
Joint Committee on Justice and Equality debate -
Wednesday, 21 Jun 2017

General Scheme of Data Protection Bill 2017: Discussion (Resumed)

Apologies have been received from Deputy Clare Daly and Senator Frances Black. I ask everyone present to switch off their mobile phones because such devices can interfere with the sound recording system. The purpose of today's meeting is to continue our pre-legislative scrutiny of the general scheme of the Data Protection Bill 2017. I welcome Mr. Denis Kelleher, who is a barrister and author on data protection law in Ireland. On behalf of the committee, I thank him for his attendance at today's meeting to discuss this important legislation. The format of the meeting is that I will invite Mr. Kelleher to make an opening statement, to be followed by a question and answer session with the members of the committee.

Before we begin, I want to draw Mr. Kelleher's attention to the situation in relation to privilege.

Witnesses are protected by absolute privilege in respect of the evidence they are to give to the committee. However, if they are directed by it to cease giving evidence on a particular matter and continue to so do, they are entitled thereafter only to qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person or an entity by name or in such a way as to make him, her or it identifiable.

Members should be aware that, under the salient rulings of the Chair, they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable.

I invite Mr. Kelleher to make his opening statement.

Mr. Denis Kelleher

I thank the Chairman. I will not read through my statement which I realise is quite lengthy but will instead highlight some of the salient points.

Data protection law will become extremely complex in the next few years. Currently, we have one single data protection Bill, with a general data protection regulation, GDPR, which is to apply to the State from May next year and to which, with the data protection directive, we will see further layers of complexity being added. In addition, we will have a residual domestic regime and many other items of legislation coming through the system, as well as the privacy regulation. Rules may also come from the European Union about foreign and security policy. One of the key points to make is that data protection is no longer being settled at a legislative level. There are many rulings coming from the European Court of Justice. They will change significantly what data protection is and this will have a big implication for the State also.

I make five submissions on the five headline comments, namely, the role of the Data Protection Commissioner; whether the existing Data Protection Acts should be repealed, replaced or amended; the role of identification services under the general data protection regulation, GDPR; the role of the Oireachtas under the GDPR; and damages.

I will make some submissions on the role of the Office of the Data Protection Commissioner. The main point to take into account is under existing law that the Data Protection Commissioner is fully independent. It is important to realise the European Commission has prosecuted Austria, Germany and Hungary for failing to have a properly independent data protection commissioner. We can assume from this that it has examined intensively the independence of the Data Protection Commissioner and is satisfied that she is independent in accordance with the current law. However, I have some queries about the legislation. One issue I wish to flag is the delegation of functions under the Civil Service Acts. In terms of what is happening, many of the Irish drafting conventions provide for issues such as the delegation of Ministers' functions to the Data Protection Commissioner; but that is open to being misconstrued. Perhaps the phraseology should be "... should delegate the functions". There are a few such technical changes. Somebody who is well versed in the Civil Service Acts and the way civil servants are controlled and disciplined by the State understands the importance of the independence of staff not being interfered with, but it would be wise to change the drafting to ensure there would be no appearance of bias in that regard.

Depending on how the Data Protection Commissioner uses her office, she may not need a seal. It is adding a layer of bureaucracy to the process that may not be needed.

The provision in the Bill dealing with the prohibition on the unauthorised disclosure of information is very good. It is a clever provision. On the other hand, I question whether we need to insert "gateways" to ensure the Data Protection Commissioner will be able to properly share information with other public bodies such as the Garda if it wants to bring a prosecution, the Director of Corporate Enforcement and so on.

I make a detailed submission on the imposition of fines on public authorities. I am aware that it has been controversial, but the Data Protection Commissioner is strongly of the view that she should have powers to impose fines on public authorities. I have sympathy for that view. On the other hand, one needs to question whether the imposition of a fine is an effective deterrent for a public authority because if we think about it, both the Data Protection Commissioner's office and the public authority are funded by the State. If the commissioner imposes a fine, it will go back into the general fund from where the money for the public body came. Essentially, all we are doing is creating a circular transaction. An issue I have with it is that it detracts from the real deterrence for public bodies which is twofold. One concerns claims for damages. They may be sued by a member of the public. The other major concern for public bodies is that they may be found to be processing personal data in breach of the Data Protection Acts. They may be found to be processing personal data illegally, which will mean that any decision they have made in processing that personal data may be invalid. That is a big concern. There is limited awareness in the public sector of how significant an issue this may be in the future because if personal data are processed without a proper legal basis, under Irish law, it will be done illegally. That raises a range of issues about whether penalties can be imposed on a person on the basis of personal data possibly being processed illegally.

