Joint Committee on Children, Equality, Disability, Integration and Youth díospóireacht -
Tuesday, 2 Nov 2021

Apologies have been received from Deputies Cathal Crowe, Dillon and Ward. Before we begin, I need to go through a few housekeeping matters. I ask any member or witness participating remotely who experiences any sound or technical issue, to let us know through the chat function. Otherwise, we will proceed. I advise everybody that as this is a public meeting, the chat function on Microsoft Teams should be used only to advise participants of any technical issue or urgent matter and should not be used to make general comments or statements. I remind members participating remotely to keep their devices on mute until they are invited to speak, and when they are speaking, I ask that, where possible, they have their cameras switched on and be mindful we are in public session.

In addition, I remind members of the constitutional requirement that they must be physically present within the confines of the place in which Parliament has chosen to sit, namely, Leinster House, to participate in public meetings. I will not permit a member to participate where he or she is not adhering to this constitutional requirement. Therefore, any member who attempts to participate in the meeting from outside the precincts will be refused.

Members participating in the meeting from the committee room are asked to exercise personal responsibility in protecting themselves and others from the risk of Covid-19. They are strongly advised to practise good hand hygiene. They will notice that every second seat has been removed to facilitate social distancing. I urge people not to move any chair from its current position and always to maintain an appropriate level of social distance during and after the meeting. Masks, preferably of medical grade, should be worn except, obviously, when people are speaking. I ask for co-operation in this matter.

We are in the first of two sessions of our public meeting today. I welcome Mr. Simon McGarr of McGarr Solicitors and Dr. Fred Logue, principal of F.P. Logue Solicitors. The purpose of this afternoon's meeting is to engage with them on the pre-legislative scrutiny of the general scheme of the birth information and tracing Bill and any general data protection regulation, GDPR, concerns.

Before I invite the witnesses to speak, I need to give this advice on parliamentary privilege. As all of the witnesses are appearing before the committee virtually, I need to point out there is uncertainty if parliamentary privilege will apply to their evidence from a location outside the parliamentary precincts of Leinster House. Therefore, if the witnesses are directed by me to cease giving evidence about a particular matter, it is imperative they comply with any such direction.

Each of them will be allocated five minutes' speaking time. Due to the time constraints this afternoon we need to try as best we can to stick to that timeframe. We will have time for questions and answers after the witnesses have spoken, with each member also allocated five minutes.

I now invite Mr. McGarr to deliver his opening statement.

I thank the Chair and the members of the committee for their kind invitation to speak on this proposed legislation. I do not intend to presume on the members' time by doing a line-by-line reading of the proposed heads of Bill. However, I think it is worthwhile addressing some specifics by way of illustration of what I think is a common error of approach throughout.

To start, we should recognise that this Bill represents a proposal for a change in how the State addresses the rights of adopted people. As recently as 2001, the Irish State was proposing to create criminal penalties as part of access to adoption records, should the records be used in a way the State did not approve of.

The intent in this latest effort to bring the State in line with international human and fundamental rights is described as recognising the importance of a person knowing her or his origins and to achieve this through the provision of access to certain data related to them. In itself this is a welcome, if belated, change in approach and aims.

If I am to be of service to the committee, it is likely to be in examining the proposed heads of Bill through the lens of the rights acknowledged under EU law by the general data protection regulation. Therefore, while again acknowledging the improvements of intention and policy this legislation represents, I am afraid I will attempt to make the most of our time by focusing on areas where I think further improvements are still needed to bring it in line with EU law. I will also discuss some of the legal consequences of passing national legislation which is at odds with the GDPR and the administrative risks and consequences that will inevitably bring.

The first point to make is that this Bill seeks, in part, to legislate for a legal right which is already in existence. Head 2 goes to great length to attempt to define the documents and data to which it intends to provide access in the rest of the legislation: birth certificate, birth relative information, care information, early life information, and medical information.

Of course, all of this is simply covered by the definition of personal data set out in Article 4 of the GDPR, as subsequently defined, widely and most helpfully, by the Court of Justice of the European Union, CJEU, in the Breyer case. If personal data means "any information relating to an identified or identifiable natural person (‘data subject’)", as it is defined in Article 4.1 of the GDPR, then each of those defined categories of data or records is simply a subset of the general set of all personal data relating to an adopted person. If a relevant body holds records or personal data relating to a person, and that person makes a request for that data, there is no gap in the current law that is required to be filled. The GDPR requires that request is granted within a month, as matters stand now. Failures to comply with the law are failures of administration, not failures of legislation. Thus, head 12 of the proposed Bill’s attempt to legislate away the right of access to birth certificate data of an adopted person is simply not legal under the GDPR. It would inscribe into national law a restriction on the Article 15 GDPR right of access to personal data, without demonstrating in law any necessity or proportionality for that restriction.

This also goes for the requirement to attend a meeting before a person’s data will be provided, as described in the heads of the Bill. In the case of Gebhard, the CJEU set out the test for any national law which sought to interfere with a fundamental right or freedom of EU law. The court stated:

... national measures liable to hinder or make less attractive the exercise of fundamental freedoms guaranteed by the Treaty must fulfil four conditions: they must be applied in a non-discriminatory manner; they must be justified by imperative requirements in the general interest; they must be suitable for securing the attainment of the objective which they pursue; and they must not go beyond what is necessary in order to attain it ...

There is a long line of case law that has grown up around this concept of necessity and proportionality. There is no legislative provision setting out what the purpose of this restriction would be, as it is acknowledged that the record will be granted in all cases. It appears to be conflating the process of accessing personal data with the process of initiating potential contact with a birth parent. It would therefore fail on the requirements of necessity and proportionality.

For the same reason, the attempt in heads 5 and 6 to create a list of elements of personal data to which a person would have a right of access is a dead letter, as the general right to all their personal data set out in Article 15 of the GDPR precedes and supersedes it. Similarly, the restriction in head 7 on the requirement for the provision of birth information to specified relevant bodies is also non-compliant with the State’s duties under Article 15 of the GDPR. It cannot restrict where data is to be requested from. Any entity, including any State entity, must provide any personal data it holds to a requester on receipt of an Article 15 subject access request. The same objection holds for heads 8 and 9. It also holds for head 10, but with the additional issue that head 10 seeks to also refuse to provide information directly to the requester, but instead provide it to a medical practitioner. This is an additional layer of illegality, in that there is no basis for this interference in the right of access provided for in the statute. Therefore, it fails the necessity and proportionality test outright by itself. The final, most extreme example of an attempt to try to legislate away the individual’s GDPR rights can be found in head 40, which grossly misapplies Article 23.1(i) to try to set this Irish national law above the EU rights of access derived from the Charter of Fundamental Rights and the GDPR.

I thank the committee for its time. I have delivered my speech in what I consider to be record time. I apologise that I do not have more to say initially but that means there will be more time for questions, which might be useful in itself.

I thank the Chair. I will be quick as Mr. McGarr went over some of the matters I have addressed in my opening statement. I have a law practice and we act for quite a few adopted people trying to access their information, so we have some experience of the practicalities and what it is like for them at the moment. My first thought when I read the draft heads of the Bill was that it was starting from the wrong place. It is a classic case of "If I was going there, I would not start from here". The heads are drafted from the point of view of giving people a new right that they do not already have. As Mr. McGarr has said, that is misconceived because there is an existing right of access to one's personal data, including adoption information. Even leaving aside GDPR, birth certificates are open documents. Anyone can go in and get any birth certificate. These are public documents. The problem for adopted people is that the barriers to access are not legal but practical. They do not have enough information about themselves, such as their actual dates of birth and their mother's maiden name, to identify their birth certificate. That being said, many adopted people can and do get their birth certificates so they are already being accessed.

In addition, the GDPR gives adopted people a right of access to their personal information, including from private and public data controllers, the Adoption Authority of Ireland and Tusla. However, in these cases access is being blocked, unlawfully in my view, by what I consider to be an unwritten or de facto policy to deny access to most adoption information, and certainly information that would help adopted people find out the identity of their parents and other relatives. This is achieved through misinterpretation of European law and a policy of applying national law above European law. Combined with weak enforcement by the Data Protection Commission, the result is that individuals do not have an effective way of enforcing their rights of access to their information. The point I am trying to make is that these rights exist and will continue to exist irrespective of the legislation because they are EU rights. There is a risk, however, that if this legislation is passed in this format, it will create a limited parallel system that will create confusion and lead to it being preferred over the GDPR rights.

