Data Protection Package: Discussion with the Office of the Data Protection Commissioner

In this part of our meeting we will have a discussion on the data protection package. I welcome Mr. Billy Hawkes, Data Protection Commissioner, and Mr. John O'Dwyer, deputy commissioner, and thank them for attending. They are invited to make an opening statement of about five minutes in duration, which will be followed by a question and answer session with members.

Witnesses are protected by absolute privilege in respect of their evidence to the joint committee. However, if they are directed by it to cease giving evidence on a particular matter and continue to do so, they are entitled thereafter only to qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against a person or an entity by name or in such a way as to make him, her or it identifiable.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable.

I invite Mr. Hawkes to make his contribution.

Mr. Billy Hawkes

I thank the joint committee for inviting me to address it on the data protection package being negotiated at EU level. Members have already heard from the Minister for Justice and Equality, Deputy Alan Shatter, on the main features of the legislative package and the considerable progress achieved by him and his officials during the Irish Presidency of the Council of Ministers. Whether this progress will be sufficient to have the proposals approved by the Council and the European Parliament in advance of next year's European elections remains uncertain.

Data protection has become an increasingly important issue in the European Union following the entry into force of the Lisbon treaty. The draft regulation, as put forward by the Commission, reflects the increased importance in a number of ways. It accepts that the core principles set out in the 1995 data protection directive remain sound but need to be strengthened and updated in order to better protect the individual right to data protection and make clear to organisations the heavy obligations they take on when they gather and possess the personal information of individuals.

The regulation also addresses the importance of uniform application of the law within the European Union, not least in order to ensure the free movement of data. The individual right to protection of personal data that each of us enjoys is rightly at the heart of the Commission's proposals. Regarding the somewhat bewildering online world, the regulation insists on the need for much greater transparency about what information is being collected from us and how it is being used. As is appropriate for what is now a fundamental individual right, the proposals aim to give each of us greater control over what happens to our data and the related rights to have the minimum data collected, to have access to our data and to have it corrected, if necessary.

Let me turn to issues of direct relevance to data protection authorities such as mine. The proposed one-stop shop for multinational companies, be they European or non-European, is the subject of significant discussion. The idea of having a single regulator responsible for oversight of a multinational company is obviously attractive for companies. Our experience of dealing with multinational companies here suggests it makes sense for a regulator to become very familiar with the business of a particular company, knowing its data protection policies inside out and ensuring these are in compliance with the law. If the concept is to be acceptable, it is essential that all data protection authorities be willing to rely on the relevant data protection authority to vindicate the rights of all EU citizens, not just those of its own member state.

For this, it will be essential that the proposed “consistency mechanism” work as intended to ensure uniform application of the law.

This issue is of particular importance to us in Ireland for two reasons. First, many companies providing services for Irish residents, for example, telecommunications and banking services, are European multinationals based in other EU member states. Under the proposed regulation, oversight of their data protection practices would in future be primarily the responsibility of the data protection authority where they have their main establishment. Second, many non-EU multinationals, especially US multinationals, have chosen Ireland as a base from which to provide services throughout the European Union. Under the proposed regulation, oversight of their data processing activities would mainly be the responsibility of our office.

It will be essential that data protection authorities have the resources necessary to carry out their broader European oversight responsibilities. This is a key issue for us owing to the large number of multinational companies handling personal data that have substantial operations in Ireland. The Minister for Justice and Equality, Deputy Alan Shatter, has responded by providing additional staff and funding for our office and given a commitment to keep the resourcing of the office actively under review to ensure additional necessary resources will be made available.

I am sure companies will welcome the removal of most routine notification or registration requirements. This is in exchange for a very strong focus on the responsibility placed on organisations to show to customers and regulators that they are willing to be accountable and demonstrate this through privacy impact assessments, a privacy by design approach, allocating sufficient resources to deal with privacy issues and notifying data breaches when they occur.

It has long been a complaint from those concerned with data protection that data protection authorities do not have the teeth to enforce the rights of individuals. It has often been put to me that when cold commercial decisions have to be made on issues such as marketing, the bottom line question is what it is going to cost companies if they do not comply. The answer - €1 million or 2% of worldwide turnover - should cause even the most hardened CEO to have second thoughts about taking risks in this area.

