(The Irish Times) The State does not have a good reputation for data protection. In 2015 the former German federal commissioner for data protection, Peter Schaar, put it bluntly when telling the New York Times why internet businesses came to Dublin: “Of course Facebook would go to a country with the lowest levels of data protection. It’s natural they would choose Ireland.”
Unfortunately, the new Data Protection Bill 2018 will reinforce that view.
The Bill is needed to apply the EU General Data Protection Regulation (better known as the GDPR) in Ireland. The GDPR is a new EU law which aims to strengthen privacy rights for individuals. It applies throughout Europe, but needs national laws to give it full effect and allows member states flexibility in deciding how to apply it. The Department of Justice has taken every inch of that flexibility, and considerably more again, to produce a Bill which will undermine privacy rights in the Republic.
One example has already made headlines. The Bill proposes to exempt public bodies from fines for breaches of data protection rights, leaving no effective sanction for negligence or deliberate wrongdoing. This is directly contrary to the recommendation of the Data Protection commissioner, Helen Dixon, who has pointed out that higher standards should be expected from public bodies and the deterrent effect of the law will be lost if they are excluded.
Shortly before his retirement the last data protection commissioner, Billy Hawkes, said that senior management in State bodies had often shown “scant regard to their duty to safeguard the personal data entrusted to them”. It is unacceptable the Bill aims to take away the regulator’s teeth when it comes to those same bodies.
In addition to exempting public bodies from fines, the Bill in several places severely restricts the substance of individuals’ rights as against the State. For example, the Bill gives any government minister the power to make regulations limiting any data protection rights of the individual where this is deemed necessary for any “important objective of general public interest” – a vague term which is left deliberately open-ended.
In practice, this means that government departments will be the judges of what rights individuals should have against them and their agencies, without any need for legislation.
Another provision allows any personal data, collected for any reason, to be disclosed for the purposes of “preventing a threat to national security, defence or public security” or “preventing, investigating or prosecuting criminal offences”. There is no requirement for a warrant or other independent approval before this takes place, nor any test of proportionality.
The impact will inevitably be that individuals are denied a remedy in cases which don’t fit the regulator’s priorities
Will the citizen have an effective remedy against breaches of data protection rights? Under the current law there is a statutory right to have a complaint determined by the Data Protection commissioner. Under the Bill, however, this right is taken away – the regulator will be able to dismiss complaints without making a formal decision on them. The aim is to reduce the workload involved; but the impact will inevitably be that individuals are denied a remedy in cases which don’t fit the regulator’s priorities.
Several of these issues were flagged by the Oireachtas Joint Committee on Justice and Equality, which held extensive hearings on the Heads of Bill last summer and issued a cross-party report in November 2017. But that report has largely been ignored by the Department of Justice.
The Bill was introduced on January 30th and is being rushed through the Seanad and Dáil. The haste is understandable – the Bill must be passed by May 6th. But it is not an excuse to steamroller through bad law. The GDPR was finalised on April 27th 2016. The Department of Justice cannot rely on its own delay to avoid scrutiny.
This isn’t just a local issue that only affects Irish residents. Ireland’s data protection system will determine how most of the non-US world’s data is treated and whether individuals can have their rights vindicated.
The Irish government has spent much of the last four years trying to change the perception of Ireland as a soft touch when it comes to data protection. The Data Protection Commissioner has finally been given adequate funding and staff to carry out her functions. This Bill largely undoes that good work and if enacted as it stands will undermine Ireland’s reputation as a credible regulator.
Original article by TJ McIntyre on The Irish Times