Check Against Delivery
Data Protection Bill 2018 – Dail Second Stage
17 April 2018
Address by Charlie Flanagan, T.D, Minister for Justice and Equality
I am very pleased to have the opportunity today to commence Second Stage of the Data Protection Bill 2018 in this House. I look forward to hearing your contributions, and to obtaining your broad support for the contents of this important Bill.
At the outset, I want to draw the House’s attention to the fact that the Bill was amended during its passage through Seanad Eireann. A number of new provisions have been added to it and I will draw attention to these in due course. The Explanatory Memorandum, which accompanies the Bill, has been updated to reflect the Seanad amendments.
The primary purpose of the Bill is to give further effect to the General Data Protection Regulation (GDPR), to transpose the accompanying law enforcement Directive into national law and to establish the Data Protection Commission to replace the Office of the Data Protection Commissioner. The GDPR enters into effect on 25 May next and the Directive must be transposed into national law by May.
I am hopeful that with the support of the House, this Bill will be signed into law and enter into force in May next, alongside the GDPR. I am confident that the GDPR and this legislation will serve to make our data protection laws fit for purpose in the digital age.
The updated data protection rules entering into force next month will affect all of us in one way or another. They will affect each of us as individuals, because they will increase our control over the manner in which, and the purposes for which, our own personal data are used. They will affect businesses – whether large, medium or small – because they will require them to review, and update, the manner in which they collect, use or store the personal data of their customers and their clients, or any other individual whose personal data they retain. The same applies to Government Departments and all public bodies.
The simple fact is that data protection law has not kept pace with the many technological advances and new business models – such as social media and cloud computing – that have emerged in recent years. Our current law, based on the EU’s 1995 Data Protection Directive, predates mass internet usage, hand-held devices, apps and games, social networking, and data analytics, all of which involve the collection and processing of our personal data, often for purposes that are opaque and largely unknown to us.
The basic data protection principles set out in the Data Protection Acts 1988 and 2003 will remain largely unchanged following the entry into force of the GDPR. However, GDPR rules will strengthen our control over our own personal data and the purposes for which it may be used.
Increased transparency is essential to increased control. In future, information to users must be provided in a concise, transparent, intelligible and easily accessible format, using clear and plain language. It will no longer be acceptable for service providers to direct users to opaque terms and conditions written in legal jargon.
The obligations placed on companies and public sector bodies that collect, use and store personal data are set to increase, but will do so in a measured and proportionate manner. The compliance burden will increase for some, but it will be proportionate to risks for the rights and freedoms of individuals arising from any accidental or unlawful loss or disclosure of, or access to, their personal data. This will inevitably pose a greater challenge for those bodies – whether in the public or private sectors – that specialise in data processing and for those handling, for example, customers’ financial data or patients’ sensitive health data.
While large companies have been gearing up for entry into force of the GDPR for some time, it is likely that the SME sector and micro-enterprises will continue to require assistance and support during the coming period of adjustment. Awareness raising activities have been under way for the last year and a half, involving conferences, seminars and workshops, and those activities will continue. Practical guidance is also vital and I strongly recommend the Data Protection Commissioner’s web page “gdprandyou.ie”. It contains a wealth of useful information and practical guidance for both business and individuals.
I believe that high data protection standards are not anti-business, and they will not reduce competitiveness. The harmonised rules set out in the GDPR and the Data Protection Bill will ensure that the same data protection safeguards will operate across the EU. This will provide a level playing field for businesses, especially those involved in the cross-border provision of goods and services. Enhanced data protection standards will also be beneficial to the increasing numbers who avail of the Government’s online services.
Public and private enforcement of data protection law is set to increase. The Data Protection Commission will in future have stronger supervision and enforcement powers, as well as a broader range of sanctions at its disposal, including the imposition of administrative fines. The scope for compensation claims arising from infringements of data protection rules will also increase, resulting in higher levels of private enforcement activity.
