The primary purpose of the Bill is to give effect to the provisions of Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It may appear on the surface to be a technical measure, not least because it seeks to amend existing rather technical legislation, the Data Protection Act, 1988. While that may be so, it actually contains important provisions that will enhance the fundamental rights and freedoms of individuals in the State.
It is no exaggeration to say globalisation and the development of information systems and technologies – most notably the Internet – are having a profound impact on the way we work and live today. One dimension of this process of change is reflected in the extent to which personal data are used increasingly for commercial, leisure and learning purposes. Another is the speed and ease with which such information can be processed, passed on to others, or used for purposes for which it was never intended. This mobility of data is beneficial in many ways, but it is also true to say recent developments have once again raised fears about a possible erosion of privacy and other fundamental personal rights. What is required, therefore, is an appropriate set of safeguards that protects the privacy interests of individuals while, at the same time, facilitating the processing of personal data for legitimate and beneficial uses.
Directive 95/46 sets data protection standards across the European Union in order to ensure a consistent level of protection across member states and a set of rules that facilitates the free movement of such data in the internal market. The objective of the Bill is to transpose those standards into our domestic law.
As indicated in the Title, the Bill amends the Data Protection Act, 1988. In particular, it establishes conditions for processing personal data, including more stringent conditions in relation to sensitive personal data, and strengthens individuals' rights with regard to the processing of their data. It also extends data protection rules to certain manual data relating to living individuals recorded as part of a relevant filing system and contains a set of new rules relating to the transfer of personal data to countries and territories outside the European economic area, EEA, that is, outside the EU member states, Iceland, Norway and Liechtenstein.
A number of amendments to the 1988 Act not directly related to the directive are intended to improve the operation of the Act. The existing Data Protection Act, 1988, transposes Convention 108 of the Council of Europe into Irish law.
There are three key features of the data protection convention which establish protection for individuals with regard to their personal data, of which the first is the set of data protection principles set out in chapter II which has been transposed into our law by section 2 of the Data Protection Act, 1988. It includes the following provisions: personal data undergoing automatic processing must be obtained and processed fairly and lawfully; they must be stored for specified and legitimate purposes and not used in a way incompatible with these purposes; they must be adequate, relevant and not excessive in relation to these purposes; they must be accurate and, where necessary, kept up to date; and they must be preserved in a form that permits identification of the persons concerned for no longer than is required for the purpose for which the data are stored. Moreover, appropriate security measures must be taken to protect such data from unauthorised access and accidental loss or destruction. There are certain exemptions, subject to adequate safeguards, where, for example, the data are used for statistical, research or other scientific purposes.
Second, the convention establishes a set of safeguards for individuals with regard to their personal data. The term "data subject" is coined in the convention to mean an individual, the subject of personal data. A data subject has the right to establish the existence of personal data, a description of the data and the purposes for which they are kept. A data subject also has a right, subject to certain restrictions, of access to such data, as well as a right to rectification or erasure of the data in certain circumstances.
Third, the convention provides, in Article 10, for the establishment of appropriate sanctions and remedies for violations of the law giving effect to the principles and safeguards. While the convention does not strictly require the appointment of a supervisory authority, the 1988 Act made provision for a data protection commissioner with both investigatory and enforcement powers. The commissioner has the power to investigate individual complaints, but also has an important awareness raising and information role. The commissioner's enforcement powers, as set out in the 1988 Act, include the issuing of information notices, enforcement notices and prohibition notices. I am pleased to take the opportunity to express my appreciation of the work of successive data protection commissioners in vindicating the rights of data subjects with regard to the processing of their personal data and developing an awareness of data protection rules and requirements.
The question may be raised as to the reason it was considered necessary to develop a data protection instrument at European Community level when all member states were already members of the Council of Europe and had ratified the convention. The main reason was a feeling at Community level that the scope of data protection law should be widened and existing safeguards strengthened, particularly in relation to the transfer of personal data to countries without data protection safeguards.