Another point I discuss in some detail concerns the possible repeal of the existing Acts. This is a very interesting question. I agree with the Data Protection Commissioner that “... a patchwork presentation of the new Irish law in the form of a 2018 amendment Act rather than a completely new stand-alone Act does not create the impression of a new, modernised regime”. That is correct. On the other hand, my concern about repealing the old Acts in their entirety is that they deal with the processing of personal data for national security purposes. We are very fortunate in Ireland that we do not need to engage in much processing for that purpose.

My concern about the repeal and replacement of the legislation relates to timing. The Data Protection Bill has to be on the Statute Book by May next year. It is an enormous item of legislation. As members know, these are just the heads. There is an absence of detail which will be added by the Parliamentary Counsel. If we were to try to do these two things at the same time, namely, set out the residual regime which potentially is still significant and the new GDPR regime, I question whether the Oireachtas would be able to allocate the proper length of time to debate the legislation. That is the reality.

Could the Parliamentary Counsel deal with this issue and, for example, leave what one might term the rump regime in order that we would have an entirely new Data Protection Act? We would leave behind the rump regime in order that the State could return to it at some stage in the future and deal with the residual regime. In reality, there are very small areas of processing in Irish life that would be subject to the rump regime, but I understand we need a residual regime in that regard. I agree that it does not give the right impression by phrasing the new data protection Bill as a sequence of amendments to the existing Data Protection Acts. It would be better from the point of view of perception and for people who have to deal with this legislation on a day to day basis to have an entirely new data protection Bill. I hope that could be dealt with as a drafting issue.

The next issue might be the most controversial. It concerns identification services. Many queries have been raised about the processing by the State of identification data. The reality is that under the GDPR such data will have to be processed. Social media providers and persons engaged in profiling will have to be able to distinguish between children and adults. That is a legal obligation. They are subject to onerous fines and open potentially to very serious claims for damages if they process the data of children where they are not supposed to do so. Social media providers, fintech firms and so on will have to be able to identify who is and is not a child. This raises the question of who will be involved in the identification. Essentially, there are two choices. The default position is that that identification will be made by the market. The market will provide a solution and it is already doing so. I would prefer, however, if that was not the solution. I would prefer if the State provided a solution. As a public servant, I have a bias towards the public sector, but it is better to have the Government providing the identification service. Where there is access to remedies, fair procedures and rights and the ability to see clearly what is happening with my data, it would be better if the State was providing that service.

The important point is that the GDPR will require identification services to be provided. There is no avoiding it. The question is who will provide them. If a decision is taken that the State will not provide them in the future - the State is not in a position to provide them at present - there is the default position and we will have to use social media or some specialist provider to provide identification services.

I do not believe that is good, but that is my opinion.

On the role of the Oireachtas under the GDPR, I wish to flag a couple of points. One is that it is going to take into account the fact that the Data Protection Commissioner will have a significant role in the future. The commissioner will have to be consulted on data processing and the legislative amendments that provide for the processing of personal data. That will significantly increase the workload of the commissioner. I suggest some mechanism to take into account these submissions. Given the level of data processing one will see in the State in the coming years across a range of functions, one must ascertain whether it is appropriate to continue in an ad hoc way. Should some framework be set out in order that one can consult in early course? Obviously, it is highly desirable for the State and the Oireachtas to consult the Data Protection Commissioner as early as possible in order that issues can be identified and dealt with.

The second point I wish to make is about the legal basis. There is a rather technical debate under way on the extent to which one needs a legal basis and how far it goes. As I said, I can leave that issue to one side. I made submissions to the Oireachtas Joint Committee on Public Expenditure and Reform which has referred the matter to the Oireachtas legal service, but there is a significant point of discussion about the extent to which, if the State is to process personal data, that needs to be called out in legislation. I suggest it may be dealt with to some extent in legislation. Certainly, one could bring forward amendments. One could have an amendment that would enable a Minister or another relevant body to make regulations setting out the criteria the GDPR required a law to display. It could require that laws providing for the processing of personal data identify factors such as the purpose of the processing and the retention period. If the Minister were to take the view that an existing provision that allowed for the processing of personal data such as in the payment of a grant were not sufficiently detailed to meet our obligations under the GDPR, a power would then be granted to make regulations setting out the detail required. That might be useful. There was a discussion the last day about whether one needed to make a specific provision in the GDPR for the award of damages. I am not sure one does. It is a drafting issue. I personally do not believe a specific provision is needed for the award of damages. The GDPR plainly provides for the award of material and non-material damages. I understand the preference at European level is that unless we definitely need to make an adaptation of national legislation, we should not do so. I do not see the need to make that amendment now. The provision in the GDPR that may allow for the taking of class actions and the bringing of actions for damages before the courts is very interesting. 
It is very significant, given the nature of data processing. The data processing system processes everyone's data in the same way. What would occur in compliance with the GDPR in the case of one person would occur in the cases of a large number. One of the key issues the GDPR does appear to address is whether one can bring class actions. It states one can bring group actions where provided for by member state law. As members know, Irish member state law does not provide for class actions. It does cover representative actions. Certainly, on the basis of discussions with my legal colleagues, I believe there would be no surprise if people were to seek to bring class actions or rely on this provision. It is only the Irish rules of court that prevent class actions from being taken. There is an argument made that these rules of court should be adapted to allow for class actions. This poses the question as to whether it would be appropriate. If one believes it is, how would one manage them? That is very significant.

