Select Committee on Justice and Equality debate -
Wednesday, 2 May 2018

I move amendment No. 1:

In page 11, between lines 19 and 20, to insert the following:

“ “scientific research purposes” means scientific research carried out by research staff who have full autonomy in determining both the object of study and the methods of inquiry;”.

Section 39 provides general permission for the processing of personal data for a range of what might be called historical purposes, subject to suitable and specific measures being taken to safeguard the data, which measures are outlined in another section. Section 51 takes that slightly further, saying that so long as the processing is necessary and proportionate and also subject to suitable and specific measures, special categories of personal data, which we are going to be discussing a lot, about ethnic origin, political opinions, health, sexual orientation and so on, can be processed for research, historical and archiving purposes. What these sections mean at the most basic level is that using someone's data without his or her consent for research or scientific purposes is allowed. Section 58 then restricts the type of research or archiving processes. Some of the rights that people have in regard to their own data under the GDPR, for example, may be the right to have inaccurate data about them corrected, the right to object to processing and so on. In general, all that is fine because there are strong public interest reasons for doing research and archiving. Certainly in the case of archiving, it may literally be impossible to get consent because the data involved may belong to somebody whose whereabouts are not known.

However, there is a slight concern that "scientific research purposes" are not defined in the Bill. In other countries, Germany for example, there is a tradition of requiring research to be completely independent of any corporate influence in order to be considered scientific. Independence is generally understood as the research staff having full autonomy in determining both the object of the study and the methods of inquiry. In Germany, therefore, corporate research and analytics are unlikely to constitute "scientific research" within the meaning of the GDPR.

Our concern is that, particularly in the context of very sophisticated multinationals operating in Ireland, while we do not have this traditional understanding of scientific research, we do have a traditional deference to multinationals. This could give rise to a broad interpretation of what "scientific research" constitutes. Particularly because we are talking about the most protected types of personal data, we have to make sure this does not happen.

We think this is a small amendment. We want to make sure the data being exempted in these circumstances are being used for truly scientific purposes, in order to serve the public interest and make the world a better place. In such cases, using data without permission is fine. However, if data are being used with a view to manipulating us more efficiently through marketing dressed up as scientific research, I do not think it should be included. We think it is a minor amendment but very important nonetheless.

Not really. We will try to avoid duplication as much as we can. Without a definition, the use of the term "scientific research" is a bit loose and could be open to abuse where the processing of data can be justified on the basis of compromised or biased research that is not fully autonomous or independent, or where the co-called scientific research is not really research at all but a disguised excuse for the processing of data.

I should have said at the outset that I am accompanied this morning by my officials, Mr. Seamus Carroll and Ms Noreen Walsh. I acknowledge their ongoing work in this regard.

I mentioned the issue regarding the GDPR itself. I cannot accept the definition of "scientific research purposes" proposed by Deputy Daly. While it does appear in several articles of the GDPR, the term is not defined there. It would not be appropriate for us here to elaborate on such a definition. However, there is a strong likelihood that there will be guidelines from the European Data Protection Board on this precise issue. That is where the definition is most likely to be produced and it would be more appropriate for it to come from there. I am not in a position to accept the amendment. While Deputy Daly considers it to be a minor amendment, it could have significant consequences. The more appropriate course of action is to wait for the guidelines from the European Data Protection Board.

Taking sections 39 and 40, if we are to define scientific research purposes, we should also define historical research purposes, statistical purposes, academic, artistic or literary expression. One cannot have just one definition of one type of exemption. A court which looks at it will know what scientific or historical research is. If it is the data commissioner, they should be aware of it in order to exclude any fake research purposes which are not really scientific. On balance, I do not favour having a definition of scientific research only if we are going to leave out specific definitions of the other.

If that is the objection. I think that it is an important point, albeit a small one. We cannot be cavalier about data. Let us remember that what we are talking about here is the most private, red flag, data. We know there are huge amounts of money to be made here. These are very serious issues. These are big money interests and we need to be careful.

I move amendment No. 2:

In page 12, line 2, to delete “shall be deemed” and substitute “shall, other than for the purposes of sections 103(3) and 139(2) and (3), be deemed”.

The purpose of this group of amendments, which are technical in nature, is twofold. First, the amendments to subsections 1 and 2 of section 3 provide that where, as permitted by section 3, an appropriate authority under the Civil Service Regulation Act 1957 designates a civil servant as its controller, any action taken by a data subject to seek compensation for a data protection infringement and any administrative fine imposed by the data protection commission, shall be taken against or imposed on the appropriate authority rather than the designated civil servant. This is the purpose of amendments Nos. 2 to 4, inclusive, 134 and 185. These changes arise largely because of the acceptance by the Seanad of my proposal to permit the imposition of fines of up to €1 million on public authorities and bodies. In the case of administrative fines and compensation claims, the recipient will be the public authority concerned rather than the individual acting as its data controller.

Secondly, the purpose of amendment No. 4 is to insert a new subsection 3 into section 3 of the text which is carried over from section 13(c) of the 1988 Act.

I move amendment No. 3:

In page 12, lines 8 and 9, to delete “shall be deemed” and substitute “shall, other than for the purposes of sections 103(3) and 139(2) and (3), be deemed”.

I move amendment No. 4:

In page 12, between lines 10 and 11, to insert the following:

“(3) For the purposes of this Act and the Data Protection Regulation—

(a) where a designation by the relevant appropriate authority under subsection (1) is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(b) where a designation under subsection (2) is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(c) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the Commissioner of the Garda Síochána.”

I move amendment No. 5:

In page 12, to delete lines 35 to 38, and in page 13, to delete lines 1 and 2 and substitute the following:

“(2) Every regulation made under a provision of this Act, other than under sections 48, 57 and 70 shall be laid before each House of the Oireachtas as soon as may be after it is made.

(3) Either House of the Oireachtas may, by a resolution passed within 21 sitting days after the day on which a regulation is laid before it under subsection (2), annul the regulation.

(4) The annulment of a regulation under subsection (3) takes effect immediately on the passing of the resolution concerned, but does not affect the validity of anything done under the regulation before the passing of the resolution.

(5) A regulation may be made under section 48, section 57, and section 70 only if—

(a) a draft of the proposed regulation has been laid before the Houses of the Oireachtas, and

(b) a resolution approving the draft has been passed by each House.”.

This amendment is fairly self-explanatory. It is designed to provide checks and balances and an extra layer of protection for any future legislation or regulations introduced by a Minister. The Bill, like most Bills, gives the Minister considerable power to introduce future regulations. It is hard not to be concerned about what this Government or another Government might introduce via statutory instrument given recent attitudes to data rights, which have not been great. We feel that introducing these protective measures is common sense.

Amendment No. 5, with consequential amendments Nos. 74 - which is not in this group for some reason - 96 and 111, to sections 48, 57 and 70 are absolutely crucial in our opinion. In discussing them, I will touch on some of the more controversial issues in this area. While my introductory remarks might be somewhat lengthy, that will not be repeated across the afternoon. I want to raise some general points now, which will save me from making them later, because they are key.

In all the debate around the Bill, the power of the Minister to make regulations after the fact, with no Oireachtas oversight, governing the processing of personal data or special categories of data, and restricting people's data rights has probably generated the most controversy, and is much more important than the age of consent in its implications.

At present, section 48 allows a Minister, or effectively a Department, to do the following: to designate some purpose - essentially anything - as being in the substantial public interest and make regulations allowing someone - presumably anyone - to take information about people's sexual orientation, sex life, political opinions, trade union membership and so on, as well as their genetic and biometric data and to do who knows what with it for the purpose of fulfilling some substantial public interest that we do not yet know about.

Section 57 proposes that the basic rights in the GDPR contained between Articles 12 to 22, and Article 34 can all be restricted for the purposes of what is called the general public interest. Section 57 contains a list of things relating to what the general public interest might be but it is not exhaustive and any Minister can designate by regulation basically anything as being in the public interest.

With regard to section 70 and the reason we tabled those amendments, let us look at section 48 as an example. This section allows for the processing of special categories of data such as health, sexual orientation and so on by whichever entity the Minister decides on for reasons of public interest so it could be, for example, that the Department of Employment Affairs and Social Protection decides it is going to create a database of people's ethnicity in order to combat fraud. It comes up with some sort of internal policy paper that links ethnicity and social welfare fraud and relates higher levels of fraud among some ethnic groups. The Minister then designates the prevention of social welfare fraud as being a substantial public interest and the Department comes up with regulations, gives a nod to the section, the Minister signs off and lo and behold, we have racial profiling and it is legal. A database is created about the riskiest ethnic groups who are targeted for invasive procedures. It might sound dramatic but that would be lawful at the moment.

I know the Minister will tell me that the provisions in subsection 5 would protect against this but there is a problem with that. The problem is the Irish State's record of data protection. We know it from the public services card and the primary online database. We know it not just from international problems but internationally. We must put this discussion in context. We do not have a good reputation for data protection. In 2015, the former German federal commissioner for data protection put it bluntly when he told The New York Times why Internet businesses go to Ireland. He said:

Of course Facebook would go to a country with the lowest levels of data protection. It's natural they would choose Ireland.

We have also seen how our data retention regime has been the subject of significant legal issues going back more than ten years with Digital Rights Ireland cases; the constitutional challenge; having our data retention laws struck down in national constitutional courts in Germany, Bulgaria and Romania; the Tele2 case; and the Murray judgment. We must look at our record in this issue because the State continues to fight on it. Not only that, when we were presented with the Communications (Retention of Data) Bill as late as last year, it fell short of the Murray recommendations and the requirements in European law in the form of Tele2 and the European Convention on Human Rights so that is the context in which we must look at this Bill.

Our proven approach to this issue involves trundling along until we are forced by the European Court of Justice to derogate from that. Our proposal simply says that against this backdrop, and this is what all these amendments are about and we really see them as one of the most important bits, it is necessary that the Oireachtas has some kind of rules around the processing of the most sensitive types of data because that is what we are talking about. We need to have some democratic oversight and not a Civil Service free-for-all. Therefore, our very reasonable proposal is that when a Minister wants to make regulations under section 48 allowing the processing of the most sensitive kinds of data, they must ask the House to approve it. I do not think that is dramatic.

Our proposal in respect of section 70 is similar. That deals with the processing of sensitive data by competent authorities and other bodies specified in law for criminal justice purposes. The last section where we think this positive resolution procedure should apply is section 57. I mentioned earlier that section 57 allows for the restriction of rights under Articles 12 to 22 and Article 34 for what is called the general public interest. It lists 14 indicative objections of the general public interest. These are investigating ethics breaches in regulated professions, identifying assets derived from crime, ensuring the effective operation of immigration and so on. Look at the 14 objectives and in two seconds, one will be able to name the lobby group in each case which argued for the inclusion of its own objective in terms of this section. In the case of each of the 14, the Minister is allowed under the section to make regulations restricting rights under Articles 12 to 22 and Article 34. Under this section, any Minister is also allowed to designate new objectives as being of general public interest. All of this restricting and designating will take place behind closed doors with no democratic oversight or accountability. This section essentially means that Government Departments will be the judges of what rights individuals should have against them and their agencies without any need for legislation. These are rights people have under European law and the GDPR.

When we were here during pre-legislative scrutiny, the chair of Digital Rights Ireland, Dr. T.J. McIntyre, put forward the idea of a positive resolution being necessary before any regulations are passed in the more controversial sections as one of the ways to mitigate against many of the wrongs in this Bill. This is exactly what we are doing with this group of amendments. At a previous meeting of the committee, Mr. Simon McGarr said, "I do not think we should allow for an unqualified right of a Minister to provide for exemptions from European law at the stroke of a pen by way of a statutory instrument regardless of whether that is attractive to the Executive as a method of providing for regulatory activity." Contrary to how much of the media focus has been around this Bill, this is actually one of the key provisions in it and we take it very seriously, which is why I took the extra time in making my introductory remarks.

We will be supporting the amendment in the name of Deputies Daly and Wallace. Like Deputy Daly, I will make some points to which I will refer after the fact rather than repeat in respect of various amendments because they apply to a number of them.

One of the primary criticisms of this Bill is the length of it and the extent of the exemptions and the scope for regulation. In a general sense, the principles of the GDPR are quite strong and represent progress in terms of data protection in Europe, although I am sure the general public is sick and tired of the GDPR, emails and so on.

This legislation has been the subject of significant criticism for a number of reasons. At the outset, the Minister said that the GDPR generally has direct effect and that it would create problems where the Irish legislation will come into conflict with it. I would say that the legislation as currently drafted, and very likely some of the Minister's amendments, are in conflict with the GDPR and there will be contradictions at the behest of the Government between the GDPR and the Data Protection Bill. This will result in litigation, which is very problematic in itself because it will create a lack of certainty regarding data protection.

However, I would also be very concerned about the very substantial and wide discretion the Minister is being allowed in the creation of regulations. That is the reason we put forward and had amendments passed in the Seanad about seeking impact assessments of the proposed processing of special categories of personal data. I recognise that some progress was made regarding the qualification that it be necessary and proportionate as opposed to simply being necessary, which was the previous provision. That is a step forward but the potential categories of exemptions are still very wide and allow the Minister too much discretion.

I made the point on Second Stage that the Bill uses the term "public interest" in excess of 20 times but there is no definition of public interest. There is a definition in the GDPR. Article 9.2(g) states that the public interest should "respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject." The fact that this area is not defined in this Bill is a problem, particularly where the public interest is referred to so many times as the basis for exceptions and scope for regulation.

In a general sense I have a problem with the Bill's approach that something "shall be lawful, except where...", whereas in the GDPR the approach is that something "shall not be lawful, except where..." The presumption is in the opposite direction. I have concerns about numerous sections. I am likely to oppose sections 37, 45 and 57 on these and other bases.

I will try not to repeat those points. I thought it would be useful at the outset to outline the basis for that. Safeguards, such as the proposed positive resolution by the Houses of the Oireachtas, are important to safeguard people's data protection rights, and to reduce the impact of the numerous exceptions and substantial discretion the legislation gives the Minister.

It seems clear that the Deputies are trying to draw a distinction between regulations made under sections 48, 57 and 70, and those made under other sections of the Bill. In the case of regulations made under sections 48, 57 and 70, it is proposed that draft regulations be laid before the Houses and would not take effect until they have the approval of both Houses. Deputy Clare Daly described it as a bit dramatic. I do not believe that such a heavy approval procedure for regulations is justified. We see here a proposal to depart from the accepted practice and procedure for the purposes of drafting regulations in accordance with our legislative programme. I do not believe it is either necessary or proportionate to depart from accepted procedure.