This Government is committed to achieving the full potential of the digital economy, and its capacity to promote innovation, to create jobs and to boost economic activity in the State. We already host many of the world’s leading digital companies here and they provide their services well beyond our shores. That number will increase in the future. The GDPR, together with this legislation, will ensure that data processing involved in the provision of these services will meet the highest data protection standards, and the establishment of the Data Protection Commission will ensure effective supervision and enforcement of these high standards.
Following protracted negotiations, the GDPR was agreed in early 2016 and will, as I mentioned, enter into force across the EU on 25 May next. An accompanying Directive, which establishes data protection standards for the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offences and the execution of criminal penalties, also requires transposition by May.
Both the GDPR and the Directive have a legal basis in Article 16 of the Treaty on the Functioning of the European Union, and they provide for significant enhancements to current data protection rules based on the 1995 Data Protection Directive. Both instruments generally provide for higher standards of data protection for individuals, and impose increased obligations on bodies in the public and private sectors that process personal data. They also increase the range of possible sanctions for infringements of these standards and obligations.
The GDPR seeks to provide for a uniform interpretation and application of data protection standards across the EU, thereby providing a level playing field for all those doing business in the EU digital market. The European Data Protection Board, a new entity that will replace the current advisory committee and that is made up of representatives of the data protection authorities of all Member States, will play an important role in this respect.
At the heart of both the GDPR and Directive is a “risk-based” approach to data protection. This means that each individual controller and processor is required to put appropriate technical and organisational measures in place in order to ensure – and, importantly, to be able to demonstrate – that their processing of personal data complies with the new data protection standards.
I would remind the House that the terms “controller” and “processor” are not esoteric concepts; for example, those of us involved in the handling of constituents’ requests and representations are data controllers, and any operator of an off-site storage facility for files containing personal data is a processor. I will return to the former point about the work of elected members later in my remarks.
For the purposes of assessing the nature, level and likelihood of risks for the rights and freedoms of individuals, controllers and processors must have regard to the nature, scope, context and purposes of their data processing activities. In certain cases, this will in future require the carrying out of a data protection impact assessment in order to take steps to mitigate such risks. Where mitigation measures are not feasible, prior consultation with the Data Protection Commission will be mandatory.
Both the GDPR and Directive place greatly increased emphasis on the transparency of processing, the responsibility of the controller and processor for compliance with data protection standards, and the need for appropriate security standards in order to protect against data breaches such as unauthorised or unlawful processing and accidental loss, destruction or damage.
Both the GDPR and the Directive impose an obligation on all public authorities and bodies, as well as some private sector bodies, to designate a Data Protection Officer with responsibility to oversee data processing operations, and to report data breaches to the data protection authority.
The GDPR also limits the grounds for lawful processing of personal data by public authorities and bodies. For example, depending on the circumstances, an individual’s consent to the processing of his or her personal data may not provide a reliable basis for such processing by a public authority. The so-called “legitimate interest” ground in Article 6.1(f) of the GDPR will no longer be available to public authorities when acting in their public capacity.
Both the GDPR and Directive provide for increased supervision and enforcement of data protection standards by the data protection authorities of Member States, including the future Data Protection Commission. The GDPR provides for the possible imposition of substantial administrative fines (up to €10 million or €20 million, or 2% or 4% of total worldwide annual turnover in the preceding financial year). I will return to the fines issue shortly.
The liability of controllers and processors will also be broadened to include non-material damage such as distress. In future, an individual who has suffered material or non-material damage because of a breach of his or her data protection rights under the GDPR or this legislation will have the right to seek compensation in the courts.
Purpose and structure of the Bill
The key purposes of the Bill are as follows:
- to give further effect to the GDPR in the areas in which Member State flexibility is permitted;
- to transpose the Directive into national law;
- to establish the Data Protection Commission as the State’s data protection authority with the means to supervise and enforce the enhanced protection standards enshrined in the GDPR and Directive in an efficient and effective manner, and to enact consequential amendments to various Acts that contain cross-references to the Data Protection Acts 1988 and 2003.
