Léim ar aghaidh chuig an bpríomhábhar
Gnáthamharc

Dáil Éireann díospóireacht -
Wednesday, 18 Apr 2018

Vol. 967 No. 5

Data Protection Bill 2018 [Seanad]: Second Stage (Resumed)

Question again proposed: "That the Bill be now read a Second Time."

Privacy is sacred. It is a person's fundamental right to enjoy privacy.

The extent of that enjoyment depends on the level of protection afforded to the individual's personal data to prevent exploitation or their misuse by the State, non-governmental organisations or the private sector.

We are at an impasse as the digital revolution unfolds. Privacy is becoming more and more relevant as exchanges of personal data are carried out more and more online. However, at this rate, we are doomed to play catch-up. For the Legislature, this means doing all that is within its power to prevent the misuse of information and protect individuals from the harm such exploitation can cause, especially when it comes to interactions online. Not only do we need to catch up with the lawlessness and illegal activity carried out in large swathes of the Internet, we also need to protect people's personal data from commercial exploitation. Recent and ongoing developments related to Cambridge Analytica and Facebook harvesting, micro-targeting and manipulating personal information are examples of how we need to play catch-up. Hundreds of millions of people throughout the world have had their data misused. I reckon the figure is far higher than we are aware. What is more alarming is not only were personal data used without consent to maximise profits but they were used to undermine and manipulate democratic systems through third party interference. We saw this unfold in President Trump's election and the Brexit referendum.

My concerns lie with the forthcoming referendum on the eighth amendment, for which the Bill has come far too late. Already those in the online community are seeing the effects of this lawlessness. People have noted fake Facebook profiles, online quizzes and polls disguised as representing one side but revealed to be from the opposite side. This has left their online profiles vulnerable to harvesting, micro-targeting and manipulation for the sake of political and private sector profit. The current lack of transparency enables external third parties to use social media to sway opinion. Some have already called the eighth amendment referendum a post-truth campaign as Facebook algorithms continue to allow highly emotive content to gain prominence. Facebook still allows other countries to target specific groups of voters in Ireland by buying advertisements. Many throughout the world will be watching closely to see to what extent data will be harnessed for political purposes.

We have, rightly, been focusing much of our attention on Russia and cyberwarfare, but the bigger question will be how democracies can protect themselves against interference by foreign interests on all sides and, more importantly, how people's data can be protected from such exploitation. Placing the onus on companies to self-regulate is futile. Efforts to date carried out by large online conglomerates such as Facebook and Google have proved futile. Thus far, we have seen a lack of will on the part of private sector conglomerates to do much to tackle political influence and misinformation. As a consequence, it has been left to us to address the issue. The only way for us to address it is to get the provisions in this Bill right.

I echo the concerns raised in the Seanad about the need to amend section 45 to prevent the likes of Cambridge Analytica and other political consultancy firms from exploiting the loophole in place. The Bill, as it stands, will do nothing to prevent companies such as Cambridge Analytica from being hired by candidates or political parties and giving them permission to harvest and process personal data for the purposes of political interests. I understand the Minister made some amendments to limit the impact of section 45 on other European countries, but he failed to address the remaining loophole. I commend Senator Alice-Mary Higgins for proposing amendments to explicitly prohibit private or commercial firms from processing data on behalf of previously mentioned categories or without explicit consent from data subjects. The amendments would not prevent polling or focus groups as they operate with the explicit consent of an individual, but they would effectively prohibit data mining and targeting firms such as Cambridge Analytica from interfering with an electoral or referendum process.

While I support endeavours to protect personal data across the board, I have concerns about the practical implementation of the general data protection regulation system in the context of public representation. The offices of Deputies lack resources and especially time to review the entirety of our databases and ensure all unnecessary data are deleted. I suggest we look at more modern ways to process, save and store data to help to facilitate the GDPR process. For example, the provision of timely reminders when data must be deleted after two years could help.

One cornerstone of democracy is the ability to access a public representative. Other Deputies and I go to great lengths to facilitate it as best we can. I operate as a public representative in County Donegal. There could be up to 100 miles between my constituency office and Malin Head, for example, from where someone could be contacting me. I would only be able to help such an individual by obtaining verbal consent over the telephone as opposed to written consent. I deal with individuals who have literacy problems or who are not computer literate and do not use emails. The law needs to be clearer on how we can deal with vulnerable adults in our constituencies as public representatives. I understand verbal consent is accepted, but it is not considered to be best practice when it comes to protecting ourselves and our constituents from data breaches. This automatically puts Deputies at a disadvantage because often verbal consent is all we have as we deal with time-sensitive issues or people in crisis. That is why they come to us. Often, they have nowhere else to turn. To start with, that constituents access Deputies for a plethora of reasons is a symptom of a dysfunctional system. Oftentimes people are intimidated or do not understand the workings of the social welfare and health systems. They do not believe the process is transparent enough to trust it. Whether we believe it or otherwise, people trust politicians to navigate through these bureaucratic behemoths on their behalf and hold the Government and Departments to account. Therefore, Deputies deal with a large amount of personal data and we should be held to account in protecting them as they pass through our hands. However, any effort to enforce greater protection of personal data should not inadvertently place barriers for constituents in accessing democratically elected public representatives. I hope, therefore, that there will be clarification of the implications of the Bill for public representation as it progresses.

I understand the Minister for Justice and Equality, Deputy Charles Flanagan, introduced an amendment to section 139 on Report Stage in the Seanad to allow fines on public bodies, with an upper limit of €1 million. If the Government had concerns initially about implementing the GDPR within Government bodies, perhaps it might understand the difficulties to be faced when the GDPR is rolled out in May. I hope that in the latter Stages of the Bill we will be able collectively to look at ways to improve the rolling out of the GDPR in the context of our constituency offices in a way that will not place an unnecessary burden on them, our staff and constituents.

Ireland has a terrible record in holding the private sector to account for white collar crime. We do not bother collecting the tax that is rightly ours. We allow multinationals to avoid paying tax entirely. If we are serious about protecting the right to privacy, we must ensure compliance is monitored and that enforcement will be carried out. Too often legislation passes through this House with grand gestures but with few resources to ensure its effective application. Does the Government intend to increase the resources allocated to the Office of the Director of Corporate Enforcement to ensure compliance in the private sector with the GDPR? Will the Standards in Public Office Commission be provided with the necessary clarification of its remit and awarded the necessary resources to oversee compliance in government and Departments?

I am pleased to have the opportunity to contribute briefly to the debate on this important Data Protection Bill which is both lengthy and comprehensive. I commend Senator Alice-Mary Higgins and other colleagues for the work they did to try to improve the Bill which was introduced in Seanad Éireann. The Bill will serve to give effect to EU Regulation 2016/679 and transpose EU Directive No. 2016/680.

While we have known that updated EU-wide data protection regulations have been in the works for the past two years, transposition is coming at an opportune time. Mark Zuckerberg recently appeared for questioning before the United States Congress, while this week Facebook executives appeared before the Joint Committee on Communications, Climate Action and Environment. It is great that we are talking about greatly improving data protection for data subjects - for all citizens - and the value of our data to large multinationals. The recent Facebook scandal involved approximately 87 million Facebook users having their data harvested unbeknownst to them. This has thrown the issue of digital data into the spotlight once again. How Cambridge Analytica was allowed to secretly harvest data from the friends of people who had downloaded the This is Your Digital Life app is shocking, as are allegations that harvested data have been sold and used to manipulate the outcome of election results such as those involving President Trump and Brexit. Recent revelations and allegations about serious data breaches at Independent News & Media are also concerning. I echo the calls of Deputies Micheál Martin and Mary Lou McDonald for legislation in this area and greater support for the Office of the Director of Corporate Enforcement. It beggars belief that 19 individuals, including such distinguished journalists as Brendan O'Connor and Sam Smyth, were targeted to allegedly have their emails and records scraped, taken to the United Kingdom and then interrogated by unknown third parties.

In April 2017 the House was presented with an important report by Mr. Justice John L. Murray on the review of the law on the retention of and access to communications data.

Mr. Justice Murray's report highlights the importance to our democracy and society of the confidentiality of journalistic sources and called for legislation to govern access to retain communications data, including the data of journalists. In his reply, the Minister of State might indicate where within this very detailed Bill, which like my colleague, Deputy Pringle, I have studied carefully, is that issue addressed. The report concludes that such legislation should be consonant with a system of communications data retention and disclosure of safeguards laid down by the European Court of Justice in the Tele2 case. That system should include standards and procedures to be observed by service providers to ensure effective protection and security of retained data against the risk of abuse or unlawful access to or use of the data. Will the Minister confirm all the key recommendations of Mr. Justice Murray's report on data retention, particularly on the protection of journalists, will be implemented in the Bill before us or will we have to return to that on Committee Stage?

