Skip to main content
Normal View

Seanad Éireann debate -
Wednesday, 24 Apr 2002

Vol. 169 No. 21

Order of Business. - Data Protection (Amendment) Bill, 2002: Second and Subsequent Stages.

Question proposed: "That the Bill be now read a Second Time."

The primary purpose of the Bill is to give effect to the provisions of Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It may appear on the surface to be a technical measure, not least because it seeks to amend existing rather technical legislation, the Data Protection Act, 1988. While that may be so, it actually contains important provisions that will enhance the fundamental rights and freedoms of individuals in the State.

It is no exaggeration to say globalisation and the development of information systems and technologies – most notably the Internet – are having a profound impact on the way we work and live today. One dimension of this process of change is reflected in the extent to which personal data are used increasingly for commercial, leisure and learning purposes. Another is the speed and ease with which such information can be processed, passed on to others, or used for purposes for which it was never intended. This mobility of data is beneficial in many ways, but it is also true to say recent developments have once again raised fears about a possible erosion of privacy and other fundamental personal rights. What is required, therefore, is an appropriate set of safeguards that protects the privacy interests of individuals while, at the same time, facilitating the processing of personal data for legitimate and beneficial uses.

Directive 95/46 sets data protection standards across the European Union in order to ensure a consistent level of protection across member states and a set of rules that facilitates the free movement of such data in the internal market. The objective of the Bill is to transpose those standards into our domestic law.

As indicated in the Title, the Bill amends the Data Protection Act, 1988. In particular, it establishes conditions for processing personal data, including more stringent conditions in relation to sensitive personal data, and strengthens individuals' rights with regard to the processing of their data. It also extends data protection rules to certain manual data relating to living individuals recorded as part of a relevant filing system and contains a set of new rules relating to the transfer of personal data to countries and territories outside the European economic area, EEA, that is, outside the EU member states, Iceland, Norway and Liechtenstein.

A number of amendments to the 1988 Act not directly related to the directive are intended to improve the operation of the Act. The existing Data Protection Act, 1988, transposes Convention 108 of the Council of Europe into Irish law.

There are three key features of the data protection convention which establish protection for individuals with regard to their personal data, of which the first is the set of data protection principles set out in chapter II which has been transposed into our law by section 2 of the Data Protection Act, 1988. It includes the following provisions: personal data undergoing automatic processing must be obtained and processed fairly and lawfully; they must be stored for specified and legitimate purposes and not used in a way incompatible with these purposes; they must be adequate, relevant and not excessive in relation to these purposes; they must be accurate and, where necessary, kept up to date; and they must be preserved in a form that permits identification of the persons concerned for no longer than is required for the purpose for which the data are stored. Moreover, appropriate security measures must be taken to protect such data from unauthorised access and accidental loss or destruction. There are certain exemptions, subject to adequate safeguards, where, for example, the data are used for statistical, research or other scientific purposes.

Second, the convention establishes a set of safeguards for individuals with regard to their personal data. The term "data subject" is coined in the convention to mean an individual, the subject of personal data. A data subject has the right to establish the existence of personal data, a description of the data and the purposes for which they are kept. A data subject also has a right, subject to certain restrictions, of access to such data, as well as a right to rectification or erasure of the data in certain circumstances.

Third, the convention provides, in Article 10, for the establishment of appropriate sanctions and remedies for violations of the law giving effect to the principles and safeguards. While the convention does not strictly require the appoint ment of a supervisory authority, the 1988 Act made provision for a data protection commissioner with both investigatory and enforcement powers. The commissioner has the power to investigate individual complaints, but also has an important awareness raising and information role. The commissioner's enforcement powers, as set out in the 1988 Act, include the issuing of information notices, enforcement notices and prohibition notices. I am pleased to take the opportunity to express my appreciation of the work of successive data protection commissioners in vindicating the rights of data subjects with regard to the processing of their personal data and developing an awareness of data protection rules and requirements.

The question may be raised as to the reason it was considered necessary to develop a data protection instrument at European Community level when all member states were already members of the Council of Europe and had ratified the convention. The main reason was a feeling at Community level that the scope of data protection law should be widened and existing safeguards strengthened, particularly in relation to the transfer of personal data to countries without data protection safeguards.

The directive builds on the provisions of the convention but is a more extensive and detailed instrument. The additional features of the directive include the following: it extends the mandatory application of data protection rules to certain categories of manual data; it establishes a right to object to the processing of personal data in certain cases, including where the data may be processed for the purposes of direct marketing; decisions based solely on automatic processing of data that have a legal effect or impact in a significant way on a data subject are prohibited; detailed provisions are set out relating to the conditions under which personal data may be transferred to countries and territories outside the European economic area; member states are required to establish one or more independent supervisory authorities with investigative and enforcement powers; the supervisory authorities in each state are required to establish a system of "prior checking" of processing that may present specific risks to individuals' rights and freedoms; the development of codes of practice is to be encouraged and facilitated.