People become very focused on the issue of penalties. The penalties are not as important. There are two points to be considered in this regard. With regard to the public sector, the main point concerns the illegality. It will be very difficult for the public sector to operate. If it processes personal data in breach of the GDPR, it will have a big problem with illegality. Many of its functions will have to be stopped until it can process personal data legally. The second point concerns damages which are a very real prospect and a very real deterrent. Obviously, data subjects who can claim damages will prefer to get damages directly into their pockets rather than have fines awarded. The imposition of a fine on a public body or private sector entity may give a subject some satisfaction, but the award of damages will obviously give them money. Being what they are, people would prefer to opt for the money, not the satisfaction attached to the imposition of a fine. If anything is to change in the enforcement and status of data protection law in Ireland, it is the latter point on damages. It is very significant and will have a significant impact on budgets. If a public body makes an error in the processing of personal data and faces a large claim for damages, it is a problem. As we know, the State has faced very significant claims for damages, amounting to hundreds of millions of euro. There is a great danger that if it does not get the processing of personal data right, it could face similar claims for damages in the future.

I thank Mr. Kelleher. I appreciate both his written submission and his oral expansion on it.

I thank Mr. Kelleher for attending and sharing his expertise with us. I have a couple of questions for him. Is he concerned about the way the legislation applies to State entities? I am thinking, in particular, of the fact that it requires data sharing to be carried out in accordance with law, but the law seems to be slightly extended. Am I right in saying it includes issues such as those concerning memoranda of understanding?

Mr. Denis Kelleher

An issue arises with data sharing. There was a separate committee and there is a separate data sharing Bill. My main concern about this legislation is the scenario in which all data protection legislation is moving towards circumstances in which one will need a great deal of precision in how one processes personal data. Therefore, the law does have to call out a lot of these issues. On the one hand, if a Minister has power to process a grant application, there is an implicit power to process personal data in respect of the application. On the other hand, there is much data sharing within the State sector on the basis of the Supreme Court's judgment dating from 1990 in the case Desmond v. Glackin.

With regard to a Minister processing a grant application, under the draft legislation, does it come within the definition of "in accordance with the law"? Is Mr. Kelleher's concern that if it is not set out in legislation, it could fall foul of the regulations?

Mr. Denis Kelleher

That is precisely the concern. Many data subjects will not object to the processing of their personal data for the purpose of being paid a grant, obviously, but if they do not get it, they may object. There are, under Article 6.3 of the GDPR, some specific elements that have to be within the law. There is a debate on whether the provision needs to be in every item of legislation that provides for the paying of a grant. In that regard, I suggest this issue be addressed by the GDPR essentially setting out that Ministers can create statutory instruments, perhaps, to include relevant elements, if they consider it necessary to do so, to allow themselves flexibility, reserving a position that where there is a general power to pay out money or process people's personal data in a particular way, one can do so. The issue of data sharing arises in that the structure of the State is such that each Minister is in charge of his or her Department. Each Minister is, therefore, a data controller. The classic example involves the transfer of data from the Department of Health to the Department of Social Protection. Section 8 of the Health (Alteration of Criteria of Eligibility) Act 2013, which is quite obscure, provides for the Revenue Commissioners or the Department to go to the Department of Social Protection to access information and vice versa. Where one provides for the payment of a disability grant from the Department of Social Protection, for example, that Department could access the systems of the Department of Health and Revenue to identify a person's health records to ascertain whether he or she is really disabled and his or her income to determine whether he or she should receive the grant. That is the power needed in the sharing of data. One needs to consider the complexity of the data sharing and the impact on individuals. What the GDPR is doing is bringing a layer of complexity to these decisions.