The Data Protection Bill 2018, which is both lengthy and complex in nature, comprises the following Parts:
- Part 1 (sections 1 to 8) contains a number of standard provisions, e.g. citation, commencement and definitions. Section 7 makes provision for repeals, while section 8 defines the residual scope of the Data Protection Act 1988.
- Part 2 (sections 9 to 27) establishes a Data Protection Commission to replace the Data Protection Commissioner as the State’s data protection authority. Its primary task will be to act as the supervisory authority for the purposes of the GDPR and the Directive. Establishment of the Commission – comprising at least one commissioner and not more than 3 – is a future-proofing provision to allow, should the need arise in future, for the appointment of additional commissioners in response to an increased Commission workload.
- Part 3 (sections 28 to 58) gives further effect to the GDPR in a number of areas, mainly affecting the public sector, in which the Regulation gives Member States a margin of flexibility. In certain cases, this involves the creation of a regulation-making power that will permit the making of more detailed regulations in due course.
- Part 4 (sections 59 to 65) contains a number of provisions that are consequential on replacement of the Data Protection Commissioner with a Data Protection Commission. The intention is to provide for a smooth and frictionless transition from current arrangements to the new structure.
- Part 5 (sections 66 to 102) transposes the law enforcement Directive’s provisions in national law.
- Part 6 (sections 103 to 154) contains provisions dealing with enforcement of the obligations and rights set out in the GDPR and Directive by the Data Protection Commission. The intention is to ensure effective supervision and enforcement mechanisms, together with the necessary procedural and due process safeguards.
- Part 7 (sections 155 to 160) contains a number of miscellaneous provisions, mainly concerning the application of data protection rules to the courts and a number of related legal matters.
- Part 8 (sections 161 to 165) contains a limited number of consequential amendments to a number of Acts. At Committee Stage, I intend to table a very substantial amendment to this Part of the Bill in order to incorporate the necessary adjustments to a large number of other Acts of the Oireachtas that contain cross-references to the Data Protection Act 1988.
As regards substance, the updated Explanatory Memorandum that accompanies the Bill contains much detail, and I do not intend, therefore, to delve into all the Bill’s provisions. I want, however, to take the opportunity to highlight a number of issues, and to refer to Part 5, which transposes the law enforcement Directive into national law.
Repeal of Data Protection Act 1988
Sections 7 and 8 of the Bill contain provisions concerning the Data Protection Acts 1988 and 2003.
While Article 2.2(a) of the GDPR provides that its provisions do not apply to the processing of personal data in the course of an activity falling outside the scope of EU law, there has been considerable uncertainty about the scope of that exclusion in light of evolving Court of Justice case law. A detailed analysis of relevant case law by the Attorney General’s Office has concluded that this exclusion is essentially limited in practice to data processing in the context of national security, defence and the international relations of the State.
While national security and defence lie outside the scope of EU law, the Council of Europe’s 1981 Data Protection Convention (Convention 108) contains provisions that apply to data processing for these purposes. The process of updating and modernising this Convention is under way at present in Strasbourg, but that process has not concluded to date. Pending the updating of Convention 108, section 8 seeks to confine the scope of the Data Protection Act 1988 to data processing in the context of national security, defence and the international relations of the State. On completion of the updating process, it will be possible to update the content of this Act by means of amending legislation and to repeal the 1988 Act. All key data protection standards will then be found in a single consolidated Act.
Consistency mechanism (One-Stop-Shop)
The GDPR contains a ‘consistency mechanism’, or so-called ‘One-Stop-Shop’, which is intended to streamline the handling of data protection infringements and complaints across the EU. For this purpose, it employs the concept of a “lead” supervisory authority, i.e. the data protection authority of the Member State in which a controller’s “main” or only EU establishment is located. It means that complaints will be investigated by the data protection authority of that Member State irrespective of the Member State of origin of the complaint. It may request mutual assistance from other data protection authorities for investigation purposes, but the initial decision as to whether or not an infringement has occurred will be a matter for the lead supervisory authority.
