Data Protection Bill 2018: Report Stage (Resumed) and Final Stage

Amendment No. 24 not moved.
Government amendment No. 25:
In page 29, to delete lines 14 to 23 and substitute the following:
"Processing of personal data revealing political opinions for electoral activities and functions of Referendum Commission
43. Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of personal data revealing political opinions shall be lawful where the processing is carried out—
(a) in the course of electoral activities in the State for the purpose of compiling data on peoples' political opinions by—
(i) a political party, or
(ii) a candidate for election to, or a holder of, elective political office in the State,
and
(b) by the Referendum Commission in the performance of its functions.".
Amendment agreed to.
Amendments Nos. 26 and 27 not moved.

I move amendment No. 28:

In page 29, between lines 23 and 24, to insert the following:

"44. The processing of any special category of personal data by a private or commercial company for political or electoral purposes shall be prohibited without explicit full and informed consent of the data subject.".

I second the amendment.

Amendment put:
The Seanad divided: Tá, 13; Níl, 19.

  • Bacik, Ivana.
  • Black, Frances.
  • Conway-Walsh, Rose.
  • Gavan, Paul.
  • Higgins, Alice-Mary.
  • Kelleher, Colette.
  • Mac Lochlainn, Pádraig.
  • Mullen, Rónán.
  • Nash, Gerald.
  • Ó Céidigh, Pádraig.
  • O'Sullivan, Grace.
  • Ruane, Lynn.
  • Warfield, Fintan.

Níl

  • Burke, Colm.
  • Burke, Paddy.
  • Butler, Ray.
  • Buttimer, Jerry.
  • Byrne, Maria.
  • Coffey, Paudie.
  • Coghlan, Paul.
  • Conway, Martin.
  • Feighan, Frank.
  • Hopkins, Maura.
  • Lombard, Tim.
  • McFadden, Gabrielle.
  • Mulherin, Michelle.
  • Noone, Catherine.
  • O'Donnell, Marie-Louise.
  • O'Mahony, John.
  • O'Reilly, Joe.
  • Reilly, James.
  • Richmond, Neale.
Tellers: Tá, Senators Paul Gavan and Alice-Mary Higgins; Níl, Senators Gabrielle McFadden and John O'Mahony.
Amendment declared lost.
Amendment No. 29 not moved.

I move amendment No. 30:

In page 29, between line 23 and 24, to insert the following:

“44. Processing of data on people’s political opinions by a political party, a candidate for election to, or a holder of, elective political office in the State under section 43 must relate solely to persons who are members or former members of the political party or persons who have regular contact with the political party, candidate for election or holder of political office in connection with their purposes.”.

Has the Senator a seconder?

I second the amendment.

Is the amendment being pressed?

Amendment put and declared lost.

I move amendment No. 31:

In page 29, to delete lines 33 to 37, and in page 30, to delete lines 1 to 4.

This amendment relates to the processing of data on social welfare and employment policy. I will not be pressing it. I have concerns that some of the data controllers dealing with social welfare and employment policy processing may be employers. I was seeking some more safeguarding around that, but I am happy for that to be teased out in the Dáil, and I am sure it will teased out by the Select Committee on Justice and Equality. Therefore, I will not press it.

Amendment, by leave, withdrawn.

Amendment No. 32 is in the names of Senators Ó Donnghaile, Conway-Walsh and others. Amendments Nos. 32 to 35, inclusive, and amendment No. 48 are related. If amendment No. 32 is agreed, amendments Nos. 33 to 35, inclusive, cannot be moved.

I move amendment No. 32:

In page 30, to delete lines 5 to 31.

I remind the Senator that the amendment must be seconded.

I indicate that I will second the amendment.

To short-circuit matters, the two amendments in this grouping that we want to press are amendments Nos. 35 and 48. They are both to the same section, is that not right, a Chathaoirligh?

On amendment No. 35, we believe the Minister may have granted himself a bit too much discretion at this point. Our amendment gives more power to the data protection commission, something to which the Government has paid lip service. We would like to see this amendment succeed.

Amendment No. 48 is to facilitate and legislate for an impact assessment of the regulations under this section of the Bill. The data protection commission is the most capable body to do that. This is appropriate and allows us to assess the impact of the Bill before its impact is felt on a practical level. The Bill must be in line with the general data protection regulation, GDPR, when it is passed. I would encourage the Minister to do all within his power to ensure that the areas known to us to not be compliant are addressed as this will save us time in the future. As stated within the amendment, if the Minister fails to comply with the recommendations of the Data Protection Commissioner, he must inform both the Members of this House and the wider public as to why this is the case and publish the reasoning. This is a reasonable request and one that would enhance the democratic nature of this Bill.

Senator Conway-Walsh indicated she would second this amendment and I ask her to formally do so.

I second the amendment.

I have a number of amendments in this grouping. One of them chiefly relates to the issue of ensuring that we do not only test for the necessity of data processing but also for proportionality. I acknowledge the Minister has brought proportionality tests into a number of other areas of the Bill, and I would like it included in this area of the Bill. However, I will not press that amendment at this point and neither will I press my other amendments because I want to focus my support on amendments Nos. 35 and 48, proposed by Sinn Féin, which reflect concerns that have been articulated by others across this House, including Independent and Fianna Fáil Members.

Amendment No. 35 seeks to ensure that when we are processing those special categories of personal data, that extra sensitive data we discussed previously, for reasons of substantial public interest, and where the Government is making regulations to allow that sensitive data to be processed for reasons of public interest, that the Minister would allow the Data Protection Commissioner to conduct an impact assessment of what those regulations might mean and, as has been described already, that where there is a differentiation between what the Data Protection Commissioner advises and what the Minister intends to proceed with in terms of regulations, that the Minister would give a rationale to the House on that.

Amendment No. 48 is similar but it addresses the section covering situations in which the exercise of an individual's data rights might be restricted, and regulations to allow for that restriction. It simply provides that we should ensure that the data protection commission has a clear specific role in that and that when a Minister is deviating from the advice of the data protection commission that we would have that laid before the Houses.

These are both sensible amendments. They are better drafted in that they add an impact assessment as well as the transparency dynamic in my own amendments. Therefore, I will withdraw my amendments that deal with this issue.