The directive builds on the provisions of the convention but is a more extensive and detailed instrument. The additional features of the directive include the following: it extends the mandatory application of data protection rules to certain categories of manual data; it establishes a right to object to the processing of personal data in certain cases, including where the data may be processed for the purposes of direct marketing; decisions based solely on automatic processing of data that have a legal effect or impact in a significant way on a data subject are prohibited; detailed provisions are set out relating to the conditions under which personal data may be transferred to countries and territories outside the European economic area; member states are required to establish one or more independent supervisory authorities with investigative and enforcement powers; the supervisory authorities in each state are required to establish a system of "prior checking" of processing that may present specific risks to individuals' rights and freedoms; the development of codes of practice is to be encouraged and facilitated.
Towards the end of 1997 my Department launched a consultation paper in connection with the transposition of the directive into our law as part of the process of preparing the new legislation. The aim was to raise awareness of the directive's additional requirements and elicit the views of interested parties on how best to implement these provisions where member states have been given a margin of flexibility and discretion. The outcome of this consultation process was taken into account in framing the Bill before us today.
I will mention some of the areas of flexibility and discretion when I come to the detailed provisions of the Bill. Before moving on to deal with them I want to explain the situation regarding implementation of the directive. Measures to implement it were required to be in place by October 1998, with member states having a further three years to ensure full conformity with its provisions. I very much regret that transposition of the directive has been delayed due to a combination of factors, including the consultation exercise that I outlined, pressure of other work and, not least, the complexities arising in this particular context. I understand Ireland is one of a number of member states which have experienced difficulties in this regard.
In this context, many of the directive's provisions, some of which I have outlined, have already been given legal effect in the Data Protection Act, 1988. These include key provisions such as those relating to the establishment of a supervisory authority, liability, remedies, sanctions and codes of conduct. Moreover, on 19 December last the Minister for Justice, Equality and Law Reform, Deputy O'Donoghue, signed the European Communities (Data Protection) Regulations, 2001, which gave effect to certain additional provisions of the directive included in the Bill before us today, with effect from 1 April 2002. These regulations are intended as an interim measure, pending enactment of the Bill. They deal, in particular, with an area no longer adequately covered by the provisions of the 1988 Act – transfers of personal data to countries and territories outside the European economic area. The regulations provide that such transfers may only take place where adequate standards of data protection are deemed to exist. I will mention the provisions that have entered into force by means of these regulations when I come to the sections concerned.
Turning to the detail of the Bill, I draw attention to a number of particular aspects. Section 2 amends section 1 of the 1988 Act in several important respects. First, it adds new definitions, including "automated data", "manual data" and "sensitive personal data", while replacing certain existing definitions, including "personal data" and "processing". For data protection purposes, "manual data" is defined as information recorded as part of a relevant filing system.
The term "relevant filing system" is defined as any set of information relating to individuals that is structured either by reference to individuals, or criteria relating to individuals, in such a way that specific information in relation to a particular individual is readily accessible. This means that to enjoy the cover of data protection provisions, data processed manually must comply with the following four criteria: first, the personal data must be part of a set; second, the set must be structured; third, the structure must refer to individuals or to criteria relating to individuals; and, fourth, specific information relating to a particular individual must be readily accessible. If any of these criteria are not fulfilled, the manually processed data concerned will not be covered. While some might say this is an unnecessarily restrictive approach, it is consistent with the aim of the directive since the manual processing of data does not present the same risks to personal privacy as automated processing. The Department drew attention to this issue in the consultation paper and it elicited no alternative approaches to defining manual data.
The term "personal data" is defined as data relating to a living individual who is, or can be, identified either from the data, or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. It is also worth noting that the new definition of "processing" set out here is not based on technical or technological processes but encompasses a broad range of functions such as the collection, recording, storage, retrieval, etc, of data.
This section of the Bill is also important in so far as it clarifies the scope of data protection law in line with the provisions of Article 4 of the directive. It provides, as set out in a new subsection (3B) to be inserted in the 1988 Act, that the Act will apply to data controllers established in the State who process data in the context of that establishment and to data controllers who are neither established in the State nor within the European Union, but who make use of equipment located in the State for processing purposes. Section 23 of the 1988 Act is being repealed as a consequence of the new provisions. These two provisions – the addition of the new subsection (3B) and the repeal of section 23 – have been given effect in the regulations I mentioned earlier and are already in force since 1 April 2002.
