Seanad Éireann díospóireacht -
Friday, 6 Nov 2020

I move:

That Seanad Éireann approves the following Regulations in draft:

Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020,

a copy of which was laid in draft form before Seanad Éireann on 28th October, 2020.

I bring the motion to the House to seek a resolution to agree the draft Data Protection Act 2018 (section 60(6)) (Central Bank of Ireland) Regulations 2020, as provided for under section 6(5)(a) of the Data Protection Act 2018. Senators will have gathered from the gist of this that it is a technical matter. I have a detailed script but perhaps the best thing I can do is to explain what this is about in simple English.

These regulations were prepared a number of years ago and involved the Data Protection Commissioner, the Department of Finance and the Central Bank. All parties agreed. A full consultation took place. The statutory instrument was agreed by both Houses of the Oireachtas and it was signed by the Minister as approved by both Houses.

It subsequently transpired, a couple of months later, when somebody was working on the printed copy of the statutory instrument that it did not fully tally with what had been passed, approved and signed by the Minister. An error occurred at the printing stage as a result of which some sub-paragraphs were indented after a particular line rather than before it. It could have resulted in a different interpretation of the regulations because the indentation of three sub-paragraphs happened in the wrong place.

The Department of Finance obtained legal advice and felt it was better to check the matter out. It was agreed that it would be better to redo the statutory instrument to be sure, to be sure. However, because it involved data protection legislation, it required to come before both Houses for approval. It is unusual that the correction of a statutory instrument has to come back before the House through a motion of approval before the Minister can get the printed version of it corrected.

That is the beginning and the end of it. There was a printing mistake but because it involves data protection, it requires a motion of both Houses to amend the statutory instrument. It is an unusual one. It is a minor but significant issue. I will perhaps pre-empt some questions when I say that when we went back through the process a second time, to get it right this time, we again consulted the Data Protection Commissioner, the Central Bank and the Department of Finance. They are all happy with what is in front of us today. It requires the approval of the House.

I thank the Minister of State for coming to the House and explaining, in an honest and clear way, the hallmark of the way in which he operates, that this is simply a technical issue to correct a printing error. I am aware from the notes, but I would be grateful if he would put it on the record of the House that no individual has been adversely affected as a result of this. That is particularly important.

On the question of data breaches by financial institutions and the area to which this legislation relates, I continue to have particular concerns regarding the capacity of the Data Protection Commissioner to address some of the challenges relating to data breaches in our financial institutions. Three of the top four companies or organisations listed for complaints with the Data Protection Commissioner at the moment are financial institutions, namely, Bank of Ireland, Permanent TSB and AIB. The record is clear that there are serious concerns around data breaches by financial institutions.

This is an issue that I have raised previously in the context not only of the staff in the Data Protection Commission, DPC, but also the levels of expertise of those staff to be able to address these issues. As we continue to develop and data become the new currency of this century, to the great benefit of Ireland and public policymaking in general, the DPC is going to have an increasingly important role in protecting people's data. That has to be central to any policy work we do in this area. I have no doubt that as we see digital banks such as Revolut and others emerge, there will be more challenges. Unlike domestic banks, these institutions will be based all over the world and it is going to be even harder to regulate in that area. I would like to know what guarantees we are going to have as we move towards digital banking on the role of the Data Protection Commissioner and the role for Ireland. That will be particularly relevant if some of the social media giants start to move into the provision of financial services. We must ensure that we have the necessary legislation to address data protection and that the DPC or any other agency is sufficiently resourced to be able to address it.

The fact that so many complaints are being raised about data breaches shows that there are challenges for our domestic banks. They have questions to answer in that regard. Our responsibility, as a State, is to ensure that the State agencies charged with this can do their jobs properly. This is a technical motion and I am fully supportive of it but it does speak to that broader issue, including the adequate resourcing of the DPC.

I welcome the Minister of State to the House and thank him for setting out the matter simply. We can get caught up in the technicalities of issues. It is great that the Legislature showed foresight in requiring this to come back to both Houses. That is good in a democracy.

The Minister of State had a prepared script that he did not read into the record. I just want to make a few brief points on this motion to change the format of the 2019 statutory instrument, which contains three indentation errors, as he confirmed. We understand that this instrument allows for the Central Bank to restrict the GDPR. That is a concern, as the previous speaker touched on. The GDPR rights of citizens are necessary and important. We need to know about defending against improper conduct, which can be an issue, particularly in the financial services industry. The issue relates to GDPR, people's rights and what protections they have.

