Denise Mitchell (Dublin Bay North, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

597. To ask the Tánaiste and Minister for Justice and Equality if she has received greater clarity and guidance on the way in which the GDPR safeguards apply in the case of children after calls made after the Council working party discussions on the scope of the report on the evaluation and review of the Regulation to the Council and European Parliament; the implications this will have for the amendment and commencement of section 30 Of the Data Protection Act 2018; and if she will make a statement on the matter. [28208/20]

Helen McEntee (Meath East, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Ireland has welcomed the European Commission’s commitment to providing tools to clarify and support the application of data protection rules to children.

The Commission also recommended that the European Data Protection Board (EDPB) adopt guidelines which are practical, easily understandable, and which provide clear answers and avoid ambiguities on issues related to the application of the GDPR, particularly in relation to the processing of children’s data.

To date, neither the Commission nor the EDPB have issued guidelines in relation to the processing of children’s data.

The Deputy will appreciate that the GDPR is an EU wide instrument and member states cannot deviate from its provisions, nor will guidelines supersede that position. Commencement of section 30 raises serious matters, including the risk of infringement proceedings and the potential for significant penalties against the State.

The processing of personal data for marketing and profiling purposes takes place under the so-called “legitimate interests” ground in Article 6.1(f) of the GDPR, with the case law of the Court of Justice underlining the importance of free movement of personal data and establishing that Member States are not permitted to impose additional conditions that would have the effect of amending the scope of any of the grounds now set out in Article 6.1 of the GDPR.

The Office of the Attorney General has also advised my Department that section 30 of the Act appears to go beyond the margin of discretion afforded to Member States in giving further effect to the GDPR and would conflict with Article 6(1)(f), read alongside Recital (47). Put simply, it is not an option for a Member State to unilaterally prohibit a category of processing activities which might otherwise be lawful under Article 6.1(f). The commencement of section 30 could, therefore, give rise to a substantial risk of infringement proceedings against the State pursuant to Article 258 of the Treaty on the Functioning of the European Union.

The European Commission has also confirmed that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest and that Article 6(1)(f) of the GDPR does not make the processing of personal data of a child for the purposes of direct marketing unlawful.

The Commission also indicated that subject to Article 22 (automated decision-making), processing of personal data of a child for the purposes of profiling is not generally prohibited, albeit the processing must take into account that children merit specific protection as clarified in recital (38).

Moreover, the Commission have indicated that the term "micro-targeting", as referenced in Section 30 of the Act, is not mentioned in the GDPR, and its scope remains uncertain and undefined.

Apart from this apparent conflict with the GDPR, the Office of the Attorney General has advised that section 30 gives rise to difficulties under Article 38.1 of the Constitution and under Article 7 of the European Convention on Human Rights. Article 38.1 provides that no person shall be tried on any criminal charge save in due course of law. In order for a domestic offence provision to comply with Article 38.1, it must be clear, precise and foreseeable in its application. It is not clear under section 30 what might constitute the processing of personal data of a child for the purposes micro-targeting. It is also a requirement under Article 7 of the Convention that offence provisions must be sufficiently clear and precise so as to enable individuals to ascertain which conduct constitutes a criminal offence and to foresee the consequences of engaging in such conduct.