It is important, of course, that such powers be used sparingly so as not to discourage organisations from seeking guidance from data protection authorities. In our office we always make it clear that we prefer to help companies to comply rather than have to deal with the consequences of non-compliance. For the same reason, we have always asked that we be consulted on new laws in order that we can ensure due account is taken of data protection when issues such as data sharing are being considered. While I am sure companies will be happy with the less prescriptive approach taken in relation to advance notification of processing, they will need to realise that this shifts responsibility squarely onto them, which is where it properly lies. The regulation is clear that failure to live up to these responsibilities will attract heavy penalties.

Of course, there are points that may need to be further clarified as the package goes through the legislative process. There has already been much debate, for example, on issues such as the definition of personal data and the restrictions on the use of consent. The issue of international transfers of personal data has also recently been to the fore.

I will now deal briefly with the draft directive dealing with law enforcement which is part of the legislative package. A harmonised set of basic rules applying to the activities of police forces across the European Union has much to commend it. We must also acknowledge that some exemptions from data protection requirements are necessary to permit the police to do its work in the public interest. This is already reflected in the exemptions granted to An Garda Síochána in our own data protection legislation which otherwise fully applies to the area of law enforcement. Getting data protection law right is important in order to give concrete expression to the right to protection of our personal data and to do so in a way that does not inhibit innovation in the rapidly changing Internet world in which we live.

I hope these comments are of assistance to the committee. I am very happy to answer questions members may have.

I thank Mr. Hawkes for his very informative presentation. I have a number of short questions. Does he foresee any data protection issue arising in the context of the use of biometric passports? How can data on European citizens be protected at a European level from digital fraud and theft?

Mr. Hawkes referred to the controversy over the level of surveillance of European citizens by intelligence services. I understand officials from the European Commission recently met US diplomats to discuss this issue. However, it is not solely a matter for the United States, as there are other countries involved, too. At the recent Dublin summit MEPs were almost unanimous in expressing their concern that data harvesting had been conducted on EU citizens who were not involved in any criminal activity. Does the Data Protection Commissioner have views or observations on these issues in the context of EU law?

Mr. Billy Hawkes

I thank the Deputy for his very pertinent questions. On the question regarding biometric passports, the collection of biometric identifiers is an important issue in the context of data protection. It comes down to the core issue of the extent to which the State is entitled to demand personal data from us in order to pursue or ensure a particular public interest. In the case of passports, the argument for using biometric data is to improve the quality of passports in terms of avoiding people presenting false passports or tampering with them. There have been some well-documented cases of Irish passports being misused in different contexts. This is particularly important in the context of preventing people from crossing borders to commit crime or engage in terrorist activity. There is an obvious wish to try to ensure, as far as possible, that the document presented by an individual is genuine and is not being used by someone to cross a border to commit a serious crime, in the worst case scenario, or, in other cases, to evade legitimate immigration controls. There is a proposal in the draft regulation to treat biometric data as sensitive personal data deserving of special protection. That is something which many of us would support.

The second question posed by the Deputy relates to digital fraud and the very legitimate concerns about the amount of fraud and crime being committed, particularly on the Internet. It is an area in which there is a constant struggle between increasingly sophisticated criminals and our much put-upon law enforcement authorities. The international effort to combat such crime is underpinned by the Convention on Cybercrime which quite a number of EU member states have ratified, although I gather it is still under consideration by Ireland. Crucially, it involves an effort to combat some of the most sophisticated criminals operating and to provide law enforcement authorities with the tools required to deal with such crime, but to do so in a way that does not interfere excessively with the rest of us who are not committing crimes on the Internet.

To some extent, this issue relates to the Deputy's third question about the mass surveillance of individuals in the pursuit of law enforcement and anti-terrorism objectives. While that issue has arisen most recently in the context of US Government activity in this area, it is important to remember that it is also very much a European issue. There is, for example, at European level, a data retention directive to which each member state has been obliged to give effect. It obliges all telecommunications companies to retain details of mobile phone calls and their location.

The purpose of this retention is to permit law enforcement authorities to have access to such information when they are pursuing crime. Obviously, there have been some examples in Ireland where the Garda Síochána has successfully prosecuted people based on information obtained on the location of a person when an alleged crime was committed. It is an issue that is being dealt with as a political issue between the European Union and the United States.

