This meeting has been convened to consider the Communications Regulation (Postal Services) (Amendment) Bill 2015, the purpose of which is to ensure the public interest is satisfied with regard to the undertaking of legitimate postcode activities in order that the processing of any personal data in postcode-enabled databases is in compliance with the Data Protection Acts. I welcome the Minister for Communications, Energy and Natural Resources, Deputy Alex White, and his officials to the meeting.
Communications Regulation (Postal Services) (Amendment) Bill 2015: Committee Stage
Section 1 agreed to.
SECTION 2
Amendments Nos. 1 and 10 are related and may be discussed together.
I move amendment No. 1.
In page 7, to delete lines 19 to 21 and substitute the following:
"(2) A person who breaches the Act of 1988 in relation to postcodes shall be liable in damages in tort.".
I have concerns when data protection measures are inserted in primary legislation, as is the case with this Bill, because the legislation will depend on close linkages with the principal Data Protection Act. I have identified some specific omissions in the Bill before us. For example, enforcement will not be possible under this legislation and the text does not refer to penalties. I do not see how its provisions can be enforced outside Ireland, certainly outside the European Union, and, as such, no one will be under any compulsion to obey them.
If a person's privacy is breached, he or she will not be able to obtain compensation unless damage can be proved, which will be difficult, if not impossible, to achieve. I fail to see where the Bill provides additional privacy protection in practical terms. Furthermore, I do not believe it can be implemented in the absence of an enforcer and specific consequences for breaches of its provisions. I am probably straying a little into the discussion of amendments Nos. 2 to 10, inclusive.
As the amendment is being discussed with amendment No. 10, the Deputy may wish to speak to both amendments.
There are risks in having a postcode contractor perform some of the duties that a data protection commissioner would perform under data protection legislation. This sets a dangerous precedent, which could have unintended consequences.
It is good that the Minister has introduced this Bill as without it, data protection would not be possible. My amendments, Nos. 1 and 10, are required to make the legislation effective and enforceable not only in Ireland and the rest of the European Union, but throughout the world.
As we are discussing amendments Nos. 1 and 10 together, I will address both amendments. Section 66C(2) clarifies that section 6A of the Data Protection Act 1988, in other words, the principal Act, which relates to the processing of personal data that is likely to cause damage or distress, which is the issue Deputy Colreavy raises, does not apply where the processing is necessary to undertake a legitimate postcode activity. This would cover, for example, a case where an owner or occupier of a property disagrees with the matching of his or her address to an Eircode, in particular, the routing key element of the Eircode, despite the accuracy of any such matching. Section 66C(2) is, therefore, an essential provision in the Bill.
To address directly the issue raised by the Deputy, section 7 of the main Data Protection Act already provides that data controllers and processors owe a duty of care to data subjects, which duty relates to the collection of and dealings with personal data. The provisions of the principal Act apply in respect of breaches of the rights contained therein. Section 30 of the Data Protection Act provides that the Data Protection Commissioner may bring summary proceedings for an offence under the Act, while section 31 of the Act provides for penalties for offences under the Act.
It is neither appropriate nor necessary to provide for offences here, new offences as it were, for breaches of data protection rights when such provisions already exist in the Data Protection Act. It is not a case that we are omitting enforcement provisions because what we are putting into the Act, if the committee agrees to the amendments, are new provisions, which will have, as it were, the protection of the enforcement provisions that are already in the 1988 Act. We do not need new enforcement measures or new penalties to cover breaches of the new provisions we are putting into the legislation because breaches of those new provisions will still fall to be dealt with under the original Act. Therefore, if a citizen is aggrieved in respect of some breach of these new provisions, they will still have the benefit of the enforcement mechanisms that are already included in the principal Act. There have never been any issues raised, of which I am aware, in regard to the adequacy of the enforcement measures in the Data Protection Acts that made the principal Acts. It is always open to the Oireachtas and to the Deputy to raise the issue of whether the enforcement measures in the general Data Protection Acts are sufficient and adequate. That could be an issue in the future if the Deputy or anyone else believed they were not adequate but no one has ever raised the issue that the existing enforcement mechanisms are not adequate.