I note that a joint class action under the US Stored Communications Act has been launched against Facebook, Cambridge Analytica, SCL Group Limited and Global Science Research Limited by lawyers in the UK and the US. US legislation sets out a minimum $1,000 penalty meaning that damages could be in excess of $87 million, based on the figure Mark Zuckerberg gave to Congress. It seems the majority of the people affected by Cambridge Analytica data breach are in the US - more than 70 million, more than 1 million are in the UK, others are in Australia, India and Canada, and up to 45,000 - those of us who have a page on Facebook - are possibly affected in Ireland.

The Oireachtas joint committee in its prelegislative scrutiny of the Bill recommended that a provision for class actions should be explicitly prescribed in this legislation but the final Bill does not include that. Our always informative Bills digest and our Oireachtas Library and Research Service mentions the Sinn Féin Private Members' Bill on class actions, the Multi-Party Actions Bill 2017, which was referred to the Select Committee on Justice and Equality and it will undergo prelegislative scrutiny. The importance of having such an option for data subjects in Ireland, and many people can be affected, has been clearly evidenced in this matter. I hope that the Multi-Party Actions Bill will be prioritised with the urgency it requires and deserves.

We had the Law Reform Commission Report of 2005 on that matter and it set out a Bill on that issue. I note Deputy Penrose and the Labour Party have produced a similar class action Bill on mass harm. I also supported the important Online Advertising and Social Media (Transparency) Bill 2017 brought forward by the Ceann Comhairle's colleague, Deputy James Lawless, which passed Second Stage. Deputy Lawless's Bill requires online political advertising to fulfil transparency standards and outlaws the use of "bots" to cause misleading online presences directed towards political ends of the type referred to by my colleague, Deputy Pringle.

I agree with the principles of the Bill to give effect to the GDPR, the establishment of the data protection commission with up to three data protection commissioners and the significant administrative fines for private companies. Section 8 of Part 1 provides for certain parts of the Data Protection Act 1988 relating to defence and national security to remain governed by our national legislation. That is an area that might also be explored again in amendments to this Bill. Part 2 of the Bill provides for the changes to the data protection commission and I welcome confirmation that preparation had already been under way to get ready for an increased workload with the increase of staff resources to around 120, up from only 30 in 2013, and with a budget of €11.7 million in 2018. I note, however, that there are no plans to appoint additional commissioners. Like other agencies with which we would be familiar, we should fill the three commissioner posts.

I note some of the comments made by the Minister for Justice and Equality in his opening speech yesterday, including the need for further assistance to small and medium enterprises and the risk-based approach to be taken to data protection. It makes sense that each controller and processor of data will analyse their collection, collation and use of data, assess the risks associated with being responsible for other people's data and then put the appropriate measures in place to comply with the new and improved data protection standards.

Section 29 confirms the definition of a child to mean anyone under the age of 18 years. Section 30(1) specifies the digital age of consent to be 13 years of age. Article 8 of the general data protection regulation, GDPR, allows member states to set the digital age themselves as long as it is between 13 years and 16 years. That provision gave rise to considerable discussion during the debate on the Bill in the Seanad and in the media. I believe a digital age of 16 years would have been more appropriate. I note that leading children’s groups such as the Children’s Rights Alliance and the Irish Society for the Prevention of Cruelty to Children recommended that the digital age of consent be set in line with most of Europe at 13 years. However, given the amount of data which we know are being unscrupulously harvested by social media companies, 13 seems very young for these companies to start taking, manipulating and using their data without consultation with their parents or guardians. I welcome the amendment of section 30 for the review of the digital age of consent within three years, which the Minister agreed to in the Seanad. Section 32 provides for the right to be forgotten for children, as per Article 17 of the GDPR, which is also very important.

The key aspect of this debate is the responsibility of social media platforms. We saw Mark Zuckerberg argue that Facebook and many of its apps are publishers not platforms. Debates have taken place in the US around that, particularly a decision of Congress when there was a great deal of lobbying by the massive IT industry in California in 2015. However, surely Facebook, Twitter, YouTube, Instagram, Snapchat and all the other platforms with which we are familiar are also responsible for the vitriol which is often directed at people. We have seen the publisher apps being used by terrorists on those platforms showing videos of executions. We have seen hate speech broadcast and normalised. We have seen online bullying lead to young people dying by suicide. Why should faceless trolls or sometimes school peers be allowed to target and bully people in this way? We can see it currently with the referendum campaign and those who have had to sign up to Repeal Shield to protect themselves from online attack. Repeal Shield is an online tool which blocks hurtful, abusive and insulting accounts for people contributing to the debate. Why should Twitter, Facebook, Google, YouTube, Instagram, etc., not be responsible for the content that is posted? The argument about just being a publisher is vacuous. As well as being responsible for the data that is held on the users of those and other sites, organisations such as Facebook should also be responsible for abusive content. I welcome this week's news that Ireland will be included in the new advertising transparency measure being piloted by Facebook, which is due to begin on 25 April. That is important, given that many of those companies have their headquarters not very far from this House.

As my colleague, Deputy Pringle, noted the GDPR will profoundly affect our political work and the work of the Oireachtas. We are contacted day in and day out, and 24-7 at times, by constituents and civil society bodies and groups with personal information and needs and it is necessary to hold that information while we are making representations and trying to achieve outcomes for our constituents who turn to us in desperation. I have always believed, however, in keeping all my constituents informed of my work in the House and the constituency and for that reason I have always published a quarterly newsletter throughout my time in this House, but I note that sections 52 and 53 of the Bill will exempt the right to object to direct mailing when it is for electoral purposes. Senator Alice-Mary Higgins has, however, raised concerns that there is nothing in the Bill, as it stands, to prevent political parties engaging the services of a company such as Cambridge Analytica. Perhaps that is something to which the Minister for Justice and Equality or the Minister of State would return when replying to this debate. Given that there are indications that the techniques of this company were used to interfere in the Trump presidential election and the Brexit referendum in the UK, the closing of such potential loopholes is important. That is something that might be addressed by the Minister of State when replying to this debate and on Committee Stage.

There are many welcome provisions in the Bill. Section 33, for example, providing for the designation of a data protection officer is important. We were briefed today again by our own legal team on how the GDPR will impact on us and the conditions that we have to fulfil in regard to it and to the Bill.

I also welcome section 83 of the Bill which sets out provisions for dealing with breaches of personal data and the notification of such breaches. Section 83(1) states that the controller shall notify the commission of the breach within 72 hours and if it is longer than 72 hours the controller must include the reason for the delay in notification. However, section 84 seems to state that data subjects do not always have to be notified of data breaches; as per subsection (2), if data has been encrypted and was unintelligible, the controller is not obliged to inform data subjects. With the massive developments in IT and media platforms in recent years, as my colleague, Deputy Pringle, said, we are always chasing to catch up with the latest developments.

I do not believe that many people understood why the Minister was going to exempt Government and public bodies from regulatory fines for breaches of data protection rights. Following the excellent work of Senators, there will now be fines of up to €1 million for breaches and this is far lower than the €20 million, or 4% of global annual turnover, which will be directed against other organisations.

The Data Protection Commissioner, Ms Helen Dixon, told the Oireachtas committee last year that the proposed exemption from fines by public bodies was of concern to her and something that we should not have done.

I will support the Bill. I hope that the rights of data subjects, which we all are, will be reinforced and respected from now on.

From the Rural Independent Group, I call Deputies Michael Collins, Danny Healy-Rae and Mattie McGrath, who are sharing 20 minutes.

I am only sharing with Deputy McGrath.

I welcome the opportunity to contribute on this important legislation. As technology advances, the laws protecting our private information and data must keep up with that change. We have seen an unprecedented rise in the popularity of the Internet, social media and data issues in the past 30 years since the first data protection laws were introduced in Ireland.

As proposed, the Bill appears to be extremely technical and specific, but I wish to make a few points about it. I welcome the Minister's clarification that the restrictions proposed by the GDPR about restricting the work of public representatives on behalf of their constituents will not be introduced in Ireland. I will support that amendment, as it allows us to continue our work in using data on behalf of our constituents upon their request. This is part of our job and we should not be restricted in that regard.

It is necessary that we protect information and that citizens who share data online are assured that their information will be kept safe and private. Recent news surrounding Cambridge Analytica, Facebook, Google and others keeping information and selling it on is worrying and must be addressed. I hope that the new public services card will be subject to some of the proposed regulations. Many people are not keen on sharing all of their private information with the Government for this unnecessary card.

I hold concerns surrounding the regulations that will now face small businesses that are already struggling to keep their heads above water. This extra task will cause a great deal of stress and cost, especially where there is no legal mind within the business. The same concern exists for community groups and charities in terms of restrictions on using existing mailing lists and contacting current volunteers and supporters.

I welcome the opportunity to contribute on this Bill, which proposes to give further effect to the EU's GDPR and to transpose the 2016 directive on data protection in terms of law enforcement functions.

Aspects of the GDPR that are dealt with in the Bill include the rights of data subjects, the establishment of a new data protection commission, the regulation of data controllers and processors and enforcement by way of regulatory action and the courts. Events happening outside the House make these topics even more timely than they would normally be. I am referring, of course, to the extraordinary events surrounding the data breaches at Independent News & Media and the manner in which the Director of Corporate Enforcement has been personally singled out for performing his statutory function by individuals who wield enormous but unelected influence in the State. That did not just happen today or yesterday either.