In all cases, as is made clear by the relevant sections, the regulations will permit data processing only insofar as necessary and proportionate to the aim sought to be achieved. I draw members' attention to the threshold we have set out clearly in sections 48(6), 57(10) and 70. Any processing must be necessary for reasons of substantial interest.

It might be useful to look at some of the examples under the 1988 Act, which have been introduced over the years. I refer particularly to SI 426/2016, which was made to permit the processing of sensitive personal data by the Garda Commissioner for the purposes of assisting the Northern Ireland historical institutional abuse inquiry. Shortly thereafter SI 427/2016 was made to permit the processing of sensitive personal data by the Garda Commissioner for the purposes of the coroner's inquest in Northern Ireland into the death of Arlene Arkinson. Earlier SI 240/2015 was made to permit the processing of sensitive personal data by the Garda Commissioner in order to provide assistance to the coroner's inquest in Northern Ireland into the death of ten people at Kingsmill in County Armagh. SI 486/2011 was made to enable sensitive personal data to be disclosed and processed by the committee chaired by former Senator Martin McAleese to establish the facts of the State involvement in the Magdalen laundries.

Any regulations made under section 48 must be lawful, necessary and proportionate. Adherence with these thresholds will be overseen by the Office of the Attorney General when providing legal advice, as that office does to all Departments on the matter of the drafting of the content of regulations. In all cases the Departments concerned will be required to consult with my office and also with the Data Protection Commission.

I believe we have sufficient safeguards. I am not convinced that the onerous and cumbersome procedure outlined in the amendment is either necessary or justified.

The problem is that what the Minister refers to as sufficient safeguards come from the same Department. That is not personalising it. Anybody who believed that our other data protection legislation was also sufficient when we have been found to be hugely wanting and acting unlawfully for a number of years needs to see this discussion in that context. The Minister is basically saying this would be too cumbersome and we do not need it, and it would be too difficult to have that type of-----

We think it is utterly necessary. There are ways of dealing with this very comprehensively. We have to see it in context. We are talking about the most sensitive data in most instances. These are the data covered under equality legislation and so on, all the categories on which a person could potentially be discriminated against. That is why it is particularly important that they are given extra protections and so on.

We can look at what happens in other countries. We need to consider the time implication of an oversight role for committees or the Dáil, which might be onerous. One answer to that might be to consider setting up an Oireachtas data protection committee to scrutinise regulations made under this Act. The UK has a digital affairs committee and Germany has a similar one. Nothing is stopping us from creating one given our position as data regulator now for most of Europe because of all the major technology companies having their headquarters here. It is incredible that we do not have a data protection committee and that should be considered.

Depending on how it falls, we will also support Sinn Féin's proposal to oppose the section completely. We see this as a halfway house that would be a better solution.

It is important to remember that when a Minister makes a regulation, he is making law. We refer to it as being secondary legislation, but in effect any Minister when signing a statutory instrument is changing the law. It is common in every Act that a Minister may make regulations pursuant to the purposes of the Act.

Deputy Daly's amendment is not enormously controversial. The first part proposes the system, which operates consistently under our laws, whereby a regulation introduced by a Minister by way of statutory instrument can, by a vote of the Oireachtas, be reversed if it does so by resolution within 21 days. That feature is contained in so much legislation because it gives a legislative basis and a justification to what the Minister is doing. I am sure if it was challenged in the courts that a Minister is making law and is not entitled to make law when, in fact, the Oireachtas is the body that makes law, the argument would be made that there is an ability within the legislation for the Oireachtas to set aside that law. There is nothing unusual about that. The first three parts of Deputy Daly's amendment are consistent with what operates in other legislation.

It differs in identifying in respect of sections 48, 57 and 70 a slightly different method of Oireachtas approval of any statutory instrument.

Oireachtas approval requires that a draft of the regulation must be laid before the Houses of the Oireachtas, and a resolution approving it must be passed by the House. Instead of retrospective disapproval, it is prospective approval. No matter what it is, the Oireachtas must have a role in any statutory instrument that a Minister issues. The Oireachtas must have an ability to set it aside. I see no difference in the Oireachtas having an ability to approve it in advance. I listened to the contribution from the Minister. The Minister's contention is that he is not convinced that this onerous obligation that would be placed to the Oireachtas is necessary or proportionate, that it is not justified. I do not look at it that way. The Oireachtas is the law-making body within the State. The Oireachtas stands in a position of supervision over statutory instruments that are issued by a Minister. There can be situations where there is retrospective disapproval, as exists already. Why not put in a system of prospective approval? I think we need to recognise something. I am not aware of any time in the history of the State when a statutory instrument was reversed by resolution of the Oireachtas, so maybe we should be looking at a more prospective method of approval of statutory instruments. On the basis of what I have heard, I will be supporting the amendment.

To my mind, if I followed what just happened there, we have fundamentally thrown away the book on how a Minister makes a statutory instrument. Effectively it will be the Oireachtas that will have to give prior approval to statutory instrument. As such, the system of statutory instruments as we now understand it, with a review capability for the Oireachtas, will be gone. The ability to use statutory instruments in the manner in which they have been used right across the board will actually be replaced. We must think about the reality of what happens, which is that committee time must be found, processes must be in place and time within the Oireachtas must be found. We are taking out a process that was designed to enable a sometimes quite speedy reaction. We are replacing that with what will effectively be a legislative process through the Oireachtas. I would like clarity on whether I am correct in that. We are making a very major change to statutory instruments. What are the implications of that for all statutory instruments right across the board?

I wish to respond to that. It is not directly analogous, but every year there is a resolution to renew the Offences Against the State (Amendment) Act 1998 and the Criminal Justice (Amendment) Act 2009. There are regularly resolutions on the transposition of European legislation and on the approval of conventions. Some of those motions are taken with debate, some are taken without debate. I think it would be reasonable that many regulations the Minister would seek to make under this legislation would be put to the House without debate, but there are very many exceptions. I refer to situations where the implications for the public could be very considerable and would justify debate. To a lot of people this may seem dry and in many situations it is, but it has very serious potential implications. It has been well outlined. Relevant information may include people's political opinions, their sexual orientation, their background, their history, all that kind of stuff. That information is very important and personal to people and needs to be guarded safely and securely. As such, I do not think it is unreasonable, where the Minister is seeking to make regulations that might have such significant impact, that such a resolution should be put to the House and debated before being passed.

I think the Deputies are overstating the position. Under law the Oireachtas has a power and authority at any time to overturn, reject or set aside any regulatory framework. I do not have figures on the number of times that has been exercised against a Government over the years. In fact, it may not have happened at all. I merely want to assure the committee that the process is there. Whether at some future time the Houses of the Oireachtas decide to introduce new committees is entirely a matter for the Oireachtas. We can see the manner in which the whole committee system has evolved in recent years. In accordance with this piece of legislation, there will be an element of interaction between Government and committees in the normal course. There is already a process which will involve the Oireachtas and enable it to exercise appropriate scrutiny and exercise power and authority to reject, overturn or set aside. My difficulty here is that I believe the safeguards already enshrined in law and already included in this piece of legislation are sufficient to allow for the level of engagement that Deputy Daly and Deputy Wallace seek. The amendment, however, seeks a positive resolution, which from time to time can be particularly onerous. It is not necessary in the circumstances, having regard to the manner in which instruments are drawn up, agreed by Government on the advice of the Attorney General, laid before the Houses of the Oireachtas and dealt with here, as I am sure this committee has, within the statutory period of 21 days. My point is that I see a sufficient body of safeguards there. I am not convinced that we need to introduce a new mechanism in the form of a positive resolution, which may from time to time prove to be unduly heavy in the matter of regulation under these sections.

I move amendment No. 6:

In page 13, line 17, to delete “The enactments specified” and substitute “Subject to subsection (4), the enactments specified”.

Amendments Nos. 6, 7 and 8 are essentially drafting amendments to sections 7 and 8 of the Bill. I do not believe they require elaboration.

I move amendment No. 7:

In page 13, to delete lines 19 and 20 and substitute the following:

“(4) The repeals and revocations effected by this section shall not apply for the purposes of subsection (2) of section 8.”.

I move amendment No. 8:

In page 13, lines 22 to 24, to delete all words from and including “(1) Subject” in line 22 down to and including line 24 and substitute the following:

“(1) Subject to subsection (2), the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data other than the processing (within the meaning of that Act) of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State.”.

I move amendment No. 9:

In page 15, between lines 5 and 6, to insert the following:

"(3) The Commission is designated for the purposes of Chapter IV (Mutual assistance) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981.

(4) The Minister may, following consultation with the Commission, make any regulations that he or she considers necessary or expedient for the purpose of enabling Chapter IV (as referred to in subsection (3)) to have full effect.".

Amendment No. 9 proposes to insert new subsections (3) and (4) in section 12 to ensure the existing obligation in section 15 of the 1988 Act, which provides for mutual assistance under the Council of Europe's data protection convention, to other non-EU parties to the convention will continue to be undertaken by the new data protection commission. The provision was overlooked during the initial drafting process. Amendment No. 248 amends the Long Title of the Bill to include reference to the convention.

I move amendment No. 10:

In page 15, to delete line 37 and substitute the following:

"(4) Any and all investigations ongoing or commenced by the Data Protection Commissioner shall continue under the aegis of the Data Protection Commission as of the establishment day without interruption.".

There is a slight drafting error in the amendment and I am not sure it will be possible to press it. Rather than a proposal to delete section 14, it should appear as a new section 14(4). It might be necessary to reintroduce the amendment on Report Stage albeit it is a slight matter. I will elaborate on the amendment which in any event is a minor one. The intention is to ensure that any open cases do not fall and for the avoidance of any doubt that all powers will be transferred from the existing commissioner to the new data protection commission. Any ongoing investigations would be preserved and not lapse.

I move amendment No. 11:

In page 16, to delete lines 14 to 16, and substitute the following:

"(5) Subject to subsections (6) and (7)*, the Public Appointments Service shall recommend a person for appointment as Commissioner following an open selection competition held by the Service for that purpose.".

There are two amendments in my name in the grouping, namely amendments Nos. 11 and 14, both of which concern section 15 of the Bill dealing with membership of the commission. I commend the Minister on having a commission of only three people rather than 17. It makes sense to have a small commission. My specific proposal relates to section 15(5) which currently provides that one of the three commissioners will be appointed following a selection process. I propose that we will have an open selection competition. It mirrors in many respects the provision contained within the Garda Síochána (Amendment) Act in respect of a Garda Commissioner. I am interested to hear what the Minister has to say in respect of the proposed introduction of a competition process. I am not irreversibly wedded to it but will look to hear what the Minister has to say.

Amendment No. 14 proposes a requirement that one of the members of the selection panel selecting the commissioners should be nominated by the chair of the European Data Protection Board. It is important to recognise that the function of the commission means commissioners must have strong expertise given the issues of data protection with which they will be dealing.

I could not share all of my light moments with the Chairman. The purpose of our amendments is to introduce openness and transparency in the recruitment process for the position of commissioner. We seek to ensure that the appointment involves an open competition. Our proposed section 15(7), in particular, is intended to introduce expertise from the European Data Protection Supervisor to the selection process so that the commissioner might be appointed by someone with expertise in the field. Deputy O'Callaghan's amendment No. 14 makes the same suggestion.

Our amendments are similar to Deputy O'Callaghan's except that we add two further criteria to the process of appointing a Data Protection Commissioner. Deputy O'Callaghan's wording in amendment No. 11 is better than ours in amendment No. 12. As such, we will not press our amendment No. 12 but will rather support his amendment No. 11. They are trying to achieve the same end.

The amendments propose to make it an explicit requirement that an open competition for the position of data protection commissioner would be held. For the purpose of the process, we propose that the PAS must appoint someone from the European Data Protection Supervisor to the selection panel. Deputy O'Callaghan's proposal is more or less the same except that he proposes it should be someone nominated by the European Data Protection Board, which, when it is formed, will consist of the heads of the data protection authorities in each member state. We are somewhat agnostic as to which body would be better placed to nominate someone to sit on the selection panel. However, we have a concern that if it is someone from the EDPB, it could be just the incumbent Irish Data Protection Commissioner rather than an outsider. We are trying to get an outsider onto the selection panel. That is not a matter of disrespect to anyone in Ireland, but is rather to get some fresh blood and fresh thinking into the appointments process. That will be particularly important for this role. A similar provision exists in the Irish Human Rights and Equality Commission, IHREC, legislation around the appointment of members. I presume that was inserted because of the huge importance of the organisation which deals with issues with a European and international context. We have to see this in the context of the unique importance of the job given the number of companies located here which we will have to monitor.

The other two amendments are on the detail of advertising vacancies and a provision that no one should be appointed unless the Public Appointments Service and the Government agree he or she is suitably qualified for such an appointment by reason of possessing such relevant experience, training or expertise as is appropriate having regard in particular to the functions conferred under this Act. We presume it is intended to advertise vacancies publicly, but the fact that is not specified is a concern.

There are eight amendments in the group, one of which is gone. Section 15 deals with the membership of the proposed Data Protection Commission. My amendments Nos. 16, 17 and 18 merely insert a new paragraph on the matter of the retirement age of a commissioner under subsection (9). As regards the appointment of commissioners, section 15 allocates the task of making a recommendation for appointment as a commissioner to the Public Appointments Service. Indeed, committee members will be aware that PAS acts independently of Government and is responsible for the preparation of job specifications, advertising competitions, screening applicants and assembling interview boards.

It is fair to say that the service discharges these tasks in a most efficient manner. With regard to the process to appoint the current commissioner, I understand that efforts were made successfully to attract suitable applicants from outside the State. I believe a high-ranking member of an external data protection authority was involved in the final selection process. Deputy O'Callaghan suggested that an open selection competition be held. As I understand it, that is the normal modus operandi of PAS. With regard to the proposal that the chair of the European Data Protection Board, EDPB, should nominate a member of the selection panel, it is not clear if the Deputy has inquired as to whether this is a task that that chair might, in the circumstances, be willing to undertake. It would be unusual and, I dare say, impolite at the least, if we were to impose a task on the chair of the European Data Protection Board without consulting about the matter or indeed reaching agreement with that office beforehand.

