I move: "That the Bill be now read a Second Time."
The primary purpose of this Bill is to give effect to the provisions of Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It will do so by amending the Data Protection Act, 1988.
It is no exaggeration to say that globalisation and the development of information systems and technologies have a profound impact on the way we work and live today. One dimension of this process of change is reflected in the extent to which personal data are used increasingly for commercial, leisure and learning purposes. Another is the speed and ease with which such information can be processed, passed on to others or used for purposes for which it was never intended.
Mobility of data is, of course, beneficial in many ways but it is also true that recent developments have once again raised fears about a possible erosion of privacy and other fundamental personal rights. What is required, therefore, is an appropriate set of safeguards that protects the privacy interests of individuals while at the same time facilitating the processing of personal data for legitimate and beneficial uses.
Directive 95/46 sets data protection standards for the European Community to ensure a consistent level of protection across all member states. These standards are intended to facilitate and encourage the free movement of personal data in the Internal Market. The objective of this Bill is to transpose them into our domestic law. The Bill amends the Data Protection Act, 1988, which gave effect to the Council of Europe's 1981 Data Protection Convention. In particular, it specifies conditions for processing personal data, including more stringent conditions regarding "sensitive personal data". It strengthens individuals' rights with regard to the processing of their personal data and extends data protection rules to certain categories of manual data. It sets out new rules governing the transfer of personal data to countries and territories outside the European economic area or EEA, that is, outside the EU member states, Iceland, Norway and Liechtenstein. The Bill also contains a number of amendments to the 1988 Act that are not directly related to the EU directive but are intended to improve the functioning of the Act.
It can be asked why it was considered necessary to adopt a data protection instrument at European Union level when all member states were already members of the Council of Europe and had ratified the convention. The answer is that the directive builds on the provisions of the convention but is a more extensive and detailed instrument. The aim is to ensure a common set of data protection standards with a view to improving the functioning of the Internal Market as well as promoting international flows of personal data. The additional features of the directive when compared with the convention include the following: it extends the mandatory application of data protection rules to certain categories of manual data; it establishes a right to object to the processing of personal data in certain cases, including where the data may be processed for the purposes of direct marketing; decisions based solely on automatic processing of data that have a legal effect or impact in a significant way on a data subject are prohibited; detailed provisions are set out relating to the conditions under which personal data may be transferred to countries and territories outside the European economic area; the supervisory authorities in each state are required to establish a system of "prior checking" of processing that may present specific risks to individuals' rights and freedoms; and the development of codes of practice is to be encouraged and facilitated.
Before moving on to deal with the detailed provisions, I will explain the situation regarding implementation of the directive. Measures to implement the directive were required to be in place by October 1998, with member states having a further three years to ensure full conformity with its provisions. I regret that transposition of the directive has been delayed. This was due to a combination of factors, including the need to consult widely, pressure of other work and, not least, the complexities arising in this particular context. I understand that Ireland is one of a number of member states that have experienced such difficulties.
However, many of the directive's provisions have been implemented in the Data Protection Act, 1988. These include provisions relating to the establishment of a supervisory authority; liability, remedies and sanctions; and codes of conduct. Moreover, on 19 December last the then Minister for Justice, Equality and Law Reform, Deputy O'Donoghue, signed the European Communities (Data Protection) Regulations, 2001. These regulations, which entered into force on 1 April last, give effect to certain additional provisions of the directive.
The regulations are an interim measure pending enactment of the Bill. They deal in particular with transfers of personal data to countries and territories outside the European economic area. In short, they provide that such transfers may only take place where adequate standards of data protection are deemed to exist.
Regarding the detail of the Bill, following publication of the Bill and its passage through the Seanad earlier this year, a number of concerns have been raised with the Department. Submissions and representations have been received from several sources proposing or suggesting possible amendments. Having reflected on these matters, while bearing in mind that the primary purpose of the Bill is to give effect to the EU directive, I will be bringing forward a number of amendments on Committee Stage and I will refer briefly to some of these when I come to the sections concerned.