We have seen instances of this control, threats and fear being imposed on journalists and many other people before. We made our bed and now we must lie in it. The Minister of State, Deputy Breen, has heard me speaking in the House previously on issues of big business, including the banks, and the small cohort of people who wield enormous influence, be it in the beef or wider food industry, or in spin. The Government invested €5 million in spin but only got a short spin. It spun out of control. Mr. Eddie Jordan was not driving it anyway. It crash-landed somewhere in a dustbin. The spin is now in the bin, which is the right place for it. Governments have been too cosy with big business and allowed it to wield influence, and to hell with the duine beag. The small people do not matter anymore. We are only in the way.

The Minister of State is a west Clare man and an Teachta Michael Collins and I are from two rural constituencies, but when we start talking about rural issues, the Government switches off. We are a nuisance and an irritant to it now. If the Government had a can of spray like one can buy for beetles, it would get rid of us. Deputies over there would have used it already. They are using it and getting away with it.

We must wake up. We have made our bed, and now we must lie in it or else jump out and do something.

Go raibh maith agat. Tá an Bille anseo. I am on the Bill.

Is the Deputy sure? I thought he was on a different Bill.

No, I am not. I am being deadly serious. The Minister of State knows all of this as well as I do. The issue of powerful people having such sway in the media has been a problem for some considerable time, not just today, inné nó an tseachtain seo caite. Tá sé ag fás le a lán blianta. It was happening long before the reality of online communications and emailing emerged, as Deputy Michael Collins mentioned, and I suspect it will continue for a long time after the Bill is passed. If the Director of Corporate Enforcement can be intimidated and threatened in this way, it is scandalous. I have said it countless times in the House that we have regulators, directors of enforcement and agencies, but they are all toothless, useless and fruitless. They are just being swept aside. They are very active when it comes to the little people and the ordinary small farmer or business person, but they can be bullied out of the way in other cases with the threat of legal people being wheeled in, court challenges and God knows what.

In recent months, we have seen how companies have captured and used personal data on a global scale. We have also seen how much of the blame for that has been shifted onto research companies like Cambridge Analytica, which was a disingenuous tactic. To mind the powerful, blame has been shifted around. It is a moveable feast. Once the main players are protected, they can get what they want.

Even the head of Facebook, Mr. Mark Zuckerberg, acknowledged when he was hauled before the US Congress in the past fortnight that there were major issues with how we protect our data online.

The House just swiftly debated a Bill with the Minister for Transport, Tourism and Sport, Deputy Ross. I spoke on it a few weeks ago when we discussed criminal information being shared across the EU. That is important, but we were slow. It took the Minister eight months to get the Bill from there to here. It will now be sent back to the Seanad.

I was happy to read that the European Parliament has decided to invite Mr. Zuckerberg to appear before three of its parliamentary committees to answer questions on just how the data of as many as 2.7 million Europeans could have ended up in the hands of Cambridge Analytica. Deputies Michael Collins and Broughan referred to this matter. It is covered in section 2, Articles 13 and 14. Every other day, the Minister of State and I as public representatives and Teachtaí Dála - messengers of the people - receive replies from State institutions saying that they cannot discuss this matter or that with us. "Data protection" is a great excuse, so I am glad that the Government seems to be grappling with this issue now, given that what happens is often a shocking abdication of duty. The citizen is further sidelined, abandoned, punished and written out of the equation because of data protection. It suits institutions when they want to act as the heavy arm of the law coming down on ordinary people. We might only be talking about a mere request. This is the case among housing officers and in planning offices and everywhere else. We cannot ask any question or get any answer because of data protection. Senior officials are doing what they like and are accountable to no one, elected by no one, peer reviewed by no one and have jobs for life. Up along the ladder is where they want to go and to hell with the people. "We are all right, Jack."

I hope that the European Parliament will get some answers when Mr. Zuckerberg appears before it, but I wonder whether this Parliament and its committees will ever have the nerve to do something as bold as that. The amber sign is up to say that we should not go there because it is dangerous territory and we should not bring those people in here. We have agencies, such as the Office of the Director of Corporate Enforcement, the Competition and Consumer Protection Commission and so on, but they are useless. I do not particularly want to name any of their officials, but they are not effective. They do not have the necessary resources. We see that they are ineffectual everywhere. The Land Commission is long gone. We have had a conglomerate in Tipperary buying every perch of land that has come up for sale for the past ten years.

The previous and current Governments cosied up to them and let them off. They got rid of the small farmer. To hell or to Connacht. That is the way it has gone. I wonder if they would ever have the nerve to come in here and suspect not. That is because so much of what we say about robust enforcement and punishing things like white-collar crime or data protection breaches are just hot hair. Thankfully, the temperature has risen after the awful winter and spring. There is a lot of hot air in here, however, even when the temperature is -4° Celsius or -12°Celsius and any Members are blowing around.

We talk a lot about the importance of privacy and the importance of protecting data but then we allow and even encourage a culture where the balance of power is all one way. If the Minister of State was being honest, he would accept that. That is the way it is. I do not mean it as a reflection on the Minister of State. He is doing his best. Allow me to give one example. In recent years, I have been dealing with hundreds of cases of families in serious mortgage arrears. I am sure the Acting Chairman and many other Deputies, including the Minister of State, have as well. When I asked some of these asset companies to provide simple things like a contact email address, they would not do it. The wall is up and they will not do it. It is just arrogance. They demand all the personal data in the world from these families and individuals but then surround themselves in a veil of almost impenetrable secrecy when the families ask for similar information. It is all one-way traffic and it is disgraceful. The arrogance of them. Deputies Michael Collins, Michael Healy-Rae and I went into two banks six weeks ago and asked for meetings with the chief executives on behalf of people who need mercy and need to be treated with some modicum of respect. We barely got an acknowledgement from one bank when we asked for a meeting. They are too busy. Why would they meet us? They are waiting until July comes and the floodgates open for repossessions for the major banks, which we bailed out in this House. The Minister of State and I voted for it, to our eternal shame.

They demand more and more personal data and information from those people. They keep asking for stuff. It is just a game. They are traumatising people and imposing enormous expense with consultants, accountants and everybody else trying to help them out. Why is this allowed to happen? It is going on day in, day out as sure as night follows day. These families tell me when they ask for records of the number of times they have called or tried to make contact with the mortgage or asset management companies they get stonewalled. They are really just playing a big game with them and dangling them at the end of a string, like the game we used to play with the chestnut at the end of a piece of twine in a lake. That is what they are doing. They are just dropping families into it. We have seen many suicides and many people with mental health issues. We have seen families burst up and all kinds of stress and difficulties but no one has put manners on these people.

I note also the Bill seeks to introduce penalties for those giving false information online. This is an area that can cause horrific outcomes in terms of the grooming of children for sexual abuse. It is a very important area. I raised it with the Taoiseach yesterday but I might as well have been talking to Petticoat Loose as talk to the Taoiseach about a number of children from Clonmel and the surrounding areas with mental health issues who are in hospital there. They have serious self-harming issues and all the Taoiseach will say is he cannot comment on a personal issue. I am not asking him to do that; I want him to provide beds for these people. They are holding up beds in paediatric wards, which are not suitable for them. These are 13 year olds and 14 year olds. It is awful and we must investigate why all this is happening. There are no services, however, and we have no mental health beds in Tiobraid Árann, not even ceann amháin. It is all relevant to the Bill and what we are doing about data protection for children. We are aware of the grooming of children for sexual abuse. We are aware that such predators pretend to be someone they are not and lull the child or adolescent into a false sense of security, often with desperately tragic outcomes for those children such as suicide or self-harm. It is happening in their bedrooms and their kitchens. There is no shelter or hiding place. Email and Facebook can penetrate into their homes, their living rooms and their schools.

I welcome any move or provision within the Bill that will make it more difficult to engage in such absolutely contemptible behaviour. There should be severe sanctions imposed for that type of online activity. If they are caught, they should not be in a cosy prison where the victim is forgotten about. They are inside to serve their time and with good behaviour they are out and looked after. There must be effective penalties and remedies in order that they will not be inclined to do this again. The punishment must fit these heinous crimes. The destruction of a child or adolescent's physical and mental health is the most heinous crime. As far as I am concerned, it is as bad as murder because it destroys the young person, their family and siblings. Consider the trauma of those families when a mother must sit night and day at the hospital bed for nine weeks, as one woman from my parish did, waiting for a bed in Cork. The other siblings were at home with their father who was trying to work. It is awful. We let this racket go on.

