Data Protection Bill 2018 – Seanad Second Stage
8 February 2018
Address by Charlie Flanagan, T.D., Minister for Justice and Equality
I am very pleased to have the opportunity today to launch the Data Protection Bill 2018 in Seanad Eireann. I look forward to hearing your contributions, and I hope you will support this important Bill. My officials are here with me today and they are available to any Member who wants to have a detailed briefing on the technical aspects of this legislation. I want to thank the members of the House who undertook the pre-legislative scrutiny work in their capacity as Members of the Joint Oireachtas Committee on Justice and Equality.
In a nutshell, this legislation will introduce stronger rules on data protection. People will have more control over their personal data and businesses will benefit from a level playing field.
Members of this House will no doubt be aware of the General Data Protection Regulation, generally referred to as “the GDPR”, of which there has been a great deal of debate both in Ireland and across the European Union. The GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. It does not apply to data processed by an individual for purely personal reasons or for activities carried out in a person’s home, provided there is no connection to a professional or commercial activity.
The GDPR is a significant Regulation and this Bill will give further effect to the GDPR as well as transposing the accompanying law enforcement Directive into national law. Furthermore, it will establish the Data Protection Commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the Directive must be transposed into national law by early May. Accordingly, I am hopeful that with the support of both Houses, this Bill will be signed into law and enter into force in May next, alongside the GDPR. I believe that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age.
I am conscious that many people may be inclined to switch off at the mention of data protection because they see it as a technical issue, as an issue that does not concern them directly. That would be a mistake for the simple reason that the updated data protection rules entering into force in May next will affect all of us in one way or another. It will affect each of us as individuals, because it will increase our control over the manner in which, and the purposes for which, our own personal data are used. It will affect businesses – whether large, medium or small – because it will require them to review, and update, the manner in which they collect, use or store the personal data of their customers and their clients, or any other individual whose personal data they retain. The same applies to Government Departments and public bodies.
The simple fact is that data protection law has not kept pace with the many technological advances and new business models, such as cloud computing, that have emerged in recent years. Our current data protection law, based on the EU’s 1995 Data Protection Directive, predates mass internet usage, hand-held devices, apps and games, social networking, and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us. The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR in May next. However, the GDPR’s provisions will strengthen our control over our own personal data and the purposes for which it may be used.
Increased transparency is essential to increased control. In future, all information must be provided in a concise, transparent, intelligible and easily accessible format, using clear and plain language. It will no longer be acceptable to direct users to terms and conditions written in legal jargon.
The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase, but will do so in a measured and proportionate manner. The compliance burden will increase for some, but that will be proportionate to risks for the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. By proportionate, I mean that for SMEs for which data processing is not a core part of the business and where the company’s activity doesn't create risks for individuals, then some obligations of the GDPR will not apply (for example the appointment of a Data Protection Officer ('DPO')). The new obligations will inevitably pose a greater challenge for bodies, whether in the public or private sectors, that specialise in data processing and for those handling, for example, customers’ financial data or patients’ sensitive health data.
While large companies have been gearing up for entry into force of the GDPR for some time, it is likely that the SME sector and micro-enterprises will continue to require assistance and support during the coming period of adjustment. Awareness raising activities have been under way for the last year and a half, involving conferences, seminars and workshops, and those activities will continue. Minister Pat Breen, who has special responsibilities in this policy area, has been very active in promoting awareness of the changes to come and I know he has an ambitious schedule planned for the coming months. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner’s web page “gdprandyou.ie”. It contains a wealth of useful information and practical guidance for both business and individuals.
High data protection standards are in everyone’s interests, including the interests of business. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the EU. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. In this context, it is worth remembering that exports are a critical aspect of our strong economy. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government’s online services.
To make the enhanced protections meaningful, public and private enforcement of data protection law is set to increase. The Data Protection Commission will in future have stronger supervision and enforcement powers, as well as a broader range of sanctions at its disposal, including the possibility of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase, resulting in higher levels of private enforcement activity.
This Government is committed to achieving the full potential of the digital economy, and its capacity to promote innovation, to create jobs and to boost economic activity in the State. We already host many of the world’s leading digital companies here and they provide their services well beyond our shores. That number will increase in the future. The GDPR, together with the provisions of this legislation, will ensure that data processing involved in the provision of these services will meet the highest data protection standards, and the establishment of the Data Protection Commission will ensure effective supervision and enforcement of these high standards.
Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the EU on 25 May 2018. An accompanying Directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, requires to be transposed into national law by 6 May 2018.
Both the GDPR and the Directive have a legal basis in Article 16 of the Treaty on the Functioning of the European Union, and they provide for significant reforms to current data protection rules based on the EU’s 1995 Data Protection Directive. Both instruments generally provide for higher standards of data protection for individuals, and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations.
