I thank the Chairman. I will not read through my statement which I realise is quite lengthy but will instead highlight some of the salient points.
Data protection law will become extremely complex in the next few years. Currently, we have one single data protection Bill, with a general data protection regulation, GDPR, which is to apply to the State from May next year and to which, with the data protection directive, we will see further layers of complexity being added. In addition, we will have a residual domestic regime and many other items of legislation coming through the system, as well as the privacy regulation. Rules may also come from the European Union about foreign and security policy. One of the key points to make is that data protection is no longer being settled at a legislative level. There are many rulings coming from the European Court of Justice. They will change significantly what data protection is and this will have a big implication for the State also.
I make five submissions on the five headline comments, namely, the role of the Data Protection Commissioner; whether the existing Data Protection Acts should be repealed, replaced or amended; the role of identification services under the general data protection regulation, GDPR; the role of the Oireachtas under the GDPR; and damages.
I will make some submissions on the role of the Office of the Data Protection Commissioner. The main point to take into account is under existing law that the Data Protection Commissioner is fully independent. It is important to realise the European Commission has prosecuted Austria, Germany and Hungary for failing to have a properly independent data protection commissioner. We can assume from this that it has examined intensively the independence of the Data Protection Commissioner and is satisfied that she is independent in accordance with the current law. However, I have some queries about the legislation. One issue I wish to flag is the delegation of functions under the Civil Service Acts. In terms of what is happening, many of the Irish drafting conventions provide for issues such as the delegation of Ministers' functions to the Data Protection Commissioner; but that is open to being misconstrued. Perhaps the phraseology should be "... should delegate the functions". There are a few such technical changes. Somebody who is well versed in the Civil Service Acts and the way civil servants are controlled and disciplined by the State understands the importance of the independence of staff not being interfered with, but it would be wise to change the drafting to ensure there would be no appearance of bias in that regard.
Depending on how the Data Protection Commissioner uses her office, she may not need a seal. It is adding a layer of bureaucracy to the process that may not be needed.
The provision in the Bill dealing with the prohibition on the unauthorised disclosure of information is very good. It is a clever provision. On the other hand, I question whether we need to insert "gateways" to ensure the Data Protection Commissioner will be able to properly share information with other public bodies such as the Garda if it wants to bring a prosecution, the Director of Corporate Enforcement and so on.
I make a detailed submission on the imposition of fines on public authorities. I am aware that it has been controversial, but the Data Protection Commissioner is strongly of the view that she should have powers to impose fines on public authorities. I have sympathy for that view. On the other hand, one needs to question whether the imposition of a fine is an effective deterrent for a public authority because if we think about it, both the Data Protection Commissioner's office and the public authority are funded by the State. If the commissioner imposes a fine, it will go back into the general fund from where the money for the public body came. Essentially, all we are doing is creating a circular transaction. An issue I have with it is that it detracts from the real deterrence for public bodies which is twofold. One concerns claims for damages. They may be sued by a member of the public. The other major concern for public bodies is that they may be found to be processing personal data in breach of the Data Protection Acts. They may be found to be processing personal data illegally, which will mean that any decision they have made in processing that personal data may be invalid. That is a big concern. There is limited awareness in the public sector of how significant an issue this may be in the future because if personal data are processed without a proper legal basis, under Irish law, it will be done illegally. That raises a range of issues about whether penalties can be imposed on a person on the basis of personal date possibly being processed illegally.
Another point I discuss in some detail concerns the possible repeal of the existing Acts. This is a very interesting question. I agree with the Data Protection Commissioner that “... a patchwork presentation of the new Irish law in the form of a 2018 amendment Act rather than a completely new stand-alone Act does not create the impression of a new, modernised regime”. That is correct. On the other hand, my concern about repealing the old Acts in their entirety is that they deal with the processing of personal data for national security purposes. We are very fortunate in Ireland that we do not need to engage in much processing for that purpose.
My concern about the repeal and replacement of the legislation relates to timing. The Data Protection Bill has to be on the Statute Book by May next year. It is an enormous item of legislation. As members know, these are just the heads. There is an absence of detail which will be added by the Parliamentary Counsel. If we were to try to do these two things at the same time, namely, set out the residual regime which potentially is still significant and the new GDPR regime, I question whether the Oireachtas would be able to allocate the proper length of time to debate the legislation. That is the reality.
Could the Parliamentary Counsel deal with this issue and, for example, leave what one might term the rump regime in order that we would have an entirely new Data Protection Act? We would leave behind the rump regime in order that the State could return to it at some stage in the future and deal with the residual regime. In reality, there are very small areas of processing in Irish life that would be subject to the rump regime, but I understand we need a residual regime in that regard. I agree that it does not give the right impression by phrasing the new data protection Bill as a sequence of amendments to the existing Data Protection Acts. It would be better from the point of view of perception and for people who have to deal with this legislation on a day to day basis to have an entirely new data protection Bill. I hope that could be dealt with as a drafting issue.