I also note that the GDPR also deals with the digital age of consent for children and allows member states to legislate an age below which parental approval is required for offering information society services to a child. The Bill provides for a minimum age of 13 years. I raised this in the Dáil a few weeks ago. Most other countries in Europe, as far as I am aware, have raised it to 16. Who are we codding? I may not be right on the facts and figures but an awful lot of them have done so. Why are we putting our head into this cul-de-sac? We are putting our heads into a canvas sack and ignoring this. Any of us who have children know - I think the Minister of State has some - that 13 is way too young. It should be a minimum of 16. It will be reviewed after two or three years. In two or three years' time, hundreds of children may have been destroyed. We have to talk seriously. Why are we the first to jump up with Europe and follow Europe in most things, including the banking issues I spoke about and then, when it comes to issues like this, stubbornly resist raising the digital age of consent to 16? It is vital. If we raised it even to 14 and did it incrementally, it would be one thing, but to just blankly refuse to do it is mind-boggling to say the least. The damage is instant, continuous, despicable and ever-growing. These people are not afraid. I am calling for it. I do not want to wait two or three years for it because many other European countries have it. Many countries all over the world have it. Why are we so slow off the mark here? Who are we protecting? What are we doing? Surely to God the people we must protect, under the Constitution, are our children. Most of the House, although not the Minister of State, are pushing to bring in abortion to kill unborn babies. Surely to God, they can protect the children who are alive or have we gone that way? That is what we are dealing with.

The Minister of State will be aware the proposal to keep the digital age of consent at 13 has been severely criticised by experts in this area such as cyberpsychologist, Dr. Mary Aiken. We will not even listen to her. She is a woman of world renown. A Deputy mentioned the agencies that are in favour of this. I wonder what the vested interest of those agencies is. These are the quangos I am talking about. We will have more, including the Children's Rights Alliance and God knows what. I cannot understand why they would be opposed to this if they are protecting children. I cannot understand it. My knowledge of the area is limited but I am experienced. I have eight kids and four grandchildren and many nephews and nieces and God know what else. I meet constituents every day of the week. I have experience from the university of life. A young girl took her own life in Carrick-on-Suir only a few weeks ago. I believe her mother will feature on TV3 tonight. Those issues are horrific.

Dr. Mary Aiken, who is a cyberpsychologist, at her recent briefing which I attended in the audiovisual room, went so far as to explicitly state that many of those advocating for children's rights in this State and who support the 13 year old threshold are woefully ill-informed and confused. Dr. Aiken said that in this very building, next door in the audiovisual room. We have to dig deeper into that. They are paid agencies. People are being paid and we have to ask questions about this. Why could Dr. Aiken's talent, experience and knowledge be dismissed and many of these so-called experts accepted as right? Dr. Aiken's criticism is not one that can be lightly dismissed.

We have to ask why. It is like with the HPV vaccine, which showed the might of the pharmaceuticals and their power to ride roughshod over legislation. One cannot criticise them. I ask the Government and Government agencies to attend a conference in Dublin next Saturday about what is going on all over the world in this area, to which we are blind. We are told by the CEO of the HSE that the parents of those sick children are emotional terrorists. He is now retiring on a gold-plated pension and the Minister, Deputy Harris, says he was right. That is outrageous behaviour.

Mar fhocal deiridh, it is my sincere hope that we can address these matters in the very near future. I acknowledge that the Bill before us has some worthwhile merits and I hope it will find some support. Big is not always wonderful. We need to shake off the cobwebs, look at what is going on and try to make some changes.

If Deputy Fitzpatrick wishes to share time, I will do so. This is very important legislation. It is being driven by a consensus in Europe. It is time for significant change for all of us in the area of data protection. Everybody who deals with people's data needs training in the subject, whether they are in the public or private sectors.

As politicians, we deal every day with data from people who come into our offices. We write letters and send correspondence and emails on their behalf. What is important for me is not that there is no data protection but that the same protocols are in place across State agencies with which Deputies and other public representatives deal. When a constituent comes into a Deputy's office they are, by their very presence, giving consent by imparting data in the form of their address, their date of birth which I do not often like to ask for but sometimes have to depending on the organisation being dealt with and a PPS number. I rang a public body recently with all this information to hand about a gentleman who was in front of me. I told them he was in the office and that he wanted to discuss an issue with them but the person on the other end of the phone would not talk to him or me, because they needed his consent in writing to me speaking on his behalf. That was impossible because the poor man could not read or write, which is one of the reasons he was with me to assist him. I asked the wonderful person on the other end of the phone if we needed to get a solicitor to swear an affidavit or what we would have to do. The bureaucracy was being unreasonable and unfair and it distressed this poor unfortunate person.

We need the sort of protocols we have on Louth County Council. A person is taken on good faith if he or she is a public representative. One gives a name and address and some personal data, such as a PPS number. Because we are dealing with people we know, that system works well. At other times a public body may look for a date of birth. There were difficulties relating to SUSI because an adult student seeking a grant may have parents who have split up and one may not know what the other person is earning. I accept that, in such cases, it is appropriate and proper that both parents or guardians have to give their consent for assessment of income. We need to sit down with the HSE, with county councils and with the bodies with which we deal most frequently to put in place efficient, effective, common protocols so we avoid the embarrassment for constituents which I had recently.

I acknowledge that the Department of Employment Affairs and Social Protection is the best Department. It has an excellent relationship with the public and with public representatives and the data it looks for is the PPS and address. When I ring about cases the person is always in my office so common sense is required. We also need to have vigilance about how data are kept, whether they are stored in paper form or stored digitally. If there is a data leak such as that we are reading about currently - I will not comment on the court case - and it enters the public domain and is part of a person's personal data, it is a hugely important issue and can create huge difficulties. There are legal cases on these things.

The penalties for a private company which does not protect its data which is then abused in some way or other are quite severe. There is due process and a fine at the end of the process and a significant chastisement. It is hugely important that the HSE and other such bodies face financial and administrative penalties when personal data has repeatedly been leaked. In two or three cases, personal data have come out of the Lourdes Hospital and been found floating around on the streets of Drogheda. The data is about people's medical conditions and their health, which should never be allowed out of a hospital or even kept in paper form. It is beyond me how this happens. Notwithstanding the entreaties of public representatives and pressure from the community to protect data, they have not adequately done so. I do not know if the Minister proposes to apply a penalty for such breaches but if it is not in the legislation, it ought to be. I know the Minister is consulting widely with public representatives on this issue. There must be no division in accountability or responsibility between public bodies and private entities in the case of data that is not properly respected and which is released into the public domain. There are many things one would not mind being leaked such as one's water bill etc., but private health, the operations one has had or the medication one is on are more serious matters. Therefore, in terms of the HSE, health records are particularly sensitive and there should be a special penalty for their misuse or abuse, even inadvertently, or the release of records onto the streets of Drogheda and other places. I urge that there be a significant penalty.

The argument is made that if one hits the HSE for €5,000, it comes off its budget. It should not come from the operational budget but by God it should come from the administrative budget or the budget for non-front-line services. We should be able to put in a significant deterrent which does not affect front-line services but would soften the cough of those who treat the private data of people so carelessly and improperly.

The situation which arose in Drogheda was silly. Data left Lourdes Hospital and lay on a public street. A person picked the material up because they did not know what to do with it. They brought it to a radio station and the radio station reported it. In theory, the radio station could be fined for having the document in its possession while the Lourdes Hospital got off scot free. The Lourdes Hospital is an excellent hospital and it does fantastic work. It is one of the best hospitals in the country in terms of the improvements it has made but we have to come down extremely hard on the failure to protect data.

It is important that we are increasingly aware of data protection, of the security it must entail and of data being released over the Internet without a person's knowledge.

If Deputy Peter Fitzpatrick is ringing me, his app might be telling Senator Ged Nash he is doing so. I am only joking when I say that but what I am saying is that we do not know what the apps on our phones are doing when we are ringing people. How many of these damned apps, for playing games or looking at football matches, are listening to one? A considerable issue arises concerning the use of apps on a mobile phone. We do not know whether they are recording or using one's data without one's consent, or perhaps doing so with one's implied consent. I do not believe anybody reads all the conditions to which one must consent when signing up to an app. They go on forever. We need to adjust and make sure there is a very simple, clear message in large font stating what is actually happening to one's data in the context of access and the transfer of data to others because of silent listeners to every telephone conversation or any communication we may have.

Now that my colleague, Deputy Peter Fitzpatrick, is here, I am happy to hand over to him.

The Data Protection Bill 2018 proposes to give further effect to the general data protection regulation, GDPR, and to transpose the 2016 directive on data protection in regard to law enforcement functions. It will enter into force across the European Union on 25 May 2018. An accompanying directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, is also required to be transposed into national law by May 2018.

Both the GDPR and directive provide significant reforms to current data protection rules based on the EU's 1995 data protection directive. Both instruments generally provide for higher standards of data protection for individuals and data subjects, and impose more detailed obligations on bodies in the public and private sectors that process personal data, controllers and processors. They also increase the range of possible sanctions for infringements of these standards and obligations.

The Bill comprises 162 sections and three Schedules, with multiple cross-references to the GDPR and directives. The GDPR creates a harmonised system of data protection rules that will apply across the EU. It also applies to EU residents' personal data that is transferred or processed outside the EU and to businesses that offer goods or services to EU residents.