With regard to the amendments of Deputies Daly and Wallace, similar considerations apply. They suggest that the European Data Protection Supervisor, rather than the chair of the EDPB, should nominate a member of the panel. It is not clear if there has been any consultation or agreement on the matter of such involvement. I welcome the principle of external participation. I am concerned about what would happen if the positions of the chair of the European Data Protection Board or European Data Protection Supervisor were vacant for a period. Such vacancies would be outside our control. Presumably, it would mean that the selection of a commissioner cannot proceed until that European position is filled. I have the impression, which I think is fair and reasonable, that the filling of these positions may take some time because of the involvement of the various institutions of the community. We have experience of that from the past. The proposed subsection (10) as tabled by Deputies Wallace and Daly would appear to require the Government to satisfy itself that the Public Appointments Service nominee is suitably qualified and has the necessary experience, expertise and training. I am concerned about any undue interference or suggestion that we are revisiting the PAS process after the event. We all know about the difficulties of perceived politicisation of these appointments. I am not sure if this is a desirable step. I would have a difficulty with it. I would also add to that difficulty that it is in conflict with the GDPR in any event. I have a problem with amendment No. 15 but I am willing to look at amendments Nos. 11 to 14, inclusive. I will look at the overall content of section 15 but I ask members to give careful consideration to the points that I make.

I support the tenor and principle of all those amendments. They are valuable. My preference, between amendments Nos. 14 and 15, would be for the European Data Protection Supervisor as opposed to the European Data Protection Board. Will the Minister clarify in what regard No. 15 is contrary to the GDPR?

We are discussing the appointment of three people to be commissioners on the Data Protection Commission. It goes without saying that they have to have expertise and to be people who are suitably qualified and understand the whole area of data protection. I know in certain areas of life and indeed government, there is a tendency to try to get away from expertise but expertise is required in this situation. I will press amendment No. 11. I think it will be of benefit if there is an open selection competition because it is an issue where expertise is required. I have not heard a convincing argument from the Minister as to why amendment No. 11 should not be pursued. I am sort of agnostic between amendments Nos. 13 and 14, the European Data Protection Board and the European Data Protection Supervisor. On balance, I would go for the amendment from Deputies Daly and Wallace, No. 13, so I will withdraw my own amendment No. 14.

On Deputy Ó Laoghaire's point, looking at amendment No. 15 where Deputy Daly has stated, "A person shall not be recommended for appointment by the Government under this section unless the person is, in the opinion of the Service and the Government agrees, suitably qualified", I am not so sure about the agreement of the Government. On balance, I think it is best left as is. I am not sure of the extent to which we should second-guess the independent Public Appointments Service by seeking further agreement.

I move amendment No. 13:

In page 16, between lines 16 and 17, to insert the following:

“(6) The Service shall, subject to subsection (7), appoint a selection panel.

(7) Of the members of the selection panel, one of them shall be nominated by the European Data Protection Supervisor.”.

As the full membership of the committee is not present, under Standing Orders we are obliged to wait eight minutes or until full membership is present before proceeding to take the division.

I welcome Deputy Shortall.

I move amendment No. 16:

In page 16, line 34, to delete “and”, where it secondly occurs.

I move amendment No. 17:

In page 16, line 36, to delete “business.” and substitute “business, and”.

I move amendment No. 18:

In page 16, between lines 36 and 37, to insert the following:

“(d) cease to be a Commissioner on reaching the age of 70 years, but where the person is a new entrant (within the meaning of section 2 of the Public Service Superannuation (Miscellaneous Provisions) Act 2004) the requirement to cease to be a Commissioner on grounds of age shall not apply.”.

I move amendment No. 19:

In page 18, between lines 17 and 18, to insert the following:

“Acting Commissioner

18. (1) Where one Commissioner only stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during any period when that Commissioner is absent from duty or absent from the State or is, for any other reason, unable to perform the functions of a Commissioner.

(2) Where a vacancy occurs in the office of Commissioner and no Commissioner stands appointed for the time being under section 15, the Minister may authorise a member of staff of the Commission to perform the functions of a Commissioner during the period of that vacancy, but an authorisation under this subsection shall cease upon the appointment of a Commissioner under section 15 whether or not such appointment was made for the purpose of filling that vacancy.

(3) An authorisation under subsection (2) shall not remain in force for a period of more than 6 months unless the Minister is satisfied that it is not reasonably practicable for an appointment under section 15 to be made within that period, in which case he or she may extend that period by such further period as he or she is satisfied is a period within which it is reasonably practicable for an appointment to be made under that section.

(4) The Minister may at any time terminate an authorisation under this section.

(5) A member of staff of the Commission in respect of whom an authorisation under this section is in force may perform the functions of a Commissioner under this Act, and, for that purpose, references to a Commissioner in this Act (other than in sections 15(3), 17(2) to (8) and 22) shall be construed as including references to such member of staff.”.

Section 18, dealing with the issue of an acting commissioner, provides for the appointment of a member of staff of the commission as an acting commissioner for the duration of any period of absence or incapacity by the commissioner. This could arise where there is only one commissioner.

Amendment No. 19 will replace the entire text of section 18 with more detailed provisions. Subsection (5) provides that while an acting commissioner may generally perform the functions of the commissioner under this Act, this will not apply in the case of certain excluded provisions.

Amendment No. 20 inserts a revised text of section 20 which concerns staff currently assigned to the Office of the Data Protection Commissioner. It assigns such staff to the Data Protection Commission on the day of its establishment and will permit the formal transfer of staff to the commission at a future date. I expect that such transfer will coincide with the designation of the commission as an appropriate authority under section 2 of the Civil Service Regulation Act 1956, as provided for elsewhere in the Bill. Amendments Nos. 21 to 24, inclusive, are minor drafting amendments to section 22.

I move amendment No. 20:

In page 19, between lines 26 and 27, to insert the following:

“Assignment and transfer of staff to Commission

20. (1) Every civil servant who, immediately before the establishment day, stands assigned to act as a member of staff of the Data Protection Commissioner shall, on the establishment day, stand assigned to act as a member of staff of the Commission.

(2) The Minister may, as he or she considers appropriate, designate in writing such and so many persons who stand assigned under subsection (1) to act as members of staff of the Commission to become and be members of staff of the Commission on and from such date as the Minister may specify in the designation (in this section referred to as the “effective date”).

(3) A member of staff designated in accordance with subsection (2) shall become and be a member of staff of the Commission on and from the effective date.”.

I move amendment No. 21:

In page 20, line 10, to delete “a scheme under subsection (1)” and substitute “a scheme made under subsection (1)”.

I move amendment No. 22:

In page 20, line 13, to delete “a scheme under subsection (1)” and substitute “a scheme made under subsection (1)”.

I move amendment No. 23:

In page 20, line 16, to delete “A scheme under subsection (1)” and substitute “A scheme made under subsection (1)”.

I move amendment No. 24:

In page 20, line 22, to delete “A scheme under subsection (1)” and substitute “A scheme made under subsection (1)”.

I move amendment No. 25:

In page 21, between lines 5 and 6, to insert the following:

“(3) Subject to subsections (4), (5) and (6), subsections (1) and (2) shall cease to have effect on the date of the coming into operation of section 165.

(4) The Commission shall, in respect of the period specified under subsection (6), prepare final accounts of the Commission.

(5) The Commission shall submit the final accounts prepared under subsection (4) to the Comptroller and Auditor General for audit not later than 3 months after the date of the coming into operation of section 165.

(6) For the purposes of subsection (4), the Minister may specify a period that is longer or shorter than a financial year of the Commission.”.

The provisions of section 23 relating to annual accounts of the Data Protection Commission will no longer be appropriate when the commission has its own separate Vote. That will happen in due course under the later section 170 and later amendment No. 206.

Amendment No. 25 is a technical amendment which inserts a number of new subsections in section 23. The new subsection (3) will discontinue the application of subsections (1) and (2) of this section on the entry into force of section 170 as set out in the later amendment No. 206. Subsections (4) to (6), inclusive, incorporate provisions relating to the final accounts of the commission for the period prior to it obtaining its own Vote.

I move amendment No. 26:

In page 23, between lines 14 and 15, to insert the following:

“Data-harvesting, micro-targeting and profiling of children for financial gain

30. It shall be an offence under this Act for any company or corporate body to collect, collate, or store data pertaining to a child as defined by section 29, for the uses of profiling or micro-targeting, for the purposes of financial gain. Such an offence shall be punishable by an administrative fine under section 139.”.

There are a number of similar amendments in this group so we will have to decide on the best approach. The intention behind each amendment is similar. We are discussing two elements: the age of digital consent and the area of micro-targeting of children. Children are defined in this legislation as persons under the age of 18. The general data protection regulation, GDPR, allows for some discretion as to whether 13 or 16 is the digital age of consent. There will be consensus on the fact that there are enormous risks and dangers in terms of the cynical professional targeting of children by corporations. They seek to take advantage of children to sell them goods and services. Many of these products and goods are harmful, either in general or when taken to excess. There are huge dangers and there are many young people in particular who are not aware of the extent to which their data is being gathered, the profile that is being built up on them and the way it is being used to exploit them. It is reasonable to say that people under the age of 18 should not be micro-targeted in this way and they should be protected from that form of advertisement, which is often very cynical and exploitative.

I will be supporting amendment No. 27 with some degree of hesitancy. I take a contrary view to the Ombudsman for Children and the Irish Society for the Prevention of Cruelty to Children, ISPCC, with some trepidation. It is quite a complex area and is much broader than some of the discussion we have had hitherto which has focused on the area of predatory behaviour, which is not necessarily relevant to this. This area is focused very much on data protection and the protection of children from the exploitation and manipulation of their data. There is also a considerable body of opinion and expertise which has outlined the manner in which children are put at risk simply by the micro-targeting and the fact that at that age they will be in a position to give their consent to the giving away of their data.

I am supporting the amendment, but I believe we should keep it under review on an ongoing basis. If, as looks apparent, amendment No. 27 is carried, we need to keep a very open mind on it. We must be conscious that it is not a silver bullet. Some people will try to present this as an almost foolproof defence for people under the age of 16. It is vitally important that people are under no illusions as to the fact that people under the age of 16 will still be very vulnerable online, as will the population quite generally, and that there is a need for many additional measures, including the digital safety commissioner, which I have proposed and about which I have been in contact with the Minister for Communications, Climate Action and Environment. I have had a Bill passed on the issue of greater education for parents and children in schools and at home. Issues such as default privacy settings also need to be worked on. There is no digital age of consent at the moment. It will move from 13 to 16. We will support the amendment, but will add a health warning on the strength of that. I believe there is consensus on the micro-targeting aspect, and I urge the Minister to work with all the members of the committee and others outside the committee to ensure that this is done and done properly.

I wish to speak to amendments Nos. 27 and 30 in this grouping. Amendment No. 27 relates to the digital age of consent, which as it stands offers very little protection to children and young people, despite the fact that Recital 38 notes that, "Children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned." Article 8 of the GDPR provides very little specific protection for children.

We are talking about a matter of contractual capacity rather than child protection. By lowering the age of consent we are setting the age far below the age we would expect young people to be capable of making informed decisions about their safety. Instead, we are allowing them to enter into an agreement with companies, which in turn will monetise their data and online activity. I believe most people would find that unacceptable. By raising the age we are placing the onus on the companies to introduce more robust age verification procedures and ensuring that parents retain a right to play a role in their children's online activities, however limited that role may be. There is a role for parents in the giving of contractual permission, and it should be retained, in my view, up to the age of 16.

The issue of the harvesting of children's data is much more important. It is covered by amendment No. 30. As the Minister will know, the Article 29 Working Party has clarified that the GDPR does not place an outright prohibition on the use of profiling tactics on children.

Recital 38 of the GDPR notes that specific protections should be put in place to protect children when their data is used for the purposes of marketing. Despite this, neither recital materially affects the text of Articles 8 or 22. We believe this is a significant failing of the GDPR, which should be addressed through our own domestic legislation.

The amendment that I have tabled today aims to achieve the same outcome as those submitted by Deputies Ó Laoghaire, Clare Daly and Wallace. However, Deputy Catherine Murphy and I have chosen to specifically prohibit profiling activity rather than all processing of data to ensure the scope of the amendment is tightly focused. I am not sure how practical it is to talk about prohibiting the processing of data. The other amendments in this regard talk about the processing of data. Data is processed for lots of different reasons and, therefore, there is a need to be more specific, in terms of this legislation, in outlawing the profiling for specific marketing and commercial purposes. That is what this amendment seeks to do.

It is noteworthy that in replies to parliamentary questions that the Minister has consistently stated that the Children's Rights Alliance favours setting the digital age of consent at 13. The group has called for the age limit to be introduced in conjunction with the statutory prohibition on the use of children's data for marketing purposes, which is an important point. We may argue about whether the digital age of consent should be set at 13 or 16 years of age but the more important issue is whether companies can target children's data for the purposes of marketing. The Children's Rights Alliance has been very clear about the matter. It believes that there needs to be a statutory prohibition on the use of children's data in this way. I note that this morning the Ombudsman for Children, Mr. Niall Muldoon, in an interview on "Morning Ireland" made exactly the same point. He argued for the age of consent to be set at 13 years but he said that the profiling of children and harvesting of their data for commercial purposes should be prohibited on a statutory basis.

I draw attention to the fact that the Irish Heart Foundation has called for a ban on the marketing of junk food to children to address the wholly inappropriate level of access, which online companies have through their media platforms. Last month, Mr. Chris Macey attended a meeting of the Oireachtas Joint Committee on Children and Youth Affairs. On that occasion he made a very strong plea when he said:

Junk food brands have achieved a wholly inappropriate proximity to children, pestering them relentlessly in school, at home and even in their bedrooms through their smart phones. It is called "brand in the hand" and it gives marketers constant access to children. Junk food marketing involves the world's best marketing brains in the biggest agencies relentlessly targeting children every single day. The damaging impact of overselling their products has created a market failure that the State must resolve. We know voluntary codes do not work. Sadly, the State's response has been feeble to date.

The Irish Heart Foundation has a specific concern about the relentless targeting of children for the promotion of junk foods. However, many brands and products are promoted. I think that the vast majority of people find it repugnant that online companies can target children in this manner. It is for that reason that the amendment proposes to outlaw the harvesting of children's data up to the age of 18.

The GDPR acknowledged that this sort of marketing is a real issue. In light of the text of Recitals 38 and 71, I believe that this amendment is fully in line with the intent of the GDPR and would significantly strengthen child protection measures in this Bill. I urge the Minister to support my amendment.

I have one amendment in this grouping and it is amendment is No. 27. Similarly to Deputy Shortall, my amendment seeks to change the age of digital consent from 13 years of age to 16 years of age.

As we are all aware, under the GDPR each country is given leeway as to what age it wishes to set the digital age of consent. Let us remember that it can be between 13 years and 16 years. There are arguments on both sides. Fianna Fáil has come down, on balance, in favour of setting the digital age of consent at 16 years. I shall give an overview as to the party's thinking on the matter. Obviously the Internet provides children with very many great benefits. It provides them with benefits in terms of their ability to access information. Even by using applications, or apps, it provides great advantages to children and helps them to keep in touch with groups such as football teams and allows them to co-ordinate their communication online. It is very beneficial.