Towards the end of 1997 my Department launched a consultation paper in connection with the transposition of the directive into our law as part of the process of preparing the new legislation. The aim was to raise awareness of the directive's additional requirements and elicit the views of interested parties on how best to implement these provisions where member states have been given a margin of flexibility and discretion. The outcome of this consultation process was taken into account in framing the Bill before us today.

I will mention some of the areas of flexibility and discretion when I come to the detailed pro visions of the Bill. Before moving on to deal with them I want to explain the situation regarding implementation of the directive. Measures to implement it were required to be in place by October 1998, with member states having a further three years to ensure full conformity with its provisions. I very much regret that transposition of the directive has been delayed due to a combination of factors, including the consultation exercise that I outlined, pressure of other work and, not least, the complexities arising in this particular context. I understand Ireland is one of a number of member states which have experienced difficulties in this regard.

In this context, many of the directive's provisions, some of which I have outlined, have already been given legal effect in the Data Protection Act, 1988. These include key provisions such as those relating to the establishment of a supervisory authority, liability, remedies, sanctions and codes of conduct. Moreover, on 19 December last the Minister for Justice, Equality and Law Reform, Deputy O'Donoghue, signed the European Communities (Data Protection) Regulations, 2001, which gave effect to certain additional provisions of the directive included in the Bill before us today, with effect from 1 April 2002. These regulations are intended as an interim measure, pending enactment of the Bill. They deal, in particular, with an area no longer adequately covered by the provisions of the 1988 Act – transfers of personal data to countries and territories outside the European economic area. The regulations provide that such transfers may only take place where adequate standards of data protection are deemed to exist. I will mention the provisions that have entered into force by means of these regulations when I come to the sections concerned.

Turning to the detail of the Bill, I draw attention to a number of particular aspects. Section 2 amends section 1 of the 1988 Act in several important respects. First, it adds new definitions, including "automated data,""manual data" and "sensitive personal data," while replacing certain existing definitions, including "personal data" and "processing". For data protection purposes, "manual data" is defined as information recorded as part of a relevant filing system.

The term "relevant filing system" is defined as any set of information relating to individuals that is structured either by reference to individuals, or criteria relating to individuals, in such a way that specific information in relation to a particular individual is readily accessible. This means that to enjoy the cover of data protection provisions, data processed manually must comply with the following four criteria: first, the personal data must be part of a set; second, the set must be structured; third, the structure must refer to individuals or to criteria relating to individuals; and, fourth, specific information relating to a particular individual must be readily accessible. If any of these criteria are not fulfilled, the manually pro cessed data concerned will not be covered. While some might say this is an unnecessarily restrictive approach, it is consistent with the aim of the directive since the manual processing of data does not present the same risks to personal privacy as automated processing. The Department drew attention to this issue in the consultation paper and it elicited no alternative approaches to defining manual data.

The term "personal data" is defined as data relating to a living individual who is, or can be, identified either from the data, or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. It is also worth noting that the new definition of "processing" set out here is not based on technical or technological processes but encompasses a broad range of functions such as the collection, recording, storage, retrieval, etc, of data.

This section of the Bill is also important in so far as it clarifies the scope of data protection law in line with the provisions of Article 4 of the directive. It provides, as set out in a new subsection (3B) to be inserted in the 1988 Act, that the Act will apply to data controllers established in the State who process data in the context of that establishment and to data controllers who are neither established in the State nor within the European Union, but who make use of equipment located in the State for processing purposes. Section 23 of the 1988 Act is being repealed as a consequence of the new provisions. These two provisions – the addition of the new subsection (3B) and the repeal of section 23 – have been given effect in the regulations I mentioned earlier and are already in force since 1 April 2002.

In the new subsection (3C), an exemption from data protection rules is provided for in cases where data is processed solely for the purpose of historical research. This complements the exemptions already provided for in the existing subsection (4). However, while the existing subsection (4)(b) contains an exemption for personal data consisting of information that the person keeping the data is required by law to make available to the public, a new subsection (5) provides that the exemption will not apply where such data is processed for a purpose other than the purpose for which it was collected.

The collection, processing, keeping, use and disclosure of personal data is dealt with in section 3. It amends section 2 of the 1988 Act. In particular, it replaces subsection (1) with a restatement of data protection principles as enunciated in Article 6 of the directive. Exemptions from certain principles for personal data used for statistical, research or other scientific purposes are retained but may be made subject to prescribed requirements.

The text of the existing subsection (7), which deals with direct marketing, is to be replaced with a new text that will allow a person, in accordance with Article 14(b) of the directive, to request a data controller, prior to processing, not to process personal data for the purpose of direct marketing. A new subsection (8) provides that individuals must be informed of their right to object. These provisions are not intended to discourage the practice of responsible direct marketing, which is an important commercial activity, but rather to raise awareness of the right, and give individuals the opportunity, to opt out of receiving direct marketing material if they so wish.

Section 4 is a substantial provision and it inserts no less than four new sections – sections 2A to 2D – in the 1988 Act. The new section 2A deals with the processing of personal data and takes account of the provisions of Article 7 of the directive. It provides that, subject to satisfying the conditions already set out in section 2, personal data can only be processed where one of the listed conditions is satisfied.