The GDPR introduces and updates extensive rights for data subjects, including the right to be forgotten, which requires data controllers and processors to erase data that are inaccurate, obsolete, improperly held, or to whose processing the data subject no longer consents.

The regulation also deals with the consent of children and allows member states to legislate for a digital age of consent below which parental approval is required for offering "information society services" to a child. The Bill provides for a minimum age of 13 years.

The GDPR requires member states to appoint a supervisory authority to oversee the implementation of data protection rules under the GDPR. Part 2 of the Bill provides for a new data protection commission, comprising up to three commissioners. It transfers to the new commissioner the personnel and responsibilities of the current Data Protection Commissioner under the Data Protection Act 1988.

As an EU regulation, the GDPR is directly applicable, meaning that its provisions take effect in member states without the need for transposition. However, many of its provisions oblige member states to adopt legislation — for example, in regard to the operation of the official bodies — or to adopt provisions of the GDPR in their legal systems.

The GDPR allows member states a margin of appreciation in how or whether they adopt some of its provisions. The Bill therefore contains provisions regulating the exercise of certain rights in regard to processing or setting restrictions on them in defined circumstances. It also provides for ministerial regulations to govern data processing of particular types, such as archiving for historical, scientific or statistical purposes, or where data are to be transferred outside the states in which the GDPR applies, namely, the member states of the EU, Iceland, Norway and Liechtenstein.

The Bill makes provision for the enforcement of the GDPR by means of complaints to the new data protection commissioner, investigations, information and enforcement notices, court action and a new feature under the regulator, administrative fines. The data protection commissioner may impose administrative fines on controllers or processors that infringe the GDPR up to a maximum of 4% of worldwide turnover, or €20 million, whichever is higher.

The directive deals with data protection for the purpose of law enforcement, including police, prosecution and prison functions. Directives must be transposed into member states' law. Therefore, Part 5 of the Bill enacts the directive's provisions. In doing so, Part 5 provides for data protection in terms broadly similar to those of the GDPR but with adaptations appropriate to law enforcement purposes. It provides for rights of data subjects to information about the processing of their personal data, to complain to the data protection commissioner about breaches and to see remedies in court through the commission. Neither the GDPR nor the directive applies to the courts or judges when acting in their judicial capacity. Nevertheless, the Bill addresses the issue of data protection in the courts by providing for a judge to be nominated by the Chief Justice, who is to act as a regulatory authority for judges. The judge is to promote data protection and awareness of the rights under the GDPR and will handle related complaints.

The Bill does not repeal the Data Protection Act 1988. Instead, it restricts its application to areas in which the EU does not have competence, such as defence and national security, and repeals provisions of the legislation that are not relevant to these areas.

The GDPR retains many of the key components of existing data protection law, including the data protection principles that underlie the rights of data subjects and the responsibility of data controllers.

The principal changes introduced by the GDPR include: a uniform data protection regime in all member states; increased territorial scope; the establishment of a European data protection board; transfers and processing of personal data outside the EU; a risk-based approach whereby data processors are responsible for assessing the potential effect of their operations and planning suitable protection accordingly; strengthened provisions on consent; provisions dealing specifically with children; rights to access and data portability; the right to be forgotten; privacy by design; supervisory arrangements; compliance procedures; breach notifications; and penalties and compensation.

I am sharing time with Deputy Mick Wallace.

I listened to the debate last night. Many colleagues laid out many of the gaps and issues associated with the Bill so I will certainly not repeat some of them. I want to take some time, however, to put in context why data protection and privacy are such important matters and why the GDPR is such a significant regulation to which we must all pay considerable attention.

It can sometimes be hard to explain the significance of data protection to people. Some people just have a gut aversion to data being hoovered up and their privacy being invaded. Others have the attitude that if one has nothing to hide one should have nothing to worry about. Others really do not care or have not paid enough attention to the issue. Therefore, it is important for us to outline why data protection is important and what the real-world implications are if one's private data are not protected.

Last year in the United States, data on 143 million Americans was stolen from the credit check company Equifax.

The data included dates of birth, social security numbers, bank account numbers, driver licence numbers and so on. The hackers got in through a side door using a simple web app. It was not difficult and it was not like they were trying to get into Fort Knox. However, the problems that caused for individuals were immense. In one case, a woman's identity was stolen 15 times. Her credit rating was wrecked and she could not get a mortgage. She spent hours trying to untangle herself from this. Every person in the US who had taken out a loan in the previous few years had his or her data stolen because of the sharing of information and not only the people who had dealings with the company. That is a good example to highlight the importance of the data protection principles underpinning the GDPR. Data must be kept secure and only the minimum data necessary should be collected for a particular purpose. The example demonstrates how easy it can be for data to be stolen if it is being shared and the major consequences of losing control of personal data. It is possible for companies and organisations people have never heard of to have huge wads of information about them.

Let us imagine a world where most, if not all, of people's daily activities are constantly monitored and evaluated, including what they buy in shops and online, their location at any given time, who their friends are and how they interact with them, how many hours they spend watching television, what they read and what they skip over when they are reading, how long they sleep and the bills and taxes they pay. However, that is the world we live in now thanks to organisations such as Google, Facebook, Instagram and health tracking apps such as Fitbit. If in this world there is a system where these activities and behaviours are rated as positive and negative and distilled into a single score according to the rules set by the government, that creates a citizen score and tells everyone where people are trustworthy with their rating publicly ranked against the entire population and used to determine their eligibility for a mortgage or a job, where their children can go to school, how much they must pay for flights and even whether they are allowed to take train or taxi journeys. Again, we do not have to imagine this. This is happening right now in China where the government is developing a social credit system to test the trustworthiness of its 1.3 billion citizens. The scheme is voluntary for now but it will become mandatory by 2020 and the behaviour of every citizen will be rated and ranked whether they like it. Sadly, that is the world we live in and there is surveillance of our every move and desire and almost our every thought. They are all visible to some private company. When all that data are put together with a government that has a big interest in controlling its citizens, that gives us China's social credit score. There is no escape or opt out. If people opt out, they get a low score, which means no mortgage, job, travel or education.

We have the beginnings of that here with employers monitoring Facebook profiles and landlords trawling thorough Twitter feeds. It is not a huge leap from that to the situation in China and that is the backdrop to this debate. It is enormously important and we all have to, not only as Members but as citizens, wake up to this issue because the technical ability to implement full-scale, 24-hour surveillance on every citizen in Ireland, Europe and most of the world is in place. Many of us have for years willingly signed up to this surveillance of our lives by various private companies, which, in many cases, know as much, if not more, about us that we do ourselves. That is why the GDPR is important. We have become anaesthetised to giving up our data to private companies to manipulate and profit from. In 1996, for example, the hugely underrated Silicon Valley commentator, Paulina Borsook, warned about the dangers of corporate America's hunger to exploit our data for profit. We could and should have done something about this 15 years ago but it is better late than never. We must look at the devil in the detail but whether the GDPR goes far enough to protect us is an open question, as many people have pointed out. I generally side with their fears that it does not go far enough.

We will examine the Bill in more detail on Committee Stage. The justice committee has prioritised it and has said we will sit for however long it takes to get it through that Stage and to make it fit for purpose within the deadline the Government has set for us to have signed up and have the legislation enacted. It is clear that the Government has set out on a path to grab for itself the maximum flexibility to maintain as far as possible the privacy compromising status quo. That is not a surprise when it comes to data protection. It is difficult to accept the State as an honest broker in this regard. One only has to consider the public services card, individual health identifiers project, CCTV projects in Limerick, wide-ranging Garda surveillance powers and powers to access phone records, and a data retention regime, which according to a former Chief Justice amounts to mass surveillance of the entire population. We have witnessed a great deal of intransigence, carelessness and intrusiveness on the part of the State and a wilful disregard for people's fundamental right to privacy. We have to take cognisance that this is the backdrop.

The individual health identifiers project is steaming ahead regardless, despite the fact that it is on a shaky legislative foundation. There is minimal public knowledge and understanding of it, let alone people consenting to be part of it. While there may be legitimate reasons for creating databases that can contribute to public safety and public health, there must be a level of trust and understanding. Clarity on what the databases will and will not be used for and how people can opt in and opt out is needed. We do not have any information on that in the context of this project. Last summer, solicitor and data expert, Simon McGarr told the justice committee that it is likely following the Barr judgment that the health identifiers Act does not even comply with European law, something that would open the State up to damages claims from every person in the database, which means every person in the State. We have no idea what is going on with it. The project is rolling ahead and the HSE's interim chief information officer giddily told Silicon Republic about the possibility of linking Apple Watch to people's electronic health records as a mechanism of patient empowerment, which is ludicrous. Empowerment was one of the buzz words used by Google and Facebook in the early days and look at where all that ended up. It is not a stretch to imagine a scenario where information on people's blood pressure, heart rate, sleep patterns and blood-alcohol level is fed into a gadget such an Apple Watch and passed on to health insurers which will then charge higher premia to people who are not living right or behaving properly, with the upshot being that the unhealthy will be cut off from health care in its entirety. As the HSE's chief information officer said, "It is not science fiction anymore".

