Data Protection Bill 2018: Report Stage

I move amendment No. 1:

In page 15, between lines 20 and 21, to insert the following:

“ “scientific research purposes” means scientific research carried out by research staff who have full autonomy in determining both the object of study and the methods of inquiry;”.

I wish to make some brief points. Section 39 provides general permission for the processing of personal data for a range of what might be called research or historical purposes subject to suitable and specific measures being taken to safeguard the data. These measures are outlined in section 35. Section 51 takes this idea somewhat further. It provides that as long as the processing of data is necessary, proportionate and subject to suitable and specific measures, then the special categories of personal data, including data about ethnic origin, political opinions, health, sexual orientation and so on, can be processed for research, historical or archiving purposes. We are going to hear a great deal about these categories in the coming days. At the most basic level these sections mean that using a person's data without consent for research or scientific purposes is allowed.

We discussed this on Committee Stage. We know that section 58 restricts some of the rights that people have with regard to their own data under the general data protection regulation, GDPR, in the context of the relevant type of research, archiving or processing. For example, it includes the right of a person to have inaccurate data corrected, the right to object to processing, the right of access and so on. In general, that is fine but, as we said on Committee Stage, we have something of a concern that the concept of a scientific research purpose is not defined in the Bill. In other countries there is a tradition of requiring research to be completely independent of any corporate influence to be considered scientific.

I understand the points made by Deputy O'Callaghan during Committee Stage. He said that defining scientific research within the context of the Bill without providing similar definitions for archiving or statistical purposes might not be ideal. That is fair enough but we remain of the view that the potential for data exploitation for an undefined scientific research purpose could be problematic, especially in a country like Ireland which has proven itself to be utterly deferential to multinationals.

We were keen to make the points again. We are not going to make a major deal out of it. We are keen, however, to hear an assurance from the Minister that when regulations are being drawn up under the relevant sections to outline the ways in which data can be used for scientific purposes, some consideration is given to mandate that the relevant purposes come as close as possible to what most of us would recognise as truly scientific research. Such research should be independent and have in mind the public interest and so on. The purpose should not allow for market research, business intelligence and so on. Such endeavours might follow scientific methods and processes but clearly they serve the corporate rather than the public good. If there was some assurance in the regulations, we would not press it but we are keen to make the points again because we believe there is potential for exploitation.

I am unsure of the extent to which I can short-circuit the debate. We have 150 amendments and we are going to have some intense debate in the coming days.

In response to Deputy Clare Daly's invitation to provide her with an assurance, I cannot give her an assurance in the form of a guarantee. However, I can say that while there is not an absolute or clear definition in the general data protection regulation, GDPR, it is my strong expectation that an agreed European Union definition will emerge. It is important that this take place because a definition is needed to facilitate the type of co-operation we have seen, particularly international and cross-border co-operation in the field of scientific research. I expect such a definition to be agreed to.

Again, while I cannot give an assurance, Deputy Clare Daly and other Deputies can take it that we will encourage that this issue be addressed at EU level for reasons the Deputy put forward. While I cannot accept the amendment, I give her an assurance that we will raise the issue with a view to having it resolved in a way that will meet her concerns.

I appreciate that one can never say never. That the European Union may agree a definition is fine, but we are legislating in this Parliament. Germany has been able to produce a definition. I sought an assurance, insofar as is possible, that the issue would be examined. The Minister's response is on public record and he has been warned. If he does not heed our warning, the State may be exposed to potential litigation. We will accept his assurance for now and hope he will act on it.

I am not sure I gave the Deputy an assurance.

In the interests of expediency, the Minister should not draw me into further debate.

We will certainly have the issue raised with a view to finding a solution. However, it is not within the immediate control of the Government. I am not in a position to accept the amendment because there is not an appropriate definition in the GDPR, but that is not to say I disagree with the point raised by the Deputy.

Amendment, by leave, withdrawn.

Amendments Nos. 2, 17, 19, 20, 62, 64, 79 to 82, inclusive, 84 and 85 are related. Amendment No. 20 is a physical alternative to amendment No. 19. The amendments may be discussed together.

I move amendment No. 2:

In page 17, to delete lines 13 to 25 and substitute the following:

“(2) Every regulation made under this Act, other than under section 50, 59 or 72, shall be laid before each House of the Oireachtas as soon as may be after it is made.

(3) Either House of the Oireachtas may, by a resolution passed within 21 sitting days after the day on which a regulation is laid before it under subsection (2), annul the regulation.

(4) The annulment of a regulation under subsection (3) takes effect immediately on the passing of the resolution concerned but does not affect the validity of anything done under the regulation before the passing of the resolution.

(5) Regulations may be made under section 50, 59 or 72 only if—

(a) a draft of the proposed regulations has been laid before each House of the Oireachtas, and

(b) a resolution approving the draft has been passed by each House.”.