The Internet also has very negative consequences such as children obsessively using the Internet and mobile phones. These are issues that go beyond the parameters of what is contained within the Bill that is before this committee today. We must recognise the fact that children are growing up exposed to levels of intrusion and information that none of us here was exposed to when we were growing up. There is a huge responsibility on parents when it comes to their children accessing information on the Internet and their use of social media apps. There is also a responsibility on legislators. We can play some role in respect of that and the digital age of consent in this legislation.

The premise from which we need to start is that generally in law a child cannot enter a contract until he or she reaches the age of 18, which is the age at which he or she is no longer a child. In certain instances children can enter a contract such as to purchase life's necessities, buy food in shops and similar issues. In general, the principal is that children cannot enter into contracts until they are 18 years of age.

Section 30 refers to what age children can consent to giving access to their data. The view of Fianna Fáil is that 13 years of age is too young and the age of consent should be increased to 16 years of age. The reason is that we want to ensure that children are protected from data profiling and commercial targeting. What happens, as we can now see from our increased knowledge of large social media companies, is that individuals are commodified into groups and that information then becomes something which is marketable. An individual is not marketable but an individual who is part of a larger group is a commodity because that group is a commodity and, therefore, can be used for the purpose of generating commercial gain for that social media company.

Fianna Fáil believes that we should put further obligations on the social media companies to ensure that when children consent that there is an understanding as to what they are consenting to. It is difficult for children of 13 years of age to recognise the extent to which they are consenting.

One of the problems with people's interaction with social media, and social media apps online, is that sometimes when one first joins one's status is frozen from that time onwards. So a person joins at a young naive age and he or she may have particular interests or objectives in terms of online searches. That information can sometimes be frozen within a social media company and the child is presented as somebody who is always of these views.

One of the biggest dangers we have from social media in general is the threat it poses to individualism. As I said in the Dáil about two weeks ago, the objective of social media is to put people into groups and then people think that they must think in accordance with what their group believes as opposed to what their individual thoughts are. Sometimes people have different views to people with whom they have similar thoughts on other matters. Unfortunately, the weakness of this commodification of individuals into groups is that there is a tendency to merge people into groups thus generating groupthink. I also think this practice is anti-intellectual in the long run.

I am sure members will legitimately turn around and say that Deputy O'Callaghan was a member of this committee, as was Deputy Ó Caoláin, that produced a pre-legislative report on the Data Protection Bill, which raised without demur or objection that the digital age of consent should be set at 13 years. That is correct, we did do that.

When I am dealing with issues on a committee basis, I am not running back up to the fourth floor to the Fianna Fáil offices to find out the Fianna Fáil view on this. Deputy Chambers and I are Fianna Fáil Deputies but we are working as part of the committee. At a meeting of the Fianna Fáil Front Bench we had a very thorough and detailed engagement on this issue and there is genuine concern that not enough is being done to protect children who are accessing information online. It was thought that the least we could do is to try to put more of the obligation on social media companies as opposed to on the parents and on the individual child and set the digital age of consent at 16 years. For that reason, I will be pressing amendment No. 27.

We believe that digital safety should not be about creating a nanny state and should be about empowering young people to be aware of the pitfalls and the downsides as well as the benefits of the online world.

One can tell young people not to have sex, not to drink alcohol or use prohibited drugs, but we are more in favour of educating young people about these matters rather than telling them what they can or cannot do. We will be supporting the Government's section 30, which sets the age of consent of children with regard to information society at 13 years of age. We think this is the right way forward. We, as were all the committee members, very impressed by Dr. Geoffrey Shannon when he appeared before the committee. Let me remind people of what he said at that meeting. He said that Ireland should take the opportunity now to designate the lowest permissible age, namely 13, as the age of digital consent for this jurisdiction. This lower digital age of consent has also been recommended by children's organisations, such as the Children's Rights Alliance.

He also said that prior to the committee he took the opportunity to discuss the issue with the Ombudsman for Children who supports his view that the age of digital consent should be set at 13 years of age. I know that Deputy Shortall has raised points around that but members will see from amendment No. 29 in the names of Deputies Clare Daly and Mick Wallace that we have dealt with the harvesting of children's data, which has been raised.

A variety of competing children's rights and practical realities support the argument that the appropriate age, having regard to the permissible age range delineated by the GDPR, should be the lowest age possible. He went on to say that the right of the child to participate and be heard in proceedings concerning him or her is a fundamental principle of international children's rights law and is enshrined by Article 12 of UN convention on the rights of the child. and in Article 24 of the EU Charter of Fundamental Rights. He states that the importance of the voice of the child and the child's right to participate in all matters have been promoted recently in this jurisdiction when the Irish people voted in a referendum on children's rights, which must mean something. He also states that freedom of expression and freedom of assembly are very important. The right to freedom of expression is a human right that is not confined in its remit to adults. The UN Convention on the Rights of the Child, UNCRC guarantees a child's enjoyment of freedom of expression in Article 13. Further related rights under the UNCRC include the right to access appropriate information provided in Article 17 and the freedom to assemble peacefully, such assembly may take place in the context of an online environment. We need to realise that the world has changed and that these basic human rights are as relevant in the online world as they are in the world to which we are accustomed. That needs to be acknowledged in our legislation. These rights are often exercised by children through their use of information and communication technology.

We have tabled three amendments to this section. Our amendment No. 28 proposes that Tusla maintains a register of preventative or counselling services for the purposes of section 30 of the Bill. There is a later related amendment, No. 246, to amend section 8(1) of the Child and Family Agency Act 2013.

Section 30 relates to the consent of a child in relation to information society services, which is clearly a positive thing. Information society services are essentially online shops, live or on-demand streaming services such as Netflix or Spotify that need to be paid for. So-called preventative or counselling services are exempted here, these might include Childline, the Irish Society for the Prevention of Cruelty to Children or groups that offer advice to children about mental health or drug or alcohol abuse. Under the GPDR, data controllers do not need to get the consent of parents or guardians when they are processing a child's data, when that data is related to preventative or counselling services offered directly to the child. This amendment is proposing that to prevent abuse of this exemption, Tusla should maintain a register of such preventative or counselling services to safeguard against abuse of the exemption. One concern in the Bill is that it does not provide a definition of preventative or counselling services. Is it safe therefore not to have a register of such services? The amendments that we are proposing, that Tusla maintains a register of these services, seems like a sensible provision.

In amendment No. 29, in the name of Deputies Claire Daly and Wallace, which is similar to amendments tabled by other Deputies, we are repeating the wording of an amendment tabled by Senator Lynn Ruane in the Seanad. I respect and accept the opinion of Dr. Geoffrey Shannon on setting the digital age of consent at 13 years and I think the age of consent should remain at 13 years, as stated in the Bill. I understand and appreciate some of the arguments for raising the digital age of consent to closer to 16 years, that certain Senators and Deputies have made, however, including a prohibition on profiling and direct marketing to children under 16 years would surely go a long way to addressing the fears that people have on the digital age of consent being set at 13 years. This is not an unreasonable request. It should not be possible and legal to track a child's progress online and be able to create a detailed digital profile of that child and then specifically micro target him or her based on the profile created. This kind of digital marketing is incredibly powerful and it would surely be a progressive step to shield children from it. The parents of Ireland would thank us for doing that.

In the second part of amendment No. 29, we propose to insert a new subsectrion (4). This adheres to Senator Ruane's Seanad amendment and is a reasonable attempt to protect parents being profiled and targeted via their children's online activity, though arguably Articles 6 and 9 of the GDPR prohibits this kind of profiling. Will the Minister clarify that issue?

I thank the Chairman for the opportunity to speak on amendment No. 27. WhatsApp is going to ask new users to confirm that they are aged 16 years, Facebook will ask children between 13 years and 15 years to nominate a parent or guardian to grant permission, children who do not have parental permission for Facebook will see a generic version of Facebook that is not customised, based on their personal data. This shows that children will continue to have access to the Internet, but their data will not be exploited. Setting the digital age at 16 years will not mean that a 13 year old cannot use Facebook, which I am using as an example, however, it will mean that Facebook cannot use the 13 year old. The child will be protected from targeted advertising derived from personal data. This is not so different from the rules placing a ban on advertisements targeted at children in the offline world, including broadcasting. The point is that while people may make the argument that no matter whether the age of digital consent is set at 13 years or 16 years, the technology is not yet available to check age verification at this stage and that a young person of 13 years could pretend to be older.

We are putting an onus on social media companies to ensure they are adhering to a clear legal guideline; they are not allowed to exploit the data of somebody within that age cohort for commercial purposes. That is the protection we are seeking to put in place.

We all agree with the arguments of prominent people like Dr. Geoffrey Shannon on the issue of child protection. One could argue that the drafters of the UN Convention on the Rights of the Child could not possibly have foreseen companies like Facebook and WhatsApp, commercial companies that can exploit children and use their information. They can use their name, address and date of birth and geotag them; they know exactly where they are and have access to all of their photographs. They can use that information for nefarious purposes and most definitely drive their bottom line.

What we are seeking to do in putting forward this amendment is to keep in line with many other European countries that are also in this space. Those states are interpreting the regulation from the European Union. We are also seeking to ensure we do not have a situation where children aged 13 to 16 years are being exploited and their information is being used to commercial advantage. We wish to put the onus back on social media companies. I repeat that WhatsApp and Facebook have already announced their intention to adopt a uniform approach in line with that taken in other European countries in how they use data. They are putting protocols in place to that effect. I, therefore, ask the Government to accept a digital age of consent of 16 years on the basis that the market seems to be moving in that direction. Social media companies are moving in that way and we should not be behind the curve in how we interpret the regulation. We should at least be on it, if possible.

This is a group of amendments that has attracted a lot of interest. In some ways, that is disappointing. Issues are being conflated. To me, the concentration on the digital age of consent is a little like focusing on a fly on the wall when there is a giant elephant in the room about which no one is even talking. All of the other provisions in the Bill are of far greater consequence. Setting the digital age of consent at 13 years is not going to do what some Deputies fear it is going to do. For example, in response to the last speaker's points about Facebook, I note that this is a proposal that has already been made by it. The Oireachtas setting the digital age of consent at 13 years will have absolutely no bearing on it whatsoever, whereas our protective measures regarding micro-targeting in amendment No. 29 would cover that point. we are conflating issues incorrectly.

It would be very remiss of us not to take the advice of people like Dr. Geoffrey Shannon, the Ombudsman for Children and all of the children's rights organisations which have stated very clearly that the digital age of consent should be set at 13 years. We fully support that advice. It is separate from the other measures and I will park that issue. I will not repeat points made on it. Deputy Mick Wallace is right. Not dealing with it is a little like the old approach to under-age sex - just do not do it - rather than the modern thinking that providing progressive sex education is better. This is the same. Educating young people and putting the onus on providers is a far better way forward. Setting the age at 16 years seems good. It sounds like a protective measure but actually it is not. As has been pointed out, it subjects young people to abusive parents, for example. It puts another responsibility on parents with which, in many instances, they may not be capable of dealing. The onus should be put on service providers. That is what our other amendment tries to do.

I will address some of the simpler amendments first just to get them out of the way. I refer to amendment No. 28. As Deputy Mick Wallace said, we know that the general data protection regulation, GDPR, exempts preventive and counselling services from the general provisions on the digital age of consent. In other words, children under the digital age of consent will be allowed to access these services without parental consent. The question is how they are identified. My fear is that a register would be needed. In the absence of a register services could deny services to a child under the digital age of consent to be on the safe side. It might be a service a child needs. In the worst case scenario a service could be taken to court by an abusive parent who finds out that his or her child has been using the service and decides to take revenge by burying it in litigation. Good services that are helping children should not be targeted in that way. We think Tusla is best placed to draw up such a register. It would not be an onerous job for it to do so. It should be quite easy for it. That would be a helpful measure and require minimal work.

I will also address amendment No. 29 which concerns the issue of protecting children, in common with amendment No. 28 in the name of Deputy Donnchadh Ó Laoghaire, amendment No. 30 in the name of the Social Democrats and amendment No. 34 in the name of the Minister, about which I would like to make a few points. This is about the micro-targeting of children. I have a slight concern that amendment No. 26 in the name of Deputy Donnchadh Ó Laoghaire might be a little too narrow and difficult to enforce. It is a little like the argument about the prohibition in civil legislation on groups accepting donations that the donors intend to be used for political purposes. Historically, the Standards in Public Office Commission, SIPO, has found it impossible to enforce and has said so repeatedly. It is hard to prove a reason someone is collecting data. The amendment really just states they cannot use the data for marketing purposes. I am open to arguments, but we have a concern about Deputy Donnchadh Ó Laoghaire's wording and think ours is better. However, clearly the intention behind the two is the same. The Social Democrats' amendment is also a little similar, but I do not see the necessity of using the word "profile". The word "process" is just fine and captures everything it needs to do. Again, I think that amendment might be slightly narrow.

The Minister's amendment is about the idea of preventing children from being targeted in marketing. He is proposing a code of conduct which the commission will encourage companies to draw up. It is not bad, but our amendment is stronger. However, I am open to being persuaded. The second part of the amendment, with which Deputy Mick Wallace dealt, needs less explanation. It sets the digital age of consent at 13 years and requires parents to engage with companies and give their consent for their child to access services online. The quid pro quo must be the assurance that their data will not be harvested for something like marketing, profiling or whatever else. I know that issue is generally covered under the GDPR, but there would not be any harm in making it explicit. I will not repeat the points made by Deputy Mick Wallace, but we are taking on board the amendments brought forward by Senator Lynn Ruane in the Seanad. They strike a better balance in protecting children in their Internet usage.

I will not repeat points made by Deputies Mick Wallace and Clare Daly. However, as a committee member, it is appropriate to state we did work on this issue as a committee. There is a process in which committees engage. It is a vital part of drafting and putting together the approach to be taken to legislation. We looked at the issue; brought people in and listened to them and made a judgment, particularly with reference to Deputy Jim O'Callaghan's contribution. The judgement was well thought out and made having listened to experts give voice to all sides to the argument. It is not easy to make up one's mind on this issue. It is regrettable, having gone through that process and looked at the issue as a committee and made our decision, that it is now being revisited.

