I thank all the Deputies for their contributions and for the many interesting and thoughtful points raised during the debate. I will try to respond to some of them now, although many of them are more appropriate to Committee Stage. I agree with those Deputies who adverted to the fact that the Bill is in very technical language. It only takes a glance at it to realise that. People also said there was not much light to be found in the explanatory memorandum and I am inclined to agree. I suggest that in future, for extremely technical legislation such as this, the explanatory memorandum should contain a number of examples of how the Bill would operate in practice. This legislation is being introduced as a result of an EU directive which obliges Ireland to bring its law on protection and dissemination of data into line with other EU countries.
This is an amending Bill and must be read in conjunction with the Act it seeks to amend, that is, the Data Protection Act, 1988. This Act regulates the processing of personal data of data subjects, i.e. individuals who are the subject of personal data. It does not protect data relating to companies or other entities. The rights already enshrined in the 1988 Act are as follows: in section 3, the right to establish the existence of personal data and to be provided with a description of the data and the purpose for which it is kept; in section 4, the right of access to personal data; in section 6, the right to have personal data rectified or, where appropriate, erased; and the right to have personal data removed from direct mailing or marketing lists under section 2. The Bill before us proposes to supplement these rights as follows: in section 6, it includes an additional right to have personal data blocked, i.e. marked in such a way that it is not possible to process it for purposes in relation to which it is marked; and, in addition, the right to object to processing that is likely to cause damage or distress to the data's subject.
Several Deputies mentioned CCTV cameras and their potential impact on personal privacy. The purpose of CCTV systems operated by the Garda Síochána is to maintain public order and safety and to assist in crime prevention and detection. Experience to date indicates that the installation of such systems has been welcomed and they are not regarded as an invasion of privacy. People feel safer as a result of the installation of these systems. A system of grants for community-based CCTV has recently been established and in order to ensure compliance with data protection standards, grants will only be approved for schemes that comply with a detailed code of practice developed in consultation with the Data Protection Commissioner. The code deals with practical matters including the location of cameras. Clearly visible signs should be in place so that members of the public are aware that they are in a zone monitored by CCTV. Signs should also indicate the identity of the responsible person or organisation and contain contact details.
Deputies Rabbitte, O'Dowd, Healy and Crawford made reference to information required by law to be made available to the public and to the use of the electoral register for non-electoral purposes. The Data Protection Act, 1988, does not apply to information that the person keeping the data is required by law to make available to the public. Such data includes electoral registers. Concerns have been expressed over the years about the use of such public domain data for purposes such as direct marketing and I understand that this has been the subject of numerous complaints to the Data Protection Commissioner. For this reason it was decided to amend the 1988 Act in order to make it clear that where such data was processed for a purpose other than the purpose for which it was collected, the exemption would no longer apply.
Following discussion of this Bill in the Seanad it became apparent that this new provision might have unintended consequences. For example, the Department of Enterprise, Trade and Employment expressed concerns about the possible impact of the proposed wording on the use of personal data, held by the Companies Registration Office, by a third party for a legitimate purpose. In order to avoid such consequences I am reflecting on whether the proposed provision is essential, keeping two factors in mind. Firstly, we are proposing elsewhere in the Bill, in section 3, to strengthen the provisions relating to direct marketing and this will address the use of registers for direct marketing purposes. Secondly, Deputies will be aware – Deputy O'Dowd mentioned this – that the provisions of the Electoral Act, 1992, as amended, empower registration authorities to prepare and publish what is called an edited supplement, which omits the names and addresses of registered electors or electors on whose behalf requests had been made that their details should not be used for a purpose other than the electoral or statutory purpose. As I indicated earlier, I am considering the possibility of introducing an amendment on Committee Stage to address the difficulties that have been brought to our attention in this regard.
Deputy Rabbitte inquired about the consultation process engaged in prior to the publication of this Bill. A detailed consultation paper was widely circulated in 1997 to a broad range of organisations. A significant number of responses was received up to mid-1998. The subsequent drafting process required extensive consultation with the office of the Attorney General, Departments and the office of the Data Protection Commissioner.
Regarding transposition of the directive into national law, several countries have experienced difficulties in this regard. Like Ireland, France has yet to complete the transposition of the directive. While Luxembourg has enacted legislation, it appears it is not due to come into effect there until next year.
