Data Protection Bill 2018: Committee Stage (Resumed)

SECTION 136
Debate resumed on amendment No. 85:
In page 113, between lines 10 and 11, to insert the following:
“(3) The Commission may decide to impose an administrative fine on a controller or processor that is a public authority or body.”.
-(Senator Niall Ó Donnghaile).

I will speak specifically to Sinn Féin's amendment which is mild. It does not seek to restore the full, large-scale fines under the general data protection regulation, given that they include fines of 4% of income, turnover and all the rest. It would simply give a power to the commission. I do not believe the commission, as established under the Bill, would be acting frivolously if it were to choose to impose an administrative fine on a processor which was a public authority or body. We would not be triggering automatic fines which might be found to relate to private entities under the general data protection regulation. Nonetheless, we are seeking to ensure the commission would have an additional power to impose a fine where a public body or authority was flagrantly disregarding the general data protection regulation and had repeatedly been found to be in breach of it. That would be appropriate. Will the Minister speak specifically to that question? Is there a reason he believes the commission should not have the power to impose an administrative fine on a controller? I am sure caveats that the commission would act in accordance with due diligence and that there would be proportionality, a necessity to do so and all the rest could be added. It could even be seen as a measure of last resort that would be triggered after multiple breaches of data protection rights.

I am also concerned about where public authorities and bodies are considered to be undertakings. The concern is that the private sector should not be disadvantaged where the public sector acts as an undertaking. However, a division has perhaps been inadvertently opened between those public sector bodies which are acting as undertakings and those which are directly delivering public services. We will see some public authorities being held to adhering to a higher standard than others? That is a concern. Will the Minister address these two points?

Senator Alice-Mary Higgins surmised much of what I was going to say to the Minister. It might just be legislative fatigue at this stage, but I did not hear anything from the Minister which convinced me that there would be repercussions for public bodies or other entities in breach of data protection rules, regardless of whether it was a one-off or consistent.

I did not hear anything from the Minister that would convince me that there will be repercussions for public bodies or other entities which breach data protection regulations, whether once, numerous times or consistently. What are the incentives that will discourage such entities from repeating the offences? We are not saying this for the craic; there are serious and well known examples of large-scale data protection issues and losses by public and other entities. At the risk of being the most hated man in Seanad Éireann, I am minded to push the amendment, but I would rather hear something from the Minister to ensure the issues raised by Senator Alice-Mary Higgins will be addressed.

There is no question of acting with impunity or any public body or company not being held responsible for its actions, be it a breach or anything else. A civil remedy is available to an injured or complaining party. Preparing or listing penalties and fines in law, in many ways, might accord with the reality of business, but I would like public bodies to apply the highest standards as they are charged with ensuring there is no illegality, breach or injured party. I would be concerned if standards were not applied or breaches were widespread and public bodies which are funded by the taxpayer paid fines such that public services were reduced and people suffered. There is a circular flow of public money-----

Am I correct in saying funds are paid back into the Exchequer?

The Senator can come in after the Minister.

I would like to see a regime in place in the public sector that would ensure the application of the highest standards. That, rather than a list of substantial fines, should be the focus of our endeavours. When public bodies and authorities act as undertakers or engage in private sector competition, there should not be an unfair advantage to the private sector, as evidenced by Senator Alice-Mary Higgins. A fine should be available as a penalty, but the main remedy will be a civil action. For the first time under data protection law, an injured party or complainant will be able to take a civil action and it will be open to the courts to assess damages and make an award against a body in the public sector, in the same way as they might against a body in the private sector.

People might be confused. When fines are paid, they are paid into the Exchequer, as the Minister can confirm. Taxpayers' money is not lost to the public. It may be reissued to the same body but with additional or new conditions attached. While a civil action is one mechanism, it is a very laborious legal route for any individual to take. In many cases, citizens are not looking for large financial compensation. They simply want a poor practice to be addressed in order that in six months' time the same concern will not arise for their neighbour or someone else. It is not appropriate that in all public bodies which are not undertakings we leave the responsibility for ensuring high standards to individuals taking on crusades or challenges in court. Individuals have taken a brave stand in the past, but there is a duty on us, as legislators, to ensure there are mechanisms in place to have proper public penalties. As identified, the commission is the appropriate place. The amendment does not contain a list of administrative fines. It simply insists on it being a measure that could be used. I imagine there will be more amendments on this issue on Report Stage and there are many ways to resolve it. I do not think the answer given is satisfactory.