I still believe the age should be 13, for the reasons that have been outlined and for the reasons the committee originally supported. It is sometimes easy for politicians of all parties and none to see something that looks like a very acceptable and widely supported political solution. However, we have to look at the realities of the situation and find a workable solution, one that I fundamentally believe is in the best interests of the protection of children. We must ensure the proper use of data, control it and not have it used for exploitative purposes. It seems to me that moving the age of digital consent from 13 to 16 is just choosing the easy option, the option that sounds good and which has gained much credibility because people who have not had the opportunity to look at the issue in the same level of detail have moved their position to it. If I had not sat at this committee and looked into the issue, and if I did not have the benefit of hearing from the Ombudsman for Children and reading that report I might have thought that the idea of moving the digital age of consent to 16 was the right idea. Having gone into it at length in this committee, I am firmly of the belief that the best solution is that the digital age of consent should be set at 13.

I listened with great interest to the various contributions of committee members on the current group of nine amendments, including amendments to sections 30 and 31 and a proposed new section, all of which are concerned with the protection of children. Indeed, for that reason we are discussing these amendments as a group. Notwithstanding that, it would be helpful, having regard to the discussion we have had, if I dealt with each amendment separately, commencing with amendment No. 27, tabled by Deputies Sherlock, Shortall, O'Callaghan and Catherine Murphy, proposing a digital age of consent of 16 years in section 30.

The position, of course, is that article 8 of the GDPR specifies a digital age of consent of 16 but allows member states to provide for a lower age not below 13. Article 8 will mean that providers of information society services must make reasonable efforts to obtain the consent of the holder of parental responsibility over the child where such services are offered directly to children below the specified age threshold. I acknowledge the extent and the importance of the discussion we had in the Seanad and elsewhere over the past year or more. I am quite satisfied that there are sincere and strongly held views in favour of both 13 years, as provided for in the Bill, and 16 years, which is the subject matter of amendments.

I want to talk about process here, and acknowledge the importance of the public consultation process that took place before any decision was taken by Government on this issue. I believe that is how legislation should be processed. Indeed, following completion of these consultations carried out by my Department on the Government's data forum, which brings together legal and data protection experts, business representatives, small and medium sized industry, multinationals, sociologists, psychologists and education specialists, the Government decided in favour of a digital age of consent of 13 years. I want to stress that full account was taken of the knowledge of those that responded to the consultation process in reaching the decision, and a careful consideration was given to the expertise of this body of opinion. A majority of respondents, including the Office of the Ombudsman for Children, the ISPCC, the Internet Safety Advisory Committee and the Childrens' Rights Alliance clearly recommended a digital age of consent of 13 years. Moreover, as Deputies Wallace and Clare Daly in particular mentioned, this committee will recall the contribution of the special rapporteur on child protection, Dr. Geoffrey Shannon, who recommended a digital age of consent of 13. That strong recommendation was adopted by the Joint Committee in this room in the Chair's report of last November. I acknowledge the work of that committee. The content of that committee report, and indeed the disposition of committee members, was very much considered in the context of the Government's decision here. I was keen, at all times, that the views of this committee would be taken into consideration in my deliberation with Government colleagues.

Having regard to the due process, the Government considers that a digital age of consent of 13 years does represent an appropriate balancing of the child's right to participation in the online environment and the child's right to safety and protection. These rights are enshrined in the UN Convention on the Rights of the Child. In making that decision, and in choosing the age of 13, Ireland is not out of line with many other EU states. The age of 13 has been adopted by Denmark, Sweden and Finland. These are member states that we often look to as an example of good practice in the area of child protection and child and family support. I can also point to other countries which have opted for the age of 13, including our nearest neighbour, the UK, Spain and Latvia. As we are deliberating here and processing this legislation, other countries are having the same debate.

For many reasons, I am unable to accept amendment No. 27, which seeks to replace 13 with 16. I was struck by the contribution of some Deputies here who said they were reluctantly supporting the amendment or that they were doing so with a health warning. I am not sure that represents good practice, and I am concerned that in many respects there is a move to depart from or abandon what was a programme of good process. I welcomed the discussion in the Seanad and proposed the inclusion of subsection 3 which provides for the review of the operation of the 13 year old threshold within three years. I put that forward to the members here who have indicated that they are conflicted. Article 8(3) of the GDPR provides that the providers of information society services must make reasonable efforts to verify that consent is given or authorised by the holder of parental authority, specifying that available technology must be taken into consideration by the controller, and that it is highly likely that the European Data Protection Board will issue further guidelines in this matter and move towards the identification of best practice, as it is entitled to under article 70.

There are a number of difficulties with amendments Nos. 28 and 246, in which Deputies Daly and Wallace seek to impose an obligation on Tusla to maintain a register of preventative counselling services. The services referred to here are not only those established in this State, so there is no good reason for it. A teenager in a Border county may well be using a counselling service in Northern Ireland; I am sure the Chair can relate to that example. Likewise, there is no good reason to prevent a teenager in Dublin or in any part of Ireland whose native language may be Polish, Lithuanian or any language other than English from taking advantage of a counselling service based in other countries.

We need to acknowledge the practical manifestation of everyday living, the freedom of movement and the fluidity or social mobility in society. The amendment seeks, in effect, to define the scope of the preventative and counselling services referred to in Article 8 of GDPR, which I am afraid would amount to an infringement of GDPR. As I said earlier, we will need to exercise great care in departing from the import of the GDPR itself.

I will briefly turn to children’s personal data - amendments Nos. 26, 29 and 30, tabled by Deputies Clare Daly, Wallace, Shortall, Murphy and Ó Laoghaire, seeking to impose prohibitions on the processing of children's personal data for marketing and for profiling purposes. I have a difficulty with the amendments. Processing personal data for marketing and profiling purposes takes place under the so-called legitimate interests ground in Article 6.1.(f) of GDPR. Recital 47 states specifically that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. It is important to note in that regard that the European Court of Justice addressed the issue of whether national law can impose additional conditions on processing carried on under the corresponding Article 7. (f) of the 1995 directive. In that regard the Court of Justice underlined the importance of free movement of personal data under the 1995 regime. It concluded that member states were not in a position to add new principles or impose additional conditions to have the effect of amending the scope of any of the grounds in Article 7 of the directive. Those grounds are now in Article 6.1.(f) of GDPR. In short, the imposition of prohibitions or limitations in national law on the processing of personal data that is lawful under GDPR is in breach of EU law and that could well have a consequence of exposing the State to infringement proceedings or possible sanctions of a type that we are familiar with.

I wish to go back to the Seanad debate because I think it is very important and informative for what we are doing here. Mention was made by Deputy Wallace of the contribution of Senator Lynn Ruane. It was a very strong contribution. I agree with Deputy Wallace in that regard. Senator Ruane was speaking not only as a Senator but as a mother of teenage children and as somebody who has engaged in children's issues to a very positive extent since she was elected to the Seanad. During the course of the Seanad debate one could see how her positioning evolved in the context of her own practical experience. That was really important. She was very helpful and very positive, as indeed were other Senators. I introduced a new section 31 in the Seanad, which makes specific provision for codes of conduct for the protection of children and I now propose amendments Nos. 32, 33 and 34 in response to Second Stage discussions here, including what was a constructive contribution from Deputy Shortall who joins us this morning. Those amendments introduce protection for children where there is processing of their personal data for the purposes of direct marketing and creating personality and user profiles. I think that is positive and I believe it meets the concern of Deputies. I thank Deputy Shortall for a positive contribution in that regard.

In order to remain compliant with Article 40 of GDPR, section 31 does place an obligation on the supervisory authorities such as the Data Protection Commission to encourage the drawing up of codes of practice. I listened carefully to Deputy Clare Deputy in that regard and I am conscious of her amendment but placing a specific obligation on the commission to draw up such codes would be in conflict with GDPR compliance. The conflict would arise because of the obligation placed on the commission under Article 40.5 to provide an opinion on such a code and to approve it where it finds the code provides sufficient safeguards. If the code is intended to apply in other member states the commission will submit it to the consistency mechanism for approval then by all member states. I think that is what will happen. In that regard I am unable to accept the proposals from Deputies Clare Daly and Wallace as far as amendment No. 31 is concerned, to replace "encourage" with "require" but I very much acknowledge the points Deputy Clare Daly made and I am in agreement with the overall point she made, but there is a limit to how we can mandate the supervisory authorities.

I shall briefly give my views on the other amendments because I do not think I did when I spoke earlier. In respect of amendment No. 26 in the name of Deputy Ó Laoghaire, it is a bit vague to put in a reference to "for the purposes of financial gain" so I will not support the amendment. In respect of amendment No. 28, which is proposed by Deputies Clare Daly and Wallace which would limit the counselling services to those maintained on a register of Tusla, I listened to the Minister and I think he made some very valid points to the effect that Tusla could have names which do not extend outside of the jurisdiction. Because of what the Minister said I will not support amendment No. 28. In terms of amendment No. 29, my inclination was to support that but the Minister has now said that if we introduce it we will be in breach of European law because it goes beyond what is contained within the GDPR, and that it would expose Ireland to enforcement proceedings. If a Minister says that to me and that is the advice of the Department and that is the legal advice he has received, I am afraid I have to responsibly listen to that as I do not want to expose the country to enforcement proceedings which may arise. The same argument was made by the Minister in respect of amendment No. 31, in terms of changing the wording from "encourage" to "require".

In terms of the amendment to change the digital age of consent from 13 years to 16 years, I listened very carefully to the contributions and ultimately it is a political choice. We have very limited powers to a certain extent when we are bringing in the GDPR but we do have the power to determine whether we set the age at 13 or as much as 16. That is a political choice. I have not heard any real argument here today as to why the capacity of children to contract should be changed in such a fundamental way whereby now they will have the capacity to contract in respect of their personal data at the age of 13.

I wish to come back on a couple of points. First, on the age of consent, there are two reasons I proposed to raise that to 16. The first is in respect of contract law. The minimum age for participation in a contract is 16. Equally, the age to give consent for a medical procedure is 16, and it makes sense to bring it into line with that. Whether it is 13 or 16 I do not think people should be lulled into any false sense of security here in relation to the safety of children on the Internet. The difficulty many people have with the actions of online companies is that kind of relentless targeting of children, the harvesting of their data, the profiling of children and their families and then targeting them for commercial or marketing purposes.

The Minister has not given his own opinion on whether he believes that is an acceptable practice. We know that it is happening on a widespread basis at the moment. What is his view on that? Does he think it is acceptable that our children are subjected to that kind of marketing? Neither did the Minister respond to the issue I raised earlier on the age of consent although he quoted the Children's Rights Alliance and the children's Ombudsman in respect of the age of consent.

The Minister has not responded on the more important issue, the need to introduce, in conjunction with this, a statutory prohibition on the use of children's data for marketing purposes. What is his response to the statement made by both bodies?

I expressed the view that the amendments from Deputies Mick Wallace and Clare Daly were too wide insofar as there were issues related to market research, legitimate activities in that respect and demographic analysis of activities online. They are legitimate activities. For that reason, I would be more in favour of a prohibition on the profiling of children's data. That is in line with Sinn Féin's amendment.

The Minister talked about encouraging voluntary codes of conduct. We know that voluntary codes of conduct do not work with online companies and that they have only taken action where they have been found to be doing something that they should not be doing. We also know that originally in the general data protection regulation, GDPR, prohibiting the profiling of children's data was raised. We also know that there was much pressure exerted by online companies and it continues. I have been contacted by companies, as I am sure others have. Online and digital companies do not want a prohibition on the profiling of children's data. They want to have a free hand to harvest children's data and use them for their own commercial purposes such as direct marketing. Most people find this unacceptable and the Minister has not provided a strong case for not prohibiting that practice. Let us forget about voluntary codes of conduct and encouraging companies. It will only happen if companies are precluded by domestic law from engaging in this practice. We have an opportunity to do so to protect childhood from the relentless targeting that happens for marketing purposes.

This is a much more significant issue than the digital age of consent and many recognised bodies are calling for it to happen. Children deserve to be allowed to live their childhood without their data being used for marketing purposes. The Minister should heed what is being stated by the Children's Rights Alliance, the Ombudsman for Children, the Irish Heart Foundation and many other organisations that have children's interests to the fore.

Three of the amendments are relatively similar. I will echo the point made by Deputy Róisín Shortall, that the right call is being made about the digital age of consent. A great deal more is needed to ensure the safety online of children and the population at large which I have said in passing as it is not just children who are at risk online. There are advantages and disadvantages for us all. We all need to be more careful online, as well as enjoying the benefits of the online experience.

Three amendments deal with micro-targeting and data harvesting for the purposes of targeting young people. It is a vitally important and massive issue and it is welcome that the Minister has moved towards improving the obligation to have codes of conduct in that respect. There is a general issue about children on which we are all in agreement, that there is a need to ensure this exploitation and cynical targeting is brought to an end and that it will be an offence to engage in it. As I said, there are disadvantages and advantages for all of us and they need to be refined on Report Stage. It would probably be better to focus on profiling, but I take the point made about engaging in such practices for the purposes of financial gain. I will press my amendment and will support the others.

The Minister has outlined the conflict with the GDPR which Deputy Jim O'Callaghan has accepted to a large extent. Everyone has to take serious cognisance of the possibility of fines or regulatory action by the European Union. We have to take that issue seriously, but it is not enough to flag it in general. It is not clear to me how it could be in conflict with the GDPR. There are areas in which the legislation is in conflict with the GDPR where ostensibly they provide for very similar provisions, but there are differences in wording. As I said, there are conflicts in that regard and I will oppose sections on that basis. I do not see it stated anywhere in the GDPR that countries cannot make it an offence to profile children's data and create fines. There is nothing in the principles, letter or recitals of the GDPR that makes it apparent to me that there would be a problem in doing so. If there would be, we need some further detail.

I received some correspondence yesterday from a Dr. James O'Higgins Norman, associate professor of sociology at Dublin City University, DCU. He says that as an international and Irish academic working in the field of child Internet safety with an holistic knowledge and understanding of how children engage online, he firmlys believe setting the age of digital consent at 13 years offers the best defence for children's safety and data protection. He says calls for the age to be set higher, at 16 years, for example, are misguided and not endorsed by child protection professionals and those working with children. He says that, under such a system, children aged 13, 14 and 15 years would need parental consent to allow their personal data to be processed by this information society service and that, all the while, there is a general acceptance that current systems of age verification are weak and generally easy to bypass. He asks what unintended safety and protection consequences will this have, saying attempting to change the behaviour of 13, 14 and 15 year olds by 25 May is not practical. He says the Internet and being online are a fundamental part of most children's lives today and that, to support children's safety, they need digital literacy education, that parents need support and the industry needs to be regulated.

