I thank the Chairman and the joint committee for this opportunity to participate in the pre-legislative scrutiny of the general scheme of the Data Protection Bill. I am Seamus Carroll from the civil law reform division of the Department of Justice and Equality, and I am accompanied today by my colleagues, Ms Noreen Walsh and Mr. Conor O’Riordan, from that division.
Before entering into detail, I should perhaps outline briefly the background to the draft Bill. Following four years of intensive negotiations, the Justice and Home Affairs, JHA, Council and the European Parliament reached agreement on updated EU data protection standards in December 2015. The texts of two new EU data protection instruments were published in May 2016. The first was a regulation containing general data protection rules while the second was a directive containing rules applicable to competent bodies involved in the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties. The regulation enters into force on 25 May 2018. The directive must also be transposed into national law by May 2018. While the introduction of a single EU instrument containing all data protection rules would have been simpler and possibly more efficient, the European Commission decided to propose both a regulation and a directive and it was, despite some misgivings, accepted by the JHA Council and the European Parliament.
The introduction of new, higher EU data protection standards at this time can be justified for the following reasons. First, there is the introduction of a new legal basis for data protection standards in Article 16 of the Treaty on the Functioning of the European Union, TFEU, together with the introduction of the right to data protection in Article 8 of the EU Charter of Fundamental Rights. Second, there is the fact that existing data protection standards, which derive from the EU’s 1995 data protection directive and predate technological advances - such as hand-held Internet access and access to services, social networking and big data, as well as new business models such as cloud computing - are inadequate and ineffective to meet the challenges of the digital economy. Third, there is the rapidly developing case law of the Court of Justice in relation to the protection of personal data. Finally, the need for more consistent interpretation and application of general data protection rules across the EU pointed towards the need for a more detailed, directly applicable regulation rather than a directive.
From the outset, Ireland supported the broad thrust of the European Commission’s reform proposals, which sought to ensure that data protection rights and safeguards kept pace with developing technologies and new business models. Otherwise, there would be insufficient citizen and consumer trust in the digital economy and its innovation, growth and jobs potential would not be realised. Broadly speaking, both the regulation and the directive seek to strengthen the data protection rights of individuals - referred to as data subjects - and to specify in more detail than at present the obligations placed on entities in the public and private sectors that process personal data, known as data controllers and data processors.
More concretely, both instruments place increased emphasis on the following. First is transparency. The regulation states that personal data must be processed lawfully, fairly and in a transparent manner. Information must be provided to data subjects in a concise, intelligible and easily accessible form, using clear and plain language. The current access request fee of €6.35 will be abolished. Second, there is also an emphasis on accountability. Both the regulation and directive make it clear that data controllers shall be responsible for, and be able to demonstrate compliance with, data protection standards. Data controllers must have written arrangements with any data processors acting on their behalf. Third, there is an emphasis on security. Personal data must be processed in a manner that ensures appropriate security standards, that is to say, technical and organisational measures must be put in place to ensure a level of security appropriate to the risks involved. In future, all data breaches must be reported to the Data Protection Commission.
I will turn now to the general scheme of the Data Protection Bill 2017. As already mentioned, we are faced with a generally applicable data protection regulation which sets out data subject rights and controller obligations with limited flexibility for the member states, and a directive that focuses specifically on the law enforcement and criminal justice area. The broad objectives of the Bill, therefore, are as follows. First, it aims to give further effect in national law to the regulation where permitted by the regulation. Second, it aims to transpose the directive into national law. Third, it aims to establish a Data Protection Commission to replace the Data Protection Commissioner and to equip that commission with the mechanisms required to perform its tasks and exercise its powers in an effective manner.
Part 1 contains a number of standard provisions. With regard to repeal of existing data protection law as set out in the Data Protection Acts 1988 and 2003, the matter is still under consideration. While the regulation and directive will largely supersede these Acts, a potential difficulty arises from the fact that Article 2.2 of the regulation specifies that its provisions do not apply to the processing of personal data in the course of an activity that falls outside the scope of EU law. Recital 16 makes it clear that such activities include national security.
On Part 2, the entry into force of the regulation and this Bill, when drafted and enacted, in May 2018, will have significant implications for the workload of the Data Protection Commissioner. The workload is likely to increase, and investigations will become more complex, especially those with cross-border aspects. Both the regulation and the directive confer a broader range of tasks and powers, including investigative powers, corrective powers, authorisation and advisory powers, on the commissioner. In preparation for the coming into force of the regulation and directive in 2018, the resources of the Office of the Data Protection Commissioner have been increased to €7.526 million for 2017, up from €1.9 million in 2014. The additional funding has facilitated the recruitment of additional staff, including legal, technical and investigative experts. It is expected that the office will have almost 100 staff by the end of this year. The issue of any further resource requirements for 2018 will be considered in the context of the Estimates for 2018.