In the new subsection (3C), an exemption from data protection rules is provided for in cases where data is processed solely for the purpose of historical research. This complements the exemptions already provided for in the existing subsection (4). However, while the existing subsection (4)(b) contains an exemption for personal data consisting of information that the person keeping the data is required by law to make available to the public, a new subsection (5) provides that the exemption will not apply where such data is processed for a purpose other than the purpose for which it was collected.
The collection, processing, keeping, use and disclosure of personal data is dealt with in section 3. It amends section 2 of the 1988 Act. In particular, it replaces subsection (1) with a restatement of data protection principles as enunciated in Article 6 of the directive. Exemptions from certain principles for personal data used for statistical, research or other scientific purposes are retained but may be made subject to prescribed requirements.
The text of the existing subsection (7), which deals with direct marketing, is to be replaced with a new text that will allow a person, in accordance with Article 14(b) of the directive, to request a data controller, prior to processing, not to process personal data for the purpose of direct marketing. A new subsection (8) provides that individuals must be informed of their right to object. These provisions are not intended to discourage the practice of responsible direct marketing, which is an important commercial activity, but rather to raise awareness of the right, and give individuals the opportunity, to opt out of receiving direct marketing material if they so wish.
Section 4 is a substantial provision and it inserts no less than four new sections – sections 2A to 2D – in the 1988 Act. The new section 2A deals with the processing of personal data and takes account of the provisions of Article 7 of the directive. It provides that, subject to satisfying the conditions already set out in section 2, personal data can only be processed where one of the listed conditions is satisfied.
The new section 2B deals with the processing of a new category of sensitive personal data, which is defined earlier. Processing of this data will in future be subject to more stringent conditions in accordance with Article 8 of the directive. It provides for a prohibition on the processing of such data except where, in addition to satisfying the conditions set out in sections 2 and 2A, one of an additional set of listed conditions is also met.
The new section 2C deals with the security of processing operations, as set out in Article 17 of the directive. It provides that data controllers must implement appropriate measures to protect personal data and such measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. Section 2D takes account of the provisions of Articles 10 and 11 of the directive and it provides that personal data will not be treated as having been processed fairly unless, when personal data is obtained, the data subject is provided with certain information, including where data is obtained directly from the data subject, the identity of the data controller and the purposes for which the data will be processed and, where the data comes from a source other than the data subject, the name of the original data controller.
The important right set out in section 3 of the 1988 Act, that is, the right to establish the existence of data, remains unchanged. However, section 5 of the Bill strengthens the right of access provisions set out in section 4 of the 1988 Act. The new text of subsection (1) builds on the current provisions by providing, in line with the terms of Article 12 of the directive, that where an access request is made under the Act, the applicant must be provided with certain additional information, such as the source of the data and the purpose of the processing.
The new subsection (13) is not related to the directive. It will in future prohibit a person, in connection with the employment of another person, the continued employment of another person or a contract for the provision of services to him or her by another person, from requiring that person to make an access request under section 4 of the Act or from supplying him or her with personal data obtained on foot of such an access request. This amendment is intended to prevent a type of abuse, known as "enforced subject access", that has arisen in relation to employment under the current right of access provisions.
Section 6 of the Bill takes account of Article 12(c) of the directive and amends section 6 of the 1988 Act in order to give persons an additional right to have incorrect or inaccurate data "blocked", that is, marked in such a way that it is not possible to process it for purposes in relation to which it is marked. This new provision will supplement the existing rights to have data rectified or erased. It also provides that where data have been blocked, there is a requirement to notify any person to whom the data were disclosed in the previous 12 months unless such notification proves impossible or involves disproportionate effort.