Deputy Donnchadh Ó Laoghaire made a point about amendment No. 29. I accept the points the Minister made about amendment No. 28, at which we will have to look again with reference to the register maintained by Tusla. On amendment No. 29, the Minister said that if we were to go down that path, we would contravene the GDPR. We do not know enough about it to know whether that is definitely true, but we will have to examine it because we believe it would be a positive move to have amendment No. 29 in the Statute Book. It would make sense. It is disappointing if the GDPR has moved away, under pressure, from this position, but we will certainly look at it.

On amendment No. 28, I know that the issue of the maintenance of a register was discussed in the Seanad. The Minister made some good points about the limitations of our proposal. We thought it was an alternative in dealing with the limitations mentioned in the Seanad about the Data Protection Commissioner being the person to maintain a register. That proposal was shot down on the grounds that the commissioner might not have the expertise to do so. Children being able to access relevant and important preventive and counselling services without parental consent is important, particularly for vulnerable children in cases where the parent is the abuser. We have to take this into account because, in that context, if we do not define what they are and have a register, a devious, abusive parent could come down heavily on a service provider or a child might not be able to access information that would otherwise be useful.

Will the Minister have a look at this? Is there another way we can come up with some type of register that would give protection to children? We will withdraw the amendment for now but I call on the Minister to look at that aspect of it.

Deputy Shortall made a point about profiling and processing with regard to our amendment. We have to be clear on this point. The word "profiling" has a particular definition under the general data protection regulation, as distinct from processing. In particular, "processing" is the word used for analysing, that is to say, using data for a particular process. In other words, we use processes in order to profile rather than starting with profiling. That is why it is important that the word "process" is used. It is for legal reasons and it gives far greater protection in that regard.

We have proposed amendment No. 29. I am unsure about the level of protection of rights under the GDPR. The regulation refers to the rules being equivalent and an obligation on member states to apply rules consistently. I am unsure. We cannot state categorically that what we have put forward will guarantee that the legislation goes beyond the GDPR. Certainly, there is a risk that it could possibly so do. If it were too onerous, some companies could say it does, but there is no guarantee that it will.

Deputy Ó Laoghaire's point is a little rich because the Government is taking far greater risks with things that are clearly not compatible with the GDPR, but he does not have a problem with them. Yet, now he is saying that this measure goes beyond it. That does not really wash with me.

People are confusing different issues. Deputy Wallace read out a letter. The key point for the committee to register is that these 13 experts and organisations have circulated their views online. It is almost unprecedented. The Ombudsman for Children said that we are making a mistake. People are conflating issues rather than understanding them. Deputy Sherlock comments represented the best example. It is a pity he is not here because I would have no problem saying it to his face. What he was proposing and looking for simply does not add up. He talked about WhatsApp going to 16 years. That simply makes what we are proposing, a digital age of consent, easier to maintain. It has nothing to do with it. The last line in the letter from the experts refers to how the digital age of consent is a data protection issue and not a child safety issue. Using data protection law to achieve an online safety effect is misguided. Almost every expert in the area of child protection is saying as much and we cannot be blind to that.

This goes back to the point I made earlier. The other example given by Deputy Sherlock is utterly ludicrous and irrelevant. Facebook has begun to make a change for people under 16 years. That is exactly what we should be encouraging. Setting the age of consent at 13 years is irrelevant for those purposes.

Deputy Daly referred to the GDPR and the manner in which we might consider departing from it.

Article 47 states clearly that processing of personal data for direct marketing purposes may be regarded as carrying out processing for illegitimate interest. I have a difficulty in departing from that.

Deputy O'Callaghan has questioned the matter of the legal advice. It is not my legal advice or the advice of the Department of Justice and Equality. I wish to state for the benefit of the committee member that we engaged on the issue raised by Deputy O'Callaghan with the Office of the Attorney General. The advice appeared clear. I am reluctant, therefore, to depart from the advice of the Attorney General.

I wish to address the amendments referred to by Deputies Daly and Wallace. I too have the letter that both Deputies referenced. There is considerable drawing down on expert opinion, experts and the status and influence of experts. I do not disagree with any of the points that have been raised. One of the signatures of the letter is Professor Mona O'Moore, who would be known to members of the committee. She has years of experience in the area of children's issues.

I accept the fact that there are differing views. I am keen to acknowledge the importance of the process and the report of the committee, wherein you stated, Chairman, in the foreword:

The General Data Protection Regulation will grant significant rights to all citizens in Ireland, but will provide particular protections to children. The Committee has recommended that an appropriate digital age of consent for children is set, and that this age be reviewed as technology evolves.

This is exactly what we are doing in the context of the Bill. We are setting the age at 13 years in accordance with the recommendations of the committee and others and allowing for a review at a future date.

I did not say earlier that consideration was also given by my Department and Government with regard to how a digital age of consent of 16 years would be difficult to monitor and enforce. I am speaking as a father of two girls now in their 20s. They grew up in an age when youngsters were far more tech-savvy than I was. I assure the committee from my experience at home that children aged 13, 14 and 15 years of age have a great deal of knowledge and information technology literacy. Whether we like it, they are in a position to circumvent requirements for parental consent and requirements relating to advices, regulation or whatever. They can do so with relative ease because we do not have age verification methodologies. This is also important in the context of setting ages.

I put it to Deputy Shortall that the matter of child protection is one that can be validly associated with this legislation. It is not that the GDPR is directly involved in child protection matters but there are consequences. One of the consequences is the putting together of an EU-wide code of conduct. I see that as being a great advantage in providing protection for children irrespective of where the child is, where the controller is or where the processor is. That is why the role of the Data Protection Commissioner, once given the power in this legislation to make a submission, is important. I am quite satisfied that encouragement from this office and influence or authority from the office in Dublin will have the effect of playing into and participating in a European data protection board and code of compliance. That will deal with many of the issues put forward in terms of child protection.

I am satisfied that amendment No. 34 will add a greater level of strength to our debate. I am concerned about any departure from the strict reading of the GDPR for obvious reasons. I have heard what Deputy Shortall has said, but she is not long out of government and she was not long in government either, as it happened. It is simply not practically possible to put forward amendments that would have the consequence of bringing about infringement proceedings against Ireland.

I ask the Deputy to accept that on the basis of facts that are within her own knowledge by virtue of having been a Member of Parliament for a long time. Her party supports Ireland's membership of the EU and is familiar with EU law. We cannot dip in and out of EU law in the manner the Deputy would like us to believe we can.

We are not convinced. We are withdrawing amendment No. 28 in the hope that the Minister will come up with a better proposal than our proposal with regard to counselling services. We are withdrawing amendment No. 29 because it is going to fail, but we will come back to it. We will get our own advice on it.

I will examine this matter again. I believe in the principle of my amendment. I have not seen anything in the main articles of the GDPR that prevents what I am proposing. I will examine the recital. I will press this amendment. If I am satisfied between now and Report Stage that there is an issue with what I am proposing, I will reconsider the matter on Report Stage. I am pressing amendment No. 26 because I believe in the principle of it.

I move amendment No. 27:

In page 23, line 16, to delete "13 years" and substitute "16 years".

I move amendment No. 28:

In page 23, line 19, after “services” to insert “, listed in the register maintained by Tusla for the purposes of this section”.

I move amendment No. 29:

In page 23, between lines 19 and 20, to insert the following:

"(3) It shall not be lawful for a data controller to process the data of a child for marketing purposes, when the child is under the age of 16.

(4) It shall not be lawful for a data controller to process data in relation to the parents, guardians or family members of a child, without the consent of the person to whom the data pertains, save for age verification purposes, when the child is under the age of 16.".

I move amendment No. 30:

In page 23, between lines 23 and 24, to insert the following:

"Profiling of children

31. It shall be unlawful for a data controller to profile the data of a child for marketing purposes when that child is under 16 years of age.".

I move amendment No. 31:

In page 23, line 25, to delete "encourage" and substitute "require".

I move amendment No. 32:

In page 23, line 31, to delete "and"

I move amendment No. 33:

In page 23, line 33, to delete "Article 25." and substitute "Article 25, and".

I move amendment No. 34:

In page 23, after line 33, to insert the following:

"(e) the processing of the personal data of children for the purposes of direct marketing and creating personality and user profiles.".

I move amendment No. 35:

In page 25, lines 2 to 4, to delete all words from and including ", and" down to and including "subsection" in line 4.

This amendment relates to the designation of data protection officers. We are concerned that the essence of the GDPR and the rights of data subjects might be offset or undermined by the invocation of costs as an excuse. For that reason, we are proposing to delete section 33(3)(d) of the Bill, which refers to "the costs of implementation of any requirement". Data protection officers will be appointed under the GDPR. All public authorities and bodies, including Government Departments, will need to have a data protection officer. Large-scale data processors or organisations that have as a core activity the processing of special categories of data, such as health data, will also be required to have data protection officers. Such officers are an important part of the GDPR's compliance framework. They are supposed to support the compliance of organisations with the GDPR. They should have independence and expert knowledge of data protection.

Section 33 of the Bill, which relates to the designation of data protection officers, provides for the possible introduction of regulations that would require additional categories of controllers or processors to appoint data protection officers in accordance with Article 37(4) of the GDPR. Section 33(3) sets out the policies and principles that would apply for the purposes of underpinning any such regulations, including, in section 33(3)(d), "the costs of implementation of any requirement if it were imposed under" section 33(1). I cannot accept the deletion of this provision, as proposed in amendment No. 35. It is an appropriate and legitimate provision. In requiring the cost of implementation to be taken into account when additional obligations are being determined, especially with regard to the needs of small and medium-sized enterprises and microbusinesses, it is fully compliant with the GDPR. Articles 25 and 32 of the GDPR acknowledge the relevance of the cost of implementation as a factor to be taken into account when determining the obligations of controllers and processors. I cannot accept amendment No. 35 on this basis.

My clear understanding is that the GDPR does not require this to be done. Our amendment merely proposes the removal of "the costs of implementation" as something that the Minister must consider in deciding whether a private body should be required to appoint a data protection officer. We are saying that by including this provision in the Act, the Minister is proposing to elevate the cost issue to a status that is too high. The acceptance of our amendment would not preclude the Minister from considering the cost. He would still be entitled to take cost into account in this context, but it would not be at an equal level with the other protections that exist. It is important to draw that distinction in light of the seriousness of this matter. We do not want a health insurance body that should be considered in this context to be in a position to argue that given that the Minister has to take account of cost, it is not obliged to have a data protection officer. We think the question of cost is being given too high a position in the hierarchy of requirements. Our amendment would not prevent the Minister from taking account of any cost issues that might exist. The GDPR does not require this to be done.

There may be something of a misunderstanding here.

The section does not apply to the data protection officers appointed under Article 37 of the GDPR where designation is compulsory. In this section we are only talking about the extension of compulsory categories. Even if the amendment were passed, I am not sure it would have the consequence Deputy Daly believes it would have.

We are talking about some small business that may be required to engage in some obligations. If we look at Article 37 on the designation of the data protection officer, we are dealing with cases other than those referred to in the section. Examples are associations and bodies that might represent controllers or processors, and micro-businesses.

The earlier sections deal with the compulsory obligations. Under this section we are dealing with additional categories of controllers, not those who are required to undertake obligations compulsorily under the legislation. It deals with cases in which there will not be obligations immediately under the Act where the State at some stage may wish to extend the application of the Act to associations or bodies that represent controllers or processors. It does not deal with ones that come under the Act at present.

What we are asking for is that we do not codify this requirement to take cost into account in legislation because to do so gives sanction to the idea that the cost of private business is as important as protecting against risks to fundamental rights and freedoms. We do not believe that. We think fundamental rights and precedents are more important. Even if our amendment were passed, it would not preclude the Minister from taking cost into account and from being practical about the situation. In the context of lobbyists and all the rest, it is not a good idea to put it into law.

I move amendment No. 36:

In page 25, line 12, after “include” to insert “in particular the following”.

I will deal with a couple of the amendments and Deputy Daly will deal with the others. Amendment No. 36 is part of a bigger structural adjustment to this part of the Bill. The insertion of the phrase "in particular the following" is intended as an extra layer of precaution for what is one of the more important sections of the Bill in that it functions as what the Minister might call a toolbox for many other sections. Many other sections refer back to this section and the phrase "in particular the following" is used elsewhere in the Bill to stipulate extra protections or precautions, so it is not unreasonable to insist on its inclusion here. Amendments Nos. 37 and 38 depend on each other. The inclusion of the phrase "subject to suitable and specific measures" also appears many times in the Bill and points us back to section 35. Section 35 and the suitable and specific measures contained therein are important for the most part and are lifted from various parts of the GDPR, but the way section 35 is organised in the Bill renders optional very important aspects of data protection.

The issue of explicit consent is something we will come back to on section 45. I understand why explicit consent needs to be optional in section 35 as the GDPR provides for exemptions to explicit consent. As we understand it, the GDPR does not provide for exemptions with regard to section 35(1)(b) and (c). I do not understand why limitations on access to personal data that are processed in the workplace should not be a mandatory measure in section 35. The same applies to the issue of imposing time limits for the erasure of personal data and mechanisms to ensure these time limits are adhered to. The purpose of our amendments is to rearrange section 35, delete some of the so-called suitable and specific measures, such as explicit consent, which is a necessity of the GDPR, and to separate others as mandatory, hence the use of "shall" instead of "may" in page 26, line 14, in amendment No. 42.

I will skip some of the following amendments because Deputy Daly will deal with them. Amendment No. 43 should be taken together with amendment No. 47 to section 37. They are essentially the same amendment. The central point in this amendment is the requirement for the Minister to provide a written rationale should he or she proceed to introduce regulations that go against the advice of the data protection commission. The amendment was proposed by Senator Alice-Mary Higgins in the Seanad and it seems to me to be entirely reasonable. It seems sensible and entirely workable and appropriate that such a written rationale would be put before the Committee on Justice and Equality. I do not see how it would compromise the independence of the commission. The point is to ensure heightened accountability for the Minister when creating regulations.

There are a number of State projects about which the Data Protection Commissioner has concerns. The commissioner has opened a section 10 investigation into the public services card and the single customer view which is one of the biggest data sharing projects in the history of the State. It is almost unprecedented.

It is highly unusual and should set off alarm bells for the Government, yet the Department of Employment Affairs and Social Protection, which claims it is the data controller for the public services card project, continues to double down on the expansion of the project even though it knows that the coming into force of the GDPR is just around the corner. We have an example of the Department and the Minister ignoring the advice of the Data Protection Commissioner and ploughing on regardless.

This is a very important grouping but, unfortunately, it is cumbersome and deals with many issues, some of which are similar but not identical. It is an important group of amendments for us and I will break them down because some are more interconnected than others.