The new section 2B deals with the processing of a new category of sensitive personal data, which is defined earlier. Processing of this data will in future be subject to more stringent conditions in accordance with Article 8 of the directive. It provides for a prohibition on the processing of such data except where, in addition to satisfying the conditions set out in sections 2 and 2A, one of an additional set of listed conditions is also met.

The new section 2C deals with the security of processing operations, as set out in Article 17 of the directive. It provides that data controllers must implement appropriate measures to protect personal data and such measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. Section 2D takes account of the provisions of Articles 10 and 11 of the directive and it provides that personal data will not be treated as having been processed fairly unless, when personal data is obtained, the data subject is provided with certain information, including where data is obtained directly from the data subject, the identity of the data controller and the purposes for which the data will be processed and, where the data comes from a source other than the data subject, the name of the original data controller.

The important right set out in section 3 of the 1988 Act, that is, the right to establish the existence of data, remains unchanged. However, section 5 of the Bill strengthens the right of access provisions set out in section 4 of the 1988 Act. The new text of subsection (1) builds on the current provisions by providing, in line with the terms of Article 12 of the directive, that where an access request is made under the Act, the applicant must be provided with certain additional information, such as the source of the data and the purpose of the processing.

The new subsection (13) is not related to the directive. It will in future prohibit a person, in connection with the employment of another person, the continued employment of another person or a contract for the provision of services to him or her by another person, from requiring that per son to make an access request under section 4 of the Act or from supplying him or her with personal data obtained on foot of such an access request. This amendment is intended to prevent a type of abuse, known as "enforced subject access", that has arisen in relation to employment under the current right of access provisions.

Section 6 of the Bill takes account of Article 12(c) of the directive and amends section 6 of the 1988 Act in order to give persons an additional right to have incorrect or inaccurate data "blocked", that is, marked in such a way that it is not possible to process it for purposes in relation to which it is marked. This new provision will supplement the existing rights to have data rectified or erased. It also provides that where data have been blocked, there is a requirement to notify any person to whom the data were disclosed in the previous 12 months unless such notification proves impossible or involves disproportionate effort.

Section 7 of the Bill inserts two new provisions in the 1988 Act to take account of Articles 14 and 15 of the directive. The new section 6A extends a person's right to object to the processing of personal data relating to him or her where the processing of such data is considered necessary for the performance of a task carried out in the public interest or where the processing is for the purposes of the legitimate interests of the controller. However, the objection must be on compelling legitimate grounds. The right to object will not apply in certain circumstances such as where the data subject has given consent to the processing; the processing is necessary in the course of entering into, or performance of, a contract; for compliance with a legal obligation; to protect the data subject's vital interests; and the processing is carried out by political parties or candidates for elective office in the course of electoral activities. The new section 6B provides for a general ban on decision making that is based solely on automated processing of data intended to evaluate certain personal aspects where such a decision produces legal effects concerning a person or otherwise significantly affects a person, except in the circumstances outlined in that section and where suitable safeguards to protect the person's legitimate interests are in place.

This Bill also provides in section 8 for certain additional functions for the Data Protection Commissioner. In future, the commissioner will be the supervisory authority for the purposes of the directive and will be responsible for the dissemination of information in relation to "Community findings" regarding the adequacy of data protection rules in countries and territories outside the EEA. The commissioner will also be required to perform any functions in relation to data protection that the Minister may confer on him or her and which would enable the Government to give effect to any international obligations of the State. The commissioner will have a monitoring role for the purposes of Council Regulation 2725 of 2000 – Eurodac.

Section 9 amends section 10 of the 1988 Act to bring it into line with current practice as it has evolved since the entry into force of the 1988 Act. It recognises the possibility that complaints between parties may be resolved in an amicable way and that in such cases no further action by the Data Protection Commissioner may be necessary. An important new provision in the Bill will allow the Data Protection Commissioner to monitor the application of the directive. This proactive role will complement the existing functions of the commissioner in providing advice and dealing with complaints.

One of the key sections of the Bill is section 10 which takes account of the provisions of Articles 25 and 26 of the directive. It deals with restrictions on the transfer of personal data to countries and territories outside the EEA and replaces in its entirety section 11 of the 1988 Act. Almost all this section has been given effect in the regulations that came into force on 1 April 2002.

The new section 11 provides that a transfer of personal data to a country or territory outside the EEA may not take place unless an adequate level of protection is deemed to exist. Subsection (1) lists the factors to be taken into account in any assessment of adequacy. The Data Protection Commissioner is required to inform the European Commission and other member states of any case where he or she considers that a country or territory outside the EEA does not ensure an adequate level of protection. It should, however, be noted that where the European Commission makes a Community finding in accordance with the decision making procedures set out in the directive, in relation to whether an adequate level of protection is ensured in such a country or territory outside the European Economic Area, that decision must be complied with.

A number of Community findings of this nature have already been made. Commission decisions have been taken in relation to Switzerland and Hungary. This means that both countries are considered as having an adequate level of protection for personal data transferred from member states. More recently, a Commission decision has been made in relation to Canada that covers transfers of personal data to recipients who are subject to the Canadian Personal Information and Electronic Documents Act.