There is a question about achieving a proper balance between the right of the majority who do not commit any crime to have their privacy respected and, on the other hand, the challenges facing governments and the pressures on them from their citizens to protect them from terrorists who use the Internet to communicate for nefarious purposes. Where that balance should lie is an issue of much concern to us in Europe, as the data retention directive shows, as it is to the United States. This is quite apart from the well known fact that European intelligence agencies engage in similar practices to those revealed in the United States. From a strictly data protection point of view, it concerns the issue of access by law enforcement authorities or intelligence services to the data of the innocent majority versus the public value of protecting us from terrorism. I do not come to the committee with any solution in this regard. It is essentially a political discussion about where that balance should lie. It is for parliaments to make this decision. The committee will have observed the ongoing extensive discussion in the United States on where the proper balance should lie within its system.

In the case of the data retention directive, there are challenges, including one from Ireland, to the European Court of Justice about the proportionality of the measure. Those of us concerned with data protection hope the recent revelation on the US side will lead to greater public and parliamentary consciousness that there is an issue to be dealt with and a balance to be struck between competing public interests. Many of us consider the balance is being struck on the wrong side of the line in protecting individuals. Ultimately, this is an issue for governments and parliaments to resolve in the interests of their citizens.

I thank Mr. Hawkes for his thorough overview of the directives. What is the likely timeline for the adoption of the package and its implementation into Irish law?

In the context of the surveillance carried out by the United States and EU member states, I am concerned by two aspects of the right to privacy. The first is the right to be forgotten, the right to demand the deletion of data. The proposed regulation states, “controllers have to take reasonable steps to delete data, taking into account available technology and the means available to the controller”. Is this adequately enforceable?

The second aspect is that of consent, a thorny issue. In the new regulation the Commission states that whenever consent is required for data processing, it will have to be given explicitly rather than be assumed. Again, that sounds good, but, in the context of the surveillance we now know about, how is that a real proposition? How can we have confidence that consent would be required in that way?

Mr. Billy Hawkes

The timescale for implementation is in the lap of the political gods. The objective is to have the legislative package approved by next May when the European Parliament elections will take place. The Deputy will be aware from the address by the Minister for Justice and Equality, Deputy Alan Shatter, of the efforts he deployed during the Irish EU Presidency to push the package through and significant progress was made. I am assured by those who know the system, including my colleague Mr. O'Dwyer, the deputy commissioner, who is just back from Brussels, that the challenge of getting this through purely on technical grounds by next May is significant. It will require a significant political push both in the Council of Ministers and the European Parliament to get the package through, taking into account the significant differences that still remain on key issues about the package.

It has always been recognised that the so-called “right to be forgotten” is a slogan. Giving it concrete expression is more challenging. The concept is understood as the idea, particularly in the world of the Internet, that one should have some sense of control over information on oneself. In concrete terms, what this boils down to is, first, a requirement on organisations to limit the collection of data. Clearly, there is written into the regulation, as there is in existing law, an obligation to only collect information that is necessary to deliver a service.

A second issue concerns the retention of data. In other words, one should only retain personal data for as long as is necessary to achieve the purpose for which it was collected in the first place. The third issue concerns the right to request the deletion of data where one believes there is no reason to hold on to it. As the Minister made clear in his presentation, much as one would like it, one does not have the right to have one’s criminal record erased. It will not go that far. However, the Oireachtas will be considering spent convictions legislation which has the objective of giving people the chance to move on after they have met their debt to society. In practice, once one is reported in a newspaper, there will always be a record of what one may have done. The challenges in this area are significant.

A particular challenge is presented by the idea that where the data were originally collected by one organisation but have been replicated across the Internet, how far can one realistically expect action to be taken to delete all traces of them. It is a difficult challenge. Within data protection law it is about maintaining the existing principles of minimising the collection of data, deleting the data when they are no longer required and then making reasonable efforts to respond to requests for deletion of data both by the original organisation and where they may have been replaced.

The concept in Europe is that we have the right to control the collection of our personal data. The issue of consent goes to the heart of the fact that data protection is a fundamental right. What it means in different contexts is a difficult issue. On the one hand, one wants to have the right respected by giving us full control over what data are collected and used in important issues. On the other, there are other cases where, if one insisted on data protection being used in dealing with Internet advertising or website pop-ups that occur every second, data protection would become more unpopular than it already is in some circles. There is a balance to be struck in this regard, recognising that there are other interests involved. For example, the State has a right to collect information on one’s income, regardless of whether one likes it. Accordingly, there is no issue of consent when dealing with the Revenue Commissioners.