Mr. Kelleher has mentioned his concern that a breach of data protection regulations by a State entity could expose the State to either a class action or the award of considerable damages.

As Mr. Kelleher mentioned, the State has obviously faced representative actions before. The most serious, for example, were from women infected with damaged blood products. They received significant awards. Would Mr. Kelleher not agree, however, that a breach of data protection would be unlikely to result in a significant award of damages? I do not know if there are international examples of this.

Mr. Denis Kelleher

The only judgment we have on this case is Collins v. FBD. Mr. Collins was a painter whose van was stolen. He made a claim but his insurance company did not pay out. The van eventually showed up and he withdrew his claim. While he was claiming from the insurance company, however, he made a data protection access request which the insurance company ignored. The Circuit Court awarded him damages of €15,000 in respect of that ignored data protection access request. That is a significant amount of money. The case then went to the High Court, which took the view that he was not entitled to non-material damages. He got €15,000 then simply for the failure to process his access request in a situation where he could not show any actual damages because he had got his van back and had withdrawn his insurance claim. The sum of €15,000 for a reward-----

If there were a lot of these kinds of awards, it would be significant.

Mr. Denis Kelleher

Yes. If one had a Department with a system that was failing to process some quite basic access requests it is easy to see how one could get 1,000 such claims. We would then be into €15 million. It is a significant issue. With regard to claims in the past, it is difficult to say. Claims have been settled in the past for figures of €10,000 for things like failure to secure a CCTV, for example. There are currently differing views as to how much claims would settle for. It is likely, however, that they would be significant.

Mr. Kelleher also mentioned that he did not think that fines for public authorities were sufficient because the money is just going around in a circle. What else would he consider an appropriate penalty for a public authority?

Mr. Denis Kelleher

The very real penalty faced by the public authorities is the illegality of processing data illegally. We have seen recent examples of people failing to follow proper procedure and cases then being struck out. There is a very real issue here where public bodies that fail to process data in accordance with the Data Protection Acts will effectively be processing that data illegally.

What is the consequence for them, however, in terms of a penalty? They are informed that what they are doing is illegal.

Mr. Denis Kelleher

They are then unable to perform their statutory functions. If, for example, the Data Protection Commissioner was to impose a fine on a Department of €1 million, as a result that Department has to either stop providing services to citizens or alternatively get an emergency allocation of €1 million to make up that loss. The fine does not go to the Data Protection Commissioner, it goes into the general funds. In a sense then there is a circular transaction. I am going to state, in the classical lawyer fashion, that this depends on which direction one wants to follow. The preference in this State is that public bodies not fine other public bodies because that is seen as a circular transaction. This has been the convention to date in this State.

In my view, the very real penalty that would be imposed on public bodies would be twofold. First, they would not be able to do their job and consequently would have a problem there. Second, if the DPC decides that a public body is processing personal data illegally then the data subject in question would be able to bring claims for damages against that body. That may be a very real penalty on them.

One final question before I hand over to my colleagues. The witness mentions that he would prefer if the identification or processing of data were the responsibility of the State rather than that of the social media providers. Realistically speaking, is this market too big for the State to effectively regulate?

Mr. Denis Kelleher

No, I do not think it is a question of regulation.

Or of identification?

Mr. Denis Kelleher

There are plenty of examples of European states providing effective identification services. I realise that this is quite controversial in the context of the current debate on the public services card in Ireland. The difficulty here comes down to the question as to who one wants to process one's personal data or be responsible for one's identification. If the State is responsible for this then the individual has many protections through such things as judicial review and fair procedure. If a social media company is doing that identification then the individual's ability to get protective oversight is much lower. The individual then either brings an action before the courts him or herself or else uses his or her rights of access and goes to the Data Protection Commissioner. I understand that there are, for historic reasons, good arguments as to why the provision of identification services by the State is controversial. On the other hand, however, we have to look at the reality of today, which is that the alternative to the State identifying individuals is that this be done by a private sector body.

How many members of staff might the State require to fulfil this identification function?

Mr. Denis Kelleher

I do not know.

Would it be considerable?

Mr. Denis Kelleher

It is a question of where the State would go with this. There is an issue in the Department of Public Expenditure and Reform as to how it can either provide identification or identify people. The reality is that the State is making a choice here. If the State does not provide identification services, the market will.

We are just handing it over to the private sphere if the State does not get involved.

Mr. Denis Kelleher

Yes. That is the choice. I am not advocating one or the other but that is the choice we are making and we have to be realistic.