Deputies will recall that section 6 was amended during Committee Stage proceedings. The section now requires that a resolution approving draft regulations under sections 50, 59 and 72 be passed by each House of the Oireachtas before the regulations can be made under the sections by the appropriate Minister. This excessively heavy procedure will give rise to some difficulties, especially where the making of urgent regulations is necessary, important and urgent. However, I do not propose its deletion from the Bill and accept the position agreed to on Committee Stage. Amendment No. 2 replaces the text of the Committee Stage amendment to bring it into line with the language of the Bill. The substance of the amendment is fully in line with the amendment introduced by the Opposition which was ultimately accepted by the select committee.

Arising from the existing reference in section 6 to section 72, there is no longer a need for subsection (7) of section 72 and amendment No. 85 will, accordingly, delete the subsection. For the same reason, there is no need to insert a similar subsection in sections 50 and 59, as proposed in amendments Nos. 62, 79 and 81. For this reason, I am unable to accept the amendments. I am sure I will have an opportunity to discuss the amendments in this group in the names of Deputies Clare Daly, Mick Wallace and Donnchadh Ó Laoghaire when they are moved.

It is important to recall that on Committee Stage the select committee did something novel when Deputies decided to introduce a provision in the Bill that would-----

I beg the Deputy's indulgence, but I seek clarity on the procedure as some of us are a little confused.

The Minister has moved amendment No. 2 which is being discussed with a number of other amendments. Deputies who wish to contribute on any of the amendments in the group must do so now.

I do not mean any disrespect to Deputy O'Callaghan, but Deputy Wallace and I have tabled some of the amendments in the group.

The Deputy may speak first, if she wishes. That is not a problem.

Which amendments in the group are in the names of Deputies Mick Wallace and Clare Daly?

We have tabled amendments Nos. 20, 62, 79 and 81.

The amendments will not be moved until later.

Should Deputies speak to their amendments in the group now?

Yes, there will not be another opportunity to do so.

As we stated on Committee Stage, amendment No. 20 in this group advocates a small but possibly significant change. It appears from the current wording of section 37(4) that the processing of personal data in the public interest would be possible without being specified in regulations made by a Minister. In such circumstances, who would decide what constituted the public interest and who would process the data in the public interest? This is a significant point as the understanding of what constitutes the public interest is important to several sections of the Bill. The amendment is an attempt to make processing in the public interest explicitly dependent on regulations. We advocate changing the word "may" in subsection (4) to "shall" to avoid any confusion; in other words, ministerial regulations would be mandatory for this type of data processing.

On amendment No. 62, as a result of amendments agreed to on Committee Stage in both the Dáil and the Seanad, section 50 has changed somewhat. At one point, the section, as amended in the Seanad, would have required that the Data Protection Commissioner to undertake an impact assessment before a Minister could introduce a regulation. We accept that this requirement would have compromised the independence of the Data Protection Commissioner. To maintain the independence of the commissioner, the amendments we introduced on Committee Stage proposed that the data protection officer in the relevant public authority should instead conduct an impact assessment. As the amendment was defeated, we have introduced another proposal in amendment No. 62 similar to the proposals we introduced on Committee Stage which met with some success. This is an important section as it provides for the processing of special categories of personal data, for example, political opinion, ethnicity and sexual orientation, and doing so in the name of a substantial public interest. We should have a very high threshold for invoking this type of processing.

Amendment No. 62 is designed to provide checks and balances for future regulations. Like most legislation, the Bill gives the Minister considerable power to introduce future regulations. It is difficult not to be concerned about what this or another Government might introduce via regulations given the Government's recent attitude to data rights.

Amendment No. 81 is self-explanatory and intended to achieve a similar outcome. It is an attempt to introduce a proportionality clause to section 59, given the nature of the section in permitting the restriction of the rights of data subjects for the objectives of the general public interest.

With amendment No. 79 we are trying to establish a requirement that the Minister provide a written rationale should he or she seek to introduce restrictions to the rights and obligations to which the section refers.

Of course, I understand that such restrictions may be necessary in certain circumstances, but it is a reasonable request and would not be unworkable that such a written rationale would be put before the Houses. We are talking here only about the so-called important objectives of general public interest, other than those listed in paragraphs (a) to (n), inclusive, of subsection (7).

I refer to amendments Nos. 2 and 82, which is the only one of the amendments of mine in this grouping.

On amendment No. 2, I welcome the fact that the Minister is recognising the view that existed in the committee. One of the most significant amendments that was made to the Bill was the requirement that there would be prospective approval of such regulations as pertain to that section. Much of the commentary that related to this Bill, particularly from experts and lawyers who are active in the area of data protection, aside from the fact that there was the possibility of conflict between the GDPR and the Bill and the potential for litigation in that regard, related to the issue of the significant scope that the Minister was allowing himself and his successors to draw up regulations for special categories of data to be processed and the circumstances in which that would be allowed. It was a positive move that the committee decided that should be a prospective process. I am glad, assuming I understand it correctly, that this amendment preserves that and changes the language. That is a positive development. It is an important safeguard.