Following protracted negotiations between the European Commission and the US authorities, a Commission decision has been taken on the adequacy of protection provided by a set of so-called "safe harbour privacy principles". Personal data may, therefore, be transferred to organisations that have unambiguously and publicly disclosed their commitment to comply with these principles and are subject to the statutory powers of a government body that is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals.

There are circumstances in which transfers of personal data to countries and territories outside the European Economic Area may take place without Community findings in relation to the adequacy of the data protection arrangements. These are set out in the new subsection (4).

In addition, the commissioner is required to inform the European Commission and other EEA states of any such authorisations and must comply with any decision of the European Commission in relation to such authorisations. The commissioner must also comply with any Commission decisions that certain contractual clauses offer sufficient safeguards for the transfer of personal data. Two such decisions have been taken to date: one dated 15 June 2001 contains a set of standard contractual clauses and one dated 27 December 2001 contains a set of standard contractual clauses adapted to cover the transfer of personal data to data processors located outside the EEA.

Before moving on from this section, I want to draw attention to an important provision in subsection (6). It provides that where personal data are transferred with the protection of contractual clauses, the person to whom the data relate shall have the right to enforce the terms of that contract as if he or she were a party to it.

Subsections (7) to (15) are provisions of the existing section 11 of the 1988 Act and they allow the Data Protection Commissioner to prohibit a transfer of data to a place outside the State and set out the administrative procedures to be followed in connection with such a prohibition. In determining whether to prohibit a transfer of personal data, the commissioner must also have regard, as heretofore, to the desirability of facilitating international transfers of data.

Section 11 provides for the insertion of a new section 12A in the 1988 Act. Taking account of Article 20 of the directive, it makes provision for a system of "prior checking" by the Data Protection Commissioner of processing operations likely to present specific risks. A processing operation which is the subject of a prior check may not take place until the checking procedure has been completed. An appeal can be made against the result of any such prior check.

While the 1988 Act already contains provisions relating to codes of practice, section 12 amends these provisions in order to take account of Article 27 of the directive. The revised provisions will allow the Data Protection Commissioner to consider, and approve as appropriate, draft codes of practice submitted by trade associations or other bodies representing categories of data controllers or to prepare such codes in consultation with relevant interests. A new subsection (6) provides that approved codes of practice may be taken into account by the courts in relation to the settlement of disputes.

Section 14 contains another important amendment of the 1988 Act. It extends current registration requirements, in accordance with Article 18 of the directive, to almost all data controllers and data processors. A limited number of exemptions are provided for, an example of which is where the sole purpose of processing is the keeping of a register that is intended to provide information to the public and is open to consultation, or the processing is carried out by a non-profit seeking body in relation to the members of the body or those that have regular contact with it. Certain categories of data processing may also be specifically exempted from registration requirements by means of regulations where the processing in question is unlikely to affect the rights and freedoms of data subjects. These categories will be prescribed by regulations made by the Data Protection Commissioner with the consent of the Minister for Justice, Equality and Law Reform.

Section 18 contains another important set of provisions that have regard to the special importance of the public interest in freedom of speech. A new section 22A to be inserted in the 1988 Act provides that personal data that are processed only for the purposes of journalism or artistic or literary purposes will be exempt from certain provisions of the Act once such processing is either undertaken solely with a view to the publication of any journalistic, literary or artistic material or the data controller believes that such publication would be in the public interest, and where the data controller believes that compliance with those provisions would be incompatible with journalistic, artistic or literary purposes.

The provisions in the Act referred to here include the sections that deal with processing of personal data; processing of sensitive personal data; fair processing of data; the right of access; the right to rectification; the right to object; and restrictions on decisions based on automatic processing. The possibility of developing codes of practice under section 13 of the Act for approval by the Data Protection Commissioner is referred to in subsection (3 ). Such a code could set out guidelines for determining whether publication of material would be in the public interest.

In accordance with Article 32 of the directive, automated data will be brought into conformity with the Act two months from the date of its passing. Annual data will come within the scope of the Act at the same time, with one exception – manual data already held in filing systems need not be brought into conformity with sections 2, 2A and 2B of the Act – Articles 6, 7 and 8 of the directive – until 24 October 2007. However, the right of rectification, erasure or blocking of data that are incomplete, inaccurate or stored in a way that is incompatible with the legitimate purposes pursued by the data controller will apply progressively to such manual data during that period, in particular where a person makes an access request under section 4 of the Act.

The Bill before us today is designed to bring our domestic data protection law into line with the requirements of the EU directive and make certain improvements to existing arrangements in the light of experience gained since 1988. In doing so it seeks to establish an appropriate balance between the protection of the privacy of data subjects and the need to facilitate the international flows of data that are an essential feature of today's information society. Providing protection for data subjects in this way will encourage greater support for and participation in efforts to reap the full benefits of the information society, whether by way of e-commerce or e-government.