The drafters of the Bill need to go back to the drawing board and start from the point of view that they are giving greater effect to GDPR rights. Some of these conflicts I have pointed out have already been highlighted. First, the material scope is too narrow and granular. The proposed age limit conflicts with GDPR as there is no age limit on exercising those rights. The proposed fee in head 3 is in conflict with GDPR because there is a right of access free of charge. The mandatory information session is a restriction on the right of access under GDPR. The requirement to give medical information to a medical practitioner is also a restriction. In fact, there is no reference in GDPR to medical information. The correct terminology is "health information". While the non-disclosure aspect of head 13(4) is well intentioned, it will inevitably be interpreted as displacing the right of access. The restrictions are not being applied correctly, particularly the restriction in head 40, which is a kind of catch-all restriction and is completely outside the way such things are supposed to be done under GDPR.

The European Data Protection Board has produced very good guidance on restrictions of rights under Article 23 of the GDPR so I suggest the drafters read that. The attempt to restrict the right of compensation is completely incompatible with GDPR. I am stunned that anyone decided to put that in the heads of a Bill because it is so obviously unlawful. Where there are new registers or new information created as part of the tracing system, there will be a right of access to that as well. To avoid all the issues we are seeing, there should be express provisions for the right of access and if there are to be restrictions on it, they have to be set down in the legislation and they have to meet the requirements of Article 23.

Finally, I do not think the Adoption Authority of Ireland or Tusla should be allowed make guidelines that regulate their obligations as data controllers. There are obvious conflicts of interest there. All substantive provisions must be in the legislation. There should not be substantive provisions in guidelines and if there are to be guidelines they should be adopted by the Minister and not by any of the agencies or other bodies that have to give effect to the rights of access. I thank the committee for allowing me to make this opening statement.

I thank both the witnesses. Their opening statements were very helpful, succinct and concise.

They have really brought clarity to bear on the provisions in the scheme before us. It was refreshing to listen to them.

I was involved as a Senator in the previous Oireachtas in seeking to achieve a workable framework to allow adopted people to access their information. We kept coming up against the same barrier our guests have identified as underlying this scheme, that is, the insistence that information rights would have to be balanced against the privacy rights of natural or birth parents, particularly natural or birth mothers. There was a suggestion that the balancing could only be achieved through the introduction of a somewhat cumbersome process. Mr. McGarr pointed out the criminal penalties at one point. The most recent iteration of the process in this scheme is some improvement but it still starts from the place both our guests have identified, that is, that it is a balancing act. The right to information is not seen as an unfettered right but as something that must be balanced and, in many cases, is overridden by the right to privacy, which is being used against those who are seeking this information. The right to privacy is not something that many birth and natural mothers have necessarily asserted. I thank our guests for their clarity.

I will ask two specific questions. What do our guests have to say about an issue we have constantly come up against, namely, that we cannot legislate for access to information in an unfettered away, apparently according to advice from different Attorneys General because we must balance privacy rights? What do our guests have to say on that matter? That obstacle has been put in our way and, more importantly, in the way of adopted people for far too long.

Given the clarity of the approach our guests are suggesting, how should we, as a committee, proceed in our recommendations at this pre-legislative scrutiny stage? Should we say that there is no requirement - in fact, it is in breach of the general data protection regulation - for us to be erecting these cumbersome bureaucratic obstacles, as I have described them? Should we sweep that away and start with a clean slate in terms of the right to information? I would love to hear our guests' views and I thank them again.

I am going to pre-empt Dr. Logue because I pressed my unmute button before he did. In order to answer the Deputy's first question, let us imagine there is no attempt at national legislation on this issue and the requests for access to information are addressed solely under the GDPR. The regulation provides for the balancing of rights within its framework. It does not require additional legislation to try to legislate for that balancing. The balancing of rights in inherent to the GDPR. We must recognise which rights are being looked at, which rights are being applied and who has rights. A sequence of questions needs to be asked. One needs to know who is alive and who is dead because there are rights under European law which accrue to people who are alive and are lost when a person dies.

Like Dr. Logue, I have been representing people looking for information about their early lives, as adopted people. One of the more odd things I have encountered in the past couple of months has related to the assertion of the rights of dead people and an attempt to read the fact that people who are deceased no longer have data protection rights in such a way as to assert that records relating to dead people are exempt from GDPR, as opposed to the obvious reading, which is that dead people no longer have GDPR rights. Of course, if the records relating to dead people also relate to people who are still living, those records are still amendable to access under the GDPR. I am confident that the Dr. Logue will also have tales to tell on this front. Unfortunately, we have met what sometimes appear to be misguided and occasionally perverse readings of the GDPR in our attempts to try to access information.

The core of my answer to the Deputy's second question is that I think we have an administrative problem. We have all the legislation that is required but we are lacking the administrative guidance that will see the proper interpretation of the GDPR applied by multiple agencies of the State. It appears that this is a classic case of a need for a ministerial circular. A letter ought to be circulated with a guidance note attached which would have a general scheme that could be used by all parties for describing the application of subject access requests for all the records the different entities hold. Attempting to be granular and saying a certain approach would apply to one kind of record while another approach would apply to a different kind of record, which is the approach in the heads of the Bill, seems to be staring in the wrong place, as Dr. Logue said. We must find the right place to start in principle and, from that, derive a scheme of approach to subject access requests, whether from adopted people or other interested parties. That scheme of access must then be applied across all the organisations involved. Only a ministerial direction note will apply there but it does not require legislation or any additional laws. It is simply a guidance note for good administration.

The Deputy mentioned the balancing of rights. It arises from an old case, the I. O'T v. B case, which is being misinterpreted. That was a different issue. I have written a paper with Professor Maeve McDonagh, Dr. David Kenny and a few others that some of the members may be aware of. It sets out why an individual balancing test is not required on a case-by-case basis in any access legislation. I would refer to that.

In nearly every other EU jurisdiction, there is a system of open access to adoption information under exactly the same legislation, namely, the GDPR. That included Great Britain and Northern Ireland before they left the EU. If there is a constitutional issue, the GDPR takes primacy; it does not matter what the Constitution says. The idea is that the Legislature will set the parameters for the balancing in the legislation. There is wide discretion for the legislators. The principle is that the legislators, the democratically elected people who pass legislation, are best placed to conduct that balancing test. That does not require to be done on a case-by-case basis. For example, as I said, we have open access to birth certificates. I am always baffled by the argument. Everyone knows who their mothers and fathers are, more or less. That is true in 99.99% of cases. We do not have privacy as between children and parents, so where does this right to privacy come from? That is the question I would ask. We have an open birth certificate register. I can go in and find out the names of all the members' parents. It is even more bizarre in the case of adoption because it is easier for people who live locally to somebody who gave up a child for adoption to find the birth certificate of the child because they will know the name and date of birth through local knowledge, whereas it is harder for the adopted person to find that information. If a right to privacy genuinely applied to the identity of a person's birth mother, those records would be secret, through legislation.

We must proceed from the basis that this legislation is to give full or further effect to the GDPR rights. We cannot start from a place that assumes this is a new right. If we do not start from that point of departure, there will be a massive conflict between this legislation and the GDPR.

I thank our guests for their clarity. I agree entirely about the misinterpretation of the I. O'T v. B case but, unfortunately, every time we, as legislators, have raised this matter, it has been brought back against us, if you like. The alleged need to balance constitutional rights has been raised. I again thank our guests again for their clarity. Does Mr. McGarr wish to contribute again?

I thank our guests for their contributions. I will hit on similar points to those raised by others, but I may elaborate on them.

I ask that we can be as concise as possible so I can get through the questions within the seven minutes. In Dr. Logue's opinion, in what way do data controllers benefit from restricting adoptees access to their personal data?

My next question is for Mr. McGarr. The Bill states that an adopted person will not be entitled to identifying information about any relative beyond the birth certificate information. For example, head 2 defines birth relative information as only including anonymous information, and it defines care information as not including anything about the parents or guardians care of a person. What does Mr. McGarr think of this and how compatible is it with GDPR? Will Mr. McGarr explain the Court of Justice of the European Union definition of mixed personal data and what that means in relation to this Bill?

I will fail to give the Senator a proper explanation of mixed personal data, so I will hop past that piece for a moment.

To address the first part of the Senator's question, one cannot limit the definition of personal data more narrowly than it is defined in the GDPR. Any attempt to do so is non-functional once it is accepted. It is very clear that the attempt to try to simply legislate away the effect of the GDPR as it clashes with these proposed pieces of legislation in these heads of the Bill is not acceptable. It does not meet the requirements under Article 23, even if we were to say that it met the requirements for necessity and proportionality. Once one accepts that the definition of personal data is as defined in European Union law, which is any data relating to a person, then one can see that any attempt to try to restrict that to only certain data relating to a person, will have to be nullified.

In his submission, Mr. McGarr said that technically any attempt in the Bill to create a list of personal data, to which a person would have right of access, is not compliant with EU and GDPR law, which affords citizens the right to all their personal data. Mr. McGarr has just given us an insight to what that means. In his professional view, will Mr. McGarr explain how the Bill should be amended to comply with GDPR?

