Jim O'Callaghan (Dublin Bay South, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

548. To ask the Tánaiste and Minister for Justice and Equality if it was a decision by the drafters of the Data Protection Bill 2018 not to specifically refer to closed-circuit television, CCTV, and data protection impact assessments; the reason not to specifically legislate for two issues; and if he will make a statement on the matter. [15786/18]

Charles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The general position is that the Data Protection Acts 1988 and 2003 apply to personal images recorded by means of video cameras except where the recording activity relates to an individual's own personal, family or recreational activities. The recording of images in public places by means of CCTV systems is, therefore, a form of personal data processing that is covered by general data protection rules and safeguards. That will continue to be the case under the General Data Protection Regulation (GDPR), which will enter into effect on 25 May next. The GDPR does not make specific provision for Member States to give any further effect to rules and standards applicable to CCTV systems in their national laws. For this reason, Part 3 of the Data Protection Bill 2018, which gives further effect to the GDPR in certain areas, does not make any such provision. The same applies to Part 5 of the Bill, which transposes the law enforcement Directive into national law.

With regard data protection impact assessments, the position is that Article 35 of the GDPR provides for the carrying out of impact assessments where processing of personal data is likely to result in a high risk for the rights and freedoms of individuals. It provides, in particular, that such impact assessments must be carried out in cases of systematic monitoring of publicly accessible areas. This GDPR obligation is directly applicable on controllers and processors concerned and there is no requirement for national laws to give effect to it. However, paragraph 4 of Article 35 provides that the data protection authorities of the Member States shall prepare and publish a list of the kind of processing operations that are subject to the requirement for a data protection impact assessment.

Article 27 of the law enforcement Directive also makes provision for the carrying out of data protection impact assessments by competent authorities where a type of data processing, including the use of new technologies, is likely to result in a high risk for the rights and freedoms of individuals. This obligation, which is not directly applicable, is given effect in section 81 of the Bill. Section 81(9) provides that the Data Protection Commission established under Part 2 of the Bill may, following consultation with the Minister, prescribe types of processing in respect of which impact assessments must be carried out. Prior to making any such regulations, the Commission will be required to publish its draft proposals and to consider any submissions it receives in relation to them.

I look forward to engaging in further discussions with The Deputy when the Data Protection Bill comes before the Dáil.