Amendment No. 32 seeks to delete section 46. The purpose of that section is to set up a mechanism for giving effect to Article 9.2(g) of the GDPR. It simply replaces section 2B(1)(xi) of the 1988 Act, which gives effect to a similar provision in the 1995 data protection directive. Article 9.2(g) permits the processing of special categories of personal data for reasons of substantial public interest subject to three conditions: that it must have a basis in EU or national law; that it must be proportionate, which was a point raised by Senator Higgins and I thank her for those comments; and it must be subject to a suitable and specific safeguarding regime in respect of the fundamental rights and interests of the data subject. All these conditions are met in subsections (1) to (5) of section 45. I take the view that the section, as drafted, is fully compliant with Article 9.2(g) of the GDPR.

The House may wish to be aware of some of the statutory instruments made under the corresponding section 2B(1)(xi) of the 1988 Act. I refer specifically to SI 426 of 2016, which was an important regulation to permit the processing of sensitive personal data by the Garda Commissioner for the purposes of assisting the Northern Ireland historical institutional abuse inquiry; and SI 240 of 2015 which was made to permit the processing of sensitive personal data by the Garda Commissioner in order to assist with the coroner’s inquest in Northern Ireland into the horrific attack and cold-blooded murder of ten people at Kingsmill in County Armagh on 5 January 1976.

I trust that the House will agree that these are issues of crucial importance which, in effect, necessitated the making of regulations in order that in certain circumstances and subject to certain safeguards sensitive personal data could be processed for these important purposes.

The provisions of section 46 will permit the making of similar regulations in future, where that is warranted for reasons of substantial public interest such as those that I have mentioned.

As regards amendment No. 33, I do not believe the insertion of the words "and proportionate" is entirely appropriate here because subsection (5)(b) of section 46 already provides that any regulations made under subsection (2) shall, "enable processing of such data only in so far as is necessary and proportionate to the aim sought to be achieved".

I have a difficulty with amendment No. 33, but that is not to say I will not revisit it in the Dáil should we be in a position to reach an appropriate compromise. I cannot accept amendment No. 34 for the reasons I outlined.

Amendment No. 35 seeks to insert a new section 46(4), while amendment No. 48, the one mentioned by Senator Alice-Mary Higgins, proposes to insert the same provisions into a new section 55(11), which is the reason we are discussing the amendments together. I accept what the Senator has said that, of the group, amendments Nos. 35 and 48 are the two that are attracting her attention to the greatest extent. Any imposition of a statutory duty on the Data Protection Commission to conduct an impact assessment of possible regulations under sections 46(3) and 55(11) would be in conflict with Article 36.4 of the GDPR. It is clear that a member state’s data protection authority, like the Data Protection Commission we are setting up here, must be consulted on proposals for any measure in legislation to be adopted by a national parliament or a regulatory measure based on such a legislative measure related to data processing. It does not require a mandate or a data protection impact assessment to be carried out by the supervisory authority. The imposition of an obligation to carry out an impact assessment would not only have resource implications of a wide nature, it would also conflict with the condition of complete independence of the supervisory authority required under Article 52 of the GDPR. I acknowledge the importance of resources and point to the significant additional resources we have allocated for the Data Protection Commission in recent times. It is a budget that has increased threefold in the past few years and that will continue to receive resources from the Government. I reject any assertion made that the Data Protection Commission has in some way been short-changed. That has not happened under the Government and will not happen on the basis of its importance. We can point to the very satisfactory record in that regard.

The GDPR imposes a clear obligation on certain controllers and processors that carry out data protection impact assessments, but there is no such obligation on the authority. It is always open to the Data Protection Commission to request a controller, whether it be a Department or another public authority, with regulation-making powers, to conduct such an assessment when consulted on proposed legislative changes. The carrying out of a data protection impact assessment is an obligation on controllers and processors under Article 35 of the GDPR, but it is not a task for supervisory authorities under Article 57. For these reasons, I differ from Senator Alice-Mary Higgins, but it is an issue that will be the subject of further debate. I ask that the distinction I have drawn be carefully considered by Senators in the context of the current debate on amendments Nos. 35 and 48.

Amendment, by leave, withdrawn.
Amendments Nos. 33 and 34 not moved.

I move amendment No. 35:

In page 30, between lines 18 and 19, to insert the following:

“(4) (a) Such regulations shall be referred to the Data Protection Commissioner before their enactment, who shall conduct an impact assessment, undertaken by the Data Protection Commission.

(b) The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is—

(i) necessary,

(ii) proportionate,

(iii) in compliance with subsection (5)# of this section,

(iv) in compliance with the GDPR.

(c) The impact assessment shall be returned to the Minister within three months of the Minister’s referral, and it shall make recommendations as to whether the proposed processing of special categories is in compliance with the criteria laid out in paragraph (b) and shall recommend any changes necessary to the regulation to ensure compliance, or may recommend that the Minister not proceed with the regulation.

(d) In the event that the Minister does not follow the recommendation of the Data Protection Commission, the Government shall—

(i) publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission,

(ii) cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.”.

I second the amendment.

Amendment put:
The Seanad divided: Tá, 19; Níl, 16.

  • Ardagh, Catherine.
  • Black, Frances.
  • Clifford-Lee, Lorraine.
  • Conway-Walsh, Rose.
  • Daly, Paul.
  • Dolan, John.
  • Gallagher, Robbie.
  • Gavan, Paul.
  • Higgins, Alice-Mary.
  • Horkan, Gerry.
  • Kelleher, Colette.
  • Lawless, Billy.
  • Mac Lochlainn, Pádraig.
  • Nash, Gerald.
  • Ó Céidigh, Pádraig.
  • O'Sullivan, Grace.
  • Ruane, Lynn.
  • Warfield, Fintan.
  • Wilson, Diarmuid.