The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for all those doing business in the EU digital market. The European Data Protection Board, a new entity that will replace the current advisory committee and made up of representatives of the data protection authorities of all Member States, will play an important role in this respect.
At the heart of both the GDPR and Directive is a “risk-based” approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure – and, importantly, to be able to demonstrate – that their processing of personal data complies with the new data protection standards.
I would remind Senators that the terms “controller” and “processor” apply to us too - those of us involved in the handling of constituents’ requests and representations are data controllers, and any operator of an off-site storage facility for files containing personal data is a processor. So this is an issue for the Oireachtas in a very direct way.
For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the Data Protection Commission will be mandatory.
Both the GDPR and Directive place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.
Both the GDPR and the Directive impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a Data Protection Officer with responsibility to oversee data processing operations, and to report data breaches to the relevant data protection authority.
The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called “legitimate interest” ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity.
Both the GDPR and Directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of Member States, including the future Data Protection Commission. The GDPR provides for the possible imposition of substantial administrative fines (up to €10 million or €20 million, or 2% or 4% of total worldwide annual turnover in the preceding financial year). I will return to the fines issue shortly.
The liability of controllers and processors will also be broadened to include non-material damage such as distress. In future, an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.
Purpose and structure of the Bill
The key purposes of the Bill are as follows:
- to give further effect to the GDPR in the areas in which Member State flexibility is permitted;
- to transpose the Directive into national law;
- to establish the Data Protection Commission as the State’s data protection authority with the means to supervise and enforce the protection standards enshrined in the GDPR and Directive in an efficient and effective manner, and
- to enact consequential amendments to various Acts that contain references to the Data Protection Acts 1988 and 2003.
The Data Protection Bill 2018, which is both lengthy and complex in nature, comprises the following Parts:
- Part 1 (sections 1 to 8) contains a number of standard provisions, e.g. citation, commencement and definitions. Section 7 makes provision for repeals, while section 8 defines the residual scope of the Data Protection Act 1988.
- Part 2 (sections 9 to 27) establishes a Data Protection Commission to replace the Data Protection Commissioner as the State’s data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the Directive. Establishment of the Commission – comprising at least one commissioner and not more than 3 – is a future-proofing provision to allow, should the need arise in future, for the appointment of additional commissioners in response to an increased Commission workload.
- Part 3 (sections 28 to 55) gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the Regulation gives Member States a margin of flexibility. In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations in due course.
- Part 4 (sections 56 to 62) contains a number of provisions that are consequential on replacement of the Data Protection Commissioner with a Data Protection Commission. The intention is to provide for a smooth and frictionless transition from current arrangements to the new structure.
- Part 5 (sections 63 to 99) transposes the law enforcement Directive’s provisions in national law.
- Part 6 (sections 100 to 151) contains provisions dealing with enforcement of the obligations and rights set out in the GDPR and Directive by the Data Protection Commission. The intention is to ensure effective supervision and enforcement mechanisms, together with the necessary procedural and due process safeguards.
- Part 7 (sections 152 to 157) contains a number of miscellaneous provisions, mainly concerning the application of data protection rules to the courts and a number of related legal matters.
- Part 8 (sections 158 to 162) contains consequential amendments to a number of Acts.
As regards substance, the Explanatory and Financial Memorandum that accompanies the Bill contains much detail, and I do not intend, therefore, to delve into all the Bill’s provisions. I want, however, to take the opportunity to highlight a number of issues, and to refer to Part 5, which transposes the law enforcement Directive into national law.
Repeal of Data Protection Act 1988
Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003.
While Article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant Court of Justice case law by the Attorney General’s Office has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State.
While national security and defence lie outside the scope of EU law, the Council of Europe’s 1981 Data Protection Convention (Convention 108) contains provisions that apply to data processing for these purposes. The process of updating and modernising this Convention is under way at present in Strasbourg, but that process has not concluded to date. Pending the updating of Convention 108, section 8 proposes to confine the scope of the Data Protection Act 1988 to data processing in the context of national security, defence and the international relations of the State. On completion of that process, it will be possible to update the content of this legislation by means of an amending Act and to repeal the 1988 Act. All key data protection standards will then be found in a single consolidated Act.
Consistency mechanism (One-Stop-Shop)
The GDPR contains a ‘consistency mechanism’, or so-called ‘One-Stop-Shop’, which is intended to streamline the handling of data protection infringements and complaints across the EU. For this purpose, it employs the concept of a “lead” supervisory authority, i.e. the data protection authority of the Member State in which a controller’s “main” or only EU establishment is located. It means that complaints will be investigated by the data protection authority of that Member State irrespective of the Member State of origin of the complaint. That data protection authority may request assistance from other authorities for investigation purposes, but the initial decision as to whether or not an infringement has occurred, or is occurring, will be the responsibility of the lead authority.