On my amendment No. 82, I had submitted something to that effect before that was put into the Bill, but there is still scope for something to that effect. It would complement it. In such circumstances, as I stated on Committee Stage, such regulations should not be drawn up frequently and should be characterised by being infrequent. There should be scope, however, to have an impact assessment or, as I state in the amendment, for the Data Protection Commissioner to have those regulations referred to him or her for an opinion under the terms of section 100, and then returned to the Minister. There is scope, in drawing up these regulations, to ensure that the Data Protection Commissioner has view of them to assess whether they are proportionate and necessary and whether they are in compliance with the GDPR and with the relevant parts of the Bill. That is right and proper and that is the test that should be passed. There should be consultation with the Data Protection Commissioner to ensure that is the case.

Deputy O'Callaghan?

I will hear what the Minister has to say first.

Amendments Nos. 20 and 79 are not quite the same and I will deal with them separately.

Amendment No. 2 is a redraft by the Government of our successful amendments at committee providing that regulations made under sections 50, 57 and 72 shall be the subject of positive resolution prior to being made. That is fine. We agree with that.

Amendments Nos. 17, 19, 64 and 84 are slight redrafts of our successful amendment providing that a Minister has to seek the advice of the Data Protection Commissioner before drafting amendments under the riskier sections of the Bill, namely, sections 35, 54, 59 and 72. We have a minor qualm with the proposed phrase "significant concern" in the Government's proposal, but as it will be up to the commission to decide on what is significant, we are reasonably happy to accept the Government's proposal on the basis that the commission will not feel that its hands are tied by the word "significant". The Minister might comment on that.

Amendment No. 62 is merely a restatement within the relevant section of the provision earlier in the Bill that regulations under this section require positive resolution. We succeeded at committee with identical amendments to sections 59 and 72, but for some reason the amendment to this section, section 50, did not succeed. I am not sure why. In any case, the Government seemed to take the view that a restatement of this requirement for a positive resolution in each of the relevant sections is not necessary because the Minister proposes to take some of them out. The only point we would make is that the Health and Social Care Professionals (Amendment) Act, which contains similar positive resolution procedure for regulations made under certain sections, restates the requirement in the relevant sections. We want an assurance from the Minister that in not restating the requirement in the text of each section, we are not undermining in any way the requirement for positive resolutions under this section.

Amendment No. 20, as I stated, is a different matter entirely. It is slightly awkward that it is in this group. The amendment is about trying to limit the circumstances in which the exemptions from normal data rules that the Government wants to provide to public and private bodies under section 37 can apply. Those are the circumstances where processing is necessary for the performance of a task carried out in the public interest by a controller or where it is necessary in the exercise of official authority vested in a controller as per the GDPR but the Government wants to give that power to anyone who is administering any sort of non-statutory scheme. That is something that we will talk about in more detail in section 37. Article 6.1, paragraph (e), of the GDPR allows for exemptions from having to abide by the standard rules on the basis of the public interest on official authority. The GDPR also states that member states may maintain or introduce more specific provisions to adapt the application of the rules of this regulation with regard to processing for compliance with point (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing. It is clear the GDPR envisages that in circumstances where paragraph (e) is being relied on, member states will adapt the rules of the GDPR via specific and precise requirements that cover processing where the exemption is being relied on. Despite this, at present there is a broad and vague exemption in this section for the aforementioned purposes with no guarantee that any Minister will pass regulations specifying any rules or limitations on the bodies this section gives an exemption to. One might ask why they would not do that. Maybe it would suit a Minister in certain circumstances.

On Committee Stage, the Minister stated that our tabling of a similar amendment may be based on a misunderstanding since the lawful basis for processing exists elsewhere and it does not need to be detailed in regulations. The Minister's following sentence at committee, However, was that the regulations, for reasons of transparency and legal certainty, specify processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Transparency and legal certainty is exactly what we are trying to achieve here. Our amendment is not based on misunderstanding. It is based on exactly what the Minister said is the purpose of the regulations under this section. There should be an obligation on the Minister to set out the criteria in the public interest rather than it being an optional extra. If the Government wants to give broad powers to the State and non-State bodies not to have to abide by data protection rules that everybody else must abide by, the Minister should set out exactly the limits of that power. It should not be left to section 37. As an absolute minimum, therefore, there should be, as we propose, a requirement for the Minister to set out more precisely the ways and means in which personal data can be processed in the public interest on official authority.

Amendment No. 79 is different again. It relates to section 59. Section 59(7) lists some indicative important objectives of the general public interest for which the basic rights of people under Articles 12 to 22, inclusive, in regard to their data can be restricted. Indicative is the problem here. Fourteen objectives are merely some of the general public interest objectives for which the Minister might decide to restrict people's rights. Any Minister at any time could do that without consulting elected representatives.

