I move: "That the Bill be now read a Second Time."
I thank the Ceann Comhairle and the House for the opportunity to present this Bill here today. This is a specialised and technical Bill, which is necessary in order to meet obligations entered into by Ireland under EU measures known as the Prüm decisions. These decisions are named after the town in Germany where the principles behind them were originally agreed, and address the need to share certain kinds of information between member states to combat terrorism and other serious crime. They require member states to share DNA, fingerprint, and vehicle registration data. Legislation to share DNA and fingerprints, which is the responsibility of the Department of Justice and Equality, was passed in 2014. This Bill will provide for the sharing of vehicle registration data.
The Prüm decisions were originally reached in 2008. At that time member states had a choice of whether to opt into them and Ireland did so, by votes of both Houses of the Oireachtas. Once we opted in, the decisions became mandatory for us under EU law. Compliance with the decisions means not only passing the necessary legislation. We are not deemed to be compliant until we actually begin sharing information with other member states. Under an agreement reached by the EU in 2009, data will also be shared with Iceland and Norway under the decisions.
The legislative aspect of giving effect to the decisions has proven to be very complex. The legislation to give effect to the sharing of DNA and fingerprint information was passed in 2014, six years after the decisions. As this constituted the major part of the decisions, legislation for sharing of vehicle registration data was to be dealt with only after the DNA and fingerprint legislation. A number of legal difficulties had to be resolved, and it is only now that we are in a position to bring forward the necessary legislation to allow for exchange of vehicle registration data as required by the decisions. Due to these delays, as well as technical delays to the sharing of DNA and fingerprint data, the EU has begun the initial stages of action against the State for possible infringement of EU law. I understand that the technical processes necessary for arriving at actual sharing of DNA and fingerprint data are well advanced, with the crucial stage of EU evaluation visits to assess readiness being completed in February, in the case of fingerprinting, and scheduled for April in the case of DNA. Vehicle registration data cannot be shared under the decisions until the Bill is passed.
Once this Bill is passed, we will proceed to the sharing of data under it as quickly as possible. We are in a fortunate position for rapid implementation in one respect. Vehicle registration data is already being shared with other member states under a separate EU instrument dealing with the investigation of serious road traffic offences. This is being done over the same network as will be used for Prüm so that the technical measures required to implement the Bill are mostly in place. Speedy implementation will enable us to end EU infringement proceedings and avert the risk of reputational damage and financial penalties which the State might incur in the case of being found to have infringed EU law. With regard to reputational damage, Prüm is rightly regarded as an important law enforcement tool by our EU partners, and particularly by those who have suffered in recent years from terrorism. I need hardly stress the importance of retaining goodwill at an EU level in the present climate of negotiations on Brexit.
Before I set out the details of the Bill I will explain what we are talking about in practice. Imagine that a car involved in a serious crime in France such as a terrorist incident or an armed robbery, for example, was registered in Ireland. Under the Prüm decisions, it would be possible for the French authorities to send an electronic request to check Irish records to see who was the registered owner of the vehicle. Equally, if a French-registered vehicle was used in a serious crime in Ireland, An Garda Síochána would be able to find out the identity of the registered owner by checking the French data.
The contents of this Bill may be described as falling into four areas: general provisions for sharing of vehicle registration data under the decisions; specific provisions for sharing Irish vehicle registration data with other member states; specific provisions for Ireland to access vehicle registration data held by other member states; and data protection provisions.
The decisions require each member state to designate a national contact point for the sharing of vehicle registration data under the decisions. As the statutory holder of the information in question is the Minister for Transport, Tourism and Sport, the Bill will name the Minister as the national contact point for the purposes of sharing this data. The decisions also require that persons involved in the actual processing of data exchange under the decisions should be authorised, named individuals. The Bill will allow me, as Minister, to designate individuals as the authorised persons to process data under the decisions. These may be either officials of my Department - the people who already manage the data - or members of An Garda Síochána.
The second area in the Bill sets out specific measures relating to access to Irish data for the national contact points of other member states. In line with limits and safeguards set out in the decisions, a search of the Irish data may be made only with a full registration number or a full vehicle identification number, VIN. The purpose for which a search may be made is limited to prevention and investigation of criminal offences. The Bill also sets out the content of any reply, and limits its use by the receiver to the purpose for which it was supplied and to keeping records of data sharing under the Prüm decisions. The keeping of such records is a requirement to enable examination and verification that data protection rules are being respected.
The third area of the Bill involves searches by Ireland of vehicle registration data held by other member states. It applies much the same rules; conduct of searches by full registration or VIN and use of the data solely for the purpose for which it was supplied or for keeping records of data-sharing. In this case, as we consider searches which are part of investigations of crimes in Ireland, the Bill allows the sharing of the data with the courts, An Garda Síochána and the Director of Public Prosecutions, or other appropriate bodies but only with the consent of the State, which supplied the data. As will be clear to anybody who looks at the Prüm decisions, data protection must be at the heart of any process such as this. Those familiar with EU data protection law will be aware that the current EU legislation on data protection - reflected in Irish law under the Data Protection Act 1988 - is due to be replaced in May of this year by a new legal framework. This new framework consists of the general data protection regulation and the Policing Directive. As Prüm is a law enforcement measure the Policing Directive is the part of the new legislative framework which would naturally apply. In preparing the new legislation, however, the EU decided specifically to exclude Prüm from the new framework and require the continued application of existing data protection law. The Policing Directive, therefore, explicitly states that it does not apply to Prüm and that existing legislation will continue to apply. The practical effect is that the Bill must and does state that the provisions of the Data Protection Act 1988 apply to data sharing under Prüm. This is not all. The Prüm decisions themselves impose specific obligations on the data protection authorities of member states. These relate to monitoring of data sharing under the decisions and to processing of complaints from individuals who may believe that their data should not have been shared or that data shared may have been inaccurate.
Additional measures include the requirement on the national contact point to maintain records of data sharing under the decisions for two years and then delete such records, to carry out random checks on those records, and to produce the records of such checks on request by the Data Protection Commissioner, DPC. There are specific provisions for the correction of inaccurate data and the deletion of data which should not have been supplied. The DPC is also given specific responsibility for monitoring data sharing under the decisions and for carrying out random checks on such data sharing. Individuals may ask the DPC to investigate the legality of the sharing of their data, and the DPC is also empowered to engage with the data protection authorities in other member states to ensure proper investigation of complaints, whether those complaints emanate from within the State or from another member state.
The provisions of this Bill have been carefully examined and drafted to ensure that they meet the requirements of EU law, both in terms of the decisions made and in the context of data protection. We need to pass this Bill into national law to enable compliance with EU law and to proceed to data-sharing under the decisions and thereby avoid being found to have infringed EU law. I appreciate that this short Bill does not make for easy reading. It is a Bill, however, that will be beneficial to law enforcement in Ireland, as well as in the rest of Europe, and it is important for that reason. It is a requirement of EU law and is something our EU partners are eager to see completed. I thank the House again for its consideration and I would appreciate the passage of this Bill as soon as possible in order to enable us to comply with Ireland's EU obligations.