Before arriving at any final decision in cross-border cases, the lead authority must submit a draft decision to the other data protection authorities that have an interest in the case for their views, and must have regard to any objections received from them. If there are any remaining objections to a revised draft decision, it may trigger referral of the case to the European Data Protection Board – comprising representatives of all supervisory authorities – for a binding decision. The EDPB may take a binding decision by majority vote, which may or may not coincide with the (revised) draft decision of the lead supervisory authority.
This mechanism has, of course, a special significance for Ireland since many multinational companies that provide digital services across the EU and beyond have their headquarters here. This means that the Data Protection Commission and its handling of cross-border complaints will be the focus of particular and sustained attention across the EU.
This is the backdrop to the proposals in Part 2 of the Bill to establish a Data Protection Commission, with at least one but not more than three Commissioners.
While there are no specific plans at present to increase the number of Commissioners, significant levels of additional financial and staffing resources have been allocated to the Data Protection Commissioner in recent years in order to prepare for the expected workload increases following entry into force of the GDPR and this legislation. Staff resources have trebled from 30 in 2013 to over 90 at present. Additional funding of €4 million in 2018 will bring the overall budget to about €11.7 million, and this will facilitate the recruitment of additional staff (bringing the total to about 140).
In order to underline and further enhance the independence of the Commission, as required by the GDPR and Court of Justice case law, the Commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 156 respectively. Commencement of these provisions will take place when the necessary procedures for a separate Vote are in place.
Article 8 of the GDPR specifies a ‘digital age of consent’ of 16 years but allows Member States to lower it, though not below 13 years.
This means that where information society services are offered directly to children, the processing of a child’s personal data will be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child. In such cases, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child.
In late 2016, my Department launched a consultation process and invited submissions from interested parties on the ‘digital age of consent’ to apply in this jurisdiction under Article 8. The Government Data Forum, which brings together legal and data protection experts, business representatives from SMEs and multinationals, as well as sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents – including the Ombudsman for Children's Office, the Internet Safety Advisory Committee and the Children's Rights Alliance – recommended setting the digital age of consent at 13 years.
When appearing before the Joint Oireachtas Committee on Justice and Equality for the pre-legislative scrutiny of the General Scheme of the Bill in July last, the Special Rapporteur on Child Protection, Dr Geoffrey Shannon, also recommended setting the ‘digital age of consent’ at 13 years. This recommendation was adopted by the Committee in their Report published in November last.
The Government considers that a ‘digital age of consent’ of 13 years represents an appropriate balancing of children’s rights, namely a child’s right to participation in the online environment and a child’s right to safety and protection, rights that are enshrined in the UN Convention on the Rights of the Child. Provision is made for that in section 29.
As regards “preventative or counselling services” provided for children, subsection (2) clarifies that such services are excluded from the scope of Article 8. The legal advice available to the Department points to the risks of attempting any definition of such services. Any inadvertent exclusions could risk the termination of preventative or counselling services already being provided for the benefit of children under 13 years.
I fully support the recommendation of the Joint Oireachtas Committee for consultation of children in relation to data protection measures. Article 57 of the GDPR requires data protection authorities such as the Data Protection Commission to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, and it states that activities addressed specifically to children must receive specific attention. Adequate consultation with children in relation to the content of such activities will be necessary and appropriate. I also support the Committee’s recommendation that education programmes be implemented to assist children in exercising their data protection and digital rights. In this context, I want to draw attention to the Webwise initiative (webwise.ie) operated by the Professional Development Service for Teachers, which promotes online awareness and safety objectives. My Department provides funding to webwise.ie and I am working with Ministers Bruton, Zappone and Naughten on the broader issue of child safety online.
Restriction on exercise of data subject rights
Article 23 of the GDPR makes provision for possible restrictions on the exercise of data subject rights in order to safeguard important objectives of general public interest, some of which are set out in paragraph 1 of that Article. It specifies that such restrictions must comply with three conditions:
The need to apply restrictions on the exercise of data subject rights might arise, for example, where a regulatory body such as the Legal Services Regulatory Authority or the Medical Council is examining a complaint of unfitness to practice or an allegation of improper conduct. It could also arise where the Health and Safety Authority is investigating a workplace accident. The objective in such cases is not permanently to set aside the data protection rights of individuals concerned, but rather to protect the investigation or examination from access requests or requests for rectification or erasure of personal data so that the investigation or examination can be brought to a conclusion and appropriate action can be taken.