Part 2 contains proposals that will establish a Data Protection Commission to replace the Data Protection Commissioner. Head 9 provides that the commission will consist of at least one member and not more than three members. This means that the appointment of additional commissioners in response to an increased future workload will be possible without the need for amending legislation. To be clear, this does not represent an immediate change but will permit further appointments if needed in the future as a result of increasing workloads. Commissioners are required to have the qualifications, experience and skills needed to perform the duties and exercise the powers of the commission. The opportunity is also being taken to update the funding and financial control mechanisms applicable to the commission in order to underpin the complete independence that the commissioner already enjoys under current law.
The regulation contains what has become known as a one-stop-shop mechanism that is intended to streamline the handling of alleged infringements of data protection standards across the EU. It is based on the concept of a lead supervisory authority, that is the data protection authority of the member state in which an entity’s main establishment, or indeed only establishment, within the EU is located. It means that where a data controller’s main, or only, EU establishment is located in this jurisdiction, all complaints relating to that controller’s data processing activities that are not exclusively local in nature must be investigated by the Data Protection Commission irrespective of the member state of origin of the complaint. The commission may request mutual assistance from the supervisory authorities of other member states for investigation purposes. However, the decision as to whether or not an infringement has occurred, or is occurring, will, in the first instance at least, be that of the commission. Committee members will immediately appreciate the significance of this in light of the large number of international ICT companies with their EU headquarters located in this jurisdiction.
Before arriving at any final decision in such cross-border cases, the commission will be required to submit a draft decision to the so-called “consistency mechanism”. In practice, this means that any proposed action arising from an investigation or inquiry must be circulated to other relevant supervisory authorities for their views. The commission will then be required to have regard to any objections received from them and if there are any remaining objections to the proposed course of action, the commission will be required to trigger referral of the case to the European Data Protection Board for further consideration. The board, which will comprise representatives of all supervisory authorities across the EU, will consider outstanding issues and may then take a binding decision by majority vote. Any binding decisions of the board may be appealed to the Court of Justice in Luxembourg.
The data protection regulation is somewhat unusual in so far as it provides a certain margin of flexibility for member states, especially in respect of data processing activities undertaken by their public sectors. That gives rise to the need for implementing national law.
Part 3 seeks, therefore, to give further effect in national law to various articles of the regulation that allow a margin of flexibility. Head 16, which is blank for the present while awaiting a specific Government decision on the matter, will provide for the digital age of consent. Article 8 of the regulation requires the holder of parental authority to consent to the provision of information society services to a child under 17. However, member states may provide by law for a lower age as long as it is no lower than 13 years. Following completion of a consultation process, it is expected that the Government will take a decision in respect of the age threshold that will apply in this jurisdiction in the coming weeks.
Head 17 makes provision for the making of regulations permitting the processing of sensitive personal data for reasons of substantial public interest. A similar provision is found in section 2B(1)(xi) of the 1988 Act, as amended. Head 19 makes provision for the processing of personal data relating to criminal convictions and offences for specified purposes. Such processing must be subject to appropriate safeguards for the rights and freedoms of the individuals concerned. Head 20 provides for the making of regulations to restrict the exercise of data subject rights in order to safeguard important objectives of general public interest as permitted under Article 23 of the regulation. This would, for example, be used to protect investigations of alleged professional misconduct or incompetence from access requests for the duration of the investigation. Any such restrictions must, however, respect the essence of the individual’s fundamental rights and be a necessary and proportionate measure in a democratic society.
Head 23 makes provision, exceptionally, for the possible imposition of administrative fines on public authorities and bodies when acting as undertakings. This will help to ensure fairness in cases in which both public and private bodies are providing similar goods and services. Head 24 seeks to give effect to Article 85 of the regulation, which recognises that it is a matter for member state law to reconcile the right to the protection of personal data with the right to freedom of expression and information, both of which are rights included in the EU Charter of Fundamental Rights. In recognition of potential conflicts between these rights in specific cases, subhead 3 will permit the Data Protection Commissioner to refer any question of law to the High Court for determination.
Before moving on, I should also say that the regulation requires that all public authorities and bodies must designate a data protection officer, DPO. The DPO, who will act as a contact point for data subjects and the Data Protection Commission, must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. He or she must be given the resources required to act in an effective and independent manner, free from conflicts of interest and will report directly to the highest management level of the public authority or body concerned.
