Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020: Motion

I move:

That Dáil Éireann approves the following Regulations in draft:

Data Protection Act 2018 (section 60(6))(Central Bank of Ireland) Regulations 2020,

a copy of which was laid in draft form before Dáil Éireann on 28th October, 2020.

I bring this motion before the House today to seek a resolution to agree the draft Data Protection Act 2018 (section 60(6)(Central Bank of Ireland) Regulations 2020, as provided for under section 6(5)(a) of the Data Protection Act 2018. Members may gather already that we are dealing with quite a technical issue. In October 2019, the draft Data Protection Act 2018 (section 60(6))(Central Bank of Ireland) Regulations 2019, SI 537 of 2019, known as the 2019 regulations, were agreed by both Houses of the Oireachtas. However, due to the incorrect formatting of the agreed text at printing stage, regulations 3, 7(1) and 7(2) were formatted and indented incorrectly. The incorrect indentation change in respect of the Roman numerals below regulation 3(c) meant that the qualification set out in the Roman numerals applied only to subparagraph (c) and not to subparagraphs (a) and (b).

I will conclude soon. I have a long script but, essentially, there was an error at the printing stage only and everything came through this House before that. The regulation was agreed by the Central Bank, the Data Protection Commissioner and the Department of Finance after full consultation, was passed by the Houses of the Oireachtas and was signed by the Minister. Everything was correct, but when it came off the printing press, there was a mistake in the indentation of three of the subparagraphs which meant it may have been possible to come to a different legal interpretation of those paragraphs because of the way the regulation was printed, not because of how it was when passed by the House and signed by the Minister. In simple English, it is necessary to seek a motion through the House to correct this mistake because the regulation relates to data protection. Normally, when there are errors in a statutory instrument, a Minister would have the authority to re-sign it, but because of the data protection issue, it is necessary to bring it back to the House to correct what is essentially a printing error.

This came to our attention early this year. The Department of Finance got legal advice and felt it was necessary to clarify the regulation and redo the statutory instrument. That involved a full consultation between the Central Bank, the Data Protection Commissioner and the Department of Finance. All of that has been done and a motion is now required in the House to approve the regulation.

We have checked if any adverse effects might have occurred due to the error in the printing since the original statutory instrument was signed, and the Department of Finance has absolutely confirmed with the Central Bank, whose data protection regulation this relates to, that in no case was there any untoward or unforeseen circumstances as a result of the printing error. People would have relied on the printed document, which was not quite the version that passed through the House. I will conclude a very long technical speech by giving it to Members in straightforward English. We are here to correct a printing error. We have redone the entire process and we are back here seeking the approval of the House.

As we are seriously running over time and this is a technical matter, perhaps we can deal with it relatively expeditiously.

The motion relates to regulations which came into operation on 30 October 2019. The Data Protection Act 2018 (Central Bank of Ireland) Regulations 2019 were introduced to permit the rights of data subjects under Articles 12 through 22 and 34 and controllers' obligations under Article 5 of the general data protection regulation, GDPR, to be restricted to the extent necessary and proportionate to allow the Central Bank to perform certain functions. The motion before us today does nothing to change the substance of these regulations whatsoever. In fact, it does nothing more than correct an indentation error which was made in the printing process of the regulations which came into effect in October of last year.

The regulations themselves apply to personal data, in respect of which the Central Bank is a controller and which are processed by the Central Bank, in pursuit of what is defined as a "relevant objective" and pursued by the Central Bank in carrying out a "relevant function". This is defined as an important objective of general public interest, as referred to in the Data Protection Act 2018. These relevant objectives include avoiding obstructions to any official or legal inquiry, investigating or prosecuting breaches of ethics for regulated professions, and taking any action for the purposes of investigating a complaint made to a regulatory body. Under the regulations, the restriction of data subjects' rights or controllers' obligations must be necessary and proportionate. As we all know, the restriction of data is a serious issue which must be justified and justifiable. Are these regulations, which permit the restriction of data access in prescribed circumstances, monitored to ensure the restriction is both necessary and proportionate?