I am somewhat concerned about this. I am more concerned about the number of safeguards. The Central Bank will be obliged to notify the data subject. I had a glance over the Minister of State's speech and he mentions this. The Central Bank will also have to provide reasons, and complaints may be lodged with the Data Protection Commission. I am interested to hear about the safeguards. The Minister of State speaks about the considerable safeguards provided for in the regulations. Perhaps when he is winding up, he might touch on them because they are the key issues. What safeguards are in place? I thank the Minister of State for recognising there was an issue with this, and for being open and frank and, more importantly, setting out in very simple terms with great clarity what the motion amounts to. Perhaps the Minister of State might put on the record of the House the issue with regard to safeguards for data protection and the obligations of the banks.

I welcome the Minister of State to the Chamber to discuss this issue. As he has said, this is a technical tidy up due to an error and it is right and proper that we provide every safeguard and where mistakes are made that they are rectified and come to the Houses. I acknowledge that in his speech the Minister of State said the Data Protection Commission has identified no matter of significant concern in the proposed regulations and that the Minister for Justice has acknowledged her agreement with the proposed regulations. It is an issue that could have a very real effect as the regulations are vital to the Central Bank to investigate whether individuals and regulated financial service providers have committed wrongdoing to customers and to record where it has found breaches by individuals so they can be prevented from taking on similar roles in the future. These are very important areas that must be protected. Has the motion come before the finance committee? Has it had sight of it? Is there a need for this under the regulations? I thank the Minister of State for his attendance.

I thank the Minister of State for bringing this before the House. We very much welcome the regulations as necessary. We understand the reason the motion has been brought forward today is because of a very technical ground relating to a formatting error, but this should not stop us from commenting on the purpose and implementation of the regulations. As was so eloquently articulated by Senators Byrne and Boyhan, there are very real concerns with regard to the appropriate safeguards put in place and the resourcing of the Data Protection Commissioner. In order to restrict individual access rights under GDPR, which is a very serious undertaking and matter, there needs to be a proportionate response by the Government in providing these assurances with regard to safeguards, and in resourcing the Data Protection Commission to make individuals aware that they have recourse to the Data Protection Commission in the event of a complaint and to process complaints. This is very important in terms of ensuring there is confidence in the banking sector.

Senator Byrne spoke about the revolution - and I do not want to use the name of one of the competitors - that is happening in financial services at this point in time in this country and throughout the industrialised world. It is very important that we send a very strong signal to consumers that protections are in place because my sense from speaking to people who have various grievances against the banks is that the power is very much stocked with the bank and against the individual. We need to send a clear signal that individuals can be empowered to make a complaint and that it will be processed. Whether the complaint is with merit or not is beside the point but there should be confidence that it will be processed in a timely and appropriate fashion.

It is good to see the Acting Chairman, Senator Pauline O'Reilly, in the role. I welcome the Minister of State to the House. As has been mentioned, the motion does not change the substance of the regulations. In fact, it does nothing more than correct an indentation error made in the printing process in the regulations that came into effect in October last year. The regulations themselves apply to personal data in respect of which the Central Bank is the controller and which are processed by the Central Bank in pursuit of what is defined as a relevant objective and pursued by the Central Bank in carrying out a relevant function. This is defined as an important objective of general public interest and is referred to in the Data Protection Act 2018.

Under the regulations, the restrictions of data subjects' rights or controllers' obligations must be necessary and proportionate. As we know, the restriction of data is a serious issue that must be justified and justifiable. As there is an opportunity to do so, I want to ask the Minister of State whether these regulations that permit the restriction of data access in prescribed circumstances are monitored to ensure they are necessary and proportionate. The regulations also provide that where data subjects' rights or controllers' obligations are restricted, the Central Bank must notify them in writing, except in very limited circumstances. It also gives the data subject the right to submit a complaint to the Data Protection Commission.

Will the Minister of State provide an update on the number of such complaints lodged with the Data Protection Commission since the regulations came into force last year? The motion before us is not one of substance but rather a technicality. It is, in fact, a formatting issue. I understand the Central Bank policy unit in the Department of Finance identified an indentation error in regulations Nos. 3 and 7, which were published last year. The effect of the indentation is quite significant. Due to an indentation error, financial services legislation would not relate to the operation of the central credit register. This was an error in the regulations that the motion before us today seeks to address, specifically by reformatting regulations Nos. 3 and 7. Sinn Féin sees no issues with these changes but I ask the Minister of State whether the Central Bank, as a result of this indentation error, restricted data subjects' rights in a way that was in contravention of the regulations published last year and, as a consequence, could the Central Bank be open to legal challenge?