Amendments Nos. 36 to 41, inclusive, involve tweaking what we call suitable and specific measures and how we get around that. We have to see it in the context of section 35 which deals with these suitable and specific measures for processing data. In general throughout the Bill, these measures apply to the processing of special categories of data and are used as a substitute for getting a person's consent to process his or her most sensitive data. What is contained in these sections is significant. Under Article 9 of the GDPR, processing of these categories is strictly prohibited unless one of ten conditions apply. The first of those conditions is that the person has to give explicit consent. That is fairly clear. The other nine categories involve matters such as processing being legal if it is necessary to protect the vital interests of the data subject, for the purpose of public health, cross-border threats to health and other such matters. Most of the conditions allowing special categories of data to be processed, apart from the one on explicit consent, have some aim to protect either the data subject's interests or the public interest.

Suitable and specific measures, which is the term we are examining, are used as an alternative to the obligation to get explicit consent. That is contained in sections 39, 43, 45 to 47, inclusive, 49, 50, 54 and 65. They will apply in many circumstances. This is a significant part of the Bill for processing sensitive data in the context of employment and social welfare law, scientific or other research purposes, pensions, if the Government gets its way, getting a mortgage, and in the context of a substantial public interest, which we discussed previously. The idea of suitable and specific measures is that they are technical and organisational safeguards such as limiting access by staff to sensitive data and so on. We all remember the fellow who was selling the data in the then Department of Social Protection for €23 a throw and all the rest.

In the Bill as it stands, there is a list of measures that might be in section 35(1) but none of them is mandatory. In the case of the first one, consent, there is a reason they cannot be mandatory in every case. For example, for statistical purposes it might not be viable for somebody from the Central Statistics Office, CSO, to get consent to process statistics on the number of people of a particular religion in Ireland or whatever. There are others, the ones that are subject to our amendment No. 38, that face no obstacle in terms of being mandatory. Those are limitations on access to prevent unauthorised consultation, alteration or disclosure of this most sensitive data by staff, time limits on the length of time an organisation can hold on to data and targeted training for people who will be handling the data.

We believe it is reasonable that when suitable and specific measures are being used to give carte blanche to organisations or public bodies to access and process sensitive data, access limits, time limits for storage and training should be mandatory. That is our key concern. Also, the Government clearly envisages situations where measures to safeguard data should be mandatory in some instances. We are saying we should not leave it to the individual Ministers but make it somewhat clearer now. I will not go into a huge amount of detail but we want to have safeguards implemented to stop invasion. We want that to be obligated rather than a minimum standard to apply. That is the purpose of amendment No. 38.

Amendment No. 36 simply seeks to add the words "in particular" before a list of possible, suitable and specific measures. The phrase "in particular" is used elsewhere in the Bill. It is also used in the GDPR and the shorthand for it is that we should look at the measures first before we go looking for any others because the list of possible suitable and specific measures spelled out in section 35(1) are in part taken from the GDPR itself. As they are important and potentially strong technical measures to safeguard people's privacy, we believe they should be considered first, in particular the measures that are being either implemented or laid out in the regulation.

In terms of amendment No. 37, the idea is to add to the list of measures that might be included among the suite of suitable and specific measures. The ones we are proposing are modelled on the German law which incorporated the GDPR but seek to add other options such as testing the effectiveness of technical, organisational and security measures regularly to ensure the confidentiality, integrity, availability and resilience of processing services and systems related to the processing of personal data, including the ability to restore availability and access rapidly in the event of a physical or technical incident. It could be the case that a given Minister might specify additional measures such as these in regulations. I accept that could happen but it appears to us that it would be far better and more useful to have a reminder in the legislation about, first, the importance of mandating organisations to test their safeguarding measures regularly rather than just putting them in place and realising ten years later that they are not fit for purpose and have leaked a great deal of data and, second, to keep their security systems up to date and ensure they cannot lose a pile of sensitive data just because there is a power cut or whatever. That is perfectly reasonable. That is the first grouplet. I know this is difficult, technical and monumentally boring stuff, but as the amendments have been grouped in this way, we have to persevere.

Regarding amendment No. 42, if our amendments Nos. 37 to 41, inclusive, succeed, this one can probably be withdrawn because we have provided something similar in the previous amendments. We are proposing in this amendment that, first, any regulations made under the section either to identify suitable and specific measures or specify that some of those measures are mandatory shall first identify different measures for different categories of personal data, different categories of controllers and so on and, second, specify that at least one of the measures set out in the list in section 35 is mandatory. Regulations in regard to suitable and specific measures are a requirement in many different processing situations throughout the Bill. They are crucial to safeguarding people's rights on their data, and because of that they should be granular and detailed. They take into account the kinds of data being processed, by whom and the types of processing actions that are being taken. It is important that at least one, but ideally more, of the measures listed in section 35 is made mandatory if the Minister is going to the bother of drawing up the regulations.

Our last amendment, No. 43, is another backstop. We are placing an obligation on the Minister to seek the advice of the Commission before drawing up regulations under section 35 on suitable and specific measures. If he decides to go ahead and ignore the advice of the commission, that will be his prerogative but he will have to give a statement to the Committee on Justice and Equality outlining the reason. It is just another backstop.

It is a little like amendment No. 5 to section 6, which the select committee passed, in that it provides for greater oversight by the Oireachtas. It would not impose a significant burden on the Minister to seek the advice of the data protection commission and he may choose not to adopt this advice, provided he informs the joint committee of his reason for not doing so.

I hope that, having heard my contribution, she will withdraw some of the amendments in this group. I will start with the good news, however. Having regard to the Deputy's contribution and the content of the amendment, I will accept amendment No. 36. However, I am not in a position to accept the other amendments and I will set out the reasons for my decision.

On section 35, which deals with suitable and specific measures for processing, we are establishing a package or toolbox of suitable and specific measures to be applied in the context of data processing under certain later sections of the Bill. I strongly advise that we read this section in conjunction with sections 43, 45, 46, 47 and 50 because all of these sections make the use of suitable and specific measures mandatory. The choice of which measure from the toolbox is to be used will depend on the individual circumstances of the processing.

While I agree with Deputy Daly that this is important, I stress that the safeguards we are discussing are in addition to, and not a substitute for, the technical and organisational measures under the risk-based approach in Article 24 of the GDPR. These additional measures are justified by the fact that they will apply to special categories of personal data under Article 9. In some cases, encryption of the personal data concerned might be highly desirable but in other cases the appointment of a data protection officer by the controller might in essence be more effective and practical. In this context, I draw attention to section 35(4), which will permit the specification of compulsory safeguards with respect to certain types of data processing.

I cannot accept the amendments proposed by Deputies Daly and Wallace because they would impose a disproportionately heavy or difficult burden on many controllers in circumstances where such burdens would not be necessary. Amendment No. 38, for example, proposes to make all measures in subsection (2) mandatory in all cases. This would impose additional and highly disproportionate obligations on, for example, trade unions handling membership data, schools and voluntary organisations handling health data of pupils or members. In the case of a school, for instance, this could relate to information about allergies to which certain children are susceptible or perhaps religious groups or practices. Such obligations and duties would be onerous and heavy in circumstances where the ordinary running of the organisation or school may not give rise to any type of disproportionate obligation or mandatory work that might be regarded as excessive.

The amendments, in particular, amendment No. 38, would place a high burden on elected representatives making representations on behalf of constituents, especially where issues arise concerning medical treatment. Public representatives deal with such matters daily, for example, in respect of the fair deal scheme, on which we make representations and seek information and services on behalf of constituents. This is part of the routine work we do. It is important to note, in the context of reading this legislation, that this is much more than a theoretical exercise. It imposes real and practical obligations which must be enforceable, including on Oireachtas Members and our colleagues on local authorities. It also extends to clubs, organisations, societies, trade unions, schools and health organisations. While it is important that there is compliance with the legislation and the GDPR as we enter this new era, it is also important that we do not make matters so burdensome and onerous as to become unworkable. This is a difficulty with amendment No. 38.

Amendment No. 37 is largely based on subsection (1) of section 35 but it incorporates provisions from Article 32(1)(b)(c) and (d) of the GDPR, which are already applicable. It is not necessary to go further because this article of the GDPR is clear and is being transposed.

Similarly, amendment No. 43 seeks to impose a heavy procedure in respect of any regulations made under the section. If I understand Deputy Daly correctly, it seeks to impose an obligation on the data protection commission to provide advice in response to every consultation and an obligation on Ministers to inform the relevant Oireachtas committee in cases where the advice is not followed. I remind members of Article 57 of the GDPR, which allows the data protection commission to inform Oireachtas committees directly of any concerns it may have following consultations on proposed amendments. This will enable the relevant committee to monitor any regulations made subsequently. This approach is much more practical and also carries the import of which Deputy Daly spoke.

I do not want a circumstance to arise in which we or bodies across society are faced with a heavy procedure and onerous and burdensome obligations. Section 35, as it stands, establishes an appropriate and balanced package of measures. It sets out a mechanism where specific measures are made mandatory in certain cases. On balance, it is proportionate and deals with circumstances satisfactorily. It is against this background and the need for balance between protection and safeguards, on the one hand, and obligations, on the other, that I am unwilling to accept the amendments, other than amendment No. 36. My amendment No. 44 proposes to delete subsection (7) from the section.

Like the Minister, I will start with the easy part by agreeing with his decision to accept amendment No. 36.

Amendment No. 37 proposes to delete paragraphs (b), (c) and (d) from section 35(1). However, it would simply move them to section 35(2). Amendment No. 38 which would insert the three paragraphs dealing with limitations and access to personal data, strict time limits and specific targeted training proposes a new section. However, it would be mandatory and no longer discretionary.

The legislation is torturous and will torture people throughout the country. It will set up an industry for individuals who will call themselves data protection officers. They will become the supremos in their organisations. I regret that I am certain that it will become a lawyer's holiday. The Bill is complicated and virtually impenetrable in parts and has us stuck in a committee room for 3 hours and 40 minutes. Members of the public have to be able to navigate legislation. Legislation has to be comprehensible to them, but this is not. I acknowledge Deputy Clare Daly's intention, but my concern is that the amendment would worsen the torture by providing for even more requirements under the legislation. If we always had large data controllers who were controlling the data of individuals and there was a divergence in power between large data controllers and the individual, I would support all of these measures, but we must recognise that small numbers of individuals who come together will also be data controllers and we are imposing huge obligations on them. It is not the case that we are dealing with Facebook and a couple of individuals whose rights we want to protect; we are dealing with small groups of people who come together to process data and they will have to read the legislation and understand it. The Minister mentioned trade unions. I was concerned about the impenetrability of the Bill before we commenced and while I acknowledge that Deputies Clare Daly and Mick Wallace are well intentioned in their amendments, we need to simplify the legislation. It is not the case that there is a big, bad data controller on one side and the individual on the other. Most individuals will be unfortunate enough to find themselves in a scenario where they are also data controllers or data processors. On balance, I would stick with sections 35 and 36, as drafted.

We have to put this matter in context. The legislation is torturous and complex not only for the committee but also will be for all organisations in society from now on. That is the reality with which we are dealing. The GDPR is being incorporated into domestic law, but the legislation does not implement it. Even if we did nothing, the GDPR would come into effect on 25 May. It is directly applicable and will supersede Irish law. We are dealing with exemptions, derogations and so on under this legislation. Much of the criticism of the Government has resulted from it trying to exempt itself from provisions and leaving the State open to litigation in other areas. Some of the measures we have proposed are intended to avoid that happening. It is complex and a mess. The addition of Part 5 which is essentially a different Bill in the middle of the legislation does not help either, but that is not the fault of the amendments.

The Minister is accepting amendment No. 36. Amendment No. 37 provides for a model similar to the German model. Mandating organisations to test their safeguarding measures regularly and keep their security systems up to date would not be onerous. A Minister could do it by regulation. It would hardly be a big deal, as it happens in other areas. However, we can revisit the issue. Perhaps it is the lateness of the hour and the complexity of the issues involved, but I was not fully clear on some of the points the Minister made in that regard. It is a mandatory element, but we will revisit the matter on Report Stage. We will withdraw amendments Nos. 38 and 42 on that basis, but with regard to amendment No. 43, I do not see what the problem would be in obliging the Minister to seek the advice of the commission before he drew up the regulations. He would not have to listen to commission officials, but if he did not, he should inform the Dáil as to why not. That provision would not be onerous and should be inserted. It would not make it torturous for the poor residents' associations which will be reading the legislation studiously.

There are a number of elements to this general area. The difficulty with what the State and the European Union are trying to do lies in the conflict between massive organisations and large corporations that handle enormous volumes of data and have great scope to abuse and exploit it, if they so wish, and small organisations that require data for their ongoing day-to-day functions. A distinction could be drawn between them. However, if the data are abused, even in a small organisation, the effect can be just as harmful. The difficulty lies in trying to be reasonable in the treatment of small organisations that are trying to do a great deal on limited resources, while ensuring all organisations, big and small, are careful with data and ensure there are no breaches. The legislation and the GDPR set a high bar and amendments Nos. 37 and 38 would not heighten the bar greatly. They are reasonable proposals and I am inclined to support them, whether on this Stage or Report Stage.

Deputy Donnchadh Ó Laoghaire has said the bar is sufficiently high and that, therefore, we might as well move it a little higher. However, obligations of a serious nature are in place and we need to ensure new obligations under the legislation would be workable and enforceable. If Deputy Jim O'Callaghan says we are running the risk of introducing a lawyer's holiday, I take that-----

I move amendment No. 37:

In page 25, lines 14 to 32, to delete all words from and including “purposes,” in line 14 down to and including line 32 and substitute the following:

"purposes, and

(b) having regard to the state of the art, the context, nature, scope and purposes of data processing and the likelihood of risk to, and the severity of any risk to, the rights and freedoms of data subjects—

(i) logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,

(ii) in cases in which it is not mandatory under the Data Protection Regulation, designation of a data protection officer,

(iii) where the processing involves data relating to the health of a data subject, a requirement that the processing is undertaken by a person referred to in section 49(2),

(iv) pseudonymisation of the personal data,

(v) encryption of the personal data,

(vi) measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services related to the processing of personal data, including the ability to rapidly restore availability and access in the event of a physical or technical incident,

(vii) technical and organisational measures to ensure that processing complies with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures, and

(viii) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.".

I move amendment No. 38:

In page 25, between lines 32 and 33, to insert the following:

"(2) Where a requirement that suitable and specific measures be taken to safeguard the fundamental rights and freedoms of data subjects in processing personal data of those subjects is imposed by this Act or regulations made under this Act, those measures shall include—

(a) limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,

(b) strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed, and

(c) specific targeted training for those involved in processing operations.".

For the sake of expediency and given that we have the right to reintroduce them on Report Stage, I will withdraw amendments Nos. 38 to 42, inclusive.