Section 7 of the Bill inserts two new provisions in the 1988 Act to take account of Articles 14 and 15 of the directive. The new section 6A extends a person's right to object to the processing of personal data relating to him or her where the processing of such data is considered necessary for the performance of a task carried out in the public interest or where the processing is for the purposes of the legitimate interests of the controller. However, the objection must be on compelling legitimate grounds. The right to object will not apply in certain circumstances such as where the data subject has given consent to the processing; the processing is necessary in the course of entering into, or performance of, a contract; for compliance with a legal obligation; to protect the data subject's vital interests; and the processing is carried out by political parties or candidates for elective office in the course of electoral activities. The new section 6B provides for a general ban on decision making that is based solely on automated processing of data intended to evaluate certain personal aspects where such a decision produces legal effects concerning a person or otherwise significantly affects a person, except in the circumstances outlined in that section and where suitable safeguards to protect the person's legitimate interests are in place.
This Bill also provides in section 8 for certain additional functions for the Data Protection Commissioner. In future, the commissioner will be the supervisory authority for the purposes of the directive and will be responsible for the dissemination of information in relation to "Community findings" regarding the adequacy of data protection rules in countries and territories outside the EEA. The commissioner will also be required to perform any functions in relation to data protection that the Minister may confer on him or her and which would enable the Government to give effect to any international obligations of the State. The commissioner will have a monitoring role for the purposes of Council Regulation 2725 of 2000 – Eurodac.
Section 9 amends section 10 of the 1988 Act to bring it into line with current practice as it has evolved since the entry into force of the 1988 Act. It recognises the possibility that complaints between parties may be resolved in an amicable way and that in such cases no further action by the Data Protection Commissioner may be necessary. An important new provision in the Bill will allow the Data Protection Commissioner to monitor the application of the directive. This proactive role will complement the existing functions of the commissioner in providing advice and dealing with complaints.
One of the key sections of the Bill is section 10 which takes account of the provisions of Articles 25 and 26 of the directive. It deals with restrictions on the transfer of personal data to countries and territories outside the EEA and replaces in its entirety section 11 of the 1988 Act. Almost all this section has been given effect in the regulations that came into force on 1 April 2002.
The new section 11 provides that a transfer of personal data to a country or territory outside the EEA may not take place unless an adequate level of protection is deemed to exist. Subsection (1) lists the factors to be taken into account in any assessment of adequacy. The Data Protection Commissioner is required to inform the European Commission and other member states of any case where he or she considers that a country or territory outside the EEA does not ensure an adequate level of protection. It should, however, be noted that where the European Commission makes a Community finding in accordance with the decision making procedures set out in the directive, in relation to whether an adequate level of protection is ensured in such a country or territory outside the European Economic Area, that decision must be complied with.
A number of Community findings of this nature have already been made. Commission decisions have been taken in relation to Switzerland and Hungary. This means that both countries are considered as having an adequate level of protection for personal data transferred from member states. More recently, a Commission decision has been made in relation to Canada that covers transfers of personal data to recipients who are subject to the Canadian Personal Information and Electronic Documents Act.
Following protracted negotiations between the European Commission and the US authorities, a Commission decision has been taken on the adequacy of protection provided by a set of so-called "safe harbour privacy principles". Personal data may, therefore, be transferred to organisations that have unambiguously and publicly disclosed their commitment to comply with these principles and are subject to the statutory powers of a government body that is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals.
There are circumstances in which transfers of personal data to countries and territories outside the European Economic Area may take place without Community findings in relation to the adequacy of the data protection arrangements. These are set out in the new subsection (4).
In addition, the commissioner is required to inform the European Commission and other EEA states of any such authorisations and must comply with any decision of the European Commission in relation to such authorisations. The commissioner must also comply with any Commission decisions that certain contractual clauses offer sufficient safeguards for the transfer of personal data. Two such decisions have been taken to date: one dated 15 June 2001 contains a set of standard contractual clauses and one dated 27 December 2001 contains a set of standard contractual clauses adapted to cover the transfer of personal data to data processors located outside the EEA.
Before moving on from this section, I want to draw attention to an important provision in subsection (6). It provides that where personal data are transferred with the protection of contractual clauses, the person to whom the data relate shall have the right to enforce the terms of that contract as if he or she were a party to it.
Subsections (7) to (15) are provisions of the existing section 11 of the 1988 Act and they allow the Data Protection Commissioner to prohibit a transfer of data to a place outside the State and set out the administrative procedures to be followed in connection with such a prohibition. In determining whether to prohibit a transfer of personal data, the commissioner must also have regard, as heretofore, to the desirability of facilitating international transfers of data.