As T. J. McIntyre said about the PSC, it is not an aberration but it exemplifies a systematic disregard for privacy and data protection throughout the State. It is instructive to note that under sections 115 and 126 the Government has not chosen to implement the optional provision in article 80 of the GDPR to allow non-profit organisations and other activist organisations to seek damages for breaches. However, I will table a hell of a lot of amendments on Committee Stage.

One could be forgiven for suspecting that the Government and some Departments simply either do not understand privacy and data protection issues or choose to ignore them.

I say this because some things the State has been up to for the last years in the knowledge that the GDPR is on its way, including the public services card, PSC, the single customer view, CCTV schemes and the Health Identifiers Act, have been extremely surprising. I will address a remarkable statement made by the Minister in the Seanad on Committee Stage about proportionality. The Minister claimed we cannot have references to proportionality in the Bill because it would make certain schemes already in place and operational illegal. That is a remarkable statement. Necessity and proportionality is already the law in Ireland in this context and the Minister's statement suggests that the Government wants to continue to ignore the huge problems with schemes like the public services card and certain CCTV schemes after the GDPR comes into force and that the Data Protection Bill is an attempt to carve out exemptions to the GDPR rather than honour its terms and spirit.

Article 4 of the GDPR defines consent. Consent must be freely given and cannot be coerced. Recital 42 of the GDPR gives us further guidance on how we should interpret this definition of consent. It says "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." Withholding a pension payment from an elderly woman for 18 months because she refused to register for a public services card is a form of State coercion. Forcing people to get a PSC to get a passport or driving licence is forced, coerced consent. Coerced consent has never been legal but surely in the light of the GDPR and its own Data Protection Bill, the Government will be obliged to act on one of the biggest data sharing projects in the history of the State, namely, the single customer view and the related public services card.

I obtained correspondence between the Office of the Data Protection Commissioner and the Department of Employment Affairs and Social Protection about the PSC a few months ago, under freedom of information, FOI, provisions. The assistant data protection commissioner wrote to the then Department of Social Protection in August 2017 about a data sharing agreement between the Department of Social Protection and the Road Safety Authority, RSA. The assistant commissioner's email asked if the Department would confirm that no processing of personal data has taken place to date, that is, data shared by the Road Safety Authority to the Department of Social Protection and matched to the Department's record to identify individuals who do not have a PSC but are SAFE authenticated. The assistant commissioner is referring to the fact that in August 2017, the Department of Social Protection started to invite people who had obtained a driving licence to complete SAFE 2 registration by post and get a public services card. More specifically, since August last year, the RSA has been sharing personal data with the Department of Employment Affairs and Social Protection without the consent of the data subjects. In other words, the Department gets the names, addresses etc. from the RSA in order that it can then contact these people but without any consent being given to the RSA by its customers to share these data. The assistant commissioner's email indicates that he had serious reservations about this. In response to questions I submitted to the Minister for Employment Affairs and Social Protection, she claims that legal basis for this data sharing is provided in the Social Welfare Consolidation Act 2005. The Minister in this case is either ignoring or simply does not understand the 2015 Bara judgment by the European Court of Justice.

However, even leaving the Bara judgment aside, it is very hard to understand why the Government has continued to plough ahead with this kind of data-sharing when it surely knows the GDPR prohibits it. These concerns are clearly reflected in the assistant commissioner's correspondence to the Department. He sent two emails to the same high-ranking official in the Department of Social Protection on 31 August 2017. The FOI documents received by my office worryingly do not contain any replies to his questions. His second email stated that he sought confirmation as to whether this was a consultation of a proposed data-sharing arrangement or whether the arrangement already was operational, and that the status of the data-sharing project was important and potentially would affect how the Office of the Data Protection Commissioner would manage its engagement with the Department of Employment Affairs and Social Protection. We know from these FOI emails that the Department told the Office of the Data Protection Commissioner in July 2017 that the Department would write to those whose data it received from the RSA, asking for their consent to use these data to update the Department's records and to complete the registration process for a PSC. The phrase "provide their consent" is bolded in the email, indicating that the Department has some understanding of the importance of consent with regard to data-sharing. Yet the Department completely fails to understand the problem of the RSA sharing data with the Department of Employment Affairs and Social Protection without the RSA's own clients' consent, even though the assistant commissioner clearly flagged this issue in emails in August 2017. The Data Protection Commissioner has since opened and indeed extended a near-unprecedented formal section 10 investigation into the public services card. To not at the very least pause or suspend the expansion of the PSC and single customer view pending this investigation and the introduction of the GDPR is madness. The State is likely to face enormous fines and compensation payments relating to the PSC under the GDPR.

Section 31(d) of the Garda Síochána (Policing Authority and Miscellaneous Provisions) Act bestows responsibility to publish guidelines in respect of CCTV cameras on the Policing Authority. I wrote to the Policing Authority this month about the use of automated numberplate recognition and facial recognition cameras as part of the Department of Justice and Equality's community-based CCTV grant aid scheme. The Policing Authority confirmed that, rather strangely, the authority has not yet issued any guidelines under section 38 of the Act and that neither had the Department issued guidelines before the authority was established. The Policing Authority also stated in its reply to me that the authority has no role relating to the technical specifications of the CCTV camera. Neither the Minister nor the authority seem to have any responsibility for this. Section 2 of the existing Data Protection Act requires that data are "adequate, relevant and not excessive" for the purpose for which they are collected. In other words, data collected should be proportionate. I do not dispute that CCTV can be useful in detecting and preventing crime and antisocial behaviour and I understand why rural communities in particular might feel safe with them in place. However, CCTV systems must be able to pass a proportionality test as otherwise, they simply amount to surveillance and are fundamentally illegal. According to the guidelines issued by the Data Protection Commissioner, under the principle of proportionality, the Office of the Data Protection Commissioner would expect that a data controller would have carried out detailed assessments as to how the use of CCTV would meet proportionality requirements, including carrying out a privacy impact assessment. Privacy impact assessments will be a legal necessity under the GDPR.

I submitted an FOI request recently to Limerick City and County Council, looking for the council's privacy impact assessment for its CCTV scheme, funded by the Department of Justice and Equality, as part of the community-based CCTV scheme. CCTV camera installations, including automated numberplate and facial recognition cameras, began in Limerick in November last year and the CCTV scheme is due to go live by the end of this month. My FOI request was refused only two weeks ago on the basis that the privacy impact assessment was not yet finalised and was still in draft form. Publicly available information on the Limerick scheme shows proposals for what is known as deep learning and artificial intelligence to be overlaid on a network of cameras that count footfall, keep a record of the registration of every passing car 24 hours a day, and can recognise faces and patterns. Section 38 of the Garda Síochána Act clearly specifies that CCTV schemes should only be authorised for securing public order and safety in public places, yet Limerick City and County Council has publicly stated that its scheme will go much further than that. The Limerick solicitor and digital rights expert, Rossa McMahon, has said of the scheme, "It is not an exaggeration to say that the Council is installing technology used by authoritarian police states like China." The council tendered for the scheme over a year ago and has already bought numerous high-specification cameras and related equipment for 14 locations in the county. The GDPR dictates that data protection safeguards must be designed into products and services from the earliest stage of development.

Limerick City and County Council's privacy impact assessment now can only be a box-ticking exercise and in that sense will be utterly pointless. This is a €500,000 scheme and sets a dangerous precedent on disregard for proportionality with regard to data sharing. As I mentioned already, the Minister claimed in the Seanad debate on this Bill that we cannot have references to proportionality in the Bill because it would make certain schemes already in place and operational illegal. It is hard not to conclude that the Minister wants to continue to turn a blind eye to already existing problems and to use the Bill to undermine the rights of data subjects under the GDPR.

In the past few weeks, we have all seen how important it is to have robust data protection and to ensure that we have those measures in place right across society. Be it through the GDPR or domestic legislation, they are now a vital component of everyday life.

The Bill does not go far enough in terms of providing specific protections to young people generally and children in particular. I wish to concentrate my contribution on that issue. Having read the contribution of the Minister, Deputy Flanagan, in the Seanad, it is clear that he is aware of the issues in respect of how the EU has chosen to frame article 8. By structuring the additional protections for children's data in terms of a set age limit and parental consent, the onus of responsibility has been shifted from data processors to parents, which, in my view, is not right. During the drafting phase of the general data protection regulations, GDPR, some countries instead proposed including clear restrictions on marketing activities that specifically target children, which would have provided far more robust protections. It is very regrettable that that course was not taken. The move to a digital age of consent, which does not appear to have been set with any clear evidence base, is a major failing of the GDPR that we must work on addressing before passing the Bill.