In regard to the Deputy's second point, which relates to the contractor and the complaints procedure, a code of practice has been put in place and the contractor has had good contact with the Data Protection Commissioner about it and the commissioner has had an opportunity to have an input into the new code of practice dealing with the complaints procedure under this amendment Bill. As I understand it and as I have been advised, the Data Protection Commissioner has given her input into that code of practice and on the basis and understanding that her input is incorporated into the code of practice by the contractor, the Data Protection Commissioner will be amenable to agreeing to that code of practice.
We are not supplanting the role of the Data Protection Commissioner, Someone could still make a complaint to the Data Protection Commissioner under the Data Protection Acts. We are not hollowing out any powers from the Data Protection Commissioner. At the initial phase, if that is an accurate way of describing it, one will be able to make a complaint under this new complaints procedure, but that will not take away one's right to make a complaint in the normal way to the Data Protection Commission. Those are my responses to the Deputy's comments.
Is Deputy Colreavy pressing the amendment?
May I respond to the Minister's points?
Yes.
I understand what the Minister is saying but corporate lawyers will have great fun with this one. The precedent that is being established in setting up contractors who are replicating the role of the Data Protection Commissioner is a dangerous one. The Minister said this has never been a problem up to now but in regard to the dissemination of information the facility to target specific addresses is not easily available either. There could be a potential mushrooming of unwanted data being sent to people's houses and the processing could take place in China or India rather than in Dublin or Mullingar. The precedent of contractors making decisions that would normally be within the realm of the Data Protection Commissioner is a dangerous one. It needs to be thought out much more. Will that practice be expanded into other areas? I will be pressing the amendments as this is a dangerous precedent.
Does the Minister wish to respond?
I repeat the point that I must respectfully disagree with Deputy Colreavy's suggestion that the complaints procedure here would be, to use his phrase, replicating the role of the Data Protection Commissioner. That is not true. It is simply not the case. The Data Protection Commissioner's powers under the principal Act remain and they are considerable. Absolutely nothing is being taken away or nothing is being done in this amendment Bill which will in any way reduce the existing powers that the Data Commission has under the primary legislation. Arguably, one could say that this is an additional layer and provides an additional opportunity for an aggrieved person to make a complaint. A robust complaints procedure is being inserted in the legislation which can be availed of by individuals who feel aggrieved for any of the reasons the Deputy mentioned or others, but they will also still have the right to go the Data Protection Commissioner in the event of a breach of the Data Protection Acts.
In regard to the extra-territorial effect of this legislation, it is a difficult issue as to whether legislation not only in this area but in any area could have extra-territorial effect. If the breach is taking place within the jurisdiction, then the rights that an individual citizen has to make or pursue a complaint are there. The Deputy is right in that if a breach takes place abroad and if it is in regard to data here, an activity here, or an address or personal data here, then all the rights that would be associated with any individual citizen are open to be exercised by him or her.
I hesitate to say that I do not think the concerns the Deputy has raised about complaints procedures are valid because I do not want to criticise him in that sense, but I do not think there is an issue here. A complaints procedure is being put in place for the protection of individuals but people still also have the right to go to the Data Protection Commissioner and that right is not being supplanted by this provision in any way.
Is the Minister specifying that within this legislation because that provision is not set out under the complaints procedure measure?
I do not understand the Deputy's point.
There is no section in the legislation that points out the right of a person to go to the Data Protection Commissioner. It is not stated in the Bill.
The answers to the Deputy's question is that, as stated in the Title, this is a Bill entitled An Act to amendment the Communications Regulation (Postal Services) Act 2011; and to provide for related matters. Section 1 states: "In this Act [the] "Principal Act" means the Communications Regulation (Postal Services) Act 2011." That is what we are amending here but all of the existing data protection remains in place. The Act of 1988 is referred to here as meaning the Data Protection Act 1988 and so on. It cannot be said that because we are introducing new legislation it in any way removes or lessens the impact of the existing legislation; the existing legislation continues to have full force. If one were to state that in legislation, it would give rise to all kinds of problems in regard to all kinds of legislation where one would have to include wording in a new Bill that these other Acts still apply. The presumption is that other Acts still apply because they are the law of the land.
I would be much more assured about this if such a reference were included in this Bill.
Does the Deputy wish to press the amendment?