If it was to be amended to comply with GDPR it would adopt the phraseology of the GDPR so that we do not have a clash between the texts. For example, instead of trying to define certain categories of data it would simply define personal data as "personal data as defined in the GDPR at Article 4.1". By bringing in the definitions and the textual approach, it would ensure at least that one did not get a clash between definitions under the Irish law and definitions under the GDPR. Unfortunately, primarily the main thing that could be done to bring the Bill into compliance with GDPR would be to excise significant portions of it. Many of the heads of the Bill set out specifically to do things that are intended to be in conflict with the GDPR. Hence, head 40 recognises that a restriction would have to be created on the GDPR if any of this is to be enforceable.

I have one more question for Mr. McGarr, and if I have time I will go back to Dr. Logue to pick up on something he said earlier.

On the data controllers, other than Tusla and the Adoption Authority of Ireland, do the data controllers still have to comply with GDPR because they are not covered by this Bill? Is there confusion there?

There is very clear clarity in the law. Anybody who is a data controller, in the context of information being held and any personal data they are holding, has a duty to provide that data to the individuals if they ask them. One cannot restrict the identities that are allowed to be asked for data and nor can one restrict who may ask for their own personal data. Everyone covered by the GDPR have a right to make an access request to anybody, whether private or State.

One of the foundational principles of EU law is that EU law takes primacy over national law, even national law of a constitutional nature. That has been the case for the past 50 years. This is not radical or groundbreaking jurisprudence. It is well known that this primacy is the case. It is also well known that all public authorities have a duty to disapply any national law that conflicts with EU law. If the Constitution, a judgment of the Supreme Court or a public authority, including the Adoption Authority of Ireland and Tusla, is in conflict with EU law, they must disapply that law and give effect to EU law. This includes subject access requests. No matter what the I. O'T v. B case says, or what the Senator thinks it says, the I. O'T v. B case does not change the GDPR.

I thank both witnesses for outlining the multiple issues with the Bill, including its interpretation of GDPR. Given their expertise and advocacy in this area, the committee would be obliged to include these issues in our report. I will be pushing strongly for that. Let us assume, however, that the Minister does not accept the issues we have raised, which is a very real concern of mine, and that the Bill passes with sections contrary to GDPR. What would happen then? Would the people concerned be in a worse position in some instances with new restrictions being brought in? Will individuals be forced to go to court again to access basic information about themselves, as with the case referred to in the response to Senator Ruane? This question is for both of the witnesses or either.

As Dr. Logue has said, whether or not this Bill passes, if it is in breach of the GDPR the public authorities have a duty to apply the European Union law and ignore this national law, where it is in breach. That is the first step. If the public authority does not recognise that, then it is liable for two things. It is liable to being sued by the individual to get access to his or her rights and is liable to being found in breach of the GDPR by the Data Protection Commission and could be fined up to €1 million per instance. Those are the two administrative responses to a failure by the institutions of the State to follow European Union law.

If the State is in breach of European Union law and refuses to take action, it is also open to citizens to make a complaint to the European Commission about the failure to comply with European Union law. It is open to the Commission to take a case against Ireland and eventually, as we have seen with our environmental issues, the State could end up with fines accruing unless and until such time as Ireland brings itself back into line with EU law.

In our system, generally speaking, an individual would have to take the case to prove the legal point. The principle is that the Legislature will not knowingly pass legislation that is in breach of EU law. This is the primary responsibility. The committee should be quite strong on that and that we should do this properly and not force people to take complaints to the Data Protection Commission or litigate this. Let us just get this right. We have been at this for a very long time. Everyone knows what the issues are so let us just do it properly.

In the interests of transparency, Mr. Logue is representing me regarding a legal action I am taking so he is my solicitor in another context. However, this is separate to the issues we are discussing here today. I have the dubious benefit of being last so many of my questions have already been asked. I thank Mr. Logue and Mr. McGarr for their input. They both spoke about weak enforcement. Is there something we can do to help the Data Protection Commission? What should the Data Protection Commission do differently regarding the difficult role it has been placed in that involves mediating between the Government and the State, which control the information on one side, and the rights holders looking for that information on the other?

The basic principle is that the Data Protection Commission is supposed to be the primary legal remedy or independent adjudicator on disputes over data protection. It is a public body but it is completely independent of the State. Its job is to supervise how the State implements the GDPR. This includes disputes where it is disputed that the legislation is actually valid regarding the GDPR. Similar to the Workplace Relations Commission, the Data Protection Commission has the power to disapply conflicting national law. I have already expressed concerns to another committee about the lawfulness and constitutionality of the procedures. There is no sworn evidence and no hearing. They tend to get bogged down and in many cases, the Data Protection Commission ends up being a middleman between the opposing sides exchanging points of view and finally deciding to go with one or the other. It does not have that characteristic we have for dispute resolution involving a hearing or even exchange of legal submissions. Characteristically, the procedure is very slow. It takes a very long time. It is measured in years whereas it is actually quicker to go to court to litigate because one can move things along. Pre-Covid, one could get a Circuit Court hearing in six months whereas I have cases involving the Data Protection Commission that are over three years old. One is not getting that effective remedy. As the Deputy alluded to, part of the solution lies in making this more efficient. It will make decisions that will be challenged in court. That is part of the legal process. It is through those challenges that the law gets clarified or the legislation is struck down but one needs the feed - the pipeline of Data Protection Commission decisions - so that one can get to court to get that clarity. Everything is stuck at the Data Protection Commission level and is not getting through so that the law can be clarified. That is a major issue but it is outside the scope of the legislation.

It would be better if individuals did not have to take the risk of litigation in order to have their rights upheld but we should look at where the Data Protection Commission has taken action and what has happened with that so far, which concerns the public services cards. There was a decision that the scheme of the public services cards was not compliant with the Data Protection Acts and the GDPR and it was challenged by the Department of Social Protection. That challenge has not yet been heard. We are 18 months on from the decision and are not yet at a hearing stage. Motion after motion has been sought, primarily with the effect - I will not say with the intention - of providing for further and further delay before the matter can be reached at hearing. We have a systemic problem if after an extended period of time of investigation, eventually the Data Protection Commission is in a position to make a decision and makes that decision but we are still looking at years.

This problem does not belong to the Data Protection Commission. This problem belongs to the State. It is the duty of the State to ensure there is an effective remedy for breaches of data protection legislation. A failure to provide for an effective remedy is itself a breach of EU law and can be the basis of complaints to the European Commission and so on. As matters stand, if everyone recognises there is a problem and we are looking for a solution, we should also recognise that the fact that there is acknowledged problem is in itself a breach of people's GDPR rights.

While it may seem slightly beyond the scope of the legislation and the issue we are talking about here, if the issue we are talking about is ultimately the fundamental rights of people to their data, as Mr. McGarr said, they need an effective remedy so the effectiveness of the Data Protection Commissioner ties in directly with the effectiveness of the support for these individual rights holders. As was said earlier, we as legislators have a responsibility to ensure the legislation recognises those rights. We need to acknowledge - it would be good to reflect this in our report - the difficulties with the body that is also tasked with protecting these rights. It is not just about the legislation; it is also about all the other stuff. Yes, we need to get this right, and it would seem from what has been said so far that we are not quite at that point yet, but we also need to get the other protections for people's rights right. It is important that we reflect that.

I thank the witnesses for their attendance here. It is a very interesting session. My questions are for both witnesses as their statements were very similar. Are there any jurisdictions in the EU where the release of mixed personal data to adopted people is done without a domestic legislative framework and sets out the appropriate balance of GDPR rights?

Is it the case that under the GDPR, the Article 16 right of a parent to object to data being processed would not have any impact on adopted people accessing their full information because of this legislation or would it possible without the appropriate balancing of rights set out in this legislation for a parent to prevent that information from being released to an adopted person? That is if there is an objection under Article 16.

Is it also the case that if we get rid of the balancing requirements set out in these heads, each time a request for birth or early life information is made by a data processor, that data processor would have to make its own determination on the balance of rights in accordance with GDPR? There would be a possibility that some or all information would be withheld from the requester.

Is there an example in Ireland that has come before the courts where the GDPR legislation has been tested for birth information? Within the argument here, the witnesses have an opinion on the seminal I. O'T v. B case. The judgment was that neither rights to privacy nor information were absolute and it is weighted to the common good. That is current case law but has there been any updated case law? Is it not right that this legislation would be the framework for a GDPR process whereby people's personal data could be accessed?

I will answer the general question asked at the end of the Senator's contribution, which is whether this provides a framework for accessing information within GDPR. It does not and instead it restricts it and limits it in ways that are not compatible with EU law. In doing so, it is itself not compatible with EU law. That is the kind of general position.