Section 2 of the Bill amends section 1 of the 1988 Act in several important respects. In the first place, it adds several new definitions, including "automated data", "manual data" and "sensitive personal data", while replacing certain existing definitions, including "personal data" and "processing". For data protection purposes, "manual data" is defined in the Bill as information that is recorded as part of a "relevant filing system". The latter is defined in turn as any set of information relating to individuals that is structured by reference to individuals or criteria relating to individuals, in such a way that specific information in relation to a particular individual is readily accessible. This means that for data protection provisions to apply, data processed manually must comply with the following four criteria. The personal data must be part of a set; the set must be structured; the structure must refer to individuals or to criteria relating to individuals; and specific information relating to a particular individual must be readily accessible. If any of these criteria is not met, the manually processed data concerned will not be covered. This is in line with the directive's provisions.
"Personal data" is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The Department's consultation process revealed no demand to extend data protection coverage to deceased persons, which appears to be possible under the directive, and it has been decided, therefore, to retain the existing 1988 provision which refers to living persons only. The reference to other information that is in, or likely to come into, the possession of the data controller is designed to cover categories of data – lists of identity or registration numbers, perhaps – that could be processed with the aid of a decoding key.
The new definition of "processing" set out in this section is not based on technical or technological processes but encompasses a broad range of functions such as the collection, recording, storage, retrieval, etc. of data. This section is also important in so far as it clarifies the scope of data protection law in line with the provisions of Article 4 of the directive. A new subsection, 3B, to be inserted in the 1988 Act provides that it will apply to data controllers established in the State who process data in the context of that establishment and to data controllers who are neither established in the State nor within the EEA, but who make use of equipment located in the State for processing purposes. Section 23 of the 1988 Act is being repealed as a consequence of the new provisions. These two provisions – addition of the new subsection 3B and the repeal of section 23 – have been given effect in the regulations that I mentioned earlier which took effect on 1 April last.
In the new subsection 3C an exemption from data protection rules is provided for in cases where data is processed solely for the purpose of historical research. This complements the exemptions already provided for in the existing subsection (4). Subsection (4)(b) contains an exemption for personal data consisting of information that the person keeping the data is required by law to make available to the public. The Bill proposes to insert a new subsection (5) which would mean that this exemption would not apply where such data are processed for a purpose other than the purpose for which they were collected. Since the Bill was considered in the Seanad, concerns have been expressed that this new provision could unintentionally restrict the use of certain information in a manner that would not serve the public interest, for example, in the area of company law. I intend to introduce an amendment on Committee Stage to address this problem.
The collection, processing, keeping, use and disclosure of personal data is dealt with in section 3, which amends section 2 of the 1988 Act. In particular, it replaces subsection (1) with a restatement of data protection principles as enunciated in Article 6 of the directive. Exemptions from certain principles for personal data used for statistical, research or other scientific purposes are retained but may be made subject to prescribed requirements.
The text of the existing subsection (7), which deals with direct marketing, is to be replaced with a new text that will allow a person, in accordance with Article 14(b) of the directive, to request a data controller, prior to processing, not to process personal data for the purpose of direct marketing. A new subsection (8) provides that individuals must be informed of their right to object. These provisions are not intended to discourage the practice of responsible direct marketing, which is an important commercial activity, but rather to raise awareness of the right, and give individuals the opportunity, to opt out of receiving direct marketing material if they so wish.