Níl

  • Burke, Colm.
  • Burke, Paddy.
  • Buttimer, Jerry.
  • Byrne, Maria.
  • Coffey, Paudie.
  • Coghlan, Paul.
  • Conway, Martin.
  • Hopkins, Maura.
  • Lombard, Tim.
  • McFadden, Gabrielle.
  • Mulherin, Michelle.
  • Noone, Catherine.
  • O'Donnell, Marie-Louise.
  • O'Mahony, John.
  • O'Reilly, Joe.
  • Richmond, Neale.
Tellers: Tá, Senators Rose Conway-Walsh and Paul Gavan; Níl, Senators Gabrielle McFadden and John O'Mahony.
Amendment declared carried.
Government amendment No. 36:
In page 32, line 37, to delete “necessary” and substitute “necessary and proportionate”.
Amendment agreed to.
Amendment No 37 not moved.
Government amendment No. 38:
In page 34, to delete lines 12 to 19 and substitute the following:
“53. For the purposes of the application of Article 21 in the State, the reference to “direct marketing” includes a reference to direct mailing other than direct mailing carried out—
(a) in the course of electoral activities in the State by—
(i) a political party or its members, or
(ii) a candidate for election to, or a holder of, elective political office in the State,
and
(b) by the Referendum Commission in the performance of its functions.”.
Amendment agreed to.
Government amendment No. 39:
In page 34, to delete lines 20 to 28 and substitute the following:
“Restriction on right of data subject to object to processing for election purposes and processing by Referendum Commission
54. The right of a data subject to object at any time to the processing of personal data concerning him or her under Article 21 shall not apply to processing carried out—
(a) in the course of electoral activities in the State by—
(i) a political party, or
(ii) a candidate for election to, or a holder of, elective political office in the State and
(b) by the Referendum Commission in the performance of its functions.”.
Amendment agreed to.

If the question on amendment No. 40 is agreed to, amendments Nos. 41 to 47, inclusive, cannot be moved. Amendments Nos. 40 to 47, inclusive, are related and may be discussed together.

Is that agreed? Agreed. Does Senator Gavan wish to move amendments Nos. 40 and 41?

Amendments Nos. 40 and 41 not moved.
Government amendment No. 42:
In page 35, line 3, to delete “necessary” and substitute “necessary and proportionate”.
Amendment agreed to.

If amendment No. 43 is agreed, amendment No. 44 cannot be moved.

Government amendment No. 43:
In page 35, to delete lines 9 and 10 and substitute the following:
“(iii) for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration,”.
Amendment agreed to.
Amendment No. 44 not moved.

If amendment No. 45 is agreed, amendment No. 46 cannot be moved.

Government amendment No. 45:
In page 36, to delete line 31 and substitute the following:
“(h) ensuring the effective operation of the immigration system, the system for granting persons international protection in the State and the system for the acquisition by persons of Irish citizenship, including by preventing, detecting and investigating abuses of those systems or breaches of the law relating to those systems;”.
Amendment agreed to.
Amendment No. 46 not moved.

Does Senator Higgins wish to move amendment No. 47?

No, but I commend the Government on amendments Nos. 43 and 45, which reflect the issues I raised on Committee Stage.

Amendment No. 47 not moved.

I move amendment No. 48:

In page 37, between lines 32 and 33, to insert the following:

“(11) (a) Any regulations under this section shall be referred to the Data Protection Commissioner before their enactment, who shall conduct an impact assessment, undertaken by the Data Protection Commission.

(b) The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is—

(i) necessary,

(ii) proportionate,

(iii) in compliance with subsection (4) of this section,

(iv) in compliance with the GDPR.

(c) The impact assessment shall be returned to the Minister within three months of the Minister’s referral, and it shall make recommendations as to whether the proposed processing of special categories is in compliance with the criteria laid out in paragraph (b) and shall recommend any changes necessary to the regulation to ensure compliance, or may recommend that the Minister not proceed with the regulation.

(d) In the event that the Minister does not follow the recommendation of the Data Protection Commission, the Government shall—

(i) publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission,

(ii) cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation of the Commission.”.

Amendment put.
The Seanad divided by electronic means.

Under Standing Order 62(3)(b) I request that the division be taken again other than by electronic means.

Amendment again put:
The Seanad divided: Tá, 17; Níl, 18.

  • Ardagh, Catherine.
  • Black, Frances.
  • Clifford-Lee, Lorraine.
  • Conway-Walsh, Rose.
  • Daly, Paul.
  • Gallagher, Robbie.
  • Gavan, Paul.
  • Higgins, Alice-Mary.
  • Horkan, Gerry.
  • Kelleher, Colette.
  • Mac Lochlainn, Pádraig.
  • Mullen, Rónán.
  • Nash, Gerald.
  • O'Sullivan, Grace.
  • Ruane, Lynn.
  • Warfield, Fintan.
  • Wilson, Diarmuid.

Níl

  • Burke, Colm.
  • Burke, Paddy.
  • Butler, Ray.
  • Buttimer, Jerry.
  • Byrne, Maria.
  • Coffey, Paudie.
  • Coghlan, Paul.
  • Conway, Martin.
  • Hopkins, Maura.
  • Lawless, Billy.
  • Lombard, Tim.
  • McFadden, Gabrielle.
  • Mulherin, Michelle.
  • Noone, Catherine.
  • O'Donnell, Marie-Louise.
  • O'Mahony, John.
  • O'Reilly, Joe.
  • Richmond, Neale.
Tellers: Tá, Senators Rose Conway-Walsh and Paul Gavan; Níl, Senators Gabrielle McFadden and John O'Mahony.
Amendment declared lost.
Amendment No. 49 not moved.

I move amendment No. 50:

In page 55, between lines 2 and 3, to insert the following:

“(2) Where decisions are reached through automatic processing, the data processor must ensure that an appeals mechanism is available to data subjects.”.

I second the amendment.

This is to ensure we do not have situations which I believe the Bill does not protect against at the moment where, for example, we would have social welfare payment decisions for vulnerable persons that might be made on an automated basis. It says that an appeals mechanism must be clearly available for data subjects in that regard. My amendment is possibly too mild and I would like if we could move towards a position where people were offered a clear alternative if they did not want to move through an automated decision-making process if they felt that they had sensitive information. Every single person in this House will have worked with people who have had difficulties in accessing their entitlements and supports and will know the potential dangers that might be there in an automated decision-making process. As I believe a stronger amendment than my amendment might be needed, I will not press it. I urge those who take this forward in the Dáil to address the potentially very serious impact on very vulnerable people without much cushion with regard to resources if they find themselves, for example, automatically rejected for a key payment which they are relying on. I know there are other examples of how this is used, but my specific concern relates to the area of social protection because I am on that committee and have seen these practices in place in other countries.