The next issue might be the most controversial. It concerns identification services. Many queries have been raised about the processing by the State of identification data. The reality is that under the GDPR such data will have to be processed. Social media providers and persons engaged in profiling will have to be able to distinguish between children and adults. That is a legal obligation. They are subject to onerous fines and open potentially to very serious claims for damages if they process the data of children where they are not supposed to do so. Social media providers, fintech firms and so on will have to be able to identify who is and is not a child. This raises the question of who will be involved in the identification. Essentially, there are two choices. The default position is that that identification will be made by the market. The market will provide a solution and it is already doing so. I would prefer, however, if that was not the solution. I would prefer if the State provided a solution. As a public servant, I have a bias towards the public sector, but it is better to have the Government providing the identification service. Where there is access to remedies, fair procedures and rights and the ability to see clearly what is happening with my data, it would be better if the State was providing that service.
The important point is that the GDPR will require identification services to be provided. There is no avoiding it. The question is who will provide them. If a decision is taken that the State will not provide them in the future - the State is not in a position to provide them at present - there is the default position and we will have to use social media or some specialist provider to provide identification services.
I do not believe that is good, but that is my opinion.
On the role of the Oireachtas under the GDPR, I wish to flag a couple of points. One is that it is going to take into account the fact that the Data Protection Commissioner will have a significant role in the future. The commission will have to be consulted on data processing and the legislative amendments that provide for the processing of personal data. That will significantly increase the workload of the commissioner. I suggest some mechanism to take into account these submissions. Given the level of data processing one will see in the State in the coming years across a range of functions, one must ascertain whether it is appropriate to continue in an ad hoc way? Should some framework be set out in order that one can consult in early course? Obviously, it is highly desirable for the State and the Oireachtas to consult the Data Protection Commissioner as early as possible in order that issues can be identified and dealt with.
The second point I wish to make is about the legal basis. There is a rather technical debate under way on the extent to which one needs a legal basis and how far it goes. As I said, I can leave that issue to one side. I made submissions to the Oireachtas Joint Committee on Public Expenditure and Reform which has referred the matter to the Oireachtas legal service, but there is a significant point of discussion about the extent to which, if the State is to process personal data, that needs to be called out in legislation. I suggest it may be dealt with to some extent in legislation. Certainly, one could bring forward amendments. One could have an amendment that would enable a Minister or another relevant body to make regulations setting out the criteria the GDPR required a law to display. It could require that laws providing for the processing of personal data identify factors such as the purpose of the processing and the retention period. If the Minister were to take the view that an existing provision that allowed for the processing of personal data such as in the payment of a grant were not sufficiently detailed to meet our obligations under the GDPR, a power would then be granted to make regulations setting out the detail required. That might be useful. There was a discussion the last day about whether one needed to make a specific provision in the GDPR for the award of damages. I am not sure one does. It is a drafting issue. I personally do not believe a specific provision is needed for the award of damages. The GDPR plainly provides for the award of material and non-material damages. I understand the preference at European level is that unless we definitely need to make an adaptation of national legislation, we should not do so. I do not see the need to make that amendment now. The provision in the GDPR that may allow for the taking of class actions and the bringing of actions for damages before the courts is very interesting. It is very significant, given the nature of data processing. The data processing system processes everyone's data in the same way. What would occur in compliance with the GDPR in the case of one person would occur in the cases of a large number. One of the key issues the GDPR does appear to address is whether one can bring class actions. It states one can bring group actions where provided for by member state law. As members know, Irish member state law does not provide for class actions. It does cover representative actions. Certainly, on the basis of discussions with my legal colleagues, I believe there would be no surprise if people were to seek to bring class actions or rely on this provision. It is only the Irish rules of court that prevent class actions from being taken. There is an argument made that these rules of court should be adapted to allow for class actions. This poses the question as to whether it would be appropriate. If one believes it is, how would one manage them? That is very significant.
People become very focused on the issue of penalties. The penalties are not as important. There are two points to be considered in this regard. With regard to the public sector, the main point concerns the illegality. It will be very difficult for the public sector to operate. If it processes personal data in breach of the GDPR, it will have a big problem with illegality. Many of its functions will have to be stopped until it can process personal data legally. The second point concerns damages which are a very real prospect and a very real deterrent. Obviously, data subjects who can claim damages will obviously prefer to get damages directly into their pockets rather than have fines awarded. The imposition of a fine on a public body or private sector entity may give a subject some satisfaction, but the award of damages will obviously give them money. Being what they are, people would prefer to opt for the money, not the satisfaction attached to the imposition of a fine. If anything is to change in the enforcement and status of data protection law in Ireland, it is the latter point on damages. It is very significant and will have a significant impact on budgets. If a public body makes an error in the processing of personal data and faces a large claim for damages, it is a problem. As we know, the State has faced very significant claims for damages, amounting to hundreds of millions of euro. There is a great danger that if it does not get the processing of personal data right, it could face similar claims for damages in the future.