On the question of mixed personal data, there are two kinds of ways of looking at this. Frequently we see people referring to information about one person or another. It is referred to as a document with mixed personal data or mixed information relating to two different people. That is if the information only relates to each of them. There may be circumstances where the information relates to them both. The most famous example is that there cannot be information telling me who is my mother without it also being her information. It is both of our personal data and we both have it. It is not two different people with different rights on one document. One would redact the information not related to the person to whom it was being given; in this case it is related to the person to whom it is being given. It is not the concept of two different people's data on one document and how we can relate to that but rather information that is the personal data of both persons. It is the combination of the information that is critical because it overlaps.

The question was whether there should be a veto with such cases over the release of information by people if the information relates to them. The answer is "No" and no party has a veto. There is no absolute right to refuse information to be released. Again, this comes down to an administrative response and giving guidance. This can happen, as Dr. Logue suggested, by way of activity by the Legislature - the Oireachtas - or, as I have suggested, via an administrative response guided by the principles of the GDPR to allow for a common framework for the application of the GDPR. A decision tree might be presented, for example, and I know the Department of Children, Equality, Disability, Integration and Youth has engaged experts for this purpose and to give it advice on the GDPR and its application in respect of the mother and baby homes documentation.

These are not problems that are impossible to solve but they would be impossible to solve if we did not correctly recognise and determine what must be done. Unfortunately, with the proposed heads of Bill, the approach is not only not helpful to that outcome, but it will actively run contrary to what is legal.

There are different interpretations of the I. O'T v. B case. The Department's legal advice should be published so we can see what it is. That is instead of using the I. O'T v. B case as the magic words and that being the end of it. We should understand that I. O'T v. B is first about constitutional rights and not EU law rights. The context in which it took place was one in which there was not a framework and the only way to do it was an individual balancing test. That does not mean it must be an individual balancing test. I refer again to the paper with Dr. Maeve O'Rourke and Dr. David Kenny, who is from Trinity College Dublin. I am firmly of the view the Legislature can strike the balance in the legislation without it having to be a case-by-case balancing test.

I am not sure about other jurisdictions but most of them had given this right even before data protection rights came along. They would have pre-existing legislation anyway, particularly in the UK. That deals with the questions asked but this boils down to us seeing the advice on I. O'T v. B so we can have a look at it. It is very hard to answer that question without seeing what advice has been given to the Department. Based on past experience, the advice could be quite conservative or overly conservative. It would be good to have a debate about that.

Under GDPR, a person can instruct not to give information relating to himself or herself. It was mentioned that European law trumps the Constitution. If we do not have the framework from this legislation providing for clear detailing of what people can and would get access to, would it be better to scrap the legislation, as mentioned, so we could move to GDPR and let Europe judge all these cases? If a mother was raped as a child and does not want to be contacted or traumatised by past events, is she able to use that article of GDPR relating to the common good, and say she does not want the information out there? This legislation would ensure a birth certificate would be provided if it works within GDPR.

If we scrap this legislation and work off GDPR, as it would be adequate, why is there not case law relating to GDPR just yet? We have spent much time working and challenging ourselves with a really important piece of legislation. It is a pity this has not been tested in the courts. If we leave it to GDPR, would Article 12 allow access to information an a case-by-case basis to be challenged? The legislation indicates it cannot.

I think the Senator is talking about Article 21, which is the right to object. That is not a veto on data processing and it only applies in limited circumstances. In particular, if there is a legal obligation to process the information, there is no right to object. There is a kind of misconception that a person can object to or prevent data from being processed but that is not correct.

If the legislation says it can be given out, it can be given out. For example, as I have said many times now, I could get the Senator's birth certificate tomorrow and there is nothing she could do about it. That will tell me the name of her mother and possibly her father, their occupations, her date of birth and things like that. This idea that we have this kind of privacy or that parents can hide their identities from their children is, therefore, quite alien to our system.

The second thing is that contact is being mixed up with access to information. I have no idea where that is coming from. Adopted people want their information. Nobody is saying that, in all cases, they want this information to trace their parents. If the issue is contact or tracing, and a risk of this can be identified and demonstrated through objective studies, we can guard against this in a way that does not restrict people's data protection rights. It can be done in another way. There are lots of cases where there are issues between parents and children in which the parents may not want the children to be able to contact them. An example would be an abusive parent outside of an adoption context. However, in those circumstances, we do not say such children cannot know who their parents are. There are other laws out there to protect people from unwanted contact from other people. It does not have to be a secrecy law; it can be something else. You have to think about what the risk is and what the most proportionate way to protect against it is.

It is not about a veto. I am just talking about slowing up the process. We are all on the same page here. We want to give access to birth information to everybody. That is why we are pushing this legislation. It is not about a veto. I am just afraid that what Mr. Logue is suggesting could actually hold up the process.

It is not about mixing up tracing. This legislation makes sure that all of that early-life information is available. I see that the witness disagrees. It is clearly laid out in the heads that the legislation makes sure that early-life information is available. If the GDPR applied, could that be vetoed or challenged?

That right is available through the GDPR. If the legislation is passed, it may only be read in compliance with the GDPR. If this is available under the GDPR and this legislation, it was available under the GDPR alone. There is no additional benefit in passing a restricted right when a general right already exists.

Yes. I am in my office. I thank the two witnesses for the brevity and clarity of their responses. I have a few questions. I have to admit that, as a layman, I did not realise the enormity of the powers of the GDPR. It makes me wonder whether the GDPR legislation obviates the need for any legislation by this Parliament at all. On that question, are the general views the two witnesses have offered the received and accepted views of their peers in law or do they hold these views because they represent people who are seeking data and information and are therefore more aware of these issues? Are the witnesses' views in line with the general thinking on the issue?

While I cannot impute views to my colleagues, I will say that the primacy of European law is so generally accepted that when it was recently challenged by the courts of Poland, that was recognised as a profound challenge to Poland's continued following of the rule of law. It is generally accepted that European law is superior to all national legal provisions in the areas where European law applies, such as the area of data protection. It is fair to say that we are presenting the committee with the mainstream opinion.

I believe there needs to be legislation to give greater effect or more detailed effect to the pre-existing right. If there have to be restrictions for either the adopted people or the parents, they should be laid out in legislation and done correctly. At the moment, the GDPR is being misinterpreted in a way that involves reading into it a balancing test that is not really there. Even if it was there, it can only be there if given effect through legislation. This is resulting in chaos. I have sympathy for the Adoption Authority of Ireland and Tusla. They have inherited a bunch of files from a whole load of religious orders and other institutions that they really do not know anything about. They do not know anything about the people and are presented with a dilemma as to what to do. There is no guidance in legislation. They therefore take the most conservative approach, which is to give out as little as possible. I can understand that. Contrary to the impression I may have given, I believe it is essential that there be clarifying legislation. It should start from the pre-existing right of access and work back from that point rather than assuming there is no right of access and then creating one. That is the key takeaway from my presentation.

Yes, I got that point. I have a few other brief questions. I am a bit puzzled. Heads 38 and 39 deal with restrictions on the right to compensation. In his document, Dr. Logue says that this is "fundamentally incompatible with GDPR". I cannot understand why GDPR should apply in respect of restrictions on rights to compensation. Surely someone has to cap people's rights to compensation. After all, we have a budget to live with.

The way to protect the budget is not to breach people's rights. Again, GDPR is primary EU legislation and gives people a right to pecuniary and non-pecuniary damages. That relates to the traditional damages for negligence but also damages for distress. The right to compensation is not limited to damage caused through actions in bad faith. That is not in the GDPR. We cannot pass a law that narrows GDPR. That would actually create a risk that compensation will have to be paid rather than narrowing the risk. I do a lot of litigation against public bodies and the way to prevent litigation and damages is to make good administrative decisions. That is the sure-fire way to protect budgets.

The Minister said that the legislation is to guarantee the release of information that might not be subject to full release under the GDPR where there might be mixed personal data involved. My colleague, Senator McGreehan, has already mentioned this. Who is going to guarantee the rights and freedoms of others and other points of view the witnesses may not represent?

That is how the GDPR works. There is a general right of access which can only be restricted by legislation that complies with Article 23. It is up to the legislature to define how that works. It is not appropriate for individual data controllers to have to do that balancing test. That is not actually in the GDPR. The idea of mixed personal data is also not in the GDPR. The European Court of Justice has clarified that people have the same right of access to non-mixed personal data as to mixed personal data. By mixed, I mean personal data that is yours and somebody else's at the same time. There is no real distinction between those in the GDPR. It has been made up to try to limit the right of access.

It is just wrong. I cannot put it more bluntly.