Since they build on the existing data protection infrastructure established under the 1998 Act, the additional provisions of the Bill should not involve or impose undue additional burdens on operators. Neither should they serve to unnecessarily restrict transfers of personal data to destinations within the State or outside the European Union. On the contrary, the enactment of the Bill will ensure agreed European Union level standards of data protection will operate here in the best interests of individuals, commercial and other interests and international operators.

As I said, this is a rather technical Bill. As there may be aspects which Senators may wish to have clarified, I shall endeavour to do so when replying, or on Committee Stage. Careful consideration will be given to questions raised or suggestions made during the debate today, while bearing in mind that the primary purpose of the Bill is to give effect to the provisions of a European Union directive.

I welcome the Bill which, as the Minister of State said, is very technical and detailed. It is an update and improvement upon the Data Protection Act, 1988, and based upon an EU directive. We are adopting more and more EU regulations, rightly so, given that we are part of the European Union. One really has to examine the Bill in detail to discern exactly what purpose it serves. Companies are now in a position where they will be required to possess more details and information regarding their employees. They will have to seek this information. There will be a mutual obligation upon employers and employees to provide each other with information.

This is all fine in theory, but we must consider the details of the measure which I can understand, but many others may not. The word "consent" is rightly used a lot in the Bill. It is an important one. I do not believe there is a consensus regarding information about individuals available to financial institutions, in particular. I wonder whether we are now moving to a situation where nobody will be allowed to seek data or information about individuals without consent as regards personal business. That is not the current situation. I find very frightening, particularly for those involved with financial institutions, the amount of information these organisations have on particular individuals. They possess a large amount of information which they can pass on to others, whether former employees, security organisations, private investigators or whoever. It is only right that agencies such as the Department of Justice, Equality and Law Reform or the Garda Síochána should have access to relevant information on people who live in this State but I am worried by the ease with which security organisations and private investigators can access personal information on private citizens held by large businesses and financial institutions.

From a European point of view, the Data Protection (Amendment) Bill, 2002, is very important. Protection of European citizens in their everyday lives is an important issue. Now that we have freedom of movement between the 15 member states, it is understandable that the relevant authorities must have access to information on people who travel throughout Europe. It is the only way we can guard against another act of terrorism such as that which took place in America last September. However, I am concerned about the issue of consent, as raised by this Bill.

In Britain, potential employers are permitted to access police files to see whether someone whom they wish to hire has a criminal record. Will this also be the case in Ireland and, if so, does the Minister think that such a situation should be allowed to prevail? I do not think so. I carry no flag for those who break the law. However, I do believe that, when someone has served their time in prison, their crime should not hang over their heads for the rest of their lives. Organisations other than the Garda Síochána should not have access to that sort of information about a person. It could prevent a person from getting a job, somebody who is making an effort to get on with their lives and make good their past errors.

I am also against the sharing of information between financial institutions. This is unfair to individuals who seek credit from such institutions. A person's circumstances may change over a period of time and a credit record that is five years old may no longer reflect their financial situation.

This is a very technical Bill, but I would appreciate it if the Minister would re-examine the notion of individual consent when it comes to the availability of personal information. I understand that there is a need for a Bill such as this and I congratulate the Minister on her work in this area. I do not think that the Data Protection Bill, 1987, was detailed enough and I hope this new legislation marks an improvement in this area. For a long time, I have felt that financial institutions have had too great a level of authority over individuals. That must be brought to an end.

We must make sure that financial institutions from other European countries are allowed to do business here, giving a greater choice to consumers. For too long, the same few institutions have had too much authority over people. This stifled the potential of some people who wished to run their own businesses. Data protection worked against these individuals, who were denied access to certain kinds of information that would have helped them to succeed in their endeavours.

Our membership of the EU has proven to us that we are all equal and are entitled to equal treatment. Information that is passed between financial institutions should not be given without the written consent of the person in question. The Central Bank now has the authority to ensure that insurance brokers, accountants and banks stay in line with regulations. Such authority is relevant to data protection. The Central Bank can decide what sort of information about any individual can be issued to the financial institutions. This gives a certain degree of protection to the individual. It proves that it is possible for the State to exercise a similar authority over the dissemination of personal information to various businesses or organisations. Such authority must be exercised – the EU has indicated that it believes our legislation is out of line.

I accept that anyone who has appeared before the courts or is known to the police should be on a file to which the relevant authorities across the EU have access. It is frightening that there could have been people in this country who assisted the al-Qaeda terrorists in the 11 September attacks. The French authorities have discovered that it has many such people living there, as has Britain. Nobody ever thought that could happen. Any information relevant to such people and organisations must be made available to all member states.

I welcome this Bill. I do not agree with everything it contains but I understand what it is about. I congratulate the Minister on her hard work. This Bill allows for us to protect each other and create a better society.

I welcome this very technical legislation whose main purpose is the updating of the Data Protection Bill, 1997. I have no doubt that, in another five years, the Bill with which we are dealing will have to be updated. With current advances in technology, it is difficult to keep ahead of the posse.

It is vitally important that personal information relating to any individual is protected. Provision must be made for people to give their consent before such information can be issued. I particularly welcome that part of the Bill which "extends data protection rules to certain manual data relating to living individuals, which is recorded as part of a relevant filing system".