Before arriving at any final decision in cross-border cases, the lead authority must submit a draft decision to the other data protection authorities that have an interest in the case, and must have regard to any objections received from them. If there are any remaining objections to a revised draft decision, it may trigger referral of the case to the European Data Protection Board – comprising representatives of all supervisory authorities – for a binding decision. The EDPB may take a binding decision by majority vote, which may or may not coincide with the (revised) draft decision of the lead supervisory authority.
This mechanism has, of course, a special significance for Ireland since many multinational companies that provide digital services across the EU and beyond have their headquarters here. This means that the Data Protection Commission and its handling of cross-border complaints will be the focus of particular and sustained attention across the EU.
This is the backdrop to the proposals in Part 2 of the Bill to establish a Data Protection Commission, with at least one but not more than three Commissioners. While there are no specific plans at present to increase the number of Commissioners, significant levels of additional financial and staffing resources have been allocated to the Data Protection Commissioner in recent years in order to prepare for the expected workload increases following entry into force of the GDPR and this legislation. Staff resources have trebled from 30 in 2013 to over 90 at present. Additional funding of €4 million in 2018 will bring the overall budget to about €11.7 million, and this will facilitate the recruitment of additional staff (bringing the total to about 140).
In order to underline and further enhance the independence of the Commission, as required by the GDPR and Court of Justice case law, the Commissioner will be the Accounting Officer of a separate financial Vote. This is covered in sections 25 and 165 respectively. Commencement of these provisions will take place when the necessary procedures for a separate Vote are in place.
Article 8 of the GDPR specifies a ‘digital age of consent’ of 16 years but allows Member States to lower it, though not below 13 years. It means that where information society services are offered directly to children, the processing of a child’s personal data will be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child. In such cases, the service provider must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child.
In late 2016, my Department launched a consultation process and invited submissions from interested parties on the ‘digital age of consent’ to apply in this jurisdiction under Article 8. The Government Data Forum, which brings together legal and data protection experts, business representatives from SMEs and multinationals, as well as sociologists, psychologists and education specialists, also carried out a consultation process. A majority of respondents – including the Ombudsman for Children's Office, the Internet Safety Advisory Committee and the Children's Rights Alliance – recommended setting the digital age of consent at 13 years. In June last, the Government approved an age limit of 13 years.
When appearing before the Joint Oireachtas Committee on Justice and Equality for the pre-legislative scrutiny of the General Scheme of the Bill in July last, the Special Rapporteur on Child Protection, Dr Geoffrey Shannon, also recommended setting the ‘digital age of consent’ at 13 years. This was adopted by the Committee in their Report published in November last.
This is the background to the Government’s decision to specify 13 years as the digital age of consent in section 30. As regards “preventative or counselling services” provided for children, subsection (2) clarifies that such services are excluded from the scope of Article 8. The legal advice available to the Department points to the risks of attempting any definition of such services. Any inadvertent exclusions could risk the termination of preventative or counselling services already being provided for the benefit of children under 13 years.
Arising from sincere and strongly-held concerns expressed during Seanad discussions on this matter, the Seanad accepted my proposal for a review clause and that is now contained in subsection (3). It means that the operation of this provision must be reviewed not later than 3 years after its coming into operation.
Section 29, which I also proposed for inclusion in the Bill during Seanad discussions, provides that references to “child” in the GDPR shall be taken to refer to a person under the age of 18 years. This is in line with the definition in Article 1 of the UN Convention on the Rights of the Child. This is important because the GDPR incorporates a number of enhanced protections for the personal data of children. These include the following:
- Article 6.1(f), which generally permits processing of personal data where necessary for the purposes of the “legitimate interests” of a controller, may not be relied upon where such interests are overridden by the interests or fundamental rights and freedoms of a data subject, in particular where the data subject is a child;
- Article 12 imposes high standards of transparency on controllers when providing information to data subjects, in particular for any information addressed to a child;
- Article 17 (Right to erasure) underlines the particular relevance of the right to erasure where processing is based on consent given when the data subject was a child and not, therefore, fully aware of the risks involved;
- Article 40 makes general provision for codes of conduct; specific mention is made to a possible code concerning the provision of information to, and the protection of, children, and the manner in which the consent of holders of parental responsibility over children is to be obtained for the purposes of Article 8;
- Article 57, which requires data protection authorities to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, states that activities addressed specifically to children must receive specific attention.