I thank Mr. Kelleher for his presentation. This matter seems to be growing more complicated by the day.

Mr. Denis Kelleher

I know it is, yes.

I think I know less about it now than I thought I knew at the start. On the last point, the argument seems to be on whether Big Brother is an element of the State or of the private sector. It is a difficult choice.

Mr. Denis Kelleher

Yes.

I suspect that the Irish State will not want to do this and will probably be happy to leave it to the private sector.

Mr. Denis Kelleher

Yes.

I would probably be more comfortable with the State doing this. For all the concern I might have about this, I would have more concerns about the private sector because it obviously has an ulterior motive. The private sector makes money and it makes its decisions and does what it does in order to maximise earnings. That would be the driving force for the private sector if it were to get involved in this area. Does Mr. Kelleher not think it absolutely imperative that the State takes on this role?

Mr. Denis Kelleher

My personal preference is that the State take on this role. This is a policy decision for the Oireachtas and for the State as to which road we go down. There is a tendency to phrase this in such a way that the only identification mechanism available is one run by the State and that if the State does not provide this then we will not be identified by anyone. In reality, of course, the general data protection regulation will force social media providers to identify who is and is not a child. The question then is: who is going to do this? The social media providers undoubtedly have the capability to do this at the moment. Somebody like myself and many other people might not like to be clearly identified by a social media provider or private sector company. We would prefer to have the State be in the position to do this. There are obviously risks attendant to that. There will also be costs.

At a guess, what kind of costs? Does the witness have any idea what the cost would be to the State if it were to take on this responsibility?

Mr. Denis Kelleher

I do not. There is a whole issue around the running of information systems across the State. If we were to have an identification system then the most efficient way to run that and to lower the cost would be to pool all of the data into one giant database. We would then get into other data protection concerns, of course. This is not a risk-free outcome either. We have to compare it to the alternative, however, which would be a private sector monopoly on the provision of these services. The reason the GDPR is so blasé about the need to identify someone as either an adult or a child is because most other European member states do this as a matter of course. As members know, people living on the Continent must have their ID cards on them at all times.

If a policeman asks a person to identify himself or herself, he or she has to produce ID. If the person does not, the policeman can arrest him or her, bring him or her to the police station and hold him or her there until he or she identifies himself or herself. For historic reasons, they have a quite different regime from ours. It is a very significant policy change for us to say that the State would be in a position to definitively identify all its citizens. The problem is that is happening anyway. Everyone in this room, I assume, has a mobile phone. We all are effectively identified by that anyway. It is quite easy to track our movements across Dublin at any stage through our mobile phones and then to track our conversations, etc. Effectively, we are being identified anyway. We are being identified through our faces. If a person walks through the streets of London, they have facial recognition technology which will track him or her from one point to another. The question is who is going to do this identification. Is it going to be the State or is it going to be the private sector? Is it going to be the market providing the solution or will it be the State? It is a significant question. It is a question that the GDPR was going to force us to answer, one way or another. If we do not answer, it will just default to the social media companies.

Mr. Kelleher started off talking about how important it is that the Data Protection Commissioner is truly independent.

Mr. Denis Kelleher

Just to be clear, she is truly independent. It is just the perception. I do not mean to interrupt the Deputy, but she is absolutely independent at the present time. There is no question about that.

There have been three challenges to the independence of data protection commissioners in Europe - in Germany, Austria and Hungary. I guarantee that when those three member states were being prosecuted before the Court of Justice, there would have been a review undertaken of breaches of other member states' independence and clearly the Irish regime passed. One can say it definitively. I would have reviewed it. One will see a reference. She is independent at present. The question I would have is about perception of independence and whether the drafting needs to be tweaked away from current Irish conventions of drafting to make clear that such independence is there.

If the Government decides on a yearly basis how much funding she will have access to, does that not limit her independence?

Mr. Denis Kelleher

Frankly, it is clearly an issue. The point to be made there is that it is the GDPR and the European Legislature that have decided on the funding mechanism. There is no provision within the GDPR for the Data Protection Commissioner to be self-funded. I believe there was a debate within the European Legislature, within the European Union, as to whether or not one could create a self-funding mechanism. They have not gone down that route. Instead, what they have preferred is that she has to be funded by the State. There have to be protections in there around her funding but she has to be funded by the State. The State, whether one likes it or not, has no option about that.

Obviously, there is the question of what sort of safeguards one can build into the legislation in relation to that. According to the heads of the Bill, that is still being discussed. However, the reality is there is no other funding mechanism available to the State in relation to this. For example, there is no mechanism for the Data Protection Commissioner to impose levies or fees in any way.