There is an increasing tendency for the State to insist on its right to access data. That is a balance issue for parliamentarians rather than for me to consider. It is a difficult issue.

The new resolution maintains the idea that consent is a very important legal basis but not the only one. It also maintains that there can be a legitimising of data collection when there is a public interest involved, as when the law lays down that one must give details of one's income to the Revenue Commissioners, one must give relevant details to the State if one seeks means-tested benefits, etc. Although it is controversial, there is also a recognition in the new law, as there was in the existing directive, that an organisation can also assert that it has a legitimate interest in using one's information to pursue its own commercial interests, but there is a balancing test, so the legitimate interests of an organisation are balanced against one's right to data protection.

Stepping back from the details of the law, data protection has always been a set of principles to be applied in particular contexts. That situation will not change, although we are now dealing with the regulation that is to be applied uniformly across the EU. There will still be large areas for interpretation and for how the law should be applied in particular contexts, which will mean that my successors and I will continue to be in work for some time to come.

Is Senator Bacik happy enough?

I thank Mr. Hawkes and the Chairman. There are concerns about the potential transfer of data between the EU and the US and other third countries given that the data protection frameworks in those countries might have less protection or fewer rights. Could Mr. Hawkes elaborate on some of the concerns that have been aired? The Irish Congress of Trade Unions, ICTU, has expressed concerns on the rights of workers and the exchange of data between employers. In its document it refers to the right to establish a workplace data protection committee. There are issues such as the analysis of social media data and the use of GPS to see where workers are. Some of that may be legitimate and some may not. ICTU has a very serious concern about the use of automated data in profiling for employment. What are Mr. Hawkes's thoughts on those matters?

Mr. Billy Hawkes

On the issue of international transfer of personal data, the EU asserts that it has stronger data protection than any other region of the world. Arising from that, it asserts the right to insist that when the data of European citizens is transferred outside the EU it should continue to be protected. Various mechanisms are provided in both the existing law and the planned law to provide for that. There is a balance to be struck in this area because, again, in the Internet world in which we operate our data tends to flow all around the place. At one moment it could be in a data centre in Ireland but ten seconds later it could be in a data centre in Japan or the US.

This issue has come very much to the fore regarding the issue Deputy Seán Kenny raised, because in recognition of the significant economic relationship between the EU and the US, a special deal was done when the original data protection directive entered into force, called safe harbour. This provides that the EU will recognise that data transferred to the US is adequately protected if the company concerned signs up to the safe harbour principles, which are essentially EU data protection principles. By doing that they bring themselves under the jurisdiction of the US Federal Trade Commission, which has very strong enforcement powers and has taken enforcement action against a number of major companies because, inter alia, they have not complied with the obligations they signed up to under safe harbour.

From an Irish perspective we recognise particularly the number of US multinationals we have here and the importance to their business that there be a free flow of data between their Irish subsidiaries and US headquarters, balanced against the rights of Irish and European citizens to insist that their data be protected. From our experience the majority of companies take their responsibilities under safe harbour very seriously. Signing up to safe harbour involves a careful examination of a company's data protection practices across its different activities and subsidiaries. For those companies that treat it seriously it is a demanding issue for them. In general we find the US multinationals we deal with have a very strong approach to compliance and their obligations under safe harbour.

Whereas there is pressure on the safe harbour system because of the fact of access by US intelligence and law enforcement to some data, there is the opposite economic argument in terms of free flow of data. The new regulation tries to maintain this balance between the need to protect the rights of European citizens when data goes outside the country - various mechanisms are proposed for that which are very similar to the existing mechanisms - and recognising that in the Internet-driven world data must flow for commercial reasons.

The two other questions related to the rights of trade union members. They are very valid points. European data protection law gives workers rights in the workplace. We are regularly involved in vindicating those rights, including in the specific areas the Deputy mentioned, particularly GPS tracking. Our website provides guidance that GPS tracking is for tracking vehicles, not individuals. In the workplace one continues to have rights under European law, so in the case of social media use, for example, it is important that workers know exactly what the limits are, whether they are not allowed to use social media and the extent of those limits.