Arising from Seanad discussions, I proposed inclusion of section 31, which makes provision for the drawing up and implementation of codes of conduct intended to contribute to the proper application of the GDPR with regard to the protection of children, as permitted under Article 40 of the GDPR. Subsection (2) provides for consultations with relevant stakeholders, including children and bodies representing their interests, during that process. Section 32 is another new section, which makes specific provision for an enhanced “right to be forgotten” in the case of children in accordance with Article 17 of the GDPR.
Before concluding on the protection of children, I want to express support for the recommendation of the Joint Oireachtas Committee for consultations with children in relation to data protection measures. Article 57 of the GDPR requires data protection authorities such as the Data Protection Commission to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, and it states that activities addressed specifically to children must receive specific attention. Adequate consultation with children in relation to the content of such activities will be necessary and appropriate.
I also support the Committee’s recommendation that education programmes be implemented to assist children in exercising their data protection and digital rights. In this context, I want to draw attention to the Webwise initiative (webwise.ie) operated by the Professional Development Service for Teachers, which promotes online awareness and safety objectives. Furthermore, I am working with my colleagues, Ministers Bruton, Naughten and Zappone, on the development of a new framework for child safety online.
Restriction on controller obligations and exercise of data subject rights
Article 23 of the GDPR makes provision for possible restrictions on controller obligations and the exercise of data subject rights in order to safeguard important objectives of general public interest, some of which are set out in paragraph 1 of that Article. It specifies that such restrictions must comply with three conditions:
- they must be set out in a legislative measure;
- they must respect the essence of the fundamental rights and freedoms of individuals;
- they must not exceed what is necessary and proportionate in a democratic society.
The need to apply restrictions on the exercise of data subject rights might arise, for example, where a regulatory body such as the Legal Services Regulatory Authority or the Medical Council is examining a complaint of unfitness to practise or an allegation of improper conduct. It could also arise where the Health and Safety Authority is investigating a workplace accident. The objective in such cases is not permanently to set aside the data protection rights of the individuals concerned, but rather to protect the investigation or examination from access requests or requests for rectification or erasure of personal data so that the investigation or examination can be brought to a conclusion and appropriate action can be taken.
Section 57 of the Bill provides for proportionate restrictions in order to safeguard a range of important objectives of general public interest, such as avoiding obstructions to any official or legal enquiry, investigation or process. Such public interest objectives also include cabinet confidentiality, judicial independence, parliamentary privilege, and legal privilege.
Any such restrictions must be set out in law or in regulations under subsections (6), (7) and (8) and the regulations must comply with subsection (10), i.e. respect the essence of the right to data protection, and restrict exercise of data subjects’ rights only in so far as is necessary and proportionate in a democratic society. Similar safeguards apply in the case of restrictions on data subject rights under Part 5; these are provided for in section 92.
Article 57 of the GDPR confers a broad range of corrective powers and sanctions on the data protection authorities such as the Data Protection Commission. These range from issuing warnings or reprimands, to ordering public or private bodies to facilitate the exercise of data subject rights and to bring their data processing operations into line with data protection law. The Commission will also have the power to impose a temporary or permanent ban on non-compliant processing operations. Data transfers to third countries may also be suspended if data protection standards applicable there are considered inadequate by the EU. All of these corrective actions, including prohibition orders, apply equally to the public and private sectors.