I respect that Senator Higgins is not pressing the amendment. I briefly want to give a reason I cannot accept it. I think it is based on something of a misunderstanding. Section 72 of the Bill, which is in Part 5, directly transposes Article 29 of the directive. It sets out a detailed list of security measures required for an automated processing system. The section does not directly relate to automated decision-making, which is section 52. Section 52 indicates the general data protection regulation, GDPR, and section 85 indicates the directive. I feel we might be at cross purposes. I know the Senator is withdrawing the amendment but I am making the point for the record in case this reappears.

I accept that it might be better placed.

Amendment, by leave, withdrawn.

I move amendment No. 51:

In page 63, after line 37, to insert the following:

“(9) Should a data subject request information in relation to a personal data breach which affects them they have the right to be provided with all the pertinent information in respect of that breach and nothing in subsection (2), (4) or (6) shall place a restriction on their access to that information.”.

I second the amendment.

Amendment No. 51 is one of the most important amendments and I will have to press it. There is a large section of the Bill relating to the communication of a personal data breach to a data subject. These are situations where people's personal data have been breached.

These are situations where people's personal data have been breached, that is to say that improper or wrong use of their data has happened. Cases might include the situation in which people's data were sold in Donegal by a social protection officer to private insurance agencies, situations where HSE files were left in the street, and other such situations. These are data breaches, cases where a person's data have been improperly breached. A number of circumstances are set out in section 82 in which a public body or other data controller might not have to tell someone that his or her data have been breached. There are a number of circumstances set out in which it is considered acceptable not to inform somebody that his or her personal data has been breached.

My amendment, which I believe to be quite modest, addresses a couple of those circumstances including circumstances in section 82(2) which relates to cases in which there has already been a response and appropriate technological steps have been taken in terms of dealing with the issue so that it might not happen again, in section 82(4), which has regard to situations in which it is considered to involve disproportionate effort for a controller to inform someone that his or her data have been breached, and in section 82(6), which has regard to situations where there has already been action under the commission. My amendment does not seek to unwind this section completely. It leaves it intact. However, it adds the caveat that if a data subject directly requests information in respect of a personal data breach which affects him or her, he or she will have the right to be provided with that information and that nothing in section 82(2), 82(4) or 82(6) shall place a restriction on that access to information. For example, under section 82(7), a controller who is directly asked can refuse to give an individual that information if there are reasons of substantial public interest, but he or she would not be able to refuse an individual that information on the basis of it requiring a disproportionate effort to tell it to that individual or on the basis that other organisational reforms are under way. It basically says that if I go to a data controller and ask whether I am one of the individuals whose data were sold to an insurance company in Donegal, or if my data were involved in any other leak of information, I will be entitled to know unless there is a substantial reason of public interest in not telling me.

Again, this is an important amendment which will improve the Bill. I hope that it will be supported by the Minister and by others in the House.

I am not disposed to accepting this amendment, which would insert a new section 82(9) on the matter of the communication of personal data breaches to data subjects. Under this section there is already a clear obligation on a controller to inform a data subject if and when there is a high risk to the rights of the data subject and to his or her freedoms arising from a data breach. In such a case, the data subjects have to be notified by the controller in clear and plain language of the nature of the breach and its likely consequences, and a description of the measures taken or proposed to be taken to mitigate any possible adverse impact or effects must be given.

The amendment proposed by Senators Higgins and Ruane refers to a data breach "which affects" a data subject, that is to say, that it must affect a subject. It is not clear what this is intended to mean. Under both the law enforcement directive and the GDPR, the thresholds for informing the Data Protection Commission of a data breach and for informing the data subjects whose data protection rights are breached are defined in terms of the risk arising from the breach. What is the nature of the risk? What is its extent? If a data breach involves a high risk for a data subject, he or she must be provided with all relevant and appropriate information and has the power to request further information if he or she is not happy. If, on the other hand, the breach involves little or no risk, the data subject might not become aware that there has been a breach at all. We thrashed this out in some detail on Committee Stage. I am a bit concerned that the amendment would introduce a level of uncertainty which would give rise to some confusion. I am really not prepared to accept the amendment on that basis. I am concerned about the term "which affects" and the nature or manner of such an effect. I am more comfortable with the wording as it stands in the Bill and in the directive.

Is the Senator pressing amendment No. 51?

Yes. I think the key question is that, in most instances, it would be the data controller - the public body or others - which would decide that question of risk. That is how it is provisionally. My amendment specifically addresses situations where somebody chooses to say that he or she is concerned about whether he or she is affected by a data breach. It is appropriate to give the power to somebody to request that information and to ensure that there are not technical and administrative reasons for not giving such a person that information. It is fair enough not to give a person that information when there is a really substantial reason of public interest, but when the reasons not to share that information are, for example, because it would require undue effort on the part of a body to have to communicate to an individual, such reasons do not stand up when an individual has gone to the trouble of trying to identify whether he or she has been affected. While I appreciate that the Minister may prefer to make small changes to the language to bring it more in tune with language he has used elsewhere, this amendment is constructive, it stands up and it will strengthen the process in respect of data breaches, so I will press it.

I know it is Report Stage but I wish to come back in again because an issue has been brought to my attention. I can wait until the Bill returns to the Dáil, but perhaps I can have a minute now.

I thank the Cathaoirleach. Another issue has been brought to my attention. It is that the Senator's proposal will not actually cover data breaches under the GDPR but only those under Part 5 because we are strictly speaking about that Part. Even if the Senator's amendment is carried, it will not have the consequence she anticipates. The provisions will only refer to breaches under Part 5, which actually transposes the law enforcement directive. For example, this would include a breach by the office of the Director of Public Prosecutions. It would not cover the type of scenario which the Senator has raised in any event. That is a further reason I would not accept the amendment. I do know that the matter will be the subject of debate in the Dáil, but I understand that Senator Higgins is going to press the amendment in any event. I merely wanted to add that point, which I did not really make clear the first time I spoke.