The Deputy mentioned profiling, which the new regulation addresses specifically. There is a need to be careful about the profiling of individuals to avoid putting people into boxes where they may not belong.

I welcome Mr. Hawkes. In his presentation Mr. Hawkes spoke about data protection authorities having teeth and the example of a CEO being potentially fined €1 million. Mr. Hawkes also said he liked to work with companies. I am getting a mixed message. I am specifically zooming in because of our experience with the banking industry and the crisis that was caused by senior bankers across the EU. Is there a mixed message there? I hope it is not a question of light touch regulation for such people, because white collar crime is not taken seriously enough. If a Minister or a senior garda is proven to have passed private Garda information to someone, what action can the Commissioner take and what are the consequences?

Mr. Billy Hawkes

On the question of whether we could be accused of soft touch regulation, in Ireland we have a culture of talking to people. That translates into explaining clearly to companies and organisations what is expected of them. Data protection is a set of principles that must be applied in particular circumstances. It is not always easy to interpret those so we see it very much as part of our duty to set out our expectations to companies and organisations. We expect them to comply with them. Organisations are left in no doubt that if they do not comply we will take enforcement action. Our law does not give us direct fining powers.

It gives us the power to order organisations to stop doing things with personal data. We use this power when we believe it is justified to do so. We also have the power in certain areas to bring companies to court, for example, for spamming, and we use it extensively. I recognise the issue raised and the importance of being seen to be a firm regulator. Culturally, as an Irish person, we have a tradition of speaking to people. The Garda Síochána is not armed, which is something I am sure all committee members support. It means a different approach vis-à-vis the State and the citizen which the committee probably wants to retain.

On the passing of data, we have been involved in the issue and it is a clear breach of data protection law. We are engaged in a detailed audit of the Garda Síochána in which this issue, among others, is being considered. We continue to have a very significant focus on high standards of data protection in the Garda Síochána because of the amount of sensitive information it holds. We show this by the detailed nature of the audit we are carrying out and regularly have contact with the Garda Síochána with a view to ensuring its obligation to protect data is fully understood and respected throughout the force. We continue to insist on this as we carry out our work.

We do not have the power to fine the Garda Síochána, but we do have the power to take enforcement action, if necessary. If we were to find a blatant example which it was not correcting - this has not happened to date - we could order it to take actions with which it would have to comply. To be fair to it, at a corporate level, it understands its responsibilities in this area. We understand the challenges in having to deal with an organisation with 13,000 members and trying to get them all into line. We are most focused on getting across to the culture of the organisation that it is not in order to pass on private information outside the force.

Is Deputy Finian McGrath happy?

I know, but I mean happy with the responses.

I am not happy about the issue.

Mr. Hawkes has addressed the substance of the question I was going to ask. When the audit is completed, will he come back to the committee to give us a presentation on the outcome?

As this is the Oireachtas Joint Committee on Justice, Defence and Equality, issues of justice are very much of interest to us.

Will Mr. Hawkes explain a little more the household exemption proposal in Article 2(2)(d)? Is the Data Protection Commission working on the challenge of protecting data against the ability which has developed minute by minute to hack into various State agencies?

Mr. Billy Hawkes

The household exemption is already provided for in law and states that when one operates as a private individual in dealing with family or personal issues, data protection law, in terms of the responsibilities of an organisation to give access to data and only collect the minimum amount, should not apply. In a family circumstance one does not ask one's child whether one can take a photograph and vice versa. There are issues about its extent and how far it should go. The general view is that people operating on social networks are covered by the household exemption and, therefore, do not take on the obligations under data protection law, even though the social networks have certain obligations.

Security is a bottom line issue in data protection law and is strengthened in the new law in terms of the obligations on organisations to ensure they have the appropriate security measures in place to protect the data given to them. This is strengthened in the form of an obligation on organisations to report security breaches to regulators and the individuals affected. We already have this in Ireland, on the basis that it is compulsory for telecommunication companies under European law. As a type of soft law, we have a code of practice which states one should report such breaches to the commission and the individuals affected. It is a bottom line issue in data protection law. It is challenging because of the sophistication of those attacking information systems and it is certainly an issue on which we focus very strongly in audits.