Would there be any merit in Europe deciding just how much she should get on an annual basis?

Mr. Denis Kelleher

It is hard to see how. That would be conceding some sort of budgetary control. There is no mechanism by which one could do that at present.

In terms of how they have set out the legislation, they have done it in an interesting way. Instead of social media firms and persons who process personal data funding the Data Protection Commissioner's office, every significant data controller in the State has to hire his or her own data protection officer, who is like his or her own mini-supervisor. That person is somebody who will effectively review, I suppose one could say, data protection within that organisation. That is how they are funding that. Otherwise, if they did not go down that route, one of the concerns is one would end up with an enormous data protection commissioner's office with thousands of staff. At present, I am not aware of any proposal that the funding would be set at a European level, but under the legislation she has to receive sufficient funding to allow her to do her job.

For my last question, Mr. Kelleher was talking about how one would deal with those in public bodies which infringe people's data protection rights. He stated that if there were fines, it would be merely a circular movement and the money would just go around.

Mr. Denis Kelleher

Yes.

Is it a problem if there is no real deterrent for officials to be careful in how they are doing it?

Mr. Denis Kelleher

There is a deterrent. The question of illegality is significant.

What does that amount to?

Mr. Denis Kelleher

That amounts to a public body not being able to do its job, for instance, public bodies bringing prosecutions and enforcement actions against those they regulate and having those actions struck out because their process on personal data breaches the general data protection regulation.

Is Mr. Kelleher saying charges of illegality would be brought against the individual responsible rather than the body?

Mr. Denis Kelleher

It would be brought against the body. The body would have processed personal data in breach of the Data Protection Acts which would then have a knock-on effect on that public body's ability to use that information. That is one deterrent. The other big deterrent is the potential that the subjects whose data has been processed illegally will be able to bring damages claims against that public body and it looks like they may be able to combine into class actions, and those claims may be quite significant.

It is really a policy decision for the Oireachtas as to how data protection would be enforced against public bodies. There is a range of options. It is a question of which is the most effective and whether one imposes fines or just says it will be left to a matter of legality plus the potential of damages claims to ensure that public bodies process personal data appropriately.

Mr. Kelleher states it is likely that the people would be able to bring a class action. Given that it is not possible in Ireland at present, how will that happen?

Mr. Denis Kelleher

Representative actions are possible. The group of people could get together and say that they would bring one representative action forward. The Deputy will have seen that, for instance, in the Army deafness case, with big sets of actions where one saw individuals going forward with their claims being set. That is one option. The other option is that the rule against class actions, as I understand it, is basically set out in the rules of the superior courts and court judgments. I would be surprised if one does not see lawyers bringing forward claims stating that they want to bring forward a class action and testing elements of that, and stating under Article 80 of the GDPR they are entitled to bring forward class actions and they want to bring forward those class actions. Then the issue for the Oireachtas is that one can bring class actions, as stated in the GDPR, where provided for by member state law. In a sense, does the Oireachtas want to govern that process or does one allow actions before the courts and decisions of the superior courts rules committee, which is, I suppose, where the action will move to otherwise if the Oireachtas does not consider that point? One way or another, one will find oneself with some sort of representative or class action being brought before the courts.

I thank Mr. Kelleher.

Apologies that I missed Mr. Kelleher's presentation. Deputy Wallace raised a valid point around the individual within the State organisation and the body getting the effective punishment in law. Is there any real deterrent for a public body? Is there an element of moral hazard on the individual within the body? Would it be better, in a legislative context, to place much more responsibility on those working within that body within the law?

Mr. Denis Kelleher

No. I am sorry to interrupt the Deputy. The way the data protection regulation is set up is it is on the controller. In that case, typically, in a Department, the controller would be the Minister or, alternatively, another public body.

What if there is a data breach specific to an individual within an organisation?

Mr. Denis Kelleher

One's concern there would be twofold. First, the obligation there is on the controller.

Who is responsible in that context?

Mr. Denis Kelleher

Certainly, there would be a concern there. If, for example, staff have taken social welfare data such as PPS numbers, whether or not one should be able to prosecute staff for breaches is a matter, I suppose, for each Department's legislation to look at, in terms of the Department's confidential information. It is the obligation of the public body to control its confidential information and have effective controls in place.

In terms of members of staff who would breach that, on a statistical basis there will always be individual members of staff who are willing to break the law where there are financial incentives. The first obligation has to be on the data controller to ensure he or she protects against that obvious risk. Then if one is looking into that, one can ask, if somebody breaches the obligations of confidentiality, is there an effective deterrent against them?