Amendment put and declared lost.
Amendments Nos. 2 to 9, inclusive, are related and will be discussed together.
I move amendment No. 2:
In page 7, line 23, to delete "postcode contractor" and substitute "Data Protection Commissioner".
We have more or less covered the debate on this issue and the Minister probably understands my concern in this respect.
I will be pressing a vote on the issue.
The Deputy is correct that this reflects on some of the discussion we have already had. The complaints procedure set out in the Bill refers to the process that owners or occupiers of property can follow with a postcode-related complaint. The complaints procedure is set out in the postcode contractor's code of practice and, as I indicated earlier, the postcode contractor has consulted the Office of the Data Protection Commissioner in the drafting of the code of practice, and that office has made a number of observations and recommendations, which the postcode contractor is happy to accept. The Office of the Data Protection Commissioner has stated that it will approve the code of practice once these changes have been incorporated.
Furthermore, the Data Protection Act provides powers for the Data Protection Commissioner to investigate complaints and enforce compliance with the Act. I made the point earlier about the powers of the Data Protection Commissioner. The provisions of the Data Protection Acts apply to any postcode-related complaints which the commissioner may receive. I emphasise that there is nothing to prevent persons complaining to the Data Protection Commissioner where there is a perceived breach of the Data Protection Act in the context of the postcodes project. It is therefore neither necessary nor appropriate to set out investigative functions for the Data Protection Commissioner in this Bill, given that there is a statutory regime already in place. The Office of the Data Protection Commissioner has been consulted extensively during the drafting stages of the Bill and has at no stage indicated that the provisions set out in the 1988 Act are inadequate, as I noted earlier. I trust that the Deputy will accept, for the outlined reasons, that I am unable to accept the amendment.
Was a privacy impact assessment done during these discussions?
Yes. It is on our website and was put there some time ago.
Does the Minister refer to the assessment?
Yes, it is the privacy impact assessment that I directed should take place. There is no statutory requirement to do it but the Deputy is correct in that it is good practice in a development like this.
Amendment put:
The Committee divided: Tá, 2; Níl, 7.
Tá
- Colreavy, Michael.
- Moynihan, Michael.
Níl
- Griffin, Brendan.
- Harrington, Noel.
- Kenny, Seán.
- Maloney, Eamonn.
- O'Donovan, Patrick.
- O'Mahony, John.
- White, Alex.
Amendment declared lost.
It was a little like Leitrim in Croke Park.
They were there anyway.
I move amendment No. 3:
In page 7, line 28, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 4:
In page 7, line 32, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 5:
In page 7, line 35, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 6:
In page 7, line 36, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 7:
In page 7, line 38, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 8:
In page 8, line 1, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 9:
In page 8, line 3, to delete "postcode contractor" and substitute "Data Protection Commissioner".
Amendment put and declared lost.
I move amendment No. 10:
In page 8, line 24, to delete "its terms."." and substitute the following:
"its terms.
66F. (1) The use of the postcode to breach the data protection rights of a data subject is an offence.
(2) A person who commits an offence under this Part is liable on summary conviction to a fine not exceeding €1,000,000, or in the case of a body corporate, whichever is the greater of €1,000,000 or 2 per cent of the global turnover of that company or where that company is owned by another company, 2 per cent of the global turnover of the ultimate parent company.
(3) Where a person does outside the State an act that, if done in the State, would constitute an offence under this section he or she shall be guilty of an offence and he or she shall be liable on conviction to the penalty to which he or she would have been liable if he or she had done the act in the State.
(4) Where an offence under this Part is committed by a body corporate and is proved to have been committed with the consent of or to be attributable to any neglect on any part of any person, being a director, manager, secretary or other officer of the body corporate or a person who was purporting to act in such a capacity, that person, as well as the body corporate, commits an offence and is liable to be prosecuted against and punished as if he or she were committing the first mentioned offence.
(5) Proceeding for an offence under this Part may be brought and prosecuted by the Data Protection Commissioner.”.”.
Amendment put and declared lost.
Section 2 agreed to.
Section 3 agreed to.
Title agreed to.
Bill reported without amendment.
I thank the Minister and officials for attending and I thank the members of the committee for considering the Bill.