We all know that might not be the general public interest. Under this section, there is nothing to stop a Minister restricting people's rights without coming to the House. We propose to restrict this in amendment No. 79. If our amendment passes, a Minister who wants to designate an objective that is not listed in the Bill as an important objective of public interest has to come before the Houses with his or her proposal for a vote to be taken on it. It is a small thing and we think it should be accepted.

We will go back to the Minister who has exhausted his seven minutes.

I will be very brief.

The Minister will have two minutes and then, at the conclusion, since he moved the amendment, he will have a further two minutes. Others may intervene after the Minister.

With regard to amendment No. 20, Deputy Clare Daly's own words are that it appears awkward. I still maintain it is unnecessary on the basis that the legal basis for such regulation exists in Article 6(1)(e) of the GDPR. They will clarify that the processing being carried out in certain cases is necessary for the performance of the task.

Deputy Ó Laoghaire's amendment No. 82 will require the data protection commission to carry out a detailed impact assessment. It will be a matter for the data protection commission itself to carry it out and to decide how best it might deal with concerns. I am concerned about setting mandates in legislation that might be interpreted as a form of infringement.

In respect of the earlier amendments, acknowledging the fact that amendments were carried on Committee Stage, there is no need to have similar subsections in sections 50 and 59 as proposed in Deputy Clare Daly's amendments Nos. 62, 79 and 81. I confirm that the Office of the Attorney General has stated that if the resolution mechanism is in section 6 as it is, there is no need for a specific mention in sections 50, 59 and 72. I think that meets the Deputy's concern.

We are debating a series of amendments. We need to go back to what happened on Committee Stage when we made the novel decision that instead of having a situation whereby regulations could be retrospectively disapproved of, we put a provision into the legislation whereby statutory instruments would have to be prospectively approved. It is a novel approach. It was a worthwhile approach for the Oireachtas to take. We need to remember that when a Minister issues a statutory instrument, he is making law. The Constitution says the sole and exclusive power for making laws rests in the Oireachtas. Under our system, we recognise that secondary legislation is permitted for convenience sake so that statutory instruments can be issued and signed by Government Ministers. They, however, become law. To have supervision and in order that there is Oireachtas involvement, in general each statutory provision introduced includes a provision that a resolution of the Houses of the Oireachtas can revoke such a statutory instrument if that resolution is passed within 21 days.

I note what the Minister is doing in amendment No. 2. He is simply trying to tidy up what was agreed on Committee Stage. We will agree to that amendment. We then go forward to amendment No. 17 which is in a similar format. It is another tidying-up exercise and I am supportive of it. Amendment No. 19 is much in the same way as the previous ones I discussed.

With regard to amendment No. 20, I note the intention of Deputies Clare Daly and Wallace. They say that when regulations will be issued in respect of a processing carried out in the public interest or in the exercise of official authority, it should be mandatory and the Minister should be required to issue regulations if there is going to be processing of personal data which is necessary for the performance of a task carried out in the public interest by a controller or which is necessary in the exercise of official authority vested in a controller. At present there is a discretionary power given to the Minister whereby he may issue regulations in respect of that matter.

I am conscious this is the final Stage on which amendments can be tabled. We need to look to see how it will read if Deputy Clare Daly's and Deputy Wallace's amendment is passed. It will state that these personal data performances shall be specified in regulations made by the Minister provided the Minister has consulted such other Minister of the Government as he or she considers appropriate. My concern about the way it would end up after that is it may mean a Minister would not have to issue regulations if it was the case he or she had not consulted such other Ministers of the Government as he or she considers appropriate. It may be the case he would not have to issue regulations if he or she had not consulted and sought the advice of the data protection commission. It may sound like a lawyer's point but when it comes to interpreting legislation, unfortunately, it is the case that in the main instance lawyers are the first people to interpret it. If it is drafted with the amendment, it would mean the Minister could get around issuing any regulations if he decided not to consult a Minister of the Government in advance or if he decided not to consult the commission. It is an unintended consequence and because of that I will not support that amendment.

That brings us on to amendment No. 62. I do not think this amendment is necessary. In fairness to Deputies Clare Daly and Wallace, while they came up with the novel proposal of having prospective approval, it is contained within the Act, so we do not need to repeat it on numerous occasions, and amendment No. 62 is therefore not necessary.

Amendment No. 64 is a similar tidying-up exercise by the Minister and I will support it. Amendment No. 79 is unnecessary. I will have a look at it in more detail before it comes up for a vote. Amendment No. 81 by the Minister is appropriate. It is the same as two previous amendments. I make the same point in respect of amendment No. 81 it is not necessary because it is clear in the legislation that certain regulations will require prospective approval by the Oireachtas.

In respect of Deputy Ó Laoghaire's amendment No. 82, while I note the intention and the objective, I tend to agree with the Minister that those matters are for the Data Protection Commissioner and the Office of the Data Protection Commissioner. It is not necessary for such amending to be included in the Bill.

