It is a “serious matter of concern” that legislation proposed by the Government seeks to exempt public bodies from fines where they breach data protection rights, the Data Protection Commissioner has said.
Helen Dixon and two deputy data protection commissioners attended the Joint Oireachtas Committee on Justice and Equality on Wednesday for pre-legislative scrutiny of a new data protection Bill.
The general scheme of the Data Protection Bill 2017 outlines legislation that would give effect to the new EU General Data Protection Regulation (GDPR), as well as an EU directive on the sharing of personal data for law enforcement purposes.
Fines of up to €20 million or 4 per cent of annual worldwide turnover may be imposed on bodies that breach the regulation, depending on the circumstances.
The regulation, along with a new electronic privacy regulation protecting communications by phone, email and electronic means, will take effect across the union from May 25th next year.
Ms Dixon said that in general terms, her office welcomed the new legal regime for data protection law in Europe and the important additions to her "toolkit" as an enforcer.
“It’s undoubtedly the case that there will be investigations where a punitive fine is warranted in order to deter organisations from failing to invest in compliance and to deter them from creating risks for consumers and individuals,” she said.
The very purpose of punitive fines provided for in the new EU law was to act as a deterrent to all types of organisations, Ms Dixon said.
Her office saw “no basis on which public bodies or authorities would be excluded, particularly given that arguably higher standards in the protecting of fundamental rights are demanded of those entities”.
The heads of the Bill as published propose that public bodies would only be subject to administrative fines where they were acting as undertakings, namely where the services they were providing were in competition with other bodies in the private sector.
Ms Dixon said the workload proposed for the DPC in making assessments of whether public bodies were engaged in activities that would compete with the equivalent private sector bodies would take her office away from its substantive role in relation to data protection.
Her office, she said, occupied a "unique position" as a supervisory authority in Europe as its remit covered the largest global internet companies that had their European bases in Ireland.
A comprehensive toolkit as an enforcer was “a necessity”.
Ms Dixon noted the new EU regulation was intended to represent a “clean slate” with regard to data protection legislation in Europe, and yet there was no guarantee that the existing Irish data protection acts of 1988 and 2003 would be repealed.
She said her office considered that their retention, and a “patchwork presentation” of Irish law, ran the risk of creating legal uncertainty in terms of precisely which provisions of the law would apply, and in what circumstances, after May 2018.
The commissioner also raised an issue regarding the handling of complaints from individuals under the GDPR, noting it introduced changes in relation to the manner in which supervisory authorities must deal with complaints from individuals about alleged infringements of their rights. She said it was important to note in this context that the supervisory authority was required to investigate a complaint to the extent “appropriate”.
“Our aims in these circumstances will be to ensure that our resources are deployed in a way that maximises them, pursues investigations in cases of the most grave or enduring infringements on an objective and priority basis,” she said.
Independents 4 Change TDs Clare Daly and Mick Wallace raised concerns about Government projects such as Public Services Cards and Individual Health Identifiers and whether the manner in which they were being rolled out was compatible with EU law.
Seamus Carroll of the civil law reform division in the Department of Justice and Equality said he did not want to be drawn on the details of health legislation which was being considered separately.
But he said that for the future, there must be a lawful basis for the processing of personal data and there must also be “greatly increased transparency”.
Ms Dixon will address the Data Summit hosted by the Department of the Taoiseach at the Convention Centre in Dublin on Thursday morning.
It will be opened by newly elected Taoiseach Leo Varadkar, with an introduction by Minister for European Affairs, the EU Digital Single Market and Data Protection Dara Murphy.
The event spans Thursday and Friday and is supported by a range of partners, including all the main multinational data firms in Ireland, Enterprise Ireland, IDA Ireland, Science Foundation Ireland and the American Chamber of Commerce Ireland.