I appreciate the need to give people a certain amount of freedom, but I am trying to get my head around the challenge to protect people's data while protecting others from them. As far as I am aware, one can establish anonymous profiles on social media networks. Is it right that this should be the case? I can see the reason for it in some jurisdictions, but in others I can see it being abused in ways we would not have foreseen. Facebook, Twitter and other sites have benefits, but there is another element which is very negative, distressing and disturbing. Has the commission explored this? Will it be affected by what is being done?

Mr. Billy Hawkes

That is a very interesting question. I know the context in which it has arisen, with the tragic cases of suicide linked with bullying activity on a particular social network which allowed anonymous use. We have been challenged because, as part of our audit of Facebook which comes under our jurisdiction, we have accepted that it is entitled to insist on a real names policy, but this approach was challenged in another member state which took the opposite view because of the right in its law to operate anonymously. I do not have a solution. All I can say is we were perfectly happy and upheld Facebook's right to insist on a real names policy and accepted its argument that it limited, somewhat at least, the potential for the bullying of people. It is a debate which will probably go on. It is not affected as such by the new regulation, except I suspect that there may at some stage be a formal ruling on whether there is a right to anonymous use of the Internet, or whether, as Facebook asserts, it is entitled as a matter of its terms and conditions to insist on a person using his or her real name.

If somebody does something unlawful under the cloak of anonymity, can he or she be tracked through GPS?

Mr. Billy Hawkes

As I understand it, in principle one can be tracked. A person cannot really operate anonymously in the sense that if a court order is directed to a social network to identify an anonymous person, it can be done. There have been many cases where this has happened. People who thought they were anonymous ceased to be anonymous and legal action was taken against them.

There is comfort in that.

Mr. Billy Hawkes

Yes.

I apologise on behalf of members who must leave, but the Dáil and the Seanad are now in session. We are in the middle of dealing with the Gambling Control Bill and last week a number of operators and interested bodies and parties came before the committee. The Remote Gambling Association spoke about how European data protection legislation prevented the sharing of personal and private information between operators. It arose with regard to gamblers wanting to self-exclude themselves from betting. Using Denmark as an example, it is the view of the organisation that the proposed office for gambling control in Ireland, or the body appointed by the regulator, would be permitted under current data protection law to collect information from operators to compile a central database.

The database could then be accessed by operators to check whether an individual had self-excluded from a competitor. The importance is obviously that if somebody has self-excluded from one operator, it is in his or her own interest not to engage with another and start gambling again. Would it be possible to do something such that, say, if I were to self-exclude from Paddy Power online, that information would be provided for a central operator and shared with all other operators? Then, if I were to decide to go to another operator, the central operator could point out that I had self-excluded from another operator and could not use its services either.

Mr. Billy Hawkes

That comes back to a point raised by Senator Ivana Bacik. Once a person consents to it, for example, by saying, "I wish to exclude myself from gambling because I have a compulsion in this area and I am happy to be excluded from all gambling sites", he or she is giving consent and there is not an issue in that regard.

Is it technically and organisationally possible for that to happen?

Mr. Billy Hawkes

I do not see why not. If I understand the question correctly, somebody who is a compulsive gambler, who wants to stop gambling and the temptation to engage in it, who essentially says, "Stop me from gambling", and who wants this to be known to all gambling sites, has given his or her consent. There is no issue from a data protection point of view, at least that I can see, in having such persons registered on a central database to which every operator would have access.

Some of the operators had a different view last week when they said they were not sure. It is useful, therefore, that this issue has been clarified for us. Mr. Hawkes might keep an eye on it because it is something we will be working on as the legislation goes through. Members are interested and the operators also wanted to engage on it, having seen it as a stumbling block. I thank Mr. Hawkes for that clarification.

On another issue, does a company have the right to demand personal data? For example, if I telephone a company to look for spare parts, can it ask for my name, address, telephone number, date of birth and so on? Can I refuse to give them? Very often one goes online and companies look for all of this information. What do they need it for?

Mr. Billy Hawkes

The basic principle of data protection is that a company should only collect the minimum information it needs to deliver a service to a person. To take the example given by the Chairman, if he rings to look for spare parts, presumably the company needs his name and address and, depending on how he pays for them, his credit card details. That should be it. Companies should make it clear that if they want other information for marketing and so on, they must ask the customer whether it is okay to give the information. Responsible websites make this clear and there will be an asterisk beside the parts one has to fill in while the rest will be optional. That is what data protection law calls for.