Part 4 seeks to give effect to the data protection directive. As outlined in head 27, it applies to the processing of personal data by a competent authority for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Competent body is defined in head 26 as a public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or any other entity authorised by national law to exercise public authority and public powers for the same purposes.
It should be noted that certain public authorities and bodies will be subject to both the regulation and the directive depending on the processing concerned. In the case of a local authority, for example, routine data processing activities such as payroll, human resources and so forth will be subject to the rules of the regulation, while data processing in the context of the prosecution of offences under the Fire Services Act will be subject to the directive’s rules. Similarly, prosecution activities of other bodies such as the Health and Safety Authority will fall under the directive’s rules.
Many of the data subject rights and data controller obligations in the directive are broadly similar to those in the regulation. However, as regards the former, the grounds for non-compliance with a data subject request for access to personal data or for rectification, erasure or restriction of processing, which are set out in head 37 are, as might be expected, more extensive. These provisions give effect to Articles 13.3, 15 and 16.4 of the directive. However, where head 37 applies, an individual may instead seek verification or review of the lawfulness of any processing by the commission. The commission will, in due course, inform the individual that verification or review has taken place and inform the individual concerned of his or her right to a judicial remedy.
In Chapter 3, head 40 imposes a risk-based approach on competent authorities. This means that each such authority must adopt and implement appropriate technical and organisational measures in order to ensure and be able to demonstrate compliance with the directive’s data protection standards. Obligations to carry out data protection impact assessments, report data breaches, engage in consultation with the Data Protection Commission and designate a DPO are also contained in this chapter.
Chapter 4 contains provisions governing the transfer of personal data to third countries, while Chapter 5 makes provision for remedies, liability and penalties. In accordance with Article 56 of the directive, head 58 clarifies that a person who suffers material or non-material damage because of data processing that infringes data protection law may seek compensation for the damage or distress suffered. This extension of liability to non-material damage under the directive is significant and is broadly similar to that in Article 80 of the regulation. Chapter 6 contains provisions that specify the tasks and powers of the Data Protection Commission. In particular, head 61 proposes to confer a range of corrective powers on the commission.
Part 5 contains provisions governing the exercise by the Data Protection Commission of its supervision and enforcement powers. Some powers are carried over from the current Acts, for example, the information and enforcement notices, while others are new, for example, the power to seek a High Court order to suspend or restrict data processing or data transfers to a third country or the power to require submission of a report. Both the regulation and the directive require that the exercise by supervisory authorities of their powers be subject to appropriate procedural safeguards, including judicial review and due process. A number of safeguards, therefore, have been included in this part. First, the investigative functions under heads 74 to 76 and the adjudicative functions under heads 77 and 78 of the commission will be structured and managed separately. This is in line with Article 6 case law of the European Court of Human Rights. Second, provision is being made not only for appeals against administrative fines, under head 79, but for confirmation of fines by the Circuit Court in the event that they have not been appealed, as per head 80. In the latter case, the role of the court will be to confirm that due process has been observed.
Moving on to Part 6, without prejudice to the right to lodge a complaint with a supervisory authority, both the regulation and the directive require that data subjects have the right to an effective judicial remedy. Provision for this is made in head 91. Recourse to the courts is necessary in any event in those cases in which a data subject claims compensation for material or non-material damage suffered as a result of a breach of data protection law. Head 90 makes provision for the appointment of a supervisory authority to supervise the processing activities of courts when acting in their judicial capacity. Article 8 of the Charter of Fundamental Rights provides that compliance with its rules shall be subject to control by an independent authority.
Before concluding, I should say that there have been extensive consultations with Departments, public authorities, representative bodies and the Data Protection Commissioner during preparation of the general scheme of the Bill. However, a number of policy issues are still under review and consultations with the European Commission, the Attorney General’s Office and the Data Protection Commissioner are continuing. These relate to matters such as compensation claims, processing of conviction-related data and other sensitive data, and direct marketing activity by those seeking election to political office. Nevertheless, in view of the very tight timeframe in which we are working, it has been necessary to proceed with the general scheme in advance of final resolution of these issues. The intention is to publish the Bill in the autumn, which will allow sufficient time for detailed consideration of its contents prior to enactment.
Implementation of updated EU data protection standards involves a complex interplay between the data protection regulation which has direct effect but which allows, at the same time, a margin of flexibility for member states, and a directive which must be transposed into national law. The future decision-making role of the European Data Protection Board and the evolving case law of the European Court of Justice will help to ensure that data protection will remain an active and challenging area of law in the years ahead. I hope that I have provided the committee with some clarity on the content of the Bill and the background to it. We are happy to respond to any questions that members may have and I thank them for their attention.