The regulations also provide that where data subjects' rights or controllers' obligations are restricted, the Central Bank must notify them in writing, except in very limited circumstances. It also gives the data subject the right to submit a complaint to the Data Protection Commissioner. Will the Minister of State provide an update on the number of such complaints lodged with the Data Protection Commissioner since these regulations came into force last year?

The motion before us today is not one of substance but rather a technicality. It is a formatting issue. Having spoken to the Central Bank policy unit in the Department of Finance, I understand that there was an indentation in regulations 3 and 7 of the regulations published last year. The effect of the indentation is quite significant. For example, due to the indentation error, financial services legislation would not relate to the operation of the Central Credit Register. This is the error which the regulations before us today seek to address, specifically by reformatting regulations 3 and 7. I see no issue with these changes but I have some questions for the Minister of State. Has the Central Bank, as a result of this indentation error, restricted data subjects' rights in a way that is in contravention of the regulations published last year? As a consequence, could the Central Bank be open to legal challenge?

While I have the opportunity to speak about issues relating to the Central Bank, I also raise the second private motor insurance report, published as part of the national claims information database. Its findings are clear and lay bare the price-gouging activities of the insurance industry. Since 2009, insurance premiums have risen by 35%, despite the cost of claims falling by 9% and the number of claims made falling by 45%. Today's report confirms what we in Sinn Féin have been saying for some time. Premium costs for consumers have gone up while the cost of claims for insurance companies has fallen. Last year alone, the insurance industry recorded profits of €142 million. The Government has failed to rein in the industry and consumers cannot afford inaction any longer.

In the next months, my colleague, Deputy Pearse Doherty, will introduce legislation to ban the practice of dual pricing by the industry. What will the Minister of State do about this?

I appreciate that this is a technical matter but I would like to have my views on the matter recorded. The Minister of State is welcome this evening and, on behalf of the Labour Party, I welcome this move. I thank the Minister of State's officials for the briefing afforded to my colleague and I on the matter yesterday. We understand that these measures are required, and certain identified restrictions on GDPR rights may be imposed with the approval of these Houses to safeguard important Central Bank-related objectives of public interest.

The draft regulations cannot and should not impose blanket restrictions. That would be problematic and go against the letter, intention and spirit of laws about the right of access to information. Any approach to the issues at hand today has to be proportionate. That is a word that peppers much of the commentary about these kinds of issues. When deciding on restrictions of this nature, account must be taken of the extent to which the exercise of the right or compliance with the obligation would prejudice the achievement by the bank of a relevant objective, the essence of the right to data protection of the data subject and the risks to the rights and freedoms of the data subject which might result from such a restriction. I note that data subjects in the context of these regulations more generally are to be notified of restrictions arising from this and of their right to complain to the Data Protection Commissioner in a concise, intelligible and easily accessible form, using clear and plain language. It is important that data subjects know where they stand. Their rights and entitlements in this complex area must be made crystal clear and obvious to them at all times.

I am by no means an expert on data law or data matters but I believe, from the advice I have received, that the right balance has been struck and that once used responsibly and proportionately, these measures can serve as another important protection for the State and the taxpayer against the scourge of white-collar crime. We have seen, on too many occasions over the years, many cases where powerful individuals take refuge behind such instruments as the recent GDPR to delay and deny the course of justice. We must guard against that. These particular restrictions are balanced and proportionate, and we are happy to support the Minister of State's approach and proposition this evening.

I welcome the opportunity to speak briefly on this matter and to say we will support the amendment the Minister of State has tabled. I understand the complexity here is that the Minister of State has to come back before the House for its approval before the statutory instrument can be enacted. It would be useful if the same mechanism could be used regarding some of the Covid-19 regulations, some of which have contradicted themselves and the comments and information on the Government's own websites.