Perhaps I should just add that in the area of law enforcement, and even in terms of the McCabe trial and others, we have seen the importance of persons being able to know how their data have been used in the judicial context. I appreciate the Minister's point that similar clauses may need to go into other Parts of the Bill. I appreciate that. It is to be hoped that this might provide a template or example which could be improved upon, built upon and used in other areas.

Amendment put:
The Seanad divided: Tá, 17; Níl, 18.

  • Ardagh, Catherine.
  • Black, Frances.
  • Clifford-Lee, Lorraine.
  • Conway-Walsh, Rose.
  • Daly, Mark.
  • Daly, Paul.
  • Gallagher, Robbie.
  • Gavan, Paul.
  • Higgins, Alice-Mary.
  • Horkan, Gerry.
  • Kelleher, Colette.
  • Mac Lochlainn, Pádraig.
  • Nash, Gerald.
  • O'Sullivan, Grace.
  • Ruane, Lynn.
  • Warfield, Fintan.
  • Wilson, Diarmuid.

Níl

  • Burke, Colm.
  • Burke, Paddy.
  • Butler, Ray.
  • Buttimer, Jerry.
  • Byrne, Maria.
  • Coffey, Paudie.
  • Coghlan, Paul.
  • Conway, Martin.
  • Lawless, Billy.
  • Lombard, Tim.
  • McFadden, Gabrielle.
  • Mulherin, Michelle.
  • Noone, Catherine.
  • O'Donnell, Marie-Louise.
  • O'Mahony, John.
  • O'Reilly, Joe.
  • Ó Céidigh, Pádraig.
  • Richmond, Neale.
Tellers: Tá, Senators Alice-Mary Higgins and Lynn Ruane; Níl, Senators Gabrielle McFadden and John O'Mahony.
Amendment declared lost.

In terms of the result of the vote, this happens quite frequently. Bíonn níos mó rírá, caint agus ruaille buaille sa Teach seo.

I think the machines can be verified. I wish to make it clear to Senator Conway that the problem does not lie with the machine. The original result was displayed on screen and showed the figures of 17 and 16. The amended version, for those who neglected to vote, is now as follows: Níl, 18; Tá, 17. Therefore, the amendment is lost. As a matter of fact, five times today votes have had to be redone. The reason is that people do not pay attention during the vote.

On a point of order, a Chathaoirligh.

It is not a point of order.

No. On a point of order, I can categorically state that both Senator Colm Burke and myself pressed the buttons. I believe there is something wrong with the machine.

The machines are checked and the machines verify otherwise. Leaving out what Senator Conway has said, when the votes are called and the bells ring everybody is chatting and talking.

Inevitably, in every third vote somebody forgets to vote, which is not on.

I have only forgotten to vote once in seven years.

Forgetting to vote happens two or three times every time there is a vote.

I ask Members who are not staying for the debate to leave the Chamber and for the rest to resume their seats.

I welcome the Minister for Justice and Equality back to the House. Amendment No. 52 is in the names of Senators Ó Donnghaile, Conway-Walsh, Gavan, Mac Lochlainn and Warfield.

I move amendment No. 52:

In page 65, between lines 6 and 7, to insert the following:

“Protection of Data Protection Officers

84. (1) The Data Protection Commission shall provide a protection, whereby Data Protection Officers may seek the assistance of the Data Protection Commissioner, due to the fact that the Data Protection Office is not in a position to carry out their role fully, due to inappropriate interference from the Data Controller, or duress, harassment or victimisation.

(2) Where the Commission receives a complaint under subsection (1), it shall, in addition, make a decision—

(a) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and

(b) where it decides to so exercise a corrective power, the corrective power that is to be exercised.

(3) The Commission, where it makes a decision referred to in subsection (2)(b), shall exercise the corrective power concerned.”.

It is our opinion that this amendment, as proposed, will afford protections against the attempted suppression of information in the instance that the data controller wishes to prevent a data protection officer from publishing information that the data controller is unhappy with being published, despite that information being in the public interest. That is very clear, is it not?

I second the amendment.

Does any other Senator wish to comment? No.

While I understand the reasoning behind this proposed new section, I regret that I cannot accept it. The section seeks to deal with the risk that a data protection officer may encounter non-co-operation, duress, harassment or victimisation in the workplace and, as a result, is no longer in a position to perform his or her duties under the GDPR and under this legislation.

Since our earlier Committee Stage discussions, I have had the opportunity to consider this proposal. I have reached the conclusion that an effective remedy is already available to data protection officers under the Protected Disclosures Act 2014. As Senators will be aware, a disclosure of relevant information is protected if, in the reasonable belief of a worker, it tends to show a relevant wrongdoing and it came to his or her attention in connection with the worker's employment. Relevant wrongdoing, as defined in section 5(3) of that Act includes “that a person has failed, is failing or is likely to fail to comply with a legal obligation”. In my view, this would include all obligations on a controller under the GDPR and this Bill, including the controller's obligations towards the data protection officer.

Section 7 of the Protected Disclosures Act 2014 provides for protected disclosures to an external person who has been prescribed in an order made by the Minister for Public Expenditure and Reform. I refer to SI 339 of 2014 whereby the Minister for Public Expenditure and Reform has prescribed a range of persons that, by reason of the nature of their statutory responsibilities or functions, appear appropriate as persons to be recipients of protected disclosures. The Data Protection Commissioner has been prescribed as a recipient of disclosures in respect of all matters concerning compliance with data protection law. As I have said, I believe that this provides an effective remedy where a data protection officer is experiencing difficulty in the performance of his or her duties, or in the matter of any of his or her functions. A further advantage, which is an important aspect to be taken into account, is that any data protection officer making such a protected disclosure would enjoy the extensive protections against dismissal, victimisation and any detriment provided under Part 3 of the Protected Disclosures Act 2014.

A further disadvantage with this amendment is that it would apply only to data protection officers appointed by competent authorities operating under Part 5 of the Bill. In the same way, I felt that the earlier amendment tabled by Senator Higgins was weak because it would only have the effect of making a change or alteration to Part 5. Similarly, this is confined to Part 5 and would not, therefore, protect the data protection officer operating under the GDPR. All data protection officers, whether operating under the GDPR or Part 5, as we are now discussing, will in any event have the protection and the remedies available under section 7 of the Protected Disclosures Act, as elaborated upon and further developed in SI 339 of 2014.