Section 54 of the Bill provides for appropriate restrictions in order to safeguard a range of important objectives of general public interest, such as avoiding obstructions to any official or legal enquiry, investigation or process. Such public interest objectives also include cabinet confidentiality, judicial independence, parliamentary privilege, and legal privilege.
Any such restrictions must be set out in law or in regulations under subsections (6), (7) and (8) and the regulations must comply with subsection (10), i.e. respect the essence of the right to data protection, and restrict exercise of data subjects’ rights only in so far as is necessary and proportionate in a democratic society. Similar safeguards apply in the case of restrictions on data subject rights under Part 5; these are provided for in section 89.
Article 57 of the GDPR confers a broad range of corrective powers and sanctions on the data protection authorities, including the Data Protection Commission. These range from issuing warnings or reprimands, to ordering public or private bodies to facilitate the exercise of data subject rights and to bring their data processing operations into line with data protection law. The Commission will also have the power to impose a temporary or permanent ban on non-compliant processing operations. Data transfers to third countries may also be suspended if data protection standards applicable there are considered inadequate by the EU. All of these corrective actions, including prohibition orders, apply equally to the public and private sectors.
Article 83 of the GDPR provides for the imposition of administrative fines for infringements, including data breaches. It states that each Member State may lay down the rules on whether and, if so, to what extent administrative fines may be imposed on public sector bodies. While the possibility of imposing such fines on Government Departments, public authorities and public bodies could have a deterrent effect, it would also reduce the funds available to such bodies for the provision of important services to the public. Any deficit arising from the payment of fines would be likely to lead to demands for replacement funding by means of a supplementary budget. This could result in a wasteful, circular flow of funding. On the other hand, the Government recognises that non-application of administrative fines could create competition distortions in those areas in which public and private bodies operate in the same market (e.g. public and private hospitals; public and private transport providers).
In order to ensure fair and equitable trading conditions, section 136 of the Bill provides that administrative fines may be imposed on public bodies when they act as “undertakings”, i.e. when they are providing goods or services for gain in competition with private bodies. This will ensure fair competition between the public and private sectors in the provision of goods and services.
Transposition of law enforcement Directive
Part 5 of the Bill – sections 63 to 99 – transposes the law enforcement Directive into national law. Chapter 1 contains relevant definitions (section 63) and outlines the scope of this Part (section 64). It applies to data processing carried out by public authorities and bodies for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or the execution of criminal penalties. While it will apply in the main to bodies operating within the criminal justice system, its provisions will also apply to administrative bodies such as the Health and Safety Authority and to other authorities such as fire authorities when they are engaged in the investigation and prosecution of offences.
Chapter 2 contains provisions outlining the general principles of data protection (section 65), which are broadly similar to those in the GDPR; the need for adequate security measures (section 66); conditions applicable to the processing of special categories of personal data (section 67), and standards applicable to data quality (section 68).
Chapter 3 outlines the obligations on controllers and processors when acting within the scope of Part 5. These are broadly similar to obligations set out in Part 4 of the GDPR, including the need for appropriate security standards; reporting of data breaches to the Data Protection Commission; the need for contracts with processors; the carrying out of data protection impact assessments; and, in certain cases, mandatory consultation with the Data Protection Commission. Section 76 imposes a specific requirement on controllers and processors to create and maintain data logs, which must record consultation and disclosure of data in automated processing systems. All public authorities and bodies must designate a data protection officer.
Chapter 4 specifies the data protection rights of individuals: they include rights in relation to automated decision-making (section 84); the right to information (section 85); the right of access (section 86); the right to erasure and rectification of personal data (section 87). Section 89 outlines the grounds on which the exercise of data subject rights under this Part may be restricted in whole or in part. Where exercise of a data protection right is restricted, the data subject may seek indirect exercise of that right through the Data Protection Commission (section 90).
Supervision and enforcement
Part 6 of the Bill contains detailed provisions that deal with supervision and enforcement of the GDPR and the data protection standards set out in Part 5 of this Bill. These include provisions for the handling of complaints received by the Commission, the carrying out of detailed investigations, and the imposition of sanctions.
Before concluding, I want to mention the Report on pre-legislative scrutiny of the draft Bill submitted by the Joint Committee on Justice and Equality. I want to thank the Joint Committee for their work and their recommendations, many of which have been taken on board in the Bill before us today. I have already referred to a number of areas where it has not been possible to adopt the Committee’s recommendations. I also want to take this opportunity to thank all the other stakeholders for their inputs into preparation of the Bill.
As I mentioned at the outset, this is a lengthy and complex Bill. That should not obscure its central purpose, which is to promote and facilitate exercise of our right as individuals to protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that “Everyone has the right to protection of personal data concerning him or her.” The GDPR and this Bill seek to make that a reality.
I commend the Bill to the House.