As has been pointed out, the motion corrects an error but it points to several other key issues and I want to pick up on several of them. One is with regard to the points made by Senator Byrne. There is a concern about financial institutions and the quite disproportionate level of concern about data breaches with regard to financial institutions. I recognise the motion will make it easier to make appropriate investigations and act on them but it raises a related issue which, unfortunately, we will not be able to discuss in any great length when the Investment Limited Partnerships (Amendment) Bill comes through the House. I tabled an amendment which sought to ensure there would be a data protection impact assessment on how the register of beneficial owners would be used but I have just been informed that it has been ruled out of order. I have no doubt there is an intention to have a data protection impact assessment on how the register of beneficial owners might be used. It could be used in an inappropriate way. I have a particular concern because the register is being made a specified body under the Social Welfare Act 2004 and it is very important we would not have any inappropriate access to the single customer view data set, except for particular purposes which are important and necessary, such as investigation by Revenue and checking the confirmation of ownership. It is an example of how we need rigour with regard to all of the architecture of financial transparency. It has to intersect in a constructive and very transparent way with the architecture of data protection. This is an opportunity for the Minister of State to give assurance in this regard even though the amendment was disallowed.

As regards a slightly wider issue, this is a reminder that it is possible to amend the Data Protection Act. Specifically, it is possible under the procedure being laid before both Houses to amend regulations made under that Act. I want to highlight that because sometimes the data protection rules are seen as very stationary but in fact, as has been recently discussed, there is quite a lot of power of interpretation. Under the Data Protection Act 2018, Ministers have the power to make regulations relating to the processing of personal data where necessary and proportionate in the public interest. We have talked a lot about Article 15 rights and people's rights to seek their own data but a Minister might also have powers, for example, relating to data on burials, deaths and so forth, and where that is in the public interest, regulations might be made. I am just pointing out that we have a system for this. Section 198 of the Data Protection Act, which is the section that amended section 39 of the Commissions of Investigation Act, may need review in the future.

Senator Ruane and I successfully inserted a few different sections into the Data Protection Act 2018. One of those was section 30, which relates to the microtargeting and profiling of children. As I understand it, we are dealing with a technical error here. There was a technical concern around the definition of "company or corporate body" within section 30 and, as a result, it has never been commenced. I emphasise that because we have the capacity under the Bill and through the statutory instrument process to apply a relevant definition of "company or corporate body" to section 30 which would then allow it to be commenced. It is a crucial issue. It is a question of the extent to which companies can profile children, as they are defined in section 29 of the Data Protection Act, and specifically target or even microtarget them. That section was a useful contribution. It may not have been perfect, much as section 60 may not have been perfect, but this is a useful reminder that motions could be brought by the Minister of State or another relevant Minister to fix this section in order that it can be commenced. It is an important issue and it has not been addressed in any other way since 2018.

I appreciate that this is a technical motion, but while the Minister of State is here, I will use this opportunity to raise a concern based on my experience over a number of years. I work with many families on a pro bono basis, assisting them when they have been done out of tracker mortgages, restoring them and going through that with various financial institutions. One of the provisions of the GDPR is transparency and modalities, meaning that data subject access requests should be responded to in the most convenient and quickest way possible. However, in my experience it takes a lot of work and many letters to ensure that transparency is put in place. To be fair, the Data Protection Commission is fantastic in supporting people and being very clear about this. The threat of recourse to the Data Protection Commission is always a paragraph within my letters. First, one gets the data on a disc or in some other form but it is programmed by the financial institution so that it cannot be unpacked or accessed. Then when one writes to the institution again, it provides a package to access the disc on one's own computer. By the time one goes back to it to talk about the provision for transparency and modalities in the GDPR, it is six months down the road. During that time people will still have been paying their mortgage or been caused hardship by not paying, and so there is an increase of arrears and further things to negotiate and talk about. We get there in the end but I wanted to put on the record the fact that we have that process at all. I would appreciate if the Minister of State could exert some influence on that process if the opportunity arises.