I know from where the Senators are coming, but I do not accept the amendment as being an effective remedy, having regard to the fact that what we have already, between this Bill and the Protected Disclosures Act 2014, covers any issue Senators might have in terms of fear or weakness.

I have heard what the Minister has said, but I still wish to pursue this issue.

Amendment put and declared lost.

I move amendment No. 53:

In page 66, line 8, after "data" to insert ", and the procedure and mechanisms for so doing".

I second the amendment.

This amendment relates to cases in which individuals are trying to access personal data related to them that has been processed. There are a number of points in section 87 in which it is clear that the data controller must set out information detailing the right of the data subject to lodge complaints or request information. It should not need to do so, but the reality is it may need to specify procedures. People are informed that they have the right to complain or request and my very small amendment would simply suggest they also be informed of the procedures by which they make a request. They are more or less the rights someone has. It is really about making the GDPR usable for individuals and so forth. I am not pressing the amendment at this point, but I am asking that it be borne in mind and looked at. We need to watch out for cases in which people are simply told that they have a right but not told about the mechanisms by which they can access the right through procedures. I know that under the overall GDPR, there is a requirement for clarity and clear communication. It is really almost trying to send a signal down the line to controllers. I will not press the amendment now, but I trust the Minister understands the reasoning behind it.

Amendment, by leave, withdrawn.
Amendment No. 54 not moved.

Amendments Nos. 55 and 56 are related and may be discussed together.

I move amendment No. 55:

In page 81, between lines 6 and 7, to insert the following:

“(2) The Commission shall maintain a guideline list of data controllers and processors regarded as preventative and counselling services under section 30.”.

I second the amendment.

These amendments relate to the earlier debate on Committee Stage about how we can ensure the preventive and counselling services we have available in Ireland, some of which are very small, can be assured that they will not be inadvertently considered to be in breach of the directive. There is a guideline as to what is a preventive and counselling service, given the special exemption under section 30 of the Bill. There is a little concern on the part of some of those who provide preventive and counselling services about this provision. They are often small organisations which deal with young people with specific issues such as eating disorders, questions about their sexual orientation and others. We should assure them that these well meaning services can be sure they are meeting requirements and will not find themselves inadvertently being considered to be in breach of the directive or not categorised as preventive and counselling services. This is an attempt to ensure there would be a guideline list, although it would not be exclusive, for those who genuinely intend to be as transparent as possible. They want the imprimatur in order that they will not find their qualification as a preventive and counselling service tested in the courts. That is the kind of thing that could prove prohibitive or that could potentially have a chilling effect on some very worthy preventive and counselling services.

I will not move amendment No. 56 as I recognise that the Minister has brought forward measures for a code of conduct. We have already discussed our concerns that it is a code of conduct, rather than statutory guidelines. However, in acknowledging that this is a work in progress, I will not press the amendment as there is no point in having two approaches to the same problem in the same Bill. I encourage others in the Dáil to try to push a requirement rather than encouragement into the code of conduct when it reaches that point.

I acknowledge what Senator Alice-Mary Higgins said about amendment No. 56 and appreciate her disposition. However, I have a difficulty with amendment No. 55 which seeks to insert a new subsection into section 98 to impose an obligation on the Data Protection Commission to maintain a list of data controllers and processors which are regarded as providing preventive and counselling services for children. Section 98, in Part 5 of the Bill, deals with the functions of the Data Protection Commission with respect to bodies in the criminal justice system. Preventive and counselling services do not arise in that context. We are back to the earlier point of amending Part 5 which would not have the broad effect intended by the Senator in her amendment. I am concerned about any proposal to impose a requirement on the Data Protection Commission. I acknowledge the earlier votes and we will have an opportunity to discuss this matter again in the Dáil. There is a fundamental issue at stake - the Legislature providing in law for requirements on or mandating the Data Protection Commission in certain matters. It would not be appropriate for us to in any way have an impact on what is an independent statutory body. Imposing requirements on the commission could be problematic. Furthermore, I am not sure the commission would have the appropriate expertise to carry out vetting. As we all know, in the case of children, it would go well beyond the matter of data protection. Therefore, I am not comfortable with and will not accept the amendment. I know that the Senator will ensure the matter is aired considerably in Dáil Éireann. I will be happy to revisit the matter at that stage.

The Minister has made one point that I consider valid and that I might challenge a little. There is an overall problem with Part 5 that needs to be tackled. It is particularly in the areas of health and education that concerns such as this arise. However, the argument about imposing a requirement on the Data Protection Commission does not stand up. This is the section in which we are setting out the functions of the office. It is a brand new body that is being set up. We could go through every line setting out a function of the new commission and say it was imposing on it. This is the moment at which we say what the commission will be able to do and what its functions will be. That is why I explicitly seek to include this measure as a function of the commission. There is no reference to Ministers or the Government. This would simply be another function of the commission to allow it to perform to best effect. I should be clear that it would not be an additional requirement imposed by a Minister but a function of the commission. It would be as credible and good a function as many of the others set out by the Government.

The matter will arise again in the Dáil. It passed without a remark when we discussed questions about the code of conduct, etc., but I recognise positively that the Minister inserted the capacity of the commission to consult those it sees fit to consult, including, for example, a digital safety commissioner. It was inserted into the Bill at that point.

As the capacity was provided in the Bill at that point, perhaps, similarly, it could be provided in this instance to allow the commission, as one of its functions, to set out the list and consult those it sees fit to consult. However, I will not press the amendment, given the concerns about section 5 and the fact that this issue will no doubt be aired and the Bill improved in the Dáil.

Amendment, by leave, withdrawn.
Amendment No. 56 not moved.

Amendments Nos. 57 to 59, inclusive, are related and may be discussed together, by agreement. Is that agreed? Agreed.

I move amendment No. 57:

In page 106, line 5, to delete “report.” and substitute the following:

“report,

(d) the total and proportionate number of data subjects to file complaints against a controller or processor.”.

I second the amendment.