I had not mentioned amendment No. 81 which Deputy O'Callaghan has just mentioned. It is our amendment which we tabled because we spotted that the provision on regulations under section 59 to respect the essence of the right to data protection and to restrict the exercise of data subject rights only insofar as is necessary or proportionate was accidentally deleted by the committee. The fact the Government is reinstating this as part of its larger amendment in amendment No. 80 is a better thing and we support it. We are happy to withdraw that at this stage in support of the Government's amendment No. 80.

I thank Deputies because we are dealing with a number of amendments in this group. It seems to me that agreement has been reached on my amendments Nos. 2, 17, 19, 64, 80, 84 and 85. I acknowledge the comments of Deputy O'Callaghan. He speaks of a novel approach to the concept of the positive resolution. As well as being novel, it is also burdensome and onerous.

Nevertheless, it was a decision that was taken on Committee Stage and Government will certainly live with it.

It seems that Deputy O'Callaghan and I are ad idem on amendments Nos. 62, 79 and 81. I repeat to Deputy Clare Daly that I do not see the necessity for her proposal, particularly given the existing reference in section 6 to section 72. The same obtains for sections 50 and 59 as they relate to the proposals in amendments Nos. 62, 79 and 81. I have mentioned the Attorney General and I have already dealt with amendment No. 82. I agree that we need to ensure that it is entirely a matter for the commission itself to decide what issues are of significant concern to it. Where any Minister is proceeding with regulations, notwithstanding such concerns, the justice committee must be informed in any event.

Amendment agreed to.

Amendments Nos. 3 to 6, inclusive, and 83 are related and will be discussed together.

I move amendment No. 3:

In page 18, line 7, to delete “subsection (2) of section 8.” substitute “subsections (1)(b), (2) and (3) of section 8.”.

I wish to express my appreciation to Deputy Ó Laoghaire for amendment No. 6 and for drawing attention to the need for the data protection commission to complete investigations already commenced by the commissioner. I am not going to accept amendment No. 6 because it seems to inadvertently delete subsection (4) from the section. I ask Deputy Ó Laoghaire to acknowledge my amendments Nos. 3 to 5, inclusive, which will achieve the objective in any event, resulting in the situation where the Bill makes it clear that all investigations commenced by the commissioner must be completed by the commission.

Amendments Nos. 4 and 83 serve another purpose. The new paragraph (b) in section 8(1) will mean the 1988 Act provisions will continue to apply to the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 and the recently enacted Vehicle Registration Data (Automated Searching and Exchange) Act 2018, which deal with the Prüm measures are not affected by the law enforcement directive which is referred to in Article 60 and Recital 94 and is adequately dealt with.

I am happy to listen to the concerns of Deputy Ó Laoghaire but our amendments deal with the import of his amendment No. 6. I acknowledge that this amendment goes a little bit further than the Deputy may even have intended himself.

This was a variation on an amendment submitted on Committee Stage and intended to ensure that the data protection commission can continue with any investigations or actions currently being undertaken by the Data Protection Commissioner. I thought we had made a slightly better effort in drafting it on this occasion but, in any event, I am satisfied that the amendments the Government has brought forward deal with my intention and I am glad the issue has been flagged.

I was going to speak in defence of Deputy Ó Laoghaire's amendment but, as he has withdrawn it, I would appear to be wasting my time.

The Deputy may speak to the group of amendments.

I will listen to the Minister first.

I welcome the Deputy's support but he can give it by just rising in his seat without making a contribution.

There is some merit in Deputy Ó Laoghaire's proposal. We know that the Data Protection Commissioner has opened a section 10 investigation into the public services card and the single customer view, which is one of the biggest data sharing projects in the history of this State. As I understood it, the Office of the Data Protection Commissioner is also investigating the use of CCTV cameras, which we mentioned on Committee Stage, such as the proposed scheme in Limerick which is funded under the community-based CCTV scheme of the Department of Justice and Equality. It is important that these investigations are allowed to be completed and they should not be interrupted or halted. Perhaps the Minister's amendments allow this but I did not hear that clearly the first time it was discussed. During the Seanad debates, the Minister was not totally convincing in explaining to Senator Higgins that such investigations as are already under way would continue following the transition to the new data protection commission, which the Bill provides for. If the Minister's earlier amendments cover this point, that is grand. If not, perhaps I will ask Deputy Ó Laoghaire to put his amendment back on the paper.

Deputy Wallace is playing the role of Deputy Ó Laoghaire and I will now try to play the role of the Minister. In amendment No. 4, subsection (3) states that an investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act. It is virtually identical to what is sought in Deputy Ó Laoghaire's amendment so I do not think we need to spend a huge amount of time debating it.

For clarity, it is my belief that, having regard to my amendments, the Bill makes it perfectly clear that any and all investigations which have been commenced by the commissioner must be completed by the commission.

Amendment agreed to.