Section 11 provides for the insertion of a new section 12A in the 1988 Act. Taking account of Article 20 of the directive, it makes provision for a system of "prior checking" by the Data Protection Commissioner of processing operations likely to present specific risks. A processing operation which is the subject of a prior check may not take place until the checking procedure has been completed. An appeal can be made against the result of any such prior check.
While the 1988 Act already contains provisions relating to codes of practice, section 12 amends these provisions in order to take account of Article 27 of the directive. The revised provisions will allow the Data Protection Commissioner to consider, and approve as appropriate, draft codes of practice submitted by trade associations or other bodies representing categories of data controllers or to prepare such codes in consultation with relevant interests. A new subsection (6) provides that approved codes of practice may be taken into account by the courts in relation to the settlement of disputes.
Section 14 contains another important amendment of the 1988 Act. It extends current registration requirements, in accordance with Article 18 of the directive, to almost all data controllers and data processors. A limited number of exemptions are provided for, an example of which is where the sole purpose of processing is the keeping of a register that is intended to provide information to the public and is open to consultation, or the processing is carried out by a non-profit seeking body in relation to the members of the body or those that have regular contact with it. Certain categories of data processing may also be specifically exempted from registration requirements by means of regulations where the processing in question is unlikely to affect the rights and freedoms of data subjects. These categories will be prescribed by regulations made by the Data Protection Commissioner with the consent of the Minister for Justice, Equality and Law Reform.
Section 18 contains another important set of provisions that have regard to the special importance of the public interest in freedom of speech. A new section 22A to be inserted in the 1988 Act provides that personal data that are processed only for the purposes of journalism or artistic or literary purposes will be exempt from certain provisions of the Act once such processing is either undertaken solely with a view to the publication of any journalistic, literary or artistic material or the data controller believes that such publication would be in the public interest, and where the data controller believes that compliance with those provisions would be incompatible with journalistic, artistic or literary purposes.
The provisions in the Act referred to here include the sections that deal with processing of personal data; processing of sensitive personal data; fair processing of data; the right of access; the right to rectification; the right to object; and restrictions on decisions based on automatic processing. The possibility of developing codes of practice under section 13 of the Act for approval by the Data Protection Commissioner is referred to in subsection (3). Such a code could set out guidelines for determining whether publication of material would be in the public interest.
In accordance with Article 32 of the directive, automated data will be brought into conformity with the Act two months from the date of its passing. Manual data will come within the scope of the Act at the same time, with one exception – manual data already held in filing systems need not be brought into conformity with sections 2, 2A and 2B of the Act – Articles 6, 7 and 8 of the directive – until 24 October 2007. However, the right of rectification, erasure or blocking of data that are incomplete, inaccurate or stored in a way that is incompatible with the legitimate purposes pursued by the data controller will apply progressively to such manual data during that period, in particular where a person makes an access request under section 4 of the Act.
The Bill before us today is designed to bring our domestic data protection law into line with the requirements of the EU directive and make certain improvements to existing arrangements in the light of experience gained since 1988. In doing so it seeks to establish an appropriate balance between the protection of the privacy of data subjects and the need to facilitate the international flows of data that are an essential feature of today's information society. Providing protection for data subjects in this way will encourage greater support for and participation in efforts to reap the full benefits of the information society, whether by way of e-commerce or e-government.
Since they build on the existing data protection infrastructure established under the 1998 Act, the additional provisions of the Bill should not involve or impose undue additional burdens on operators. Neither should they serve to unnecessarily restrict transfers of personal data to destinations within the State or outside the European Union. On the contrary, the enactment of the Bill will ensure agreed European Union level standards of data protection will operate here in the best interests of individuals, commercial and other interests and international operators.
As I said, this is a rather technical Bill. As there may be aspects which Senators may wish to have clarified, I shall endeavour to do so when replying, or on Committee Stage. Careful consideration will be given to questions raised or suggestions made during the debate today, while bearing in mind that the primary purpose of the Bill is to give effect to the provisions of a European Union directive.