One deterrent is that they can be prosecuted for a criminal offence. The confidentiality provision in these heads is very good, because it does not actually provide for an offence. The primary mechanism that one would want to bring against somebody for something like that is an action for damages, because the burden of proof is much lower. One is then able to say that somebody can be sued for breaching a person's confidentiality. The processes are not as rigorous. There has to be a very high standard of proof to bring a prosecution against a person.

I think this sort of mechanism, whereby one can actually bring an action for damages against an individual who breaches confidentiality in that way, is potentially quite a good remedy. On whether or not people working in public bodies should be subject to prosecution for breaching confidentiality, it is up to each public body to look at how personal data is secured, where the most sensitive pools of personal data are, what sort of operational or administrative protections - such as encryption - can be brought in to ensure the confidentiality of personal data, and whether it is useful to have the possibility of prosecuting people who breach that. It is part of a suite of remedies. I do not think it is sufficient in itself to say that if somebody breached that personal data and confidentiality, that person can be prosecuted. Much more than that is needed. This legislation would have to be very careful to not seem to water down the obligation on data controllers to ensure confidentiality of data that they process. The dishonest employee is just one of a range of risks which they have to guard against.

If there are no other members of the committee with questions, I have a couple of points. There have been a number of questions focusing on local authorities and other public bodies. Does Mr. Kelleher believe that there is a need to upgrade the legislation about this area? I noted his earlier opening remarks where he talked about fines. At the end of the day, it is coming out of the one pot into which it is going to return in any event. It is not about the fine. The fine is a disincentive to bad practice. What other alternatives are there to ensure that the highest standards apply in local authorities? Are there other sanctions that can be considered, other than fines, that would help ensure that the highest standards apply to public data held by public bodies and local authorities? At the end of the day, the fines are academic. Are there any particular sanctions that Mr. Kelleher thinks could be considered in this regard, in the context of this legislation?

Mr. Denis Kelleher

It is difficult to say. As I say, there is the possibility of illegality and damages claims being brought. The main thing about this legislation is that it proposes a very high standard of procedural steps that data controllers like public authorities have to go through, including such things as data protection by design and the thought of appointing a data protection officer, DPO, and engaging in such things as data protection impact assessments. There is a range of processes that they need to go through and to get in place. It is going to be very challenging for them to be in a position to get those in place in the next year.

On the remedies, I take the Chairman's point on public authorities, because they have a particular status in law. How does one impose a sanction on them? It is a question for the legislature as to how it wants to impose that sort of penalty. I can understand how there would be a certain level of unhappiness in a local authority, from people benefitting from services provided by that local authority, if they discover that the money that was going to be spent on their park, for example, is now being transferred back into public funds to pay a fine to the Data Protection Commissioner. That is how it would be perceived even though all that would hopefully happen in that situation is that the money would come back out again. One has to be careful not to get into that issue of perception about what is an effective remedy.

I take the Chairman's point that one has to look very carefully at whether there are effective sanctions. The real risk and concern for the State here is rather than that circular transaction, which might ultimately create some bureaucracy, there may be damages claims being brought. This may then result in people extracting money from the State and budgets being lowered quite significantly because public authorities have to pay out damages claims. That would be my concern.

The other factor that is deserving of mention is that our local authorities are populated by directly elected representatives and by and large they, of all political hues, would be angered about the point that Mr. Kelleher made about moneys earmarked for a local public project having to go back. They are another brake on people entrusted and employed within the system, ensuring that the system is fit for purpose and that there is no leak and no transgression relating to data protection. I would have confidence in the overwhelming body of directly elected local representatives that they themselves would be as eager as we would to have the highest standards apply.

On the other matter, I asked the Data Protection Commissioner, DPC, questions here last week. Be it commissioner or commission, as the case might be subsequent to this legislation, it is apparent from her responses and all I have read that she is and would be accountable to all Oireachtas committees as the case might be. Is there not, in the normal situation, and one could identify any number of other public bodies with certain responsibilities, a natural direction with regard to accountability and coming before committees? On head 13, does it need to clarify the Oireachtas committee to which the DPC would be accountable after the passage of the legislation?

Mr. Denis Kelleher

One could certainly make a good case that there are advantages to that, essentially for clarity. Data is now being processed right across the State. If there is a situation where the DPC could be called before any committee, she might find herself burdened with a significant workload, because there is no part of the State where personal data is not now being processed, both in the private and public sector. The only other question that might be raised on that is on expertise. As the Chairman has seen from the legislation, data protection is a particular area of law which requires its own particular expertise. While one may have concerns about whether it might become diffuse, there are obviously benefits to having a single point of contact. The DPC has to be accountable in some way. The question for the Oireachtas is how that accountability mechanism is managed.

