State ‘on collision course’ with EU court over data sharing

Final submission to Oireachtas committee on proposed Bill to implement EU regulation

An example of the public services card.

An example of the public services card.

 

The State appears to be on a “collision course” with European law over its handling of major projects involving personal data, an Oireachtas committee has heard.

Pre-legislative scrutiny of the general scheme of the Data Protection Bill 2017 concluded at the Joint Committee on Justice and Equality on Wednesday.

The proposed legislation must be in place by May next year to give effect to the new European Union general data protection regulation and an associated directive on sharing data for law-enforcement purposes.

Legal experts have been making submissions to the committee over several sessions with a view to shaping the draft legislation. The office of the Data Protection Commissioner has also given its views.

Law lecturer and chair of Digital Rights Ireland (DRI) Dr TJ McIntyre, and the organisation’s solicitor Simon McGarr appeared before the committee on Wednesday.

Views

Independents 4 Change TD Mick Wallace asked the delegation’s views on a number of issues, including oversight of state surveillance, and the rollout of the public services card project here.

He also asked if the new legislation squared with the ongoing health identifiers project being rolled out by the Health Service Executive, which will assign each citizen a number that will track them “from birth to death”.

Mr McGarr said the card needed to be considered as part of the wider question of judgment by the Court of Justice of the European Union, known as the Bara judgment.

In that 2015 case, the Romanian government was found to have acted unlawfully by transferring a citizen’s personal data from one public body to another without notifying the citizen first.

Mr McGarr said the State had taken “a lot of concrete steps in recent years” to build not merely an ID database, of which the public services card was merely the physical manifestation, but also to build a series of national databases.

If it was the case that the legislation underpinning the health identifiers did not comply with European law following the Bara judgment, every single resident of the State would have a claim on the State if their rights had been breached, even if they had suffered no financial loss.

Fines

“I think that the risk that the IHI [Individual Health Identifier] database poses to the exchequer and also again to the relationship of trust between the State and its citizens is such that it would be very valuable for the matter to come under extremely close scrutiny between now and the implementation of the GDPR [General Data Protection Regulation] in May 2018,” Mr McGarr said.

Independents 4 Change TD Clare Daly said she believed Mr McGarr’s comments were a polite way of saying: “We’re on a collision course really and we’re out of kilter with the rest of Europe on some of these issues.”

DRI shared concerns also voiced by the Data Protection Commissioner that the proposed Bill would seek to exempt public bodies from substantial fines provided for in the regulation.

It suggested explicit recognition of the right to compensation for both material and non-material damages should be written into the Bill, and also said the Government should implement an option that would allow individuals nominate not-for-profit bodies to take a single action on their behalf where their data had been abused.