Senator Alice-Mary Higgins has said all I wanted to say about fines. I agree with the Minister that we all want to see the highest standards implemented by public bodies to ensure data protection. For all of the reasons outlined by the previous speaker, nothing in the amendment would prohibit organisations from adopting the highest standards of data protection protocols and directives. It has the potential to complement and enforce them in a practical and tangible way.

In the event that the House will divide on the amendment, I am prepared to reconsider it on the basis of what the Senators have said, but I do not want to see a circular flow of public money as conceded by Senator Alice-Mary Higgins. Let us see what we can do between now and the next Stage.

In keeping with the charitable spirit of the night and because I have every faith in the Minister, I will withdraw the amendment and reserve the right to resubmit it on Report Stage.

Amendment, by leave, withdrawn.
Amendment No. 86 not moved.
Section 136 agreed to.
Sections 137 and 138 agreed to.
SECTION 139
Government amendment No. 87:
In page 114, line 22, to delete “5 years, or both” and substitute “5 years or both”.
Amendment agreed to.
Section 139, as amended, agreed to.
SECTION 140
Government amendment No. 88:
In page 115, line 4, to delete “5 years, or both” and substitute “5 years or both”.
Amendment agreed to.
Government amendment No. 89:
In page 115, line 10, to delete “5 years, or both” and substitute “5 years or both”.
Amendment agreed to.
Section 140, as amended, agreed to.
Sections 141 to 143, inclusive, agreed to.
SECTION 144

I move amendment No. 90:

In page 116, between lines 25 and 26, to insert the following:

“(2) (a) In addition to the publication requirements contained in section 144(1), the Commission shall publish details of public authorities or public bodies that have been found to have contravened the Act.

(b) Subsection (2)(a) shall not apply to a public authority or body where the authority or body was acting as an undertaking within the meaning of the Competition Act 2002.

(c) The publications under subsection (2)(a) shall be in at least one national newspaper and in a publication circulating in the area in which the public authority or public body guilty of the contravention is situate and/or operates from.”.

I will speak briefly. My amendment seeks to ensure that in respect of a public body the publication aspect is strengthened and admonishment is put in place for a public body which is found to be in breach of the legislation. I am interested in hearing the Minister's thoughts and whether he would consider accepting the amendment.

There is merit in the amendment. It is constructive and worthy of further consideration as an alternative to the imposition of administrative fines. In effect, this is a form of public naming and shaming. With the assent of the Senator, I will come back to the amendment. I would certainly be willing to revisit the matter on Report Stage and have a look at the wording. We can revisit the amendment in a way which ensures that the point raised by the Senator is reflected in the final Bill.

Amendment, by leave, withdrawn.
Section 144 agreed to.
Sections 145 to 147, inclusive, agreed to.
SECTION 148
Government amendment No. 91:
In page 120, line 29, to delete “personal data,” and substitute “personal data, and”.
Amendment agreed to.
Section 148, as amended, agreed to.
Sections 149 to 154, inclusive, agreed to.
SECTION 155
Government amendment No. 92:
In page 123, line 7, to delete “advisers,” and substitute “advisers, or”.
Amendment agreed to.
Section 155, as amended, agreed to.
Sections 156 to 162, inclusive, agreed to.
Schedules 1 to 3, inclusive, agreed to.
Title agreed to.
Bill reported with amendment.

When is it proposed to take Report Stage?

Report Stage ordered for Tuesday, 13 March 2018.

When is it proposed to sit again?

At 10.30 tomorrow morning.

The Seanad adjourned at 9.05 p.m. until 10.30 a.m. on Wednesday, 7 March 2018.