I have a quick question for both witnesses. Listening to this discussion, it feels like we have been in a somewhat parallel universe on this for some time. We have been told for so long we simply cannot legislate to give unfettered access rights to information, despite many of us arguing for years that I. O'T. v. B. had been misinterpreted, over-interpreted and so on. The witnesses are saying the minimum base is the GDPR, our legislation must simply give effect to GDPR rights and anything more restrictive than GDPR will simply not be valid. It is really helpful for us to hear that. Is it an accurate summary?

My apologies; I was speaking in the Dáil. There is confusion here. Legal right of access already exists yet there are huge barriers to accessing this information. Will this legislation create further barriers to information? What specific rights may be restricted? Having listened to Senator Seery Kearney, I am now more confused. We all work with the GDPR every day. If someone comes into our office and we are trying to find something, we must go through the proper channels and get paperwork signed and so on, which is fine. We must get this right because access and how we get access for the families who want it is going to be important. From listening to this discussion, I believe changes are needed in order that families who want access can get it and do not face barriers. There always seems to be some sort of a barrier. This question may have been asked but do the witnesses believe this legislation would create further restrictions? What do we need to do to make this right?

I can answer that. Again, the starting point is that people have a right of access to their file. If there are to be restrictions, they must meet a general interest objective, as set out in Article 23, and they must be necessary and proportionate. That means there must be an objective link between the restriction and the objective and it cannot be more than is actually necessary to achieve that objective. Information and studies are needed on what is the actual harm in giving adopted people access to their files. We cannot have the anecdotalism - people saying they know somebody - that seems to have polluted the discourse for the past ten years. Somebody needs to find out what the actual problem is. I say that because we have open access almost everywhere else in Europe and there is not chaos over there. Adopted people are not turning up and murdering, attacking or harassing their parents. We need to know why we in Ireland are so special we cannot let adopted people find out the names of their birth mothers or give them their birth certificates. What is so bad in Ireland that we need to have this swingeing restriction on people's fundamental rights? That question has never been answered and if it cannot be answered, then adopted people should get all their information - end of.

The timescale is very important. Families and individuals who have been trying to access their information have come up against barriers. We must ensure this is right. We all want to do it right but timing is of the utmost importance here and is a priority for me. If there are issues with this legislation, they need to be addressed. Now is the time to ensure we have proper legislation. People might not want to access their information but people who do want their information should be able to access it without facing barrier after barrier.

I will put it this way. The only barrier I ever hear is I. O'T. v. B., which is a legal barrier. Under the GDPR, the barrier to exercising one's rights must be a practical one, as in something bad will happen to somebody else if a person exercises his or her rights. People cannot just throw out the argument that I. O'T. v. B. is the reason. There is not actually a legal barrier. If nobody can come up with a practical barrier, we should pass legislation that provides that everybody can have access to his or her own file. It could be on one page and that would be the end of it.

The legislative process, even with the best will in the world, is not speedy.

Coming from a litigation lawyer, that is quite saying something. We live in a very slow moving world but there is room for interim activity to ensure those barriers people are meeting right now are addressed without the need for legislation. As I said, this is an administrative, not a legislative, problem. There is no legislative gap we currently need to fill to allow people to get access to their information. Rather there is a problem at the administrative level in giving effect to the legislation that is already in place. Passing more legislation does not address the problem, which is to get the administration correct.

I want to ask Dr. Logue to retract the statement he made about adopted people coming up to murder their parents. It was a disgusting thing to say. That is not what mothers are afraid of. It is not what they want to protect themselves against. They do not want protection against their children murdering them. Dr. Logue should apologise for having made that comment and he should retract it. It is not the basis of what this legislation is about. It is about a balancing of rights and trying to look after the mothers this State abused for decades. It is also about giving effect to legislation to make sure the children this State ignored for decades get access to their records. It is crass and unfair that Dr. Logue would make that comment both about what mothers fear and about adopted people.

I am happy to retract that. I am glad the Senator accepts there is no issue between adopted children and their parents. I would put the question again to demonstrate what harm is attempting to be protected by restricting adopted people’s rights. That has never been identified. If it cannot be identified, then there is no issue to access.

My point is exactly the same. People are listening to these sessions of the committee who have lived their lives very vulnerably and very hurt. To trivialise or in any way be disrespectful and use terminology such that they might show up to murder their parents is unacceptable. There are people who gave birth who were minors and if they were members of particular communities, it was later important they were virgins when they got married. I have received a plethora of texts from people who are deeply offended by the terminology that was used. We can make a legal point. My personal standing on GDPR is that it overturned the IO'T ruling absolutely and unequivocally. However, it is not reasonable for any witness who comes before this committee to use trivial terminology or throw-away remarks with regard to something that is people’s lived experience and very serious.

I apologise. Let me say one thing about that in my own defence. I have clients who are trying to access and find their parents whose parents are dying because of administrative delay and blockages. They are highly traumatised as well. Adopted children's rights have to be respected. The clock is ticking for these people. As I said, I am glad members of the committee recognise there is not really an issue between parents and children. There is no harm in letting adopted children find out their identities.

Sorry, Senator, we are out of time. I ask people to have a bit of respect for the person who is chairing this meeting. I gave everybody additional time in good faith but, unfortunately, we have run out of time. I understand this is an emotive topic and there are many different views. In fairness, the comment has been retracted. We must also accept that. Unfortunately, we do not have additional time for any other questions or for the witnesses to make any closing remarks. I do not like to conduct a meeting in circumstances where there is not time for that. I thank our two witnesses for coming here today, for their opening statements and for answering the questions.

We will move on to the next session. I propose we suspend the meeting for five minutes until the next session starts. I ask members to ensure they exit from the link to this meeting and join the next meeting.

I welcome from the Data Protection Commission, DPC, Mr. Dale Sunderland, deputy commissioner and Mr. David Murphy, assistant commissioner. Once again I note that the purpose of this meeting is to engage with witnesses on the pre-legislative scrutiny of the birth information and tracing Bill 2021 and on any GDPR concerns with the provisions of the Bill. I acknowledge that this is the witnesses' second appearance before the committee as during their last appearance before the committee on 13 July, members were advised that the Data Protection Commission had recently received the data protection impact assessment, DPIA, from the Department and it was therefore suggested at the last meeting that the committee engage with the commission once again following detailed consideration of the impact assessment.

Before I call Mr. Sunderland to give his opening statement I need to advise witnesses on the issue of parliamentary privilege. As all the witnesses are appearing before the committee virtually, I need to point out that there is uncertainty if parliamentary privilege will apply to their evidence from a location outside of the parliamentary precincts of Leinster House. If they are therefore directed by me to cease giving evidence in respect of a particular matter, it is imperative that they comply with any such direction.

Witnesses will be allocated five minutes of speaking time and unfortunately, we need to stick strictly to this limit due to time constraints. We will then have question-and-answer sessions with each joint committee member. I invite Mr. Sunderland to deliver his opening statement and thank him again for his attendance today.

I thank the committee for the invitation to contribute once again to its continuing scrutiny of the general scheme of the birth information and tracing Bill. I acknowledge the important and sensitive public policy issues at play here and I am happy to contribute to these deliberations.

Since our last appearance before the joint committee in July, we have continued to engage with the Department of Children, Equality, Disability, Integration and Youth on the matters raised in our preliminary observations on the general scheme of the Bill, which we presented to the committee in July and discussed at that time.

As the Chairman has noted, we were able to inform members at the July meeting that we had been provided by the Department with a copy of a data protection impact assessment as part of the statutory consultation process under Article 36 of the GDPR. We have subsequently been in a position to consider the DPIA in full and to provide some observations to the Department. Our overall general comment and view is that the DPIA represents a considered approach to identifying and mitigating any risks to the personal data of individuals arising from the operation of the Bill’s provisions, both in terms of those making requests under the Bill and receiving data and those other persons and third parties to whom these data might relate.

In broad terms, the DPIA sets out the scope of personal data processing required by the legislation and describes the processing operations and any proposed data sharing. It also contains an assessment of the necessity and proportionality of data processing in the context of the Bill and identifies risks and evaluates possible solutions and mitigations for those risks. We are informed by the Department that the DPIA remains under review, which is good practice, as the drafting of the Bill progresses and as ongoing stakeholder engagement takes place regarding the operational aspects of the proposed legislation.

In our previous submissions to the joint committee, we also highlighted the importance of clear guidelines detailing how the legislation is intended to operate in practice for the purpose of providing clarity and certainty to the various bodies such as the Adoption Authority of Ireland, Tusla and various other stipulated organisations that will act as data controllers for the purposes of the legislation. The DPC understands that the Department has commenced a stakeholder consultation on the development of those guidelines and we in the DPC remain available, through our supervision and consultation functions, to input guidance during that process, if requested to do so.