I move amendment No. 39:

In page 25, line 35, to delete “paragraphs (a) to (e) of subsection (1)” and substitute “subsection (1)(a) and (b) and subsection (2).”.

I move amendment No. 40:

In page 26, line 1, to delete “(a) to (e)” and substitute “(a) and (b)”.

I move amendment No. 41:

In page 26, lines 9 to 13, to delete all words from and including “projects,” in line 9 down to and including line 13 and substitute “projects.”.

I move amendment No. 42:

In page 26, line 14, to delete “may” and substitute “shall”.

I move amendment No. 43:

In page 26, to delete lines 23 to 27 and substitute the following:

“(a) the Minister, provided that—

(i) the Minister has consulted with such other Minister of the Government as he or she considers appropriate,

(ii) the Minister has consulted with and sought the advice of the Commission, and

(iii) the Minister has, if he or she intends to set out regulations which are not in line with the advice of the Commission, laid a written rationale for his or her proposed regulation before the Oireachtas Committee on Justice and Equality and any other relevant committee,

or

(b) any other Minister, provided that—

(i) that Minister has consulted with the Minister and such other Minister of the Government as he or she considers appropriate,

(ii) that Minister has consulted with and sought the advice of the Commission, and

(iii) that Minister has, if he or she intends to set out regulations which are not in line with the advice of the Commission, caused to be laid before the Oireachtas Committee on Justice and Equality and any other relevant committee a written rationale for his or her proposed regulations.”.

I move amendment No. 44:

In page 26, to delete lines 35 to 38.

Amendments Nos. 45 to 49, inclusive, are related and may be discussed together. These amendments are in the names of Deputies Daly and Wallace. Deputy Donnchadh Ó Laoghaire has indicated that the section is to be opposed. I invite Deputies Daly and Wallace, in whatever order, to speak to the grouping.

I move amendment No. 45:

In page 27, to delete lines 27 to 29.

We are interested in listening to the Sinn Féin position on this amendment. We might agree with Sinn Féin in opposing the entire section but for starters, I will set out the position on our amendments.

The section seems to give far too much scope to third party data processing for non-statutory schemes, especially given that the section describes a situation whereby the consent of the data subject will be bypassed. I do not believe it would be too burdensome to simply require the relevant third parties working on non-statutory projects to obtain consent to process personal data.

Amendment No. 46 represents a small change but it could be an important one. Under section 37, as currently worded, it seems that the processing of personal data in the public interest would be possible without being specified in regulations made by the Minister. Who then would decide what constitutes the public interest? Who gets to process data in the public interest? Our amendment seeks to make processing in the public interest explicitly dependent on regulations. In other words, ministerial regulations should be mandatory for such data processing.

Amendment No. 47 is the same as amendment No. 43, which we discussed earlier. Amendment No. 48 attempts to introduce some more detail of Article 23 of the general data protection regulation into the Bill. Article 23 details the restrictions member states can impose on the rights of data subjects for various reasons. These could include reasons of national security. Article 23(2) lists specific provisions that any legislative measure referred to in Article 23(1) shall contain, where relevant. Our amendment is designed to introduce more of these specific provisions into the Bill. It includes a reference to how storage periods for data should be specified in any regulations introduced. Moreover, limitations should be specified as to the purpose of data processing.

Amendment No. 49 represents an attempt to introduce an extra layer of protection that we believe is necessary given the wide-ranging powers conferred on Ministers by section. The lines are taken from elsewhere in the Bill, including section 48, which borrows heavily from the GDPR wording.

I will try to be as brief as possible. There are groupings and mini-groupings. I am open to supporting the Sinn Féin opposition to the section in its entirety.

We are trying to go for a middle road or whatever. At the moment, the Bill proposes that the processing of personal data shall be lawful if it is necessary and proportionate and for it to be done by or on behalf of a controller in order to administer any non-statutory scheme once the legal basis for the administration of that scheme is a function conferred by law on the controller who wants to do the processing. To break that down, it means that because the processing can be done on behalf of a controller - let us call him or her controller A - as long as he or she has a function conferred in law then somebody else - let us call him or her processor B - can process data on his or her behalf without any of the restrictions in the GDPR. It is a significant issue.

Fáilte Ireland, for example, has a statutory function. It could come up with an online marketing campaign for the Wild Atlantic Way to collect emails, place banner and target ads on social media and so on. The marketing company concerned would be administering a non-statutory scheme on behalf of Fáilte Ireland in its statutory function. This is giving such a marketing scheme a wide exemption from consent and the other obligations in data protection which the GDPR is about. Not only is it far too wide and includes large numbers of organisations, it is also unfair on a marketing company which is not working for the statutory organisation which has to comply with onerous data protection guidelines, as appropriate, given its importance. This is an important issue.

Amendment No. 46 is about trying to limit the circumstances in which the exemptions the Government wants to provide under this section can apply. We think it is clear that the GDPR envisages that in circumstances where point E of the regulation applies, which determines more precisely the specific requirements for processing and other measures to ensure lawful and fair processing is being relied on, member states will adopt the rules of the GDPR via specific and precise requirements which cover processing where this data is being relied upon. The exemption is wide and vague. There is no guarantee that any Minister would pass regulations specifying any rules or limitations and so on. If the Government wants to give very broad powers to State and non-State bodies for them to not have to abide by the data protection rules that everybody else has to abide by, which is what we are discussing, then the Government has to set out the limits of those powers. It cannot be left to the vagueness of section 37. At an absolute minimum, therefore, a requirement for Ministers to set out more precisely the ways and means by which personal data can be processed under the public interest official authority exemptions is reasonable.

Amendment No. 47 is like amendment No. 43, in that it asks that the Minister would seek the advice of the commission before drawing up regulations. Again, that is not a significant burden and is in line with the amendments passed earlier.

Amendment No. 48 in this group states that regulations created under section 37 must specify a few things as the Bill stands. Section 37 deals with regulations to allow statutory and, in some instances, non-statutory bodies to be exempt from the rules of GDPR in processing personal data. This is not insignificant. We propose to add a number of things to the list of regulations in the section which the section has to specify. They include how long the data can be kept, what it can be used for and the kinds of processing operations and procedures they can undergo. The additional things we have specified are taken from Article 6 and Recital 45 of the GDPR, which is why we chose them. We feel that is important and in line with the GDPR.

As Deputy Wallace said, the wording for amendment No. 49 has been lifted straight from section 48 which deals with the special categories of data, that is, the most sensitive, and given that fact the protections under this section should be in line with that because section 37 is too vague as it stands.

The difficulties with the section have been well outlined. There are a number of exceptions and qualifications which do not exist in the GDPR. I would be of the view that if we are going to try to have such a detailed piece of legislation it is probably likely to be the case that the legislation need not be as detailed and the GDPR be allowed to have direct effect in many respects. If we are, then the wording should reflect fairly exactly what is in the GDPR. As far as I am concerned, the purposes which are outlined in section 37 are fairly well covered, in particular anything related to the public interest in Articles 6 and 9 of the GDPR. It would be as well to allow them to have direct effect, but where we are trying to mimic them the analogous wording should be used. I am concerned that, as far as I am aware, there is no provision for non-statutory schemes or anything like that in the GDPR. That is a particularly problematic and questionable provision which could be the basis for litigation.

In a general sense, my view is that the section is not necessary. I will support the amendment, but I am not sure it is necessary or even desirable to have this level of exception outlined for so many areas and functions of Government when the direct effect of those sections of the GDPR would cover them.

Before the Minister responds, I would like to give a general overview on section 37. It is appropriate that there is a statutory scheme which deals with the processing of data which is being carried out in the public interest or in the exercise of official authority. I will not support the amendment which seeks to delete paragraph (b) of subsection (1) of that section. One of the consequences of the proliferation of the Internet is the undermining of expertise and, to a certain extent, official authority. The State should try to achieve the objective of trying to do good by the citizen even if it does not always do so. It should try to ensure that issues such as the health of citizens and crimes against citizens are dealt with properly and adequately. We should be open to allowing a statutory provision which recognises that work can be carried out in the public interest. The performance of a function conferred by a person under a statute is a performance of a function which is passed through both Houses of the Oireachtas comprising the elected Members of the people and it should be protected and recognised that is intended to be for the public good.

In respect of any non-statutory schemes, it is frequently the case that the Government will introduce a non-statutory scheme which will have the support of the elected Members. That is deserving of protection.

I am interested in hearing the comments of the Minister in respect of amendment No. 46. If one is going to process personal data for the purpose of the public interest or the exercise of official authority, one should probably do so by way of a regulation. I am interested in hearing whether the Minister is prepared to go for the mandatory requirement, as opposed to the discretionary requirement which is in place at present. I will support amendment No. 47 since it is identical to one we supported previously. Amendments Nos. 48 and 49 introduce further provisions which are not necessary for the purposes of what the section is about, namely, allowing the processing of data when it is in the public interest and being done for official authority. It is not the case that official authority is always bad. It is there primarily to protect citizens.

I will not accept the amendments. The retention of section 37 is not only desirable but it is, to my mind, essential. I thank Deputy O'Callaghan for his support in that regard. This is an area which was the subject matter of some debate in the Seanad.

For the same reasons as then, I am not in a position to accept the amendments now. The purpose of section 37 is to underpin data processing carried out under Article 6.1. Article 6.3 provides that the basis for the processing referred to in Article 6.1 should be laid down either in EU law or national law and, in the case of paragraph (e), shall be necessary for the performance of the task carried out in the public interest or in the exercise of official authority that may from time to time be vested in the controller.

Unlike in some member states, Acts of the Oireachtas that confer functions on public authorities and bodies do not normally provide specifically for the processing of personal data for the purposes of the discharge of their statutory functions. This is implicit. To ensure legal certainty following the entry into force of the GDPR, section 37(1)(a) provides that the processing of personal data shall be lawful to the extent that such processing is necessary for the performance of a function conferred by an enactment or the Constitution. I am back to what we said earlier, about ensuring that the practical outcome of this legislation will not give rise to serious issues from a workability point of view. What this means here is a statutory function must be conferred on the controller and that the processing shall be lawful to the extent that the processing is necessary and proportionate for the performance of that function.

Section 37(1)(b) deals with data processing that arises where non-statutory schemes, programmes or funds are administered by controllers for the performance of a function conferred by an enactment. Let me give a couple of examples. Let us take the Department of Employment Affairs and Social Protection, which operates on a non-statutory basis on an ongoing basis, for example, the free fuel scheme, the free travel scheme, the back to school clothing and footwear allowance, and the school meal programme. All of these schemes necessitate the processing of personal data. This processing is compliant with the GDPR because Recital 41 states that where the GDPR refers to a legal basis or a legislative measure, this does not necessarily require an Act of Parliament each time.

The practical day-to-day reality of this is such that these schemes and other similar non-statutory measures, such as we had recently with the payment that was made by the State to victims of flooding and, even more recently with the fodder shortage, are all beneficial. In many respects they are a response of the State to a certain set of circumstances that often require an urgent response. I would not like to have a body of law or a legal framework where some of these schemes are jeopardised or called into question because of legal uncertainty in respect of data processing, because their continued operation is very much in the public interest.

Subsection (4) allows for the making of regulations to specify the processing of personal data. It is necessary for the performance of a task to be carried out in the public interest by a controller and it is necessary in the exercise of official authority. The need for specification arises here because, as recognised in Recital 45 of the GDPR, it is a matter for national law whether the controller is performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another legal person subject to private rather than public law. The recital recognises that private entities may perform a task in the public interest or in the exercise of official authority, and the purpose of subsection (4) is to ensure transparency as well as legal certainty in such cases. Subsection (5) specifies the conditions.

I am conscious of the time and I am also conscious of the fact we really did go through this in the Seanad in some detail, but it seems the amendments tabled by Deputies Wallace and Daly may well be based on a misunderstanding, because the regulations referred to in subsections (4) and (5) will not create a lawful basis for processing. That already exists elsewhere. Rather, for reasons of transparency and legal certainty, they specify processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The proposal in amendment No. 48, to add paragraphs (c) to (f), inclusive to subsection 5, in many respects cuts across Article 5 of the GDPR and is not, therefore, GDPR compliant. Article 5 principles are directly applicable in all cases without the need for any particular specification of this type. The purpose of the provisions in subsections (2), (3) and (6) is to permit the making of regulations to facilitate the continued operation of the common travel area. Under SI 220 of 30 March 2016, for example, air and sea carriers are already permitted to process personal data for the purpose of the preservation of the common travel area. These subsections will permit the making of new regulations to replace those regulations in due course, but this is even more important in the context of the withdrawal of the UK from the European Union. In short, the retention of section 37 is essential to ensure an element of certainty.

If it were possible that we could complete this particular section it would be a good cut-off point. We have a little bit of leniency in terms of the use of the committee room. The signalled time was 1.15 p.m. but if five or ten minutes would make the difference to have this done when it is fresh in our minds that would be okay.

I agree with the Chairman on that.

Just because we disagree with the Minister does not mean we misunderstand the scheme. We just have a different view of things. All of the schemes the Minister outlined can continue to operate on the basis of our amendments. The Department would just need to get the consent of people to process their data. That is all it is. With section 37 people do not even need to be asked for permission to use their data to administer a whole bunch of schemes and what we are putting forward is not onerous. Given the balance of forces, and it is clear that any vote would be lost now, we will withdraw all of the amendments, except amendment No. 47, with the right to re-enter them on Report Stage.

I move amendment No. 47:

In page 28, to delete lines 8 to 12 and substitute the following:

"(a) the Minister, provided that—

(i) the Minister has consulted with such other Minister of the Government as he or she considers appropriate,

(ii) the Minister has consulted with and sought the advice of the Commission, and

(iii) the Minister has, if he or she intends to set out regulations which are not in line with the advice of the Commission, laid a written rationale for his or her proposed regulation before the Oireachtas Committee on Justice and Equality and any other relevant committee,

or

(b) any other Minister, provided that—

(i) that Minister has consulted with the Minister and such other Minister of the Government as he or she considers appropriate,

(ii) that Minister has consulted with and sought the advice of the Commission, and

(iii) that Minister has, if he or she intends to set out regulations which are not in line with the advice of the Commission, caused to be laid before the Oireachtas Committee on Justice and Equality and any other relevant committee a written rationale for his or her proposed regulations.".

We will conclude for today. We will resume consideration of the Bill tomorrow afternoon in committee room 1. We are a little shy of 50 amendments – we are on amendment No. 49. There are 248 or 250 amendments in the whole thing. We have one fifth of the amendments done. If we find ourselves at that pace tomorrow, we will be in some trouble.