Dáil Éireann Debate, Tuesday - 27 March 2018
288. Deputy Willie Penrose asked the Minister for Justice and Equality his plans to bring forward appropriate legislation to hold technology companies accountable for the protection of data and requiring the timely removal of data when children and young persons are bullied and or exploited; his further plans to ensure a child's rights to be forgotten online; and if he will make a statement on the matter. [14107/18]
Amharc ar fhreagraThe position is that the General Data Protection Regulation (GDPR), which comes into force on 25 May, generally provides for higher standards of data protection for individuals (data subjects), and imposes increased obligations on bodies in the public and private sectors that process personal data (data controllers and processors). It also increases the range of possible sanctions for infringements of these standards and obligations. At the heart of the GDPR is a “risk-based” approach to data protection. This means that each data controller and data processor is required to put appropriate technical and organisational measures in place in order to ensure – and to be able to demonstrate – that their processing of personal data complies with the new data protection standards.
The GDPR also imposes an obligation on data controllers and data processors involved in high risk processing to carry out a data protection impact assessment (DPIA) prior to the commencement of processing operations. Where the DPIA indicates that risks identified in relation to the processing of personal data cannot be mitigated, the controllers and processors will be required to consult with the Data Protection Commission before engaging in the processing.
Part 3 of the Data Protection Bill 2018 gives further effect to the GDPR in a number of areas in which the GDPR gives Member State a margin of flexibility. During Seanad Report Stage, I tabled amendments to insert new sections 31 and 32 in the Bill, which will provide for increased protections for the personal data of children. Section 31 provides that the Data Protection Commission will encourage the drawing up of codes of conduct intended to contribute to the proper application of the GDPR with regard to the following:
(a) the protection of children,
(b) the information to be provided by a controller to children,
(c) the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8 of the GDPR, and
(d) integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner.
Section 32 introduces a specific “right-to-be-forgotten” for children. This will strengthen the rights of children to erasure of any personal data collected during the provision to them of information society services referred to in Article 8.1 of the GDPR.
Matters relating to possible future establishment of an Office of Digital Safety Commissions are being considered by the Minister and Department for Communications, Climate Action and the Environment. In a related context, the European Commission is expected to announce proposals arising from its monitoring of online platforms' compliance with its Communication on Illegal Content Online later this year.