Section 4 is a substantial provision and it inserts no less than four new sections, sections 2A to 2D, into the 1988 Act. The new section 2A deals with the processing of non-sensitive personal data and takes account of the provisions of Article 7 of the directive. It provides that, subject to satisfying the conditions set out in section 2, personal data can only be processed where one of the listed conditions is satisfied. I will not enter into the detail of these conditions except to say that the main condition is that the data subject has given his or her consent to the processing concerned. The text of the Bill requires explicit consent on the part of the data subject. A number of representations have been received by the Department, including from the direct marketing industry, pointing out that requiring explicit consent in the case of non-sensitive data goes beyond what is required by the directive and suggesting that the Bill be amended. Having reflected further on this, I accept that the directive does not require explicit consent in relation to non-sensitive data and I will be introducing an appropriate amendment on Committee Stage.
The new section 2B deals with the processing of a new category of "sensitive personal data" which is defined earlier. Processing of this data will in future be subject to more stringent conditions in accordance with Article 8 of the directive. It provides for a prohibition on the processing of such data except where, in addition to satisfying the conditions set out in sections 2 and 2A, one of an additional set of listed conditions is also met. The giving of explicit consent is one of these conditions.
The new section 2C deals with the security of processing operations, as set out in Article 17 of the directive, and it provides that data controllers must implement appropriate measures to protect personal data and such measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. The security obligation also extends to any person in the employment of the data controller or indeed anyone else who has access to the workplace. The provisions of this new section have also been given effect in the regulations that I mentioned earlier.
Section 2D takes account of the provisions of Articles 10 and 11 of the directive and it provides that personal data will not be treated as having been processed fairly unless, when personal data is obtained, the data subject is provided with certain information, including: where data are obtained directly from the data subject, the identity of the data controller and the purposes for which the data will be processed; where the data come from a source other than the data subject, the name of the original data controller. There are important exemptions included here which mean, for instance, that the obligation to inform does not apply when data are processed for statistical, historical or scientific purposes where the provision of such information would involve disproportionate effort or where the information is required by law.
The important right set out in section 3 of the 1988 Act, the right to establish the existence of data, remains unchanged. However, section 5 of the Bill strengthens the right of access provisions set out in section 4 of the 1988 Act. The new text of subsection (1) builds on the current provisions by providing, in line with the terms of Article 12 of the directive, that where an access request is made under the Act, the applicant must be provided with certain additional information such as the source of the data and the purpose of the processing. My Department has become aware recently of concerns that the disclosure of the data source could in certain circumstances run counter to the public interest. This matter is being examined at present and I may wish to table an amendment that addresses this issue on Committee Stage.
I wish to mention the new subsection (13) which is not related to the directive. It will in future prohibit a person, in connection with the employment of another person, the continued employment of another person, or a contract for the provision of services to him or her by another person, from requiring that person to make an access request under section 4 of the Act or from supplying him or her with personal data obtained on foot of such an access request. This amendment is intended to prevent a type of abuse, known as enforced subject access, that has arisen in relation to employment under the current right-of-access provisions.
Concerns have been expressed that in the absence of a comprehensive and fully-functioning vetting system, an existing, albeit imperfect, mechanism would no longer be available to employers in sensitive areas. I am reflecting at present on how best to deal with this with a view to addressing it on Committee Stage.
Section 6 takes account of Article 12(c) of the directive and amends the 1988 Act to give persons an additional right to have incorrect or inaccurate data "blocked", that is, marked in such a way that it is not possible to process it for purposes in relation to which it is marked. This new provision will supplement the existing rights to have data rectified or erased. It also provides that where data have been blocked, there is a requirement to notify any person to whom that data were disclosed in the previous 12 months unless such notification proves impossible or involves disproportionate effort.
Section 7 inserts two new provisions into the 1988 Act to take account of Articles 14 and 15 of the directive. The first of these is a new section 6A which extends a person's right to object to the processing of personal data relating to him or her where the processing of such data is considered necessary for the performance of a task carried out in the public interest or where the processing is for the purposes of the legitimate interests of the controller. However, the objection must be on compelling legitimate grounds and the right to object will not apply in certain circumstances set out in the section.