At our previous attendance before the joint committee, we also discussed a concern regarding the disclosure of medical information of birth relatives on the basis of an assumption that the data had been anonymised. I can inform the committee that the Department has taken on board our concerns and it is now accepted that this information should not be considered as being anonymous when processed by any of the various data controllers. It should be treated as special category personal data, that is, data concerning health at all stages of processing up until disclosure to the relevant person. This is an important clarification, as it will facilitate an approach that will provide medically or genetically relevant information to adopted persons in a manner where suitable safeguards apply and it is in the interests of all parties concerned that the data would be treated as personal data and subject to the full protections of the GDPR.

On a related note, at the July meeting of the joint committee a reference was made to the Data Protection (Access Modification) (Health) Regulations 1989 in terms of the release of medical information. We are aware that a process to replace these regulations has been commenced by the Department of Health under section 60(5)(a) of the Data Protection Act 2018 and we have been formally engaged in consultation as part of that process, which is at its early stages at this point. We welcome this development and recommend that the Department of Children, Equality, Disability, Integration and Youth should take account of the development of these replacement regulations in any further reworking of the provisions of this Bill regarding the release of medical information. In other words, those sections of the Bill that refer to the release of medical information should evolve as the Department of Health updates that 1989 statutory instrument to modern-day requirements and to a more suitable set of regulations to meet the context for which they are necessary today, as opposed to perhaps in 1989.

One of the principal areas of concern raised by the DPC in our preliminary observations on the general scheme of the Bill was the broad approach adopted in head 40 to the restriction of data subject rights. I can inform the joint committee that the Department has accepted the DPC’s concerns and has committed to conducting an in-depth analysis of the circumstances in which specific rights may be restricted, including the necessity and proportionality of such restrictions, which will underpin the ongoing development of the legislation. We welcome this approach, which aligns with our published guidance note, Limiting Data Subject Rights and the Application of Article 23 of the GDPR, which also aligns with the recently published guidelines of the European Data Protection Board.

I hope that these comments will be of assistance to the joint committee and I am very happy to answer the questions members may have and I thank the Chairman.

I thank our two witnesses. I hope the committee can hear me, as there is some background noise with bells ringing in Leinster House.

I refer back to the earlier session we had with Dr. Fred Logue and Mr. Simon McGarr to ask whether the witnesses had the opportunity to hear their testimony and the discussion we had. They put forward a clear and succinct account informing us that the fundamental right to information already exists under the GDPR provisions and that whatever legislative framework we introduce should not restrict those rights in any way that is in conflict with those rights. I am conscious that I was not a member of this committee when Mr. Sutherland and the Data Protection Commission gave evidence earlier but I was involved in a previous iteration of this legislation and I put it to the previous witnesses that we were always up against an obstacle where we were told that the Attorney General's advice required restrictions being placed on the right of adopted persons to access their birth information. Many of us contested that interpretation by the Attorney General and indeed Fred Logue, Conor O'Mahony and a number of other lawyers drafted an opinion that was widely publicised two years ago saying exactly what Simon McGarr and Fred Logue have told this committee today, which is that GDPR provides a right of access and that our legislation should recognise adopted persons' right to information and should facilitate access to that birth information.

What is the DPC's position on that perspective, which is, as I said, a widely shared legal perspective but one which, unfortunately, has never, it seems, been shared by successive Attorneys General and is at odds with what we have been told by successive Ministers on foot of legal advice they received? They keep referring us to a constitutional right to privacy that they say, in accordance with the I.O'T. case, supersedes or restricts the right of access to information. I lay that out because it seems to me that Fred Logue's and Simon McGarr's approach, which is widely shared by legal experts I have consulted and accords with my legal view, has never been recognised sufficiently by the drafters on the Government side. We need to reconcile that and to ensure that our legislation recognises the right of adopted persons to information and that we give effect to GDPR rights. I am just frustrated that we have never been able to get the same clarity on that as we heard in the earlier session. I would love to hear the witnesses' views. I am sorry for the lengthy question.

There are a number of issues there. We acknowledge that this issue is complex and long-running and that there are issues above and beyond data protection and the understanding of it. Having listened to what various speakers said, including even before this meeting, I believe the long-running issue has been these competing rights. The I.O'T. case was referred to. We are not constitutional experts either, but our understanding is that each of those rights, including the right to know about your origins vis-à-vis the right to privacy, might be constrained by the weight of the other as well as by the common good. This is the complex situation we are in. It is perhaps somewhat beyond the role of the commission to comment on those constitutional matters in respect of the balancing of rights.

What I can comment on is the question of the right of access, on which the GDPR and the Constitution are ad idem, in our view. The right of access is the objective. Then it is a matter of making sure it is not overly prejudicial to the rights and freedoms of others. I heard some of the previous contributions and there was a discussion about issues of the balancing of rights and its place within the GDPR.

That brings me to Article 15 of the GDPR, which we discussed at the committee's previous meeting, and specifically Article 15.4, which states that the right of access is not absolute and that the right to obtain a copy of personal data "shall not adversely affect the rights and freedoms of others". Inherent in Article 15, therefore, specifically Article 15.4, is a balancing test that has to be carried out. It is quite clear that Article 15, relating to the right of access, provides for a really important and fundamental right. It is one of the core rights under the GDPR. The DPC is very active in vindicating that right, but it is not an absolute right. The GDPR recognises that. There may be occasions when that right has to cede because of the impact on another person. The text is specific that the right of access or the right to obtain a copy of personal data "shall not adversely affect the rights and freedoms of others".

At the last meeting I suggested that our understanding was that the proposed Bill is seeking to acknowledge the right of access and that the view of Minister and the Department was that the right of access was to be given while ensuring that a framework was put in place to allow that to be done in a coherent and clear way whereby there would be a common approach across all the relevant bodies, perhaps as opposed to individual data controllers seeking to attempt this right of balance or to ensure that these rights were given proper effect. I suggested that certain safeguards in the proposed Bill could be an effective measure to support the balancing that needs to happen under Article 15.4. It appeared to us that, in the general scheme, issues such as the information session and other such proposed measures were the Department's means by which to ensure that the right of access can be fully respected and can mitigate any adverse impact on the rights of others - for example, the rights of the birth parent, in this case the birth mother. That is not to say the DPC is saying that the general scheme of the Bill and how it is proposed provides all the appropriate solutions, but the intention is that the provision of a suite of safeguards allows for that assessment under Article 15. The proposed Bill codifies that in legislation in outlining how that Article 15.4 requirement can be met and respected. That is the DPC's view.

We believe there are complex issues at play here. The right of access is paramount but needs to be seen in the context of the GDPR and the requirement to ensure that the right of access does not adversely impact the rights and freedoms of others. Of course, one of those rights and freedoms is the right of privacy, and there are also all the rights that come into play under the European Union Charter of Fundamental Rights. The Deputy may wish to drill down a little further on aspects of my response, and I can reply further, but I will stop at that for now.

I thank the witnesses for the submission and their contributions. I have just two questions. In his submission, Mr. Sunderland mentions that developments have been made on the release of medical information. Will the witnesses speak to that progress? We heard in earlier submissions about the restrictions surrounding access to medical information and how they gravely contravene the GDPR. Will Mr. Sunderland comment on the developments in that area?

The primary place of action in that respect is the updating of the 1989 statutory instrument, which required that health data be provided to an individual's medical practitioner. This has given rise to complications, of course, in the context of access to records held by the Department of Children, Equality, Disability, Integration and Youth. We understand - we consulted on this at a very early stage - that good progress is being made on the updating of that statutory instrument and that this would involve a broad range of stakeholder engagement. I cannot really speak to that any further than that today, given that it is the Department of Health's responsibility and it is for that Department to propose what the updated legislative solution is to be. Certainly, however, it is acknowledged that there were complications arising from that 1989 statutory instrument, which inhibited the right of access, and that it needed to be updated. The Data Protection Act foresaw that in that section 60 provided that the 1989 statutory instrument would continue in force until such time as it was updated by the relevant Minister. We welcome that this work has started. Our key point, for the purposes of the draft Bill before the committee, is that we see that the Department should take into account any changes being made under that statutory instrument and make any according changes to the provisions of the proposed Bill in order that there be a synergy between the updated law in respect of that statutory instrument and what is ultimately provided for in this Bill.

I thank Mr. Sunderland. I am thinking about Aitheantas, which presented its Adoptee Voices report and survey to an earlier committee. Its report outlined the roles State agencies play in the gatekeeping of access to personal data. Could the witnesses comment on what type of regulation and oversight there is over State agencies that are responsible for information and tracing, such as the Adoption Authority of Ireland and Tusla?

The draft Bill proposes a framework for the roles of those various agencies. Of course, each one that holds data in its own right is a data controller and is and will continue to be subject to all the requirements of the GDPR.