I move amendment No. 4:

In page 18, to delete lines 9 to 19 and substitute the following:

“8. (1) Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—

(a) the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or

(b) the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.

(2) The Act of 1988 shall apply to—

(a) a complaint by an individual under section 10 of that Act made before the commencement of this section, and

(b) a contravention of that Act that occurred before such commencement.

(3) An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.”.

Amendment agreed to.

I move amendment No. 5:

In page 20, lines 20 and 21, to delete “, in so far as it relates to a function transferred by this section,”.

Amendment agreed to.
Amendment No. 6 not moved.

Amendments Nos. 7 and 8 are related and will be discussed together.

I move amendment No. 7:

In page 21, to delete lines 1 to 13 and substitute the following:

“(5) Subject to subsection (7), the Public Appointments Service shall recommend a person for appointment as Commissioner following an open selection competition held by the Service for that purpose.

(6) The Public Appointments Service shall appoint a selection panel to assist it in holding an open selection competition.

(7) The Public Appointment Service shall ensure that a person is recommended under subsection (5) for appointment only if it is satisfied that the person has the

qualifications, experience and skills necessary to enable the Commission to effectively perform its functions.”.

I refer to a number of Opposition amendments concerning the method of appointment of a commissioner, which were carried on Committee Stage. My amendment No. 7 will replace subsections (5) to (9) with a redrafted text that takes account of all but one of the proposals on that occasion. Subsection (5) includes a requirement for an open selection competition while subsection (6) provides for the appointment of a selection panel as proposed in the Opposition amendments.

However, the amendment does not provide for the nomination of a member of the selection panel by the European Data Protection Supervisor, EDPS, for the following reasons. Following completion of Committee Stage, my officials drew the attention of the European Data Protection Supervisor to the subsection that would require him to nominate a member of the selection panel for recommending a candidate for the appointment of commissioner. The response to my Department by the supervisor's deputy stated that, despite its deep understanding of the good intentions of, and appreciation for, the European approach, EDPS wanted to express its reservations about the idea. It stated that it was aware of some precedents as far as the involvement of the fundamental rights agency executive director was concerned but thought that it did not fit with the system of international co-operation of data protection authorities. EDPS, being the supervisor of EU institutions bodies and agencies, as well as the provider of the secretariat for the European Data Protection Board, had to stay neutral and impartial in all appointment procedures in national jurisdictions.

This is something we did discuss, and it was flagged in anticipation of our representations and submissions. Taking account of the views of the European Data Protection Supervisor, I have not provided for a nomination of a member of the selection panel by the European Data Protection Supervisor in my amendment to replace subsections (5) to (9). However, as I mentioned during Committee Stage discussions, it is already the practice of the Public Appointments Service to seek external participation in selection boards. I understand the head of another data protection authority already participated in the selection process that recommended the current Data Protection Commissioner to the Government for appointment to that position. I state this for clarity purposes, being further information that is now provided that we did not have on Committee Stage.

As regards amendment No. 8, in the names of Deputies Daly and Wallace, I am advised it is not necessary to make provision for the filling of a vacancy on the commission because the process for appointing a commissioner will apply in the case of all vacancies in any event as of course.

The Minister's amendment No. 7 obviously removes what we put into the Bill. I was going to ask the Minister that if he was going to object to our provision whether he had contacted the office of the European Data Protection Supervisor in the meantime about us placing an obligation in law for its involvement. He has done so, and it nails the argument. There is nothing more we can do on that. The point about external involvement is still important, but I take the point that the office of the European Data Protection Supervisor feels this is not a role for it. On that basis we cannot really press ahead with it.

With regard to amendment No. 8, this is the same as what we presented on Committee Stage, to insert a requirement that vacancies for the role of the Data Protection Commissioner would be advertised publicly, along with details of the criteria for the filling of the vacancy. I know the Minister has said this is not necessary and that an open competition presumes a public advertisement, but does it entirely? We can have an open competition that is not actually open because nobody knows about it. We just want to know whether it is explicitly guaranteed that the vacancies will be advertised, along with the specific list of criteria for people who might want to take up the positions.

To respond very briefly to Deputy Daly, it will be a public process. It will be a full process and it will be conducted by way of public advertisement for anyone who is interested in making an application.

Amendment agreed to.
Amendment No. 8 not moved.

Amendments Nos. 9 to 12, inclusive, are related and will be discussed together

I move amendment No. 9:

In page 26, line 9, to delete (in subsection (2) referred to as annual accounts")".

Sections 23(3) to 23(6), inclusive, deal with the annual accounts of the data protection commission. These were inserted into section 23 on Committee Stage, and the amendments make a number of minor and technical adjustments to these provisions. I do not see any controversy involved.

Amendment agreed to.

I move amendment No. 10:

In page 26, line 13, to delete Annual accounts" and substitute Accounts".

Amendment agreed to.