What are "big data"?

Mr. Billy Hawkes

"Big data" are among those buzzwords where there are large collections of data, whether in the State or the private sector. It is usually mentioned in the context of the capacity to analyse that data. For example, to take the information available from traffic cameras on the flow of cars through a city, one can analyse the data to better figure out where to build new bridges or provide traffic lights. In the case of states, there is the analysis of patterns. An example would be the big data held by the Revenue Commissioners and the Department of Social Protection, the biggest data holders in the State. This operates in analysing patterns of behaviour to detect wrong behaviour, where people might be evading tax in the case of Revenue, or where they might be defrauding the system in the case of the Department of Social Protection. That is what it means in general. Its relevance to data protection is the extent to which there should be a right to access data for other purposes, particularly when it is accessed in a way that is going to harm a person.

Let me give an example. If a person is in receipt of a social welfare payment and, separately, the Department of Social Protection, as it has a right to have, has information from the Private Security Authority that the person concerned has a licence to be a doorman, an inspector may turn up on his or her doorstep and ask why he or she is not working. It would be a fair cop if the person was, in fact, cheating the system. However, if he or she is genuinely unemployed and cannot find a job, one can imagine how he or she might feel. That is the negative side of it. Overall, "big data" is a generic term where there are large databases and there is the capacity to use them for good and evil.

I assume that if we could have Ireland as a hub for data storage, it would be of benefit to us also in EU terms. I understand that is happening, too. On another issue, what are pseudonymous data?

Mr. Billy Hawkes

They are personal data which have been made less personal by removing some of the identifying points. There are various levels of pseudonymisation. Again, it is a discussion point as to whether we can have totally anonymous data. Given the amount of data available on us in the world, people have proved that something we might think is totally anonymous can, in fact, be linked with an individual. Pseudonymous data are somewhere between anonymous, where they cannot be linked with a person, and personal, which can definitely be linked with a person. Again, it is a whole can of worms on its own.

This whole area is fascinating. "Privacy by design" are other buzzwords. What do they mean?

Mr. Billy Hawkes

It is saying that when one is developing a product or service, one should think about the privacy implications and try to build privacy protections into either the product or the service.

My question is slightly outside what we are discussing in terms of regulation of this proposal. I have been hearing a lot of talk lately about the dark net and the fact that there is another Internet running in parallel or below the Internet and to which certain individuals have access. I would have thought this would be of concern to the Data Protection Commission. Is it something it intends to look at?

Mr. Billy Hawkes

No. To be fair, the dark net is a matter for the police and outside our remit. Again, it is one of the things that can be viewed as positive or negative. As I understand it, one use of the dark net is where political activists in countries where such activity is suppressed would use it to try to operate anonymously, which one might regard as positive. The negative side is where it is used by people like child pornographers and so on to pass their data. This is very much within the area of police activity and, again, shades into the earlier discussion of what is the correct balance in the extent to which law enforcement agencies should have access to people's data. It is not an easy one.

My final question concerns the storing of information on smart cards, although I am not sure whether it comes under this package. I note that across Europe there has been a move to try to put more and more information on cards, for example, health identification, social security information and so forth. Are there guidelines on not having too much information on one card, for example, having all social security and health information on one card? What is Mr. Hawkes' view?

Mr. Billy Hawkes

Done properly and with the full consent of the person concerned, it can be very positive to have a card which facilitates access to services. Again, it is down to how it is used, what protections are in place and what degree of control there is. This is an issue that will come before the Houses by way of proposals for a new health identification card. We already have it in the public services card. It is an area in which we are actively following the issue with a view to ensuring people's rights are respected, that they have the maximum control over what is included in such a card and, in particular, that there is proper security for the data contained on such a card.

I have found this a fascinating discussion. As we talk about the dark net and so on, there are shades of "Star Trek". It is moving into a new realm which we are coming across more and more. I thank Mr. Hawkes and Mr. O'Dwyer for engaging with us. No doubt we will meet again in the not too distant future to discuss other issues.

Sitting suspended at 10.50 a.m. and resumed at 2.10 p.m.