I want to focus on the responsibility of the Central Bank with regard to this matter. The briefing note provided to us assures us that this is about getting the right balance between the protection of consumers and accessing the information from the banks. My difficulty is that I believe there is a fundamental bias within the Central Bank. That fundamental bias is inherent in every interpretation by the bank on regulating and policing commercial banks in this country. While the Central Bank has a responsibility to protect the rights of consumers, its primary focus is on the stability of the financial system. It is important that we protect the stability of the financial system but the difficulty is that, at times, a call has to be made between the stability of the banks and protecting the rights of consumers. Unfortunately, when push comes to shove, the banks win out. I believe that this has to be addressed.

Up until the last decade, the consumer regulatory arm for financial services was separate to the Central Bank. They were amalgamated a number of years ago and I believe they need to be separated again. The assurances that the Minister of State will provide are undermined by having the consumer protection and banking regulatory aspects within the same organisation. The regulator, which is the Central Bank, stated in March of this year, before Covid-19 broke out, that the banks still lacked a consumer-focused culture. I believe that the culture is lacking not just within the banks, but within the Central Bank itself.

On 8 July, I outlined to the Minister for Finance an example of where consumers are being ignored by the Central Bank. I pointed out to him that a family with a mortgage of €300,000 that took a six-month break as a result of Covid-19 would face an interest bill of €4,300. The commercial banks were telling that particular family, which was struggling as a result of Covid-19, that they had no other choice but to continue to apply the interest rate to their mortgage, when the European Central Bank had said the opposite in that regard. The Central Bank here was behind in enforcing that.

We have seen the same with the headlines this morning with regard to motor insurers making profits of €142 million last year despite the fall in costs of settling claims. Premiums are going up but so are the profits of the insurance industry. We saw the same thing with the tracker mortgage, where the banks have effectively given the two fingers to the regulator. I fundamentally believe that we must separate the consumer protection aspect from the Central Bank and have it with a separate authority, whatever that authority is, so that the Central Bank is not making a judgment call about whether it supports and shores up the banks or protects consumers, because that should be a primary focus of the regulator.

I will respond to a couple of the points made. To provide some information, since the 2019 regulations were made, the Central Bank has received 28 subject rights requests. The regulations were applied in five of these responses. In only one case were the regulations invoked to withhold the entirety of the data request. This was a focused request for three or four specific documents and after a robust evaluation of these few documents, the bank was satisfied that the decision to withhold these data would not result in any disproportionate detriment to the individual concerned.

The Central Bank has a defined evaluation process for dealing with all cases where the regulations are invoked. These processes ensure that the necessity and proportionality requirements are robustly applied. The process also includes engagement with the Central Bank's data protection officer. To date, no complaints have been submitted through the Central Bank, nor is the bank aware of any complaints submitted to the Data Protection Commissioner about these regulations since they were originally passed.

I thank the Deputies for taking the time to address this motion. The issue of motor insurance was mentioned. It is a topic that I will be happy to discuss separately. I concur with Deputies about the profit level in the area. We will come back to that. The Government has a clear action plan for dealing with insurance. Today's report was on private motor insurance. I understand Deputy Naughten's remarks about the rights of customers.

However, the most important right of a customer is that the Central Bank ensures the financial stability of the bank. It is all well and good to have rights, but if the bank has gone bust one has no rights. The first function of the Central Bank is to regulate and protect the stability of the banks. That is the main thing customers want; they do not want to lose their money. I accept the point that there is an issue regarding the same institution having a role in consumer protection.

The Minister of State is making the argument for me. I thank him.

I accept the Deputy's point. These draft regulations allow the Central Bank to use that exemption. Most importantly, they also contain safeguards to ensure the banks apply the restrictions only where necessary and proportionate to the need to safeguard specified important objectives of the general public interest pursued by the Central Bank. This has been accepted by all sides of the House. They also provide that the individual has a right of complaint to the Data Protection Commission. Section 6(5)(a) of the Act provides that regulations may be made only if a draft of the proposed regulations is laid before each House of the Oireachtas and a resolution approving the draft has been passed by each House of the Oireachtas.

I ask the Dáil to approve this today, and I thank the Deputies for their time.

Question put and agreed to.