I move amendment No. 11:

In page 26, to delete lines 23 and 24 and substitute the following:

(3) Subject to subsections (4) and (5), subsections (1) and (2) shall cease to have effect on the date of the coming into operation of section 173(b).".

Amendment agreed to.

I move amendment No. 12:

In page 26, to delete lines 25 to 31 and substitute the following:

(4) Accounts kept in accordance with this section that relate to the period specified under subsection (5) shall be submitted by the Commission to the Comptroller and Auditor General for audit not later than 3 months after the date of the coming into operation of section 173(b).

(5) The Minister may, for the purposes of subsection (4), specify a period which—

(a) shall end on the date immediately preceding the date of the coming into operation of section 173(b), and

(b) may be longer or shorter than a financial year of the Commission".

Amendment agreed to.

I move amendment No. 13:

In page 28, after line 34, to insert the following:

Micro-targeting and profiling of children

30. It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting, for financial gain. Such an offence shall be punishable by an administrative fine under section 140.".

This grouping of amendments, amendments Nos. 13 to 15, inclusive, relates to the question of children using the Internet and the desire of everybody in the House to protect children as much as possible while they are using the Internet. There have been many different suggestions of how best to do this and the discussion on Committee Stage centred around two actions. The first was to increase the digital age of consent. A number of people, including myself, proposed amendments in this regard to raise it from the existing 13 years of age to 16 years of age.

The other area in which I and others were interested was that of outlawing the targeting or harvesting of children's data for the purposes of marketing and commercial purposes generally. At the time, one of the amendments I had tabled was to raise the age of consent. I listened to the arguments put on the day and, since then, I have to say, I have done a good bit of reading on this. In particular, I have read some of the correspondence I have received from the Children's Rights Alliance, the ISPCC and Barnardos, and I have changed my mind about raising the digital age of consent.

The instinctive thing about it was we felt it would be better if children had to get permission from their parents and that there would be less danger to young teenagers but, having read the cases made by the various children's NGOs, I accept what they are saying about the false sense of security that raising the age gives. The other point they made is there is an issue about the raising the age to 16 in light of the virtual impossibility of enforcing that age, and a number of concerns set out by those groups relate to child protection.

Everybody is concerned about children getting onto harmful and pornographic websites and the fact it is so easy for children to do this. Basically, they can get onto them in a matter of two or three clicks. As we know, the most recent phenomenon is with regard to young people often sharing personal or inappropriate images of themselves online and through social media. There is general concern about the potential of this in terms of grooming children and online sexual abuse and, obviously, commercial companies selling and exploiting digital profiles of children. There is a whole range of concerns, and the NGOs made the point that out of the blue, the digital age of consent seemed to be just dropped into the general data protection regulation at the 11th hour without any evidence base for doing so. They cited the experience from the US, which shows that to get around this increase in the digital age of consent companies often simply avoid asking children for their age. Most children are, obviously, able to bypass the age verification mechanism. Given the fact that very often children are much more adept at using social media and using the Internet generally, parents have no idea they are able to bypass these mechanisms and, again, have that false sense of security.

The concern is this issue has not really been addressed at EU level, and many agencies are still waiting for this to happen.

The NGOs have drawn attention to the fact that there is a need to put a much stronger political focus on measures that can truly protect children. The NGOs make the following points: Ireland still does not have a digital safety commissioner; there is still no public body with the power to regulate the online world to make children safer; no-one has the power to compel the social media platforms or broadband providers we all use every day to prevent a child from engaging in harmful online content; and no-one has the power to set down codes of conduct for online providers. The NGOs make the case that this is not good enough. We need political leadership at the highest level on this issue, and we need it now. We urgently need politicians of all hues to make the digital safety commissioner a reality. The NGOs say this will make a real difference towards keeping children safer online, and in reassuring parents. The digital age of consent cannot provide this protection. The digital age of consent will be effective when it is thought out properly and when we have proper guidance from the EU, on which we are still waiting.

Putting the digital age of consent up to 16 years of age creates a very false sense of security. We may feel good about it but it actually does very little in protecting children, and it misleads parents. This is why I have not put my name to that amendment again for the Bill on Report Stage. When the Minister made the case for keeping the digital age of consent at 13 years of age, he quoted extensively from the Children's Rights Alliance and from the Ombudsman for Children. I put it to the Minister that both of those bodies said that while they did not believe it was right to raise the digital age of consent, they each felt it absolutely essential for the Minister to put measures in place to prohibit companies from harvesting children's data and from profiling children for marketing and commercial purposes. This is why I put my name alongside Deputies Daly and Wallace to an amendment to outlaw this practice.

In deference to the points I have made on accepting the Minister's arguments on the age of consent, will the Minister also accept the arguments made by the Children's Rights Alliance and the Ombudsman for Children that we absolutely have to protect children from this kind of targeting and profiling around their data? It must be kept safe.

I will call on Members as they tabled amendments.