Article 83 of the GDPR provides for the imposition of administrative fines for infringements. It states that each Member State may lay down the rules on whether and, if so, to what extent administrative fines may be imposed on public authorities and bodies. The Bill as initiated made provision for the imposition of administrative fines on public authorities and public bodies when acting as undertakings, i.e. providing goods or services for gain in competition with the private sector. However, arising from discussions in the Seanad, I tabled an amendment to section 139 and it now provides that administrative fines may also be imposed on public authorities and public bodies that are not acting as undertakings, but such fines shall not exceed €1 million.
This lower limit, which is compliant with the GDPR, should help to ensure that the imposition of a fine will not adversely impact on the provision of public services by the public authority or body concerned.
In order to ensure fair and equitable trading conditions, section 139 of the Bill provides that administrative fines may be imposed on public bodies when they act as “undertakings”, i.e. when they are providing goods or services for gain in competition with private bodies. This will ensure fair competition between the public and private sectors in the provision of goods and services.
Transposition of law enforcement Directive
Part 5 of the Bill – sections 66 to 102 – transposes the law enforcement Directive into national law. Chapter 1 contains relevant definitions (section 66) and outlines the scope of this Part (section 67). It applies to data processing carried out by public authorities and bodies for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security or the execution of criminal penalties. While it will apply in the main to bodies operating within the criminal justice system, its provisions will also apply to administrative bodies such as the Health and Safety Authority and to other authorities such as fire authorities when they are engaged in the investigation and prosecution of offences.
Chapter 2 contains provisions outlining the general principles of data protection (section 68), which are broadly similar to those in the GDPR; the need for adequate security measures (section 69); conditions applicable to the processing of special categories of personal data (section 70), and standards applicable to data quality (section 71).
Chapter 3 outlines the obligations on controllers and processors when acting within the scope of Part 5. These are broadly similar to obligations set out in Part 4 of the GDPR, including the need for appropriate security standards; reporting of data breaches to the Data Protection Commission; the need for contracts with processors; the carrying out of data protection impact assessments; and, in certain cases, mandatory consultation with the Data Protection Commission. Section 79 imposes a specific requirement on controllers and processors to create and maintain data logs, which must record consultation and disclosure of data in automated processing systems. All public authorities and bodies must designate a data protection officer.
Chapter 4 specifies the data protection rights of individuals: they include rights in relation to automated decision-making (section 87); the right to information (section 88); the right of access (section 89); the right to erasure and rectification of personal data (section 90). Section 92 outlines the grounds on which the exercise of data subject rights under this Part may be restricted in whole or in part. Where exercise of a data protection right is restricted, the data subject may seek indirect exercise of that right through the Data Protection Commission (section 93).
Supervision and enforcement
Part 6 of the Bill contains detailed provisions in relation to the supervision and enforcement of the GDPR and the data protection standards set out in Part 5 of this Bill. These include provisions for the handling of complaints received by the Commission, the carrying out of detailed investigations, and the imposition of sanctions.
I want to mention the Report on pre-legislative scrutiny of the draft Bill submitted by the Joint Committee on Justice and Equality. I want to thank the Joint Committee for their work and their recommendations, many of which have been taken on board in the Bill before us today. I also want to take this opportunity to thank all the other stakeholders for their inputs into preparation of the Bill.
Before concluding, I want to mention an amendment that I intend to bring forward at Committee Stage. Deputies will be aware that concerns have been raised that the GDPR and the Bill may impact in an adverse manner on the ability of elected representatives, including members of this House, to make representations on behalf of our constituents and carry out other aspects of their work as elected representatives. I can assure you that I intend to bring forward a Committee Stage amendment to ensure that there is an appropriate legal basis for inter alia the processing of personal data for the purposes of dealing with constituents’ representations and requests. This amendment is being finalised at present.
As I mentioned at the outset, this is a lengthy and complex Bill. That should not blind us, however, to its central purpose, which is to promote and facilitate exercise of our right as individuals to protection of our personal data and to increase our control over it and the uses to which it may be put. Article 8 of the EU Charter of Fundamental Rights provides simply that “Everyone has the right to protection of personal data concerning him or her.” The GDPR and this Bill seek to make that a reality.
I commend the Bill to the House.