years.

Moreover, when appearing before the Joint Oireachtas Committee on Justice and Equality for the pre-legislative scrutiny of the General Scheme of the Data Protection Bill last July, Special Rapporteur on Child Protection, Dr Geoffrey Shannon, also recommended setting the ‘digital age of consent’ at 13 years. This recommendation was adopted by the Joint Committee in their report published in November last.

I should add, finally, that a number of other Member States, including Sweden, Denmark, Finland, Czech Republic, Latvia, Poland, UK and Spain, have also adopted a digital age of consent of 13 years.