One can see the Bill as a means to provide a core framework for how it is proposed to deal with issues in this space, but they will still retain and have obligations as data controllers. This Bill in no way diminishes those, unless there is to be restrictions imposed on the rights of data subjects, which will have to be explicitly stated and legislated for in the Bill. That is one of the issues I have already addressed. The guidance under the Bill that is to be prepared and published should ensure all of the bodies are identified as data controllers. It is an opportunity to call out, again, the explicit obligations they have to ensure they carry out their role in accordance with the legislation and they meet their obligations as custodians and data controllers for the personal data of the persons concerned. I hope that has answered the Senator's question.

I thought when I was reading the AONTAS report and I do not know whether I am misrepresenting the report, that it thought it would be on the individual person to say if somebody was not upholding or acting as gatekeepers to information. I was curious as to what oversight can or does exist to ensure legislation is adhered to, without it being the responsibility of the person trying to request information to shed a light on whether he or she is not getting the adequate information under the law, or whether there would be general oversight on whether people were adhering to the legislation.

There is a role for the line Department to ensure the Bill or the Act, if it gets to that stage, is functioning as intended. There are means by which, for example in a data protection context, a statutory code of conduct can be developed to further define the data protection responsibilities for the handling of personal data. There are tools in the GDPR that may support that overall effort. Of course, it is not the role of the individuals the Senator mentioned to oversee the operation of data controllers in respect of their responsibility and adherence, but there is the right of an individual to make a complaint to the Data Protection Commission, DPC, which will be fully dealt with and an outcome reached in respect of that complaint. That is an option, as is recourse to the courts.

I was out for Deputy Bacik's contribution so I hope I am not overlapping. We have heard from previous witnesses, including earlier today, that the Bill in its current form is contrary to GDPR according to some experts; the mandatory information session constitutes a restriction on the right of access and is incompatible with the GDPR. Can Mr. Sunderland provide his perspective on this key issue? Head 40 sets out to restrict rights and obligations under the GDPR. Is Mr. Sunderland confident such a blanket exclusion is compliant with Article 23 of the GDPR? We have also heard how head 2 of the Bill has a list of excluded information, including care provided by a parent or guardian, or the adoptive parent of a child, and that the only information permitted on relatives is whether one has a relative, the sex of the relative and whether the relative is older or younger. From a GDPR perspective, what are Mr. Sunderland's views on those points?

Head 40 is one of the points I tried to cover in my opening statement in that the Department has accepted the concerns raised by the DPC that the proposed head was inadequate on any restrictions that might be imposed. In the context of Article 23 of the GDPR, we said in July, what was proposed did not meet that standard. The Department has acknowledged that and is now working to remedy that problem. It would conduct a deep analysis as to the GDPR rights it proposes to restrict, why that is necessary, how it is proportional and necessary to do so and to do so in a way that meets the requirements of Article 23. It will revert to us on that.

I also envisage that such restrictions continue to be a feature of the Bill, that it will be a very different head by the time the Bill is formally published. That is positive and we welcome the Department's hearing our views on that. The right of access is not an absolute in respect of information sessions and I have referenced Article 15(4) of the GDPR in that the right of access cannot adversely impact the rights and freedoms of others. That is where we understood the concept of an information session. The DPC is not casting judgment one way or another whether an information session is the appropriate solution, but it was the mechanism by which we understand the Minister and the Department are trying to ensure the rights of others are not adversely affected in order that the right of access does not need to be restricted. Ultimately, it was intended to facilitate the full right of access in order that this balancing of rights could happen in an appropriate way under Article 15. That is our understanding and I am not passing judgment on the policy choices within that, but from the GDPR perspective, that is the intention of providing for that framework.

There is not much more I can say on that matter, unless the Deputy wishes to put a further specific question to me. The Deputy had a third part to her question, which I have forgotten. I would be grateful if she could remind me.

I would be interested to know if there is an example of another scenario where one is entitled to information, but there is something like a mandatory information session one can do in advance or if this is an outlier. I would be interested to know if that is a common practice. Head 2 of the Bill has a list of excluded information, including care provided by a parent, guardian or an adoptive parent of a child. The only information permitted regarding relatives is whether one has a relative, the relative's gender and whether that relative is younger or older. What are Mr. Sunderland's views on that from a GDPR perspective?

I am not aware of any other such examples of information sessions, but that is not to say it is inherently problematic. I am not passing judgment one way or another. It is simply from the perspective of trying to ensure the right of access is fully respected, in that the rights of other individuals are not adversely affected and then a controller, or in this case, the Department and the Minister are proposing there should be safeguards in place. One of the safeguards identified is an information session. It is not to say some other safeguard would not provide an equally appropriate means by which to ensure Article 15(4) is respected.

With regard to the point under head 2 and the exclusion of certain categories of data, if that is to be seen as a restriction of a data subject's rights, and acknowledging the GDPR provides for the restriction of rights, it has to be justified as such. I would like to reflect on it again, hearing some of the comments earlier, but in principle, the balancing of what the Department is trying to achieve here is feasible once the requirements of Article 23 are adhered to. If something is not explicitly restricted in the Act or the proposed Bill, the GDPR still provides and the rights still stand. If there are elements of data, other rights or other areas of activity by each of those controllers which have not been explicitly restricted in the Bill and there is no other explicit legislative restriction in either primary or secondary legislation, the GDPR still applies in full to those other areas.

A concern was raised that if there is a restriction in the Bill or if something is captured in the Bill, that would mean controllers are free of other rights. That is not the case, if it is not explicitly provided for.

I would like to briefly make one further point in response to the comments from Deputy Cairns. Part of the question under head 2 is whether the data is personal data, and that is part of the consideration here. Some information about family members may not necessarily be what is termed "mixed data" and a relevant body may hold information about family members that is not personal data of the adopted person. That is a consideration in play in head 2 which gives some rationale for the exclusion of some data.

I thank the witnesses for the presentation, which is very interesting and worthwhile. I am glad to hear the Data Protection Commission has been working with the Department and there has been very positive feedback from the Data Protection Commission, which is welcome.

I do not have many questions. We heard from previous speakers that this legislation is unnecessary. Do the witnesses think the legislation is unnecessary or is it a useful framework to ensure individuals get that access to information? If we did not pass this framework, is there a situation within GDPR legislation that could work to hinder, extend or restrict that access to information? I have a further question. We heard in previous contributions that this legislation is contrary to and restricts GDPR and is anti-EU law. In the opinion of the witnesses, is that the case or is it actually complementary legislation that works within GDPR?

In brief, we think the legislation can operate to give full effect to and a framework for facilitating those rights, as the Senator said. As Mr. Sunderland said, it is not the necessarily the role of the Data Protection Commission to make that decision as to the necessity of legislation on the basis of constitutionality. What we have been looking at is whether the heads of the Bill, and the Bill as may be enacted, will conflict with or restrict the rights afforded by GDPR. Essentially, to answer the question, in our view, the role of this legislation is to give full effect to the rights that have been determined to exist for adopted persons. It is for us to ensure, in our guidance to the Department under the consultation process under Article 36 of the GDPR, that we do not find anything in the provisions that conflicts with those rights or restricts them in an inappropriate, unnecessary or disproportionate manner.

My apologies, the equipment works nine times out of ten. I thank Mr. Murphy for jumping in there. I want to concur with what he said. What we have seen in practice, as the previous session highlighted, is lots of complexity and uncertainty in regard to how data requests and the right of access were to be dealt with in this challenging and complex area. Therefore, we see the Bill as providing some of that clarity and certainty, as long as it is done in a way that respects the primacy of EU law and adheres to EU law, in particular in regard to the restriction of any rights.

The Senator asked what may happen absent this legislation. What will happen is what will continue to be the case, that is, each controller will be responsible for assessing access requests under Article 15 and they will each have to turn to Article 15(4) and ensure the rights of others are not adversely affected. Therefore, there is in theory and in practice, as we have seen already, some scope for divergence in terms of how requests are being handled. The Bill clarifies a lot of issues. It provides in favour of access but with safeguards, and that is the key point that appears to us from our look at the proposed heads.

I thank the witnesses for coming in. Access for all is the main concern in regard to this Bill and whether people who want to access information can do so. Mr. Sunderland referred to restrictive access. When we talk about access and restrictions, it is important that we know what they will be. While we are all delighted to see legislation coming, we have to make sure this legislation is proper and that people who want to access the proper information can get it. The witnesses know that we sometimes pass something but, then, when someone makes an inquiry, there is a barrier, for example, with regard to GDPR. I am always careful about GDPR when I am looking for information for people or trying to access something in my different roles. Will there be any restrictions and can the witnesses commit that there will not be? Do they see any issues arising that may be of concern?