The Bill also sets out conditions for processing personal data, including more stringent controls in respect of sensitive personal data such as that relating to physical or mental health, trade union membership, political opinions or religious beliefs and racial or ethnic origin. This is an extremely important area because such information relates to particular individuals who have the right to ensure it is protected. Nobody, through computers or any other means, should have a right to pass on information of that kind without the prior consent of the person to whom it relates.

The Bill will strengthen individual rights and will protect people's right to be informed about the processing of data relating to them. I am familiar with a number of decent people who, some years ago, were refused hire purchase finance on their cars on foot of outdated data which showed that they had not made their repayments on loans from 20 years before. The banks and hire purchase companies refused to give them finance as a result of this data. When I was in the motor trade I had to argue the point with the financial institutions and ask whether they believed that people could change. One of the men in question owned a house and property, but when he was in his late teens he purchased a car and was not ready for the financial responsibility that entailed. It is not fair that is held against people for their entire lives.

If, as Senator Cregan stated, a person falls foul of the law and either pays a fine or serves a sentence, they have paid their debt to society and there is no way it should be left hanging over them. The only exception I would make is in regard to what has become an awful problem for society, namely, paedophilia. I must admit that I did not know the meaning of that word ten years ago. Data relating to people such as paedophiles who are a danger to others should be made available, but this must be done carefully and it should only be distributed, where necessary, to the Garda, legal representatives, etc. Such information should not be available on the Internet where people can just download it from a computer and make it public. That would be very dangerous.

Data protection is more important now than ever because our world is becoming smaller on foot of globalisation, etc. In the area of business, it has often happened that an individual might invent something but another person, who came into possession of information relating to that invention, developed a similar product which had only been slightly modified. Data must be protected. We live in a competitive world and if a business is dealing with a wholesaler or manufacturer, the information it provides must be protected and it cannot be allowed to be passed on to its competitors. That would be grossly unfair. This type of information could not be given out in the past because business was carried out through the sending of letters or by telephone and methods of communication were not as fast. Now, however, people can send messages by computer or mobile phone to New York, Russia or any other part of the world which arrive seconds after they are transmitted.

This is an extremely important matter and we must protect data, particularly that which can be used for commercial, criminal and a host of other purposes. The Bill is an important legislative development. While many of the technicalities it contains would go over the heads of many lay people, everyone is familiar with its fundamental principle, namely, to protect individuals, companies and businesses and data relevant to them. I welcome the fact that before anyone can seek data on a person, they will be obliged to approach that person and obtain their signed approval. Before now, that protection did not exist and banks, for example, could obtain information on people. If they do so now, however, it will be a criminal offence. Individuals will also now be aware if people are seeking information on them. That was not the case in the past.

I welcome the Bill, which brings us into line with the EU. I commend it to the House.

I welcome the Bill, although I do not understand the logic of introducing it on the eve of the dissolution of the Dáil. I am not sure what is the purpose of that because it is difficult to see the Bill being enacted.

The European approach to data protection differs greatly from that of the United States. My daughter was in America last year and she wanted to rent an apartment. She phoned home to say that the landlord required a guarantee from someone who earned $80,000 per year. I contacted a friend who I thought was well off – I did not mention the $80,000 – and stated that my daughter required someone to act as a guarantor for her. He said he would be happy to oblige and, when I asked for it, he provided me with his social security number. However, he was turned down because apparently he does not earn $80,000 per year. I subsequently rang another individual who was approved.

I did not realise that the kind of information to which I refer is available to anyone in America. I had assumed that protection and individuality were valued in that country but, as Senator Cregan and Senator Farrell both stated, the Americans take a different approach to this matter. In America, personal data is not considered personal in any real sense as we understand it. One can buy access there to an extraordinary range of personal information that people in Europe would consider private. It is the objective of Directive 95/46/EC to protect such information.

This is a practical issue and it arises in cases where companies operating in Europe want to transfer data to the American jurisdiction. This happens all the time because an increasing number of companies, particularly those that are important to our economy, work seamlessly on a worldwide basis. What happens when two different philosophies regarding personal information clash with each other? Who wins? It is clear that the American way wins. Under the directive, data can be transferred to any country that is deemed by the EU to operate safe practices and the US is deemed to be such a country. It is worth pointing out that this arrangement, however useful it may be in business and commerce, is essentially a political arrangement. Europe and the US confronted each other on this issue and Europe blinked first. The result is that a coach and four is being driven through the protections set out in the Bill and we must be aware of that.

It is interesting that whenever an issue arises concerning personal freedoms such as the question of carrying compulsory identity cards, which has again arisen as a result of the crime situation in this country, the spectre conjured up is that of Big Brother. In my opinion it is not so much the State about which we should be concerned in this area, but rather other entities that will not be bound by the regulations or principles that usually constrain the behaviour of the State. It seems to me to be a shocking invasion of privacy that details of a person's police record can be bought on the open market in the United States.

