Saturday 21 October 2017

The State shouldn't get a free pass when Europe's data law comes into effect

Data Protection Commissioner Helen Dixon has described the public bodies exemption as a concern and said it would force her office to assess, in every case, whether a public body has private competition

TJ McIntyre

There are only 320 days to go; fewer if you subtract weekends and holidays. On May 25, 2018, the General Data Protection Regulation comes into effect.

This new European law, better known as the GDPR, will make fundamental changes to how our information is used and protected, giving greater rights to the individual and creating much more severe penalties for non-compliance.

This tight deadline creates severe pressures for businesses and other organisations such as charities which must completely review how they handle personal information by then.

Some are already in the process of doing this; the majority are scrambling to catch up.

Less obviously, it also puts the Irish State under significant time pressure.

Although the GDPR is a European law, parts of it require national legislation. The Department of Justice and Equality is responsible for preparing a Bill to give effect to the GDPR in Irish law.

That Bill must then pass the Dáil and Seanad to put in place a new legal framework for enforcement, including a restructured Data Protection Commission. All of this must be done in good time prior to May 2018 to enable planning for the transition.

So far, the Department has produced a draft Heads of Bill, and with commendable speed the Oireachtas Joint Committee on Justice and Equality has already held three hearings examining this draft.

Most of the draft is relatively technical and uncontroversial. But the hearings have exposed aspects which could significantly undermine the position of individuals against the State.

Earlier this week Digital Rights Ireland gave evidence to the Joint Committee about two of these issues.

The first is that the draft proposes to exempt public bodies from fines for breach of the GDPR. The argument for the exemption is that these fines would be circular - that they would merely shuffle money from one public fund into another public fund.

But this ignores the experience in the United Kingdom where fines have been an important deterrent, encouraging public bodies to improve their information security.

The exemption also gives the wrong impression - that the public sector is to be held to a lower standard than others.

And it would be practically unworkable: as a matter of law, one cannot have a situation where a public body such as a hospital is given preferential treatment over its private counterparts. The Data Protection Commissioner, Helen Dixon, has described the exemption as a serious concern and pointed out that it would create a real burden for her office by forcing it to assess, in every case, whether a public body has private competition.

The second issue with the draft is that it gives the power to any Minister to make regulations in any area restricting any individual rights on the basis that this is necessary for any "important objective of general public interest".

The effect of this is to create an open-ended power to limit the rights created by the GDPR on the basis of a ministerial signature only - with no requirement for any approval from the Dáil or Seanad.

There are, of course, situations where data protection rights should be restricted in the public interest. For example, the right to know what information is held about you does not apply where that