Deputy Stanton mentioned the absence of the definition of direct marketing. Direct marketing is covered under the 1988 Act. Our attention has not been drawn to any difficulties in that regard. In regard to the Deputy's remark concerning political activity and political parties, with a view to safeguarding essential features of our democratic system of elections several provisions in the Bill refer to the processing of personal data by political parties or candidates for electoral office. An exemption to the processing of sensitive personal data is made in the new section 2(b)(ix) inserted in the 1988 Act where the processing is carried out for political parties or candidates for election to, or holders of elective office, for the purpose of compiling data on people's political opinions, subject to compliance with any prescribed requirements. In addition, the right of data subject to objective processing likely to cause damage and distress does not apply to processing carried out by political parties or candidates for election to, or holders of elective political office, in the course of electoral activities.
Deputy Ring raised the issue of child pornography and the Internet. This poses significant legislative and law enforcement challenges worldwide. International co-operation is a key to progress in this area as such co-operation is ongoing in the areas of law enforcement, policy development and international agreements. Our signing of the Council of Europe Convention on Cyber Crime is an example of one of the recent initiatives in international co-operation which will help to address child pornography issues. While the nature of the Internet demands a co-operative approach, it is important to streamline our national laws and structures in order to maximise our contribution to the fight against child pornography. Following the publication by my Department in 1988 of the report of the working group on the illegal and harmful use of the Internet, a number of child pornography initiatives were established.
On the point raised by Deputy Ring in regard to credit institutions storing data, there is a central database stored by the major credit institutions containing factual information on people's credit history. One can access his or her credit details on this database by making an access request under the 1988 Act. I understand that an individual can add details to his or her credit reference file, giving people an opportunity to explain various details about their credit rating.
Deputy Crawford referred to the question of processing health data, including access to the data. This will be permitted under the proposed new section 2(b) where it is necessary to prevent injury or damage to the health of a person.
On the issue raised by Deputy Ó Snodaigh and others in regard to the definition of sensitive personal data, the definition is set out in the EU directive. This includes, for example, data in relation to a person's racial or ethnic origin as well as their political opinions and religious beliefs. Data in regard to trade union membership, physical and mental health and the commission of offences also come under this heading. It is important to point out that we are working on the definition in the EU directive and we cannot go beyond that.
The Office of the Data Protection Commissioner was established under the 1988 Act to perform a range of investigative and enforcement functions set out in that Act. The commissioner's annual report for the year 2000 not only gives informative accounts of activities undertaken during the year in question but contains valuable guiding notes and good data protection practices. The commissioner's website contains useful information and advice on data protection law and good practice.
A number of Deputies mentioned data protection, which I agree is a crucial issue. The 1988 Act already provides that appropriate security measures should be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. It also provides that data controllers and data processors owe a duty of care to data subjects. The Bill before us strengthens these provisions by means of the new article 2(c) which deals specifically with security requirements for personal data.
Several Deputies, including Deputies Deasy, Rabbitte and Healy referred to the risk arising from transfer of personal data to countries without adequate data protection standards, which is important. The general position is that transfers of personal data to a destination outside the EEA may not take place unless an adequate level of data protection is in place. However, data may be transferred to a destination outside the EEA if an adequate level of protection is deemed to exist. Switzerland, Hungary and Canada have data protection regimes to satisfy European Community requirements and have been formally recognised in European Commission decisions. A problem arises, however, in regard to countries such as the United States where there is no comprehensive approach to data protection and where the approach to data protection is very different from that pursued in Europe. There is a strong tendency in the US to believe that market incentives and privacy enhancing technologies will be sufficient to protect privacy. By contrast, on this side of the Atlantic countries have enacted comprehensive data protection law to give effect, first, to the Council of Europe's 1981 Data Protection Convention and, more recently, to the EU directive. This disparity of approach between the US and EU is a matter of great concern to us, given the extent of our commercial trade and other links with the US. The agreement reached between both sides under the safe harbour privacy principles and given legal effect in a Commission decision in July 2000 is, therefore, of considerable importance. The safe harbour agreement is based on a set of data protection principles to which bodies in the US can voluntarily sign up and which guarantee adequate protection for personal data supplied to them.
A number of Deputies raised the issue of the passing of personal data to other bodies. According to the onward transfer principle, data may not be passed by a body that has signed up to the safe harbour principles to a third party unless that party is subject to an EU directive, has signed up to the principles or enters a written agreement providing a level of protection equivalent to the principles. The United States Department of Commerce website contains a number of organisations, currently 250, which have signed up to the safe harbour principles. For the purpose of data transfers to other destinations, standard contractual clauses have been jointly developed by the European Commission and the member states in order to provide an adequate level of protection. If these are considered unsuitable for certain transactions, transfers may be made under terms specifically approved by the Data Protection Commissioner who currently has, and under the Bill will retain, the power to transfer a personal data to a destination outside the State.