We welcome Deputy Shortall's conversion and we look forward to Sinn Féin, Fianna Fáil and the Labour Party joining in on the issue also. We fought on the Government's side on this issue on Committee Stage so we are repeating an amendment that Senator Lynn Ruane first introduced in the Seanad and which we also proposed during Committee Stage in the Dáil.

We believe that the digital age of consent should absolutely remain as it is in the Bill at 13 years of age. It would be detrimental to do otherwise. Changing it without robust and adequate verification processes in place does not make any sense. Setting it at 16 years of age is the easy option and, as it has turned out in the last weeks, has proven to be a populist one. To do so, however, would be pointless and counterproductive. There are no adequate verification processes currently in place to verify age of consent and there will not be any in place in the next two weeks before the general data protection regulation, GDPR, comes into effect.

On Committee Stage, arguments were made that WhatsApp will ask users to confirm they are aged 16 or over. The argument was built around this, despite the fact that WhatsApp and Facebook had already committed to these changes. Anybody who uses WhatsApp and who had simply to tick a box at the weekend to say they were over 16 will know and understand the pointlessness of setting the digital age of consent at 16. A friend of mine tried this over the weekend and he was able to show me that a child of four could have done so.

There are also fundamental conceptual difficulties with age verification. The processes to do it adequately are themselves considered violations of privacy. Age verification processes that might be adequate are also data harvesting exercises. In that sense, it is important to question why certain people who should really know better - I am not referring to Senators or Deputies - are lobbying for the age of consent to change to 16 years of age. It is also interesting that certain people who have been lobbying Deputies and Senators for the digital age of consent to be set at 16, to my knowledge, have not lobbied at all in relation to our amendment No. 13, which proposes to prohibit the profiling and micro-targeting of children. If a body wants to set the digital age of consent at 16, perhaps it is likely that it wants to be able to harvest the data of parents through the verification process, as well as the children's data once the parents have consented and verified.

Including a prohibition on profiling and direct marketing to children would surely go a long way to addressing people's fears on the digital age of consent being set at 13 years of age. This is not an unreasonable request. The Ombudsman for Children recently made this point also. The ombudsman has argued that the digital age of consent should be set at 13 but that the profiling of children and the harvesting of their data for commercial purposes should be prohibited on a statutory basis. This kind of digital marketing is incredibly powerful. It would surely be a progressive step to shield children from it. I believe that the parents of Ireland would thank us for this.

I acknowledge the Minister’s points during the Committee Stage debate. The Minister mentioned the European Court of Justice ruling that the imposition of limitations in national or member state law on the processing of personal data that is lawful under the GDPR is in breach of EU law. The Minister was referring to Article 7(f) of the 1995 directive, which is now part of Article 6.1(f) of the GDPR. The Minister also referred to Recital 47 of the GDPR, which is a reference to the fact that the processing of personal data for direct marketing purposes may be regarded as carried out for a "legitimate interest" as per Article 6.1(f). I accept that based on their business model, social media platforms like Facebook can presumably claim that the kind of data processing they do is ‘"legitimate interest" processing. I understand that Article 6.1(f), however, makes a special provision for the protection of the personal data of children. Article 6.1 of the GDPR broadly reproduces an equivalent provision in the data protection directive but the need to specifically consider the interests and rights of children is new. At the very least, this should require that data controllers like Facebook ensure that any decision to process data relating to children on the basis of "legitimate interest" is carefully documented and that a risk assessment is conducted.

Even if this amendment does not succeed, the digital age of consent should remain at 13 years of age. My point still stands that without reliable, sufficient and adequate verification procedures in place, setting the age of consent at 16 will not work and will have many damaging and unintended consequences. Setting the age of consent at 16 will not prevent children from being profiled and marketed to, for example, by fast food or junk food companies. If a parent consents for a 13 or 14 year old to use a particular online platform, that 13 or 14 year old will be subjected to the same profiling and micro-targeted marketing. They will be subjected to it also when they inevitably bypass, very easily, the necessity for parental consent.

I shall now turn to amendment No. 15. As I have already said, it is a very bad idea to set the digital age of consent at 16 years of age without the necessary verification processes in place. Any age verification processes that might be adequate are themselves data harvesting exercises and we should ask ourselves why certain so-called experts are advocating for the digital age of consent to be set at the age of 16.

I mentioned a number of points previously. This week saw the strange and worrying situation of the Children's Rights Alliance having to defend itself against an accusation in a Sunday tabloid that its support of 13 years as the digital age of consent was based on Government funding. That is an unfair claim.

Not only has the Deputy's time expired, but it is 9 p.m., so I would ask him to move the adjournment of the debate.

May I seek clarification? I am a party to the amendments in this grouping.

If the Ceann Comhairle or I am present tomorrow evening, we will call Deputies. Deputy Ó Laoghaire has amendment No. 14, after which Deputies Sherlock, O'Callaghan and Thomas Byrne, in that order, will be called. Any other Deputy who wishes to contribute will then be called.

Debate adjourned.