Mr. Kelleher is not ruling out head 13 being revisited.

Mr. Denis Kelleher

To be fair, I think the Department of Justice and Equality's officials have done an excellent job of drafting these heads, but they are just heads at present. Much detail will have to go into these, and I think it will be necessary to revisit that in detail.

Cognisant of the fact that Mr. Kelleher is here in his wider professional capacity and not with regard to his current direct employment, I nevertheless also asked the Data Protection Commissioner a question last week which reflected on a series of cases that had been referred to me where vexation was clearly expressed where people had taken borrowings from commercial banks for mortgages and house purchases. They found themselves in difficulty over the straitened years, which are hopefully now largely past, and their loans, with a substantial body of others - a loan book, per se - were sold off to a third financial institution, outside the jurisdiction in some cases. People engaging with direct application to a local lender, whether through a local bank branch or whatever the case might be, have developed a relationship and trust, and all the information that they proffer to help secure a borrowing is also transferred, in some cases outside of the jurisdiction, and they are quite unaware of it. I have no doubt that the answer is probably that they ticked a box or signed a contract that provided, in small print, that this can happen.

It is a damnable situation. I am reflecting on grievous upset on the part of a not insubstantial number of people who have referred this issue to me. I do not know if I am being targeted because my background is in the same realm. Colleagues to whom I have spoken have had similar cases referred to them.

Mr. Denis Kelleher

I wish to clarify that I am appearing here in a personal capacity. This issue has been argued before the High Court on several occasions. It has also been argued before the European Court of Justice where somebody has signed a loan. The leading European case is that of Probst v. mr.nexnet. There have been a number of High Court cases in Ireland about this element of either securitisation of the loan or transfer of the loan.

One of the arguments they have made is that they did not consent to this and did not consent to the transfer of their personal data. Typically what happens is that they look into the contract and where the contract allows for the transfer of one's personal data in that way, it just goes ahead. People need to be very careful about the contracts they sign because once a person signs a contract he or she is effectively providing the controller of those personal data with the ability to transfer or process the data for the purposes of the contract. In one case, a lady objected to the securitisation of her loan and the High Court allowed for the securitisation. The only clause they could find in her contract that allowed for securitisation was in fact the data protection clause, which allowed for the transfer of her personal data for the purposes of sale. They read back from that that the contract, itself, allowed for the transfer of the sale of the loan. If the contract allows for the sale of the loan in data protection law, that is sufficient. I realise that it creates considerable upset and there are a large number of cases on this point. It is settled law at this stage that if a person has agreed to it in the contract, the transfer can go ahead and can be processed for the purposes of debt recovery.

In all of the cases of which I have been reminded, people were unaware. People take out these arrangements without going into the fine detail of the small print. It is not in small print for any other reason than to dissuade people from studying it in any great depth and they do not do so. Should there not be an obligation on financial institutions and others to state more prominently the detail relating to data protection in any contract signed whatever the case might be? This needs to be heralded from the outset, not just with taking out a loan with a banking institution but in a much broader sense.

Mr. Denis Kelleher

There are significant obligations in the general data protection regulation about the provision of information. It has to be given in concise clearly understandable form and so forth. There are clear obligations under data protection law and other laws to make it clear to people as to what will happen to them regarding the loan, how their data may be transferred and how enforcement proceedings may be brought against them. The problem is that people tend not to read this. There is the notorious situation of a whole field of people who have put up nonsensical terms and conditions such as agreeing to transferring one's immortal soul or one's first-born child in return for getting access to some social media service. People typically sign these contracts without another thought. People just do not read the terms and conditions.

There are provisions in the DPR trying to force controllers into setting out these terms and conditions in concise form. Notwithstanding that, people do not read them and even when they read them, they seem to disregard them.

That is most disquieting. As a first-born I am feeling very vulnerable.

I thank Mr. Kelleher for appearing before the committee this morning and for his forthright responses to each of the members who participated. I wish him well.

Mr. Denis Kelleher

I thank the Chairman.

We will continue our deliberations on the general scheme of the data protection Bill. We have a gap in our deliberations on the Bill before we resume them on 5 July when Mr. T.J. McIntyre and Mr. Simon McGarr will appear before the committee. We will also have Dr. Geoffrey Shannon before us.

The joint committee went into private session at 10.05 a.m. and adjourned at 10.40 a.m. until 4.45 p.m. on Wednesday, 28 June 2017.