All of the amendments relate to how the commission functions and ensuring its effective functioning. The concerns have been well aired in this House and I am sure they will be in the Dáil about the fact that the Data Commissioner may not take up individual cases that have been filed. He or she has the right not to proceed with individual cases or to dismiss them. There is a concern that when there is a large number of individual complaints which may or may not be taken up by the commission, there may be a pattern where there are multiple individual complaints about a specific data controller. While I recognise that the commission has the power to initiate a report, what I am trying to insert with this suite of amendments is, first, transparency in order that patterns will emerge and we will see "the total and proportionate number of data subjects to file complaints against a controller or processor". If 600 or 1,000 complaints are made against a data controller - a private company or a public body - or where 60% of those in contact with the data controller all complain, the Data Commissioner should have the power to initiate a report and ask questions and this would make the pattern apparent. For example, if there were two or three data controllers in the same sector, that is, two or three companies operating in the same field, we would be able to see if company A had 40 complaints made against it and company B of a similar size had 150 against it. That would give rise to concern and allow us to identify a pattern at an early stage.

I am not going to press amendment No. 58. Amendment No. 59 is a mechanism to try to instigate an almost automatic triggering of a request for a report where the Data Commission receives complaints about a specific data controller - a specific company or public body - from 400 or more individuals. The intention is to try to ensure that where there is a significant concern emerging, it would automatically trigger a response. This issue is a source of concern. Currently, every individual can take a case to the European Court of Justice, but not every individual will do so. This is to try to ensure each of the individual complaints would add up. There are precedents in other areas for the taking of test cases. The intention is there would be a collective response. Many individuals, when they make a complaint, do not necessarily want to push ahead and look for compensation in the courts system, rather they simply want to know that their complaint has been noted and that it will add to the pressure to have a bad practice addressed. That is what I am trying to do with this suite of amendments. As I said, I will not press amendment No. 58, but I am very interested in hearing the Minister's thoughts on how these issues should be addressed.

Section 131 gives the Data Protection Commission the power to require a controller or a processor to provide a report for it on matters specified by it. The report would be produced by an independent expert, not the controller or the processor or the commission. The intention is that this enforcement mechanism will be used in important cases, for example, the deployment of new processing technologies, for the purposes of proper and effective monitoring of the application of the GDPR, in so far as the Bill and relevant regulations made under it give further effect to it.

The section does not relate to the carrying out of investigations by the commission into possible infringements of the GDPR. Therefore, the number of data subjects to file complaints against a controller or a processor and the likely benefit to complainants of providing a report would not be relevant factors to be taken into account in deciding whether to require the controller or the processor to provide a report for the commission under the section.

I am not sure whether the points raised by the Senator could even be achieved by the amendments. We are really at cross-purposes, having regard to the construct of the section. However, I note her comments on amendment No. 58. That is fine. However, I am concerned about the proposal made in amendment No. 59 to require the commission to provide the Oireachtas Joint Committee on Justice and Equality, or any committee of the Dáil and the Seanad, with a written rationale for a decision not to seek a report. Again, we are back to an assertion I would make about possible interference with the independence of the commission. That is something we need to avoid in this legislation, bearing in mind that it is a requirement under the GDPR. I have a difficulty with amendments Nos. 57 and 59 and accept that amendment No. 58 is being withdrawn, but I do not really see how, under the current framework, the amendments would produce the result she would regard as being applicable or feasible.

I believe it would be beneficial. Acceptance of amendment No. 57 would mean that the commission would be deciding whether it should simply request a report, not necessarily an investigation. It would, of course, then be in the armoury of tools available to it. I presume it would not automatically trigger an investigation. It would be the first stage - the requesting of a report. It would be recognised that a consideration for the commission in deciding whether it should ask for an independent report, as the Minister correctly described, would be the total and proportionate number of data subjects who were filing complaints against a controller or a processor. The Minister is correct that complaints may not be filed directly with the commission, that they may be filed with the data controller, but to ensure transparency the data controller should let us know what is the volume of complaints.

Amendment No. 57 would be useful, but I will not press it for now. I have indicated that I will not press amendment No. 58, but I do wish to press amendment No. 59 because it would dealing with the specific question of where the commission was receiving complaints about a data controller from 400 or more individual data subjects. It would then investigate matters. This is where we are setting out the functions of the commission and I do not believe this would constitute undue interference. It would simply indicate how the commission would function and build in this mechanism. This the appropriate point at which to do so when we are establishing the new commission. It would be very useful.

On the question of written rationale, again, we know that there are powers of compellability. I will only press the amendment to a voice vote, but it is something that needs to be done to ensure an automatic triggering where a large volume of complaints have been filed. That would benefit all of us because we do not want to see huge volumes of individual cases going through the courts. We want patterns to be identified. Perhaps the Minister might come up with another way to address the issue within the functions of the commission.

Amendment, by leave, withdrawn.
Amendment No. 58 not moved.

I move amendment No. 59:

In page 106, between lines 5 and 6 to insert the following:

“(4) Where the Commission receives complaints in respect of a specific data controller or processor from 400 or more individual data subjects then the Commission will—

(a) give note for a report under subsection (1), or

(b) provide the Oireachtas Committee on Justice and Equality with a written rationale for a decision not to give notice for a report under subsection (1).”.

I second the amendment.

Amendment put and declared lost.

Amendments Nos. 60 to 64, inclusive, are related. Amendments Nos. 61 and 62 are physical alternatives to amendment No. 60, while amendment No. 62 is a physical alternative to amendment No. 61. Therefore, amendments Nos. 60 to 64, inclusive, may be discussed together, by agreement. Is that agreed? Agreed.

Government amendment No. 60:
In page 113, to delete lines 11 to 13 and substitute the following:
“(3) Where the Commission decides to impose an administrative fine on a controller or processor that—
(a) is a public authority or a public body, but
(b) is not a public authority or a public body that acts as an undertaking within the meaning of the Competition Act 2002, the amount of the administrative fine concerned shall not exceed €1,000,000.”.