The current draft of the Bill is a vast improvement on the original. Placing the right to be forgotten on a statutory basis and specifically citing that right in regard to children and young people is an important move. However, I was disappointed that the most significant change made to the Bill in the Seanad is to task the commission with encouraging rather than requiring codes of conduct in regard to how data processors engage with children and handle their data. Such codes of conduct are already prescribed in article 40 of the GDPR. I suspect the Minister has chosen to adopt this wording in an effort to avoid falling foul of the EU. However, the language of the Bill as drafted does almost nothing to impose additional restrictions on the collection of children’s data. Instead, it gives the companies that will be processing such data huge scope in how they collect, use and monetise it. That is why it is important that we are very clear what we are talking about when we refer to the digital age of consent and what it can and cannot achieve.

Over the past few weeks, there has been much wide-ranging comment on and discussion of the digital age of consent. It has been described as being about everything from keeping children safe online to being a question of free speech. That is simply not the case. As Professor Barry O’Sullivan quite forcefully stated at the Joint Committee on Children and Youth Affairs, "the digital age of consent is not about when a child can access the Internet, it is merely the age at which a child can consent to a profiling of their personal data and that is it." The simple fact is the digital age of consent is about money. The type of profiling to which it will allow 13 year old children to consent is at the root of these companies' business model.

In the past few weeks, we have all seen how easily such data can be misused. We need to ask ourselves if we think it acceptable for the data of children to be used in such a manner and whether we can trust large scale data processors such as Facebook, Google, and Snapchat to do so responsibly without being compelled to do so through legal sanction. I do not think we can. Time and again, such companies have proved that they cannot be trusted to act responsibly when it comes to users' data. On repeated occasions, they have acted to tighten privacy controls only when caught or in response to massive public pressure. I do not allege that anything they did or are doing is illegal but, rather, that that reluctance to act is at the core of the problem. The companies may subscribe to the letter of the law but their sole concern is their bottom line. All Members may agree that the harvesting of the personal data of children for marketing purposes is repugnant but if it is not clearly prohibited there is no incentive for these companies to stop that practice.

The marketing strategy of Facebook and other social media companies is to present themselves as a social good. Facebook has often described itself as a social utility. Google’s corporate code of conduct included the retrospectively threatening motto "don’t be evil". Although truly brilliant pieces of marketing, those slogans are completely removed from the business model of those organisations. They do not provide a service for free; the charge is access to our data. They are not a community or a utility but, rather, businesses based on mass surveillance. There is nothing inherently nefarious in that and there is no doubt that there has been positive change as a result of access to these platforms. However, that does not mean that we should ignore their nature or blindly accept their marketing copy. We must approach the manner in which these companies make billions in profit each year with open eyes. We must accept that, like any other resource, this House has not only the right but also the responsibility to regulate how private industry monetises the public’s data, particularly that of children.

Over the past few months, I have tabled several parliamentary questions on the Bill and the digital age of consent. In his replies, the Minister has consistently cited the support of the Children’s Rights Alliance for these proposals. However, that is not a fair or accurate portrayal of the current position of that organisation. In a recent submission to the Minister, it made clear that relying on digital consent as a means of protecting children’s data is not sufficient. It believes that that approach takes the emphasis off the data controller and that if we are truly concerned about children’s data, we should be imposing more restrictions on the use of their data. I hope that the Minister will continue to give the opinions and recommendations of the Children’s Rights Alliance as much weight as he has to date and heed its call that the Oireachtas should legislate to forbid the use of children’s data for marketing or commercial purposes. I understand that proposal was raised with the Minister on Report Stage in the Seanad and that he suggested it would risk breaching the GDPR or interfering with the independence of the commission. However, on that Stage he introduced an amendment to place the rights of erasure referred to in recital 65 of the GDPR on a statutory footing. I see no reason the same could not be done for recital 38, which states: "Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services". At the very least, the Minister must have considered tasking the commission with encouraging steps to remove the data of children from being collected for marketing purposes.

Article 57(1)(c) of the GDPR makes clear that the commission must have the power to advise the Dáil on administrative or legislative measures relating to data processing. Would the Minister accept an amendment seeking a report from the commission on the use of children’s data for marketing purposes? I would rather that we put in place specific legislation to control such behaviour, similar to the current data protection regime in Spain, which prohibits the collection of data from children about their parents and family. However, I understand the Minister is concerned about the compliance of such action with EU law. If that is the case, it is essential that the Minister outline what legal advice he has sought on this area, why he sought it and what his precise issues of concern are. Will he work with the Opposition to find a way to strengthen our domestic legislation as the Bill does not go far enough? There is a unanimous view that it is repugnant for children's data to be used for marketing and commercial purposes. Members may have heard a representative of the Irish Heart Foundation very eloquently talking about that today and discussing the dangers of the very direct marketing to children of very unhealthy foods such as those high in sugar or salt, or both, and so on. There is no disagreement on any side of the House on that objective.

I hope the Minister will give positive consideration to an amendment in that regard on Committee Stage.

Three revolutions are taking place in the world at the moment. The first is the digital revolution, which has been happening now for several decades. In line with Moore's law, technology is operating relentlessly in increasing our capability to process data. There is also a clean energy revolution taking place. We are moving towards renewable power and allowing efficiency in a range of different ways. There is also a transport revolution starting now in terms of allowing for shared access to vehicles and moving away from ownership of vehicles towards hire in a range of innovative ways. I mention all three because they are connected in the sense that the digital revolution is very much influencing the other two. When one starts looking at how to evolve the clean energy revolution, for example, in the roll-out of smart energy meters in a home or electric vehicles, one realises it is the data communications system, the digital systems, that are key. The same is true in terms of how the transport revolution will work. The way we change how we move around cities in particular will require people to be confident about the sharing of data. It is a communications revolution that brings the transport revolution as much as anything else. The three revolutions have certain characteristics in that they involve network systems. They are much flatter, typically horizontal, and less hierarchical structures that are created in industry or in power systems and each one feeds off the other. They are revolutions that will change society as well as those three technological areas.

As a country, we have a real interest in getting the revolutions right. In this city and around the country, we have managed to attract many of the companies at the very cutting edge of the digital revolution in particular and we are good at the clean energy revolution too. It is incredible when one looks at our recent history over the past 50 years that we have moved from importing foreign direct investment in manufacturing, for example, all the semi-conductor industries and biopharmaceuticals, and to our ability in the past 15 to 20 years to attract all the digital industries and the latest social network platforms. That has been an incredible success for this country. More than any other country, we need to get the regulation of it right. The ethical rules around how we govern such a system are critical for this country. We want to gain from the clean energy, digital and transport revolutions. We want to attract the jobs and develop our own industrial capability, but we also want to look after people.

The revolutions are affecting everything in society. They affect the way the education and health systems will work and how the media works. Our financial system is about to be eaten up and completely changed by the digital revolution that is taking place. Today's debate is mission critical for this country given that we are discussing the legislation to regulate that digital revolution. I believe the best approach to it is to start from first principles of the characteristics of the revolution that we want to apply. One of the first principles we should apply is that of privacy and of trying to protect people's privacy in the sharing of all that data and information because if we do not get that right people will not trust us regarding the scale of the way we are going to use it. This revolution is only starting and in the next 20 to 30 years, the applications we will need to apply will require people to trust the data, and the first principle of privacy applies in that regard.

It is difficult because there are other principles that in some ways are equally important although they are slightly conflicting. For example, there is the networked, flat, hierarchical sharing system of open access and transparency among the principles of how this new revolutionary network system works. Similarly, there are principles that we would want to provide in order to allow for payment to content providers, but at the same time we also want to provide for shared fair-use systems so that people can benefit from that characteristic of the network system. The difficulty when it comes to legislating is that one has those different principles that sometimes conflict. In addition, one also has to take into account as the legislator, as well as the principles, the norms of what the technology is doing and try to understand it. Technologically, it is incredibly complex regarding what one can and cannot do in terms of how the digital communications system works, even the way the zeros and ones move along fibres and go through routers and are stored. If one does not understand the technological level of what the revolution is bringing, it is very hard to get the regulation of it right. It is only after one has worked out one's first principles and the norms of what is happening that one gets down to the practical job of legislating, but legislate we must.

For too many years, the political system across Europe and the world has stood back. In Europe, the European Court of Justice, ECJ, has effectively become the legislating arm for the digital revolution because in the absence of political certainty as to how we would do that, the European Court of Justice has stepped into the breach and effectively regulated for the world in the sense that Europe is big enough to set the level of standards that would apply. By and large, it has done a good job but it is not up to the ECJ to legislate, rather it is up to us and the European Parliament. The Bill before the House comes from the European Parliament. It was the Parliament which stood up for the values of privacy, for example, in recent years. Perhaps I am biased because it was colleagues and friends of mine who were responsible. I refer, for example, to Jan Philipp Albrecht, a German Green parliamentarian, whom I found superb in steering the regulation through the Parliament. He was the Parliament's rapporteur for the GDPR.