There are certain kinds of information that it is right for the State to possess, but these should not be accessible to anyone else. Telephone companies know a great deal about people, credit card companies know where they spend their money and supermarkets know whether their children are boys or girls, whether they drink much wine or whether they own a dog. Members will recall the case of the nominee for the Supreme Court in the United States and the fact that on the day before he was to appear in the Senate, details of all the videos he had rented for the previous five years were published. I do not remember whether there was a scandal about this, but it is a matter of concern that such personal information is readily available in the US. There appears to be an uneasy compromise that allows the free transfer of data from Europe to the United States and I hope this will not come back to haunt us in the future.

The Bill is the last of a fairly short list of legislation relating to information society matters introduced by the Government during the past five years. When I consider that period, I cannot help but be struck by the way the drive to make Ireland a world leader in the information society has been lost. In 1996 I noticed a sudden upsurge of interest in this area, which is one I had been championing for some years. Overnight it became the conventional wisdom that the information society offered Ireland a unique opportunity to wipe out the structural and geographical constraints and obstacles which stood in our way for centuries because of our position on the periphery of Europe. We appeared to embrace the prospect of a new industrial revolution in which, this time, Ireland could play a full role because of modern communications.

I am not decrying the progress to date but, while I acknowledge we have achieved a great deal, it is not nearly enough. For instance, it was a correct and very imaginative stroke for the State to get into the business of bringing broadband capacity here and acting as a wholesale distributor of this capacity in the initial years. Unfortunately, however, the initiative was not carried through to the equally vital task of distributing broadband capacity around the country. Only now, very late in the day, are we trying to play catch up in this area. I am not sure it is fully realised that having broadband available throughout the country is not sufficient given that its potential will never be realised unless it is sold cheaply enough to enable universal access. If it is too expensive, people will not use it. Therefore, it should not become a niche market restricted only to businesses which can afford it. If we are really serious about becoming a world leader in the information age, we must regard broadband as a tool of mass communication.

Those of us with children will realise that youngsters – indeed, anybody under the age of 40 – never write letters. They text and e-mail each other using poor yet understandable English. Recently, I was in Singapore which, a couple of years ago, in recognition of the fact that it was set to become an e-commerce hub, decided to give every citizen an e-mail address. While I am sure An Post still has a bright future, I would not like to be in my old position of chairman as I would be hoping that people would continue to write letters in the traditional manner. Like Singapore, we should aim to give every household an e-mail address.

Another area in which we have made useful progress is e-government. A recent survey showed that Ireland leads the European Union in this respect, which is a tremendous and worthwhile achievement. Even in embryo form, the two websites which bundle Government services – Oasis and Basis – are doing an excellent job. They demonstrate that the real potential of the information age is not just one of productivity. The gain from e-government is not just efficiency, but also effectiveness; it works and makes it possible for Government to reach out to more people more quickly than ever before. This is the reason that I and other Members of the House have proposed that matters which must be published in newspapers should also be published on the Internet. E-government gives citizens a measure of control over the way in which they do business with Government in a way that never existed before.

It is a pity we have not yet done enough to seek out the benefits of the information society in regard to the political process, about which this House should be so proud, as opposed to the administration of Government services. New technology offers us dramatic opportunities to draw citizens into the process of law making. If we really believe in democracy, we should be rushing to embrace the opportunity to do everything we possibly can in this area. We wring our hands and bemoan the apathy and cynicism that permeate our society in regard to the political process and complain about not getting thanks for the work we do. This is akin to talking about the weather in that we never do anything about it. However, unlike the weather, this is a challenge we can do something about.

This Bill has implications right across the board, for us as individual citizens and for every business enterprise operating here. It is in the latter area that I feel most steam has gone out of our earlier drive to become a world leader in the information age. We have lost a great deal of early enthusiasm. Somewhere along the way the Government appears to have lost a grip on the vision it had five years ago. It seems to have receded from being an urgent priority to being just one of a list of platitudes. Perhaps it lost some faith in the project when the dotcoms collapsed about a year ago. Collapse may be too strong a word for what happened, but if it led to a revision of Government thinking, as I am suggesting, or a lessening of its interest in the area of the information age and Ireland's opportunities in it, the mistake should be speedily rectified. The setback experienced by the dotcoms was nothing more than the sort of shake up and shake out which inevitably happens when there is a new technology or development. Invariably too many people get involved and while some fail, others succeed. The experience merely cleared the decks so that real development could begin under more realistic circumstances, which is, I suggest, possible.

The fact that this Bill implements an EU directive which has been in operation, as the Minister of State informed us, since as far back as 1995, is an indicator of the way in which the steam has gone out of the Government's approach to the information age. I hope the new Government, whatever its shape or hue, will rediscover this opportunity and run with it as fast as possible. I welcome the Bill.

I will begin with the points made by Senator Quinn on the drive to become a world leader in the information age. The Taoiseach announced the appointment of a new Information Society Commission on 27 November last, chaired by the former president of DCU, Dr. Danny O'Hare. The commission will act as an independent advisory body to the Government, drawing on high level representation from the business community, the social partners and the Government itself. It will report directly to the Taoiseach and the secretariat to support its work is being provided by the Department of the Taoiseach.