The second provision, a new section 6B, provides for a general ban on decision-making that is based solely on automated processing of data intended to evaluate certain personal aspects where such a decision produces legal effects concerning a person, or otherwise significantly affects a person except in the circumstances outlined in that section and where suitable safeguards to protect the person's legitimate interests are in place.
In section 8, the Bill provides for certain additional functions for the Data Protection Commissioner. In future, the commissioner will be the supervisory authority for the purposes of the directive and will be responsible for the dissemination of information on Union findings relating to the adequacy of data protection rules in countries and territories outside the EEA. The commissioner will also be required to perform functions in relation to data protection that the Minister may confer on him or her and which would enable the Government to give effect to international obligations of the State. The commissioner will have a monitoring role for the purposes of Council Regulation 2725 of 2000.
Section 9 amends section 10 of the 1988 Act to bring it into line with current practice as it has evolved since the entry into force of the 1988 Act. It recognises the possibility that complaints between parties may be resolved in an amicable way and that in such cases no further action by the Data Protection Commissioner may be necessary. An important new provision in the Bill will allow the Data Protection Commissioner to monitor the application of the directive. This proactive role will complement existing functions such as providing advice and dealing with complaints.
One of the key sections of the Bill is section 10, which takes account of the provisions of Articles 25 and 26 of the directive. It deals with restrictions on the transfer of personal data to countries and territories outside the EEA and replaces in its entirety section 11 of the 1988 Act. Almost all this section has been given effect in the regulations that came into force on 1 April 2002.
The new section 11 provides that a transfer of personal data to a country or territory outside the EEA may not take place unless an adequate level of protection is deemed to exist. Subsection (1) lists the factors to be taken into account in any assessment of adequacy.
The Data Protection Commissioner is required to inform the European Commission and other member states of any case where he or she considers that a country or territory outside the EEA does not ensure an adequate level of protection. However, where the European Commission makes a Union finding in accordance with the decision-making procedures set out in the directive in relation to whether an adequate level of protection is ensured in such a country or territory outside the European economic area, that decision must be complied with.
Commission decisions have been adopted recognising the adequacy of the data protection rules in Switzerland and Hungary. These countries are considered as having an adequate level of protection for personal data transferred from the member states. More recently, a Commission decision has been made in relation to Canada that covers transfers of personal data to recipients that are subject to the Canadian Personal Information and Electronic Documents Act.
As regards the United States, following protracted negotiations between the European Commission and the US authorities, a Commission decision recognising the adequacy of protection provided by a set of safe harbour privacy principles has been adopted. Personal data may, therefore, be transferred to organisations which have unambiguously and publicly disclosed their commitment to comply with these principles and are subject to the statutory powers of a US Government body empowered to investigate complaints and obtain relief against unfair or deceptive practices as well as redress for individuals.
There are circumstances in which transfers of personal data to countries and territories outside the EEA may take place without Community findings in relation to the adequacy of the data protection arrangements. These are set out in the new subsection (4).
The Data Protection Commissioner must also comply with any Commission decisions that certain contractual clauses offer sufficient safeguards for the transfer of personal data. Two such decisions have been taken to date. A decision dated 15 June 2001 contains a set of standard contractual clauses for general use while a decision dated 27 December 2001 contains a set of contractual clauses adapted to cover transfers to data processors located outside the EEA.
Before moving on from this section, I draw attention to an important provision in subsection (6) which provides that where personal data are transferred with the protection of contractual clauses, the person to whom the data relates shall have the right to enforce the terms of that contract as if he or she were a party to it. Subsections (7) to (15) re-enact provisions of the 1988 Act and allow the Data Protection Commissioner to prohibit a transfer of data to a place outside the State and set out the administrative procedures to be followed in connection with such a prohibition. In determining whether to prohibit a transfer of personal data, the commissioner must, as heretofore, also have regard to the desirability of facilitating international transfers of data.