There was cross-party agreement on the privacy directives we developed in recent years, which is one of the most interesting characteristics of the matter. There has been agreement on the left and the right - liberal, socialist, Green, Christian Democrat and every other party - and a fairly broad consensus was reached within the European Parliament. It was the Parliament which steered the Council. The Commission helped, but to my mind the Parliament should be recognised for setting out the broad principles of how to regulate data protection. Now we are translating it into our domestic legislation. This is incredibly complex legislation and it is not easy for us parliamentarians to parse through the details. To understand the details, one has to understand the scale of the revolution, the scale of the technological changes that are occurring and the scale of the complex battle between different principles. I look forward to Committee Stage to try to contribute and participate in the debate on the complex and difficult things we need to do.

I understand the original version of the Bill tried to exempt the public service from the provisions of transparency and openness and I am pleased that was removed. We are starting from a far better place now in that the public service realises it is not exempt from the revolution that is taking place and it must be exemplary in terms of the principles we apply. It is not all about security and protecting the institutions themselves, rather it is about being willing to be open and transparent. I am all the more certain of that after the session we had yesterday afternoon with Facebook where we were trying to tease out some of the immediate issues. We are fortunate here, by and large, as we are well placed to do a good job. We have a strong independent legal system. The judgments that Mr. Justice Gerard Hogan and others gave in recent years show we have real strength in our legal ability. We have a strong regulatory system. I believe we are one of the best countries in Europe in terms of regulatory process. We are not seen in that way at the moment, as the rest of Europe sees us as a soft touch in the regulatory area, but it is possible for us to up our game. The number of staff under Data Protection Commissioner, Helen Dixon, has increased to approximately 100 from 30 four or five years ago, but I think we need to double the number again, if not more, because the scale of the responsibility we have as the home to the digital companies is one that we should take with the utmost seriousness. We have 5,000 civil servants in the Department of Agriculture, Food and the Marine and we have 100 in the Office of the Data Protection Commissioner when the Data Protection Commissioner is pretty much dealing with the entire world in terms of rules on the Internet revolution. That requires a dramatic scale of response and importance in terms of how we get those rules right.

I am pleased the Bill is before the House and I look forward to contributing on behalf of the Green Party on Committee and Report Stages. The Bill is important, and it is important we get the legislation right. I hope the Minister will be open to amendments. The nature of the revolution is that one collaborates, tries to seek consensus and listens to different voices.

If that attitude is taken during the progress of this Bill through the Parliament, it will be the better for it.

I thank all the Deputies who contributed to what was a very interesting and engaging debate on this Bill. As all of the speakers rightly pointed out, this is a very complex Bill that will affect us all. The Minister for Justice and Equality, Deputy Flanagan, and I welcome the broad range of views that have been expressed in both Houses of the Oireachtas. I assure all the Deputies who contributed to this debate that the issues they raised will be considered in the context of possible amendments to the Bill. As Deputy Ryan said, this is about consensus and collaboration.

I will now respond to some of the issues that were raised, although I will not be able to respond to them all. Many Deputies raised the issue of the digital age of consent. The Government acknowledges the concerns expressed by Deputies regarding the digital age of consent. The background to the Government's decision to set the age of digital consent at 13 years, including the consultation process undertaken by the data forum and the Department, has been explained very well in both Houses of the Oireachtas by the Minister for Justice and Equality. In choosing a digital age of consent of 13 years, Ireland is certainly not out of line with other EU member states as Deputy Mattie McGrath suggested in his contribution. In that context, I suggest that he reads the Bill. A digital age of consent of 13 has also been adopted by Sweden, Denmark, the Czech Republic, Finland, Latvia, Spain and the UK. I also remind Deputies that the Joint Oireachtas Committee on Justice and Equality, an all-party committee with members from both Houses of the Oireachtas, recommended 13 years in its report following pre-legislative scrutiny of the Bill. Many other leading experts, including Dr. Geoffrey Shannon, support the decision also. Arising from discussions in the Seanad, a review clause has been incorporated into section 30 of the Bill which will mean that the operation of the section will have to be reviewed not later than three years after coming into operation. That clause was welcomed by many Deputies in this House and by many Members of the Upper House.

Deputy O'Callaghan, who was the first member of the Opposition to speak on the Bill, referred to the need for the Data Protection Commission to be adequately resourced, as did Deputy Ryan. The Government has allocated significant additional resources to the Office of the Data Protection Commissioner since 2013 in order to ensure that it will be in a position to discharge its functions following the entry into force of the GDPR. If one takes a look back at the budget in October, the funding for that office was €11.7 million, putting the Irish Data Protection Commission in the top tier of highly resourced national data protection authorities in the EU 28. We understand the importance of the job of the Office of the Data Protection Commissioner which is why we are providing adequate resources for it and will continue to do so. The Data Protection Commissioner is independent of Government and needs adequate resources because, as Deputies pointed out, so many multinational companies have their headquarters in Ireland.

Deputy Lawless also mentioned the need for the Data Protection Commission to be given sufficient powers to carry out its functions. I assure the Deputy that the Bill will confer extensive supervision and enforcement powers on the commission, including the power to apply, ex parte, to the High Court for an order to suspend, restrict or prohibit data processing or the transfer of data to a third country or an international organisation, where there is a need to act urgently in order to protect the rights of freedom of data subjects.

Deputy Ó Laoghaire raised the issue of the transfer of personal data to the UK following Brexit. He spoke in particular about the need for an advocacy decision. While this is a matter for a first decision by the European Commission, it is worth noting that the UK Government has underlined the fact that it will be compliant with the GDPR on the date of exit from the EU. That has been made quite clear to all EU Ministers. Deputy Ó Laoghaire also suggested that the Bill should provide for criminal penalties that deprive organisations of the profits obtained through infringements of the GDPR. The position is that Article 83 of the GDPR already provides for the imposition of administrative fines of up to €10 million or €20 million or 2% or 4% of the worldwide annual turnover, depending on the nature of the breach. Many Deputies raised that issue in their contributions. That article sets out a number of aggravating and mitigating factors to be taken into account in determining whether to impose a fine and the level of any such fine. One of these factors is the financial benefits gained or the losses avoided directly or indirectly from the infringement.

Deputies Pringle and O'Dowd both mentioned an amendment that the Minister for Justice and Equality intends to bring forward on Committee Stage relating to concerns raised that GDPR may adversely impact on the ability of elected representatives, including Members of this House, to make representations on behalf of their constituents and to carry out other aspects of their work as elected representatives. I assure the House that the Minister intends to bring forward an amendment to ensure that there is an appropriate legal basis for, inter alia, the processing of personal data for the purposes of dealing with constituents' representations and requests. That amendment is being finalised at the moment and will be circulated to all Members at the earliest opportunity.

Deputy Broughan and others mentioned access to journalists' notes and the retention of personal data. Judge Murray's recommendations will be addressed in a separate Bill, the data retention Bill, which will be brought before the House at a later date. The pre-legislative scrutiny report on that Bill is being considered in the Department of Justice and Equality at the moment.

Fines of up to €1 million may be imposed on public authorities and public representatives, including Departments, local authorities and the HSE for data protection breaches, as per section 139 of the Bill. Deputy Ryan has left the House now but yesterday during Leader's Questions he raised the matter of my Facebook page and said that it did not include digital content. I urge Deputy Ryan to follow me on Twitter - @PatBreen1. He does not follow me at the moment so obviously he is not too interested in my digital activities. I would suggest that he do so because all of my work as Minister of State with responsibility for data protection and the single digital market is visible on my Twitter account. Included there are the extensive activities in which I engage as Minister of State, including activities in Brussels last Monday and the declarations I signed on behalf of Ireland on block chain, artificial intelligence and the single digital market. My account also contains information on my interdepartmental activities at the Departments of the Taoiseach and Justice and Equality and refers to the Digital 9 meeting that I am hosting here next month. I want to ensure that Ireland will continue to be a leader in the whole area of the digital agenda and digital technology and that all of us embrace it. Ireland is to the forefront in that respect. That meeting will precede our data summit which will be held in September and I hope Deputy Ryan will take note of all of that.

We hope to have this important Bill enacted by 25 May next in order to comply with our EU obligations and to ensure the new data protection commission has the benefit of the enhanced supervision and enforcement powers set out in this Bill from the outset. The Office of the Data Protection Commissioner is engaging in a very comprehensive campaign around the country currently. In my role as Minister of State with responsibility for data protection, I am involved in a comprehensive campaign that involves many seminars and social media events to ensure everybody will be prepared for the GDPR when it comes into force on 25 May. In particular, I am keen to ensure small and medium-sized businesses, microenterprises, voluntary agencies and charities will comply with the GDPR. It is extremely important this is the case. I will have a round-table meeting with those groups next week to ensure they are compliant. I compliment the many umbrella groups and bodies that are relaying this information to their members to ensure they comply with the GDPR. The Minister, Deputy Flanagan, and I look forward to working with Deputies to make progress with the consideration of this Bill in both Houses to ensure we are GDPR-compliant by 25 May.

Question put and agreed to.

Comhghairdeas, a Aire Stáit. Go hiontach ar fad.

Barr
Roinn