The remit of the new commission is to highlight the challenges and opportunities presented by information society developments, monitor Ireland's performance in its evolution as an information society both nationally and internationally, identify areas of co-operation with other jurisdictions, including the establishment of links with the Northern Ireland information age initiative, and establish working groups as required to provide expert advice on specific areas of public policy development.

I understand the new commission is in the process of establishing its work programme, including arrangements for setting up the working groups it has decided to establish. It is expected that the commission will play a key role in shaping the public policy framework for the evolving information society here.

As the Senator said, the growth of e-commerce in recent years means that many consumers have already become used to buying goods and services over the Internet and an increasing number of people now do their weekly shopping on-line. Businesses have been choosing to buy services in the same way. A certain amount of personal data will inevitably be collected in the course of such transactions – registration details, for example, including name and address – which creates a risk that it could be used for other purposes without the knowledge or consent of the data subject.

For this reason, the Data Protection Commissioner made regulations last year requiring all Internet access providers – IAPs – to register with his office. The commissioner took this decision because of their extensive databases and the sensitive and personal nature of much of the data they hold. Any company which operates a website is also likely to be a data controller for the purposes of data protection and will also need to register. The registration process requires data controllers to indicate the nature and extent of their processing operations and this safeguard will help to build confidence in e-commerce and encourage consumers to avail of the on-line services that are now emerging.

With regard to the points made by Senators on transfers of personal data to countries and territories outside the European Economic Area, the intention is not to hinder such data flows, but rather to ensure that adequate data protection safeguards are in place in the country of destination. Problems arise in this regard in countries such as the United States which takes a sectoral approach to data protection. There, reliance on a mix of legislation, regulation and self-regulation is the norm and no overarching provisions are in place.

Given the extent of our commercial, trade and other links with the United States, the ability of US organisations to comply with the adequacy requirements of the directive is a matter of concern. The agreement, therefore, worked out during extensive negotiations between the European Commission and the US authorities hinges on a set of data protection principles to which organisations in the United States can voluntarily sign up and which provide the necessary safeguards for data supplied for such organisations. This mechanism is designed not only to facilitate existing data transfers but to encourage international flows of data which operate to the advantage of operators in both the countries of origin and destination. The US Department of Commerce website contains a list of organisations which have informed the Department that they adhere to the safe harbour principles. This does not mean that organisations not on the list do not have privacy data protection policies, but rather that they cannot avail of the benefits of the safe harbour agreement in terms of adequacy of protection.

As regards transfers to other destinations, the standard contractual clauses jointly developed by the European Commission and member states provide the required level of protection. However, if these are considered unsuitable for certain transactions, transfers may be made on terms approved by the Data Protection Commissioner.

Senator Farrell raised some important issues. He said data should not be kept any longer than is necessary. I agree with him. It is an important basic principle of data protection. As regards the point about exceptions made in connection with detecting and combating crime, this is already allowed and not being changed. The Senator was right when he said data protection is relevant to us all. He also referred to the importance of consent enshrined in the Bill.

Senator Denis Cregan was also concerned about the importance of consent. Individual rights are being strengthened in the Bill. The need for consent is recognised. Registration provisions are also being strengthened in the Bill. Holders of data must have approval for all processing. The Senator also referred to enforced access requests. Such requests will be prohibited in future following the enactment of the Bill. It is an abuse of the system which we are addressing. The 1988 Act went beyond what was required at the time. Information technology and the Internet have moved on rapidly in the meantime. While the Bill is technical, it is about the protection of individuals.

The Bill aims to establish an appropriate balance between potentially conflicting policy objectives and rights. We must ensure personal data are not used for purposes for which they were not intended while, at the same time, encouraging and facilitating data flows. We must reconcile personal privacy considerations with the needs of historical research, statistical requirements and scientific discovery. We must protect personal privacy while, at the same time, recognising the special importance of the public interest in the freedom of expression.

We live in a society which is often referred to as the information society in which huge quantities of data, including personal data, can be stored and processed with an ease unimaginable a few years ago. The information society brings many benefits in its wake, including improved communications and delivery of services. However, there are also risks involved. People's legitimate concerns must be addressed if we are to reap the full benefits of new information and computer technologies. I am convinced the data protection safeguards set out in the Bill will serve to further enhance confidence in e-commerce and e-government and yield significant benefits which outweigh whatever additional costs may arise in the context of its implementation.

I thank Senators for their contributions. I appreciate hearing their views on a subject which, we must all agree, affects each of us in our daily lives.

Question put and agreed to.

When is it proposed to take Committee Stage?

It is disappointing when we take all Stages of a Bill on the one day. I gather from what has been suggested that we will take Committee and Remaining Stages today. I will not object to it, but we should avoid doing this. We should not do so in our next session. Is it the intention to take all Stages today?

Acting Chairman

The Chair asked when was it proposed to take Committee Stage and the reply was, "Now". Does the House agree? It was agreed on the Order of Business that Second Stage only would be taken today.

We reluctantly agree to it.

Agreed to take remaining Stages today.

Bill reported without amendment, received for final consideration and passed.
Top
Share