Arising from concerns raised on Committee Stage about the exemption of public authorities and bodies from administrative fines under section 137 of the Bill, I committed to consider the issue further. Having given it careful consideration, amendment 60 provides for the insertion of a new subsection (3) in section 137. It provides that administrative fines of up to €1 million may be imposed on public authorities and bodies, other than those acting as undertakings, to which the higher GDPR limits will continue to apply. The rationale for setting fines on such authorities and bodies at a lower level is that although it will have a punitive effect, with attendant adverse publicity and damaged reputations, it will not imperil the services provided by the public authority or body concerned. This approach is permitted under the general data protection regulations, GDPR, and I understand a number of member states, including Sweden and Denmark, have adopted a similar approach. The amendment means that public authorities and bodies acting as undertakings under competition law will be subject to Article 83, which, in effect, means that they could be liable to fines of up to €10 million or €20 million, depending on the type of infringement involved.

Amendment No. 64 is a consequential amendment. Section 134 provides for an appeal to the Circuit Court or the High Court against a fine imposed by the Data Protection Commission. On appeal, the court may impose a different fine from that imposed by the commission. The amendment imposes a limit of €1 million on the amount of a fine that can be imposed by the Circuit Court or the High Court on a public authority.

Amendment No. 63 is a drafting amendment. As regards amendment No. 61, I note that Senators Alice-Mary Higgins and Lynn Ruane have also suggested a limit of €1 million. They may wish, therefore, to withdraw the amendment in favour of amendment 60. If they do, I give them credit for raising and pursuing the issue in a vigorous manner. I am pleased that there has been a meeting of minds on the issue.

I very strongly commend the Minister, his staff and officials for the amendment. It is an incredibly positive decision. I am grateful that the Minister has listened to the concerns raised by me and other Members and genuinely applaud the amendment because it will make a significant difference in how the Bill will come into effect and the new data protection standards will be rolled out across public bodies. The fines which I accept are not at the full level provided for in the GDPR are sufficient to show a level of seriousness. This approach has been adopted in Sweden and several other countries. The fines are at a level sufficient to act not only as a deterrent to bad practice but , importantly, to help to drive and encourage good practice. They will strengthen the role and voice of a data processor within public bodies, as mentioned by other Senators, and ensure the considerations of data protection are felt and engaged with in such bodies, including in the area of finances. They will ensure a deeper engagement with those responsibilities, drive good practice and, crucially, ensure bad practice, where it occurs, is not engaged in with impunity. I applaud the Minister as the amendment strengthens the Bill. The fines will have to be imposed on some bodies, but there will be positive impacts and careless steps will not be taken because of this important deterrent. I again thank the Minister and commend the amendment. It is one of the most fundamental changes he has made to the Bill and it will stand to us, as legislators, and the State.

I echo the sentiments expressed by Senator Alice-Mary Higgins. I acknowledge that the Minister has listened to Senators and made a significant change. As he is aware, Sinn Féin expressed particular concerns on this issue. We recognise and welcome that he has listened to those concerns. In the light of that, we will be withdrawing amendment No. 62.

Amendment agreed to.
Amendments Nos. 61 and 62 not moved.
Government amendment No. 63:
In page 113, line 26, to delete “subsection (4)” and substitute “subsections (4) and (5)”.
Amendment agreed to.
Government amendment No. 64:
In page 113, between lines 32 and 33, to insert the following:
“(5) Where the decision the subject of the appeal is one to which section 137(3) applies, and the court decides under subsection (3)(b) to impose a different fine, the amount of the fine imposed by the court shall not exceed €1,000,000.”.
Amendment agreed to.
Amendment No. 65 not moved.
Bill, as amended, received for final consideration.
Question proposed "That the Bill do now pass".

I thank the Acting Chairman and Senators-----

I was here for the majority of the Bill's passage.

You were. We have had a good debate and I acknowledge the contribution of Senators on all sides of the House. I thank them for their co-operation. Unlike other legislation passed through the Houses, there is a strict timeframe and deadline for the Bill that, as a state, we should regard as highly important and necessary. I thank all Members for their co-operation in ensuring the Bill was completed in the Upper House before the end of this term. I look forward to continuing the debate and, although Members of this House will not be present in the Lower House, their influence will continue. I particularly acknowledge the contribution of Independent Senator Alice Mary Higgins, with other Senators, and look forward to ensuring the legislation is enacted by both Houses of the Oireachtas and that Ireland, as a member state of the European Union, will be in a position to fully comply with its obligations.

I thank the Minister who has attended for all Stages of the Bill in the Seanad. He is an exceptionally busy man who runs a very important Department that requires significant day-to-day management. Although the legislation is extremely important, I acknowledge that he has been here to deal with it. We may have to consider increasing the number of Ministers of State in the Department of Justice and Equality because the Minister has had to go above and beyond the call of duty to be here for all Stages of the Bill.

I commend Senators for their work on the Bill. I also commend the Minister's officials. The genuine engagement between the Government and Members of the House has strengthened and will strengthen the Bill.

I commend, in particular, Senator Alice Mary Higgins. The Acting Chairman will agree with me that she was determined and that her attention to detail in UCD 25 years ago was as significant as it is now. We are not one bit surprised that her level of detail is particularly significant. Gabhaim buíochas to all.

I thank the Minister for his attendance and engagement. I specifically thank his officials who made themselves available for engagement between Committee and Report Stages. That was really important, very valuable and fruitful as the Bill has been strengthened. However, I have to add the caveat that there is still the specific issue of section 43 and openness with regard to the actions we see unfolding and that will continue to unfold in respect of companies such as Cambridge Analytica and others that will need to be addressed. I, therefore, urge the Minister to look at how the section can be strengthened further. I know that he is looking at the issue. I also commend him specifically for the introduction of fines and, with his officials, for taking on board some of the more detailed points about immigration, public bodies and proportionality. All of the detailed amendments which he has brought forward are very positive and will make a real difference to the lives of individuals. I thank him again and wish him well as moves forward with the Bill.

I thank Senator Alice-Mary Higgins. I do not think there have been too many pieces of legislation for which I have been in the Chair for so much time. There were more than 90 amendments on Committee Stage and a further 65 on Report Stage and I happened to be in the Chair for more of the debate than almost anyone else. That possibly might just have happened by coincidence. At one stage the snow slowed down the Bill a little, but it is good that it has been passed before the recess. I thank all of the participants, particularly the Minister, and all of his staff for their co-operation. It is good that the Bill is now to be brought to the other House where I hope it will be passed in time to meet the deadline which I believe is sometime in May. I again thank the Minister and his staff and all Senators for their co-operation.

Question put and agreed to.