Section 11 provides for the insertion of a new section 12A in the 1988 Act. Taking account of Article 20 of the directive, it makes provision for a system of prior checking by the Data Protection Commissioner of processing operations likely to present specific risks. A processing operation which is the subject of a prior check may not take place until the checking procedure has been completed. An appeal can be made against the result of any such prior check.
While the 1988 Act already contains provisions relating to codes of practice, section 12 amends these provisions in order to take account of Article 27 of the directive. The revised provisions will allow the Data Protection Commissioner to consider, and approve as appropriate, draft codes of practice submitted by trade associations or other bodies representing categories of data controllers or to prepare such codes in consultation with relevant interests. A new subsection (6) provides that approved codes of practice may be taken into account by the courts in relation to the settlement of disputes.
Section 14 contains another amendment of the 1988 Act. While extending current registration requirements, it also makes provision for exemptions – for example, where the sole purpose of processing is the keeping of a register intended to provide information for the public and which is open to consultation or where the processing is carried out by a non-profit seeking body in relation to the members of the body or those who have regular contact with it.
Certain categories of data processing may also be specifically exempted from registration requirements by means of regulations where the processing in question is unlikely to affect the rights and freedoms of data subjects. These categories will be prescribed by regulations.
Concerns have been expressed concerning the proposed extension of registration requirements and the burdens that this might entail. I will reflect further on this aspect also in advance of Committee Stage.
Section 18 contains another important set of provisions that have regard to the special importance of the public interest in freedom of speech. A new section 22A to be inserted in the 1988 Act provides that personal data processed only for the purposes of journalism or artistic or literary purposes will be exempt from certain provisions of the Act once such processing is either undertaken solely with a view to the publication of any journalistic, literary or artistic material or the data controller believes that such publication would be in the public interest and where the data controller believes that compliance with these provisions would be incompatible with journalistic, artistic or literary purposes.
The provisions in the Act referred to here include the sections that deal with processing of personal data; processing of sensitive personal data; fair processing of data; right of access; right to rectification; right to object; and restrictions on decisions based on automatic processing. The possibility of developing codes of practice under section 13 of the Act for approval by the Data Protection Commissioner is referred to in subsection (3). Such a code could set out guidelines for determining whether publication of material would be in the public interest.
In accordance with Article 32 of the directive, automated data will be brought into conformity with the Act two months from the date of its passing. Manual data will come within the scope of the Act at the same time, with one important exception. Manual data already held in filing systems need not be brought into conformity with sections 2, 2A and 2B of the Act – that is, the sections corresponding to Articles 6, 7 and 8 of the directive – until 24 October 2007. However, the right of rectification, erasure or blocking of data that are incomplete, inaccurate or stored in a way that is incompatible with the legitimate purposes pursued by the data controller will apply progressively to such manual data during that period, in particular when a person makes an access request under section 4 of the Act.
The Bill is designed to bring our domestic data protection law into line with the requirements of the EU directive and to make certain improvements to existing arrangements in the light of experience gained since 1988. In doing so, it seeks to establish an appropriate balance between the protection of the privacy of data subjects, the public interest and the need to facilitate the international flows of data that are an essential feature of today's information society. Providing protection for personal data in this way will encourage greater support for and participation in efforts to reap the full benefits of the information society, whether by way of e-commerce or e-government.
Since they build on the existing data protection infrastructure established under the 1988 Act, the additional requirements in the Bill should not involve or impose undue additional burdens. Neither should they serve to unnecessarily restrict transfers of personal data to destinations within the State, nor to destinations outside the European economic area. On the contrary, the enactment of the Bill will ensure that agreed European Community level standards of data protection will operate here to the benefit of individuals, commercial and other interests and international operators.
This is a technical Bill and there may be aspects which Deputies may wish to have clarified. If so, I shall endeavour to do so when replying today or on Committee Stage. Careful consideration will be given to questions raised or suggestions made during our debate today while bearing in mind that the primary purpose of the Bill is to give effect to the provisions of a European Community directive. I commend the Bill to the House.