I welcome the witnesses. I know they have all had incredible engagement with the different Departments, as has been said and I will not repeat that. However, due to the concerns raised at the other meeting, I feel that to have this legislation done properly and to ensure we get it done 100% right is very important. As I said at the other meeting, timing is another issue that we need to address as quickly as we can.

I thank the Deputy. First, the intention, as we understand it, is that the full right of access would be respected. Any of those other matters which we have discussed already, such as the information session, are for the purpose of trying to provide safeguards in ensuring this balancing of rights takes place in a way that allows for the fullest of access to the personal data concerned. We obviously have yet to see in greater detail what the Department proposes as a further development of head 40 and the restriction of rights. Our understanding at this stage is that, with regard to those further restrictions of data subject rights, it is not intended to restrict the right of access but rather to maybe restrict the rights of others to ensure that the right of access can proceed and is fully facilitated. As I said, we need to see further details from the Department in that respect. As it stands, head 40 is intended to facilitate the right of access to the information encompassed by the Bill rather than to restrict it further.

I think that on balance, from where we stand, and obviously we are not really central to this, it is necessary for the reasons I have already outlined, in that there are huge complexities around this balancing of rights. From our perspective and from a data protection perspective, there is a lot of uncertainty and lack of clarity around what the right of access means in this specific context.

There is a choice when the Government proposes legislation and the Legislature ultimately enacts it. There is a choice not to have a Bill, of course, but from our perspective, it does provide further clarity and certainty around how personal data in the scenario which is the subject of the Bill is to be dealt with. It can be done in a way that is aligned with EU law and that ensures any restrictions meet the requirements of EU law in Article 23. It can also be done in a way that addresses the bigger context of the long-challenging issues around the constitutional requirements and judgments of the Supreme Court. The Bill tries to grapple with a very complex matter. The DPC is not saying that all of the policy choices and safeguards in the Bill are the right ones, but we acknowledge that they are seeking to address a complex issue, namely, the facilitation of the right of access to the fullest extent possible while taking account of the other issues that need to be taken into account vis-à-vis Article 15.4 in particular, which I have referenced already.

It is our absolute desire that individuals have access to all of their birth information, to their identities and to identifying information. That is everyone's objective but in that there is obviously the person who gave birth and the person who has an entitlement to information. When we look at the other rights under the GDPR, not the subject access right but the right of restriction, can the birth mother restrict the right of access in the absence of this legislation?

There is a right to object to processing. In the absence of legislation, the balancing test under Article 15.4 would still have to be carried out but it would be done absent of any legislative framework or any reference to such a framework. Each controller would have to do it individually, which may give rise to nuances and inconsistencies in terms of how each controller sees their obligations and their understanding of the rights of the various parties. It is also the case that any restriction of rights by a data controller needs to be set down in law so any potential restriction of the right to processing on behalf of a data subject that the controller wishes to implement would have to be done through some other legislative means. It is complex and is not completely clear cut because many aspects of the GDPR come into play, depending on the lawful basis that is being relied on for the processing. Processing in the public interest is probably the context here. Setting it out in law sets out the public interest to be achieved by the restriction. Generally, it is always more advantageous that all of the issues are set out in primary legislation under one Bill rather than having disparate pieces. Obviously, however, Article 15 stands on its own and will continue to stand. Any restrictions that the Bill might bring forward will have to be done in that context. EU law, and its primacy, still stands and the Bill cannot run contrary to it. Policymakers and the Legislature have to ensure that what is in the Bill respects EU law and from what we have seen so far, that is certainly what they are trying to achieve here.

My concern when I read Article 15.4 is that if it is left to the discretion of an individual controller and it is not codified, then the balancing of complex issues becomes more difficult. Article 15.4 will then become a defence to non-disclosure where disclosure is being pursued by an individual entitled to that information. In that context, we need legislation to take it out of the hands of individual controllers so that there is a basis upon which litigation can occur if disclosure is not made. We do not want it to become an impediment. I see Article 15.4 as covering an entitlement to information but also acting as a defence not to disclose. Quite often the GDPR is used and abused so as not to disclose and we want to avoid that. By codifying it, we are taking it out of the hands of any individual controller and are creating a basis on which litigation could occur and removing that defence, as such.

In the previous session, I asked if I can restrict the processing of my data if it is relates to giving birth to a child. I was informed that I cannot restrict anything that is data belonging to another person. I would not have considered it to be that absolute.

The way I would come at that in the context of the right of access is via the concept of mixed data. While it is not referenced in the GDPR, it is a reality that comes into play in scenarios where a birth certificate contains information about more than one person. The rights of the other person have to be taken into account. One cannot say that a person cannot have access to one's own data because there is an equality of rights for both data subjects. This is what Article 15.4 is also trying to get around in order to ensure that there is some mechanism by which the risk of an adverse impact on another person is taken into account. In the context of the proposed Bill, as we understand it, the constitutional requirements and also commitments given to mothers in the past all have to be taken into account in trying to strike the right balance. That is what the proposed Bill is trying to achieve. It is trying to avoid adverse impacts and that section of the Article 15 requires that balancing test to be conducted. That is the context in which I would view it. An individual cannot tell a data controller that he or she must never release anything about that individual, even if it is contained in a birth certificate. The controller has to look at that in the round. The controller will consider the wishes of the individual, determine whether there are adverse impacts and then decide if the provision under Article 15.4 restricts in any way the right of access. Some of these issues should be developed further under head 40, where there are other restrictions being imposed including, for example, restrictions related to the rights of third parties. If there is an intention to restrict their data subject rights, that will have to be fully addressed, explained and worked out in the proposed Bill under head 40.

Yes that is one mechanism but whatever way it is done, it must be provided for by legislative means. I have also seen examples where powers are given to the Minister to implement statutory instruments. In that way, one could put on a statutory footing certain aspects of how the right is to be further restricted.

The DPC's general point of view is that it is preferable this would be included in the primary legislation. As was said, it would be possible then to use a code of conduct to set further practical standards for its operation and to ensure all data controllers implementing the restriction do so in the right, common and standardised way.

I thank the witnesses for their engagement. From listening to the other questions, there still seems to be a difference of views. We heard clear testimony from our earlier witnesses that some of the provisions in the proposed legislation, such as the proposed age limits in heads 3 and 5 and the mandatory information session, were incompatible with GDPR rights and were too cumbersome a restriction on the right of access to be proportionate in accordance with the provisions of GDPR. The witnesses may not wish to stray into that level of detail, but do they have views on that aspect? I ask this question because I think there is a difference of view between what we heard earlier and what we are hearing now in respect of what would be necessary and proportionate as a restriction on the right of access. Very different views have emerged in this regard from the two sessions.

From a general perspective, we see the intent of the proposed Bill and we know further work has to be carried out on it. This does not fully answer the Deputy's question, but some elements must be worked out further. Therefore, we are satisfied they do meet the proportionality and necessity requirements under EU law. An information session is identified as a safeguard under the proposed legislation. As I referred to already, it is not inherently or necessarily repugnant to the GDPR. It is just one of the solutions or options the Department has chosen and the Minister is proposing to allow for that balancing of rights under Article 15(4), and that may be quite appropriate.

The age limit for this framework does not stop an access request from a minor in other circumstances. Unless the legislation explicitly restricts all access requests from a minor, the right of access under GDPR still stands. Further rights to request access may exist outside of this framework, but the proposed Bill is trying to implement a framework to allow these issues to be addressed and done in a coherent and consistent manner. I do not have anything further to add on the issues the Deputy has raised other than to say that, from our assessment at this stage, there does not appear to be anything that is overly problematic here, but we are still reviewing the proposed legislation. We did raise issues with the Department and we will want to see a further iteration of the Bill before we would be happy to say one way or another that there are no concerns from a data protection perspective.

One last observation is that from an objective reading it seems requirements like the mandatory information session are cumbersome and pose a practical obstacle to the accessing of information. Having listened to the earlier witnesses, it seems hard to justify such requirements or to see how they could be justified under GDPR, which of course takes priority over the Constitution. That is where I am coming from on this issue. An approach is still evident in the heads of this Bill that is unduly deferential to an assertive privacy right rather than taking the starting point as the right to have information, whereas GDPR requires the starting point to be the right to information.

No, I think we have covered everything we possibly can now. I reiterate we are happy to have had the opportunity to have engaged with the committee again, and if there is anything further in which we can support the committee, we are available to do so. I wish the committee every success in the completion of its report.

I wish to clarify, because there was no time earlier, that when I was speaking to Mr. Sunderland, the point I was making regarding the information concerning the care of a person was that information is the personal information of the person concerned, even if it is relevant to somebody else. Information on the care of a person is that person's personal information, and that was what I was asking about. I just wanted to clarify that was what I was getting at, and to thank the witnesses.