Financial institutions' data protection impact assessments, DPIAs, should be published as well rather than just a privacy notice. The privacy notice is the external mechanism by which the information about how people's data is handled is published and made available. That is not enough when it comes to the necessary and proportionate restriction of data subject rights. The DPIAs of both State entities and financial institutions should be made public. They should be transparent if institutions are going to restrict my rights, the rights of a constituent or anyone else. Generally, by the time people exercise their rights it is because they are engaged in some sort of an argument with the banks. People will not know and will not have looked for their statements because they have not had an argument with them in a while. People in that situation are already vulnerable, so the DPIAs should be made available in order that people like me and others who assist families in such situations have complete transparency. We can then measure expectations rather than having to go through the arduous process of eight months of letter writing before getting to the nub of why we are not getting the information. I thought I would take the opportunity to mention that while the Minister of State was here.

I welcome this opportunity and appreciate all the comments that have been made. As people noted, many of the comments were not specific to this statutory instrument. Data breaches in financial institutions are one big issue that has been mentioned here on a few occasions. Some asked about the resourcing of the Data Protection Commission and whether it has sufficient resources to do the job from both an Irish and an EU perspective. Senator Higgins asked when some of the data protection regulations that have not been implemented to date, as there are issues with definitions, will be commenced. There was also the question of the banks being quite slow and tardy in their method of disclosing information. I have noted everything Senators have said and I will give this information to the Minister for Justice. Everyone here knows this legislation comes under the Department of Justice and I will be happy to pass on all the points that have been made. It is clear that this is very much a live issue.

We are here because of a minor technical issue of data protection which relates only to the Central Bank. It has nothing to do with the commercial banks. I can already tell that there is quite a debate to be had on many of these issues so I am sure the Seanad will take them up again. Resourcing will have to be dealt with in the forthcoming Estimates for the Department of Justice. That is where there should be a detailed thrashing out, and perhaps the Joint Committee on Justice will have a role in it as well. Those are my suggestions on that issue.

A couple of other points specific to these regulations were made. This motion was not discussed at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. It was decided that both sets of measures would be brought separately to the Dáil and the Seanad. The motion went through the Dáil a few days ago and it is now going through the Seanad. It was felt that it was necessary for both Houses to pass the motion in any event because of the data protection implications.

I want to make a point which I think everyone will accept. The right to data protection is not an absolute right. It must be balanced against other values, fundamental rights, human rights or public and private interests. There may be circumstances under which an organisation has grounds to refuse to grant an individual's request to exercise his or her data protection rights. That is enshrined and accepted and there must be procedures in place for it. These regulations are to facilitate that and they are vital to allow the Central Bank to investigate whether individuals in regulated financial services providers have committed wrongdoing to customers. It must be able to record where it has found breaches by individuals in order that it can prevent them from doing the same again in the future. In cases where the bank is processing personal information for a law enforcement purpose, it may withhold information from a requester if it believes doing so is necessary to avoid prejudicing the detection and investigation of criminal offences.

I think everyone would accept that where the Central Bank is involved in a matter in connection with a criminal offence carried out by someone in a regulated institution, it goes without saying that the subject of the investigation cannot rock up to the Central Bank and demand to know what information it holds about him or her. The same applies if the Garda is investigating whether someone committed a criminal offence. The individual in question cannot simply walk into a Garda station and ask for the full file of the investigation. I think we understand that the right to data is not absolute. This provision applies only to those specific types of issues.

Since the 2019 regulations were made, the Central Bank has received 28 subject rights requests. The regulations were applied in five cases and in 23 cases the information was provided. Only in one case were the rules to withhold the entirety of the data requested invoked. That case focused on a request for three or four particular documents. After a robust evaluation of these documents, the Central Bank was satisfied that the decision to withhold the data would not result in any disproportionate detriment to the individual concerned. As such, no harm was done to the individual but it was necessary to withhold the documents because of the ongoing investigation. The Central Bank has a defined evaluation process for dealing with all cases where the regulations are invoked. These processes ensure the necessity and proportionality requirements are being robustly applied. This process also includes engagement with the Central Bank's data protection officer. To date, no complaints have been submitted to the Central Bank, nor is the Central Bank aware of any complaints submitted to the Data Protection Commission relating to the use of these regulations. The Central Bank's data protection officer has reviewed each of the various access requests where the exemption was applied under the 2019 regulation, of which there were five, and is satisfied that there would not have been any different outcome to these requests or to the level of exemptions availed of by the Central Bank if the exemption criteria had been applied according to the correct text of the original legislation compared with the printed text.

I confirm also that there have been no complaints to the Central Bank of the operation of this section. There is no harm done and the Central Bank examined each of the 28 cases. On that basis, I ask the House to approve the motion.