Deputy Gregory and others referred to e-commerce and the information society. It is clear from the growth of e-commerce in recent years that many consumers are buying goods and services over the Internet. Businesses have also been choosing to buy services in the same way. A certain amount of personal data would be inevitably collected in the course of such transaction, such as registration details, including name and address. There is a risk that this could be used for other purposes without the knowledge or consent of the data subject. For this reason the Data Protection Commissioner made regulations last year requiring all Internet access providers to register with his office. Any company that operates a website is also likely to be a data controller for the purposes of data protection and will need to register. The registration process requires data controllers to indicate the nature and extent of their processing operations. This safeguard will help to build confidence in e-commerce and encourage consumers to avail of the on-line services that are now emerging.
In regard to information policy developments generally, Deputies will be aware that the Taoiseach announced late last year the appointment of a new information society commission. It is chaired by Dr. Danny O'Hare, former President of DCU, and has a key role to play in shaping the evolving public policy framework in this area. I should also say in the current context that an interdepartmental group on legislative issues for the information society, including representatives of relevant Departments and offices, has also been established. This reflects the importance the Government attaches to information society related issues.
We are all aware of the advances in e-mail and Internet technologies that have taken place in recent years. These developments are advantageous in many ways but there are also drawbacks. Several Deputies, including Deputies Deasy and O'Dowd, spoke about the problem of unsolicited communications. The former Minister for Public Enterprise made regulations last May to give effect to the EU Directive 97/66 on the processing of personal data and the protection of privacy in the telecommunications sector. The European Communities data protection and privacy in telecommunications regulations 2002 prohibit unsolicited telephone calls or faxes for the purposes of direct marketing to subscribers who have indicated that they do not wish to receive such communication.
This option has been facilitated by the establishment of an appropriate national database in which subscribers can register their wishes. With regard to directory information, subscribers now have the possibility of indicating that they do not wish to have their personal information used for purposes of direct marketing and that they do not wish to receive direct marketing calls of faxes. Subscribers can request this opt-out from their service provider. Moreover, the additional consent of subscribers is required for automated direct marketing calls. The Data Protection Commissioner and the Director of Telecommunication Regulations are responsible for the monitoring and enforcement of these regulations.
A further directive dealing with the processing of personal data and the protection of privacy in the telecommunications sector was agreed in June. This new directive replaces the 1997 directive and the regulations which transpose that directive will be made in due course by the Minister for Communications, Marine and Natural Resources. They will also address the issue of unsolicited electronic mail, text messages, etc. The net effect of these measures together with the provisions in the Bill is that there will be a comprehensive set of legal rights available to people in relation to unwanted e-mail and other forms of communication. I admit that solving the problem of unwanted communications on a national level is difficult by its very nature, given the global nature of the Internet and telecommunication technologies.
Deputy O'Dowd's suggestion that international instruments may be required in this area is worthy of further consideration. I share the Deputy's regret at the closing of smaller banks in rural towns and the loss of personal contact which this will inevitably entail. That is strictly outside the ambit of this legislation. I have also noted his other point on bank customers and pressure but that is outside the ambit of the legislation.
Deputy Durkan mentioned the possibility of having to revisit the directive itself. The position is that the European Commission has undertaken a review of the operation of the directive across the member states and will present a report in due course. It will then consider what further community action, if any, is needed. The Commission has already indicated that it is aware of a number of concerns about the operation and implementation of the directive and may decide to address these in the context of future action. It is unlikely that the Commission will propose any significant reform of the directive in the short-term. Moreover, any medium term proposals would take several years to negotiate into an act at member state level.
This is not just a piece of technical legislation but a Bill which aims to establish an appropriate balance between potentially conflicting policy objectives and rights. We have to ensure that personal data is not used for purposes for which it was never intended, while at the same time encouraging e-commerce and facilitating international trade. We must reconcile personal privacy requirements with a need for historical research, statistical information and scientific discovery. We must also protect personal privacy while recognising the special importance of the public interest in freedom of expression. In the information society in which we now live huge quantities of data, including personal data, can be stored and processed with an ease which was unimaginable a few years ago.
The information age brings many benefits in its wake, including possibilities for improved communications and services. There are also obvious risks. We must address legitimate concerns to reap the full benefit of these new possibilities. I believe the additional safeguards in this Bill will further enhance confidence in e-commerce and e-government for the benefit of consumers and citizens. I again thank Deputies for their contributions and for raising very important issues. We will return to those on Committee Stage. I appreciate hearing the Deputies' views on the subject which we all agree affects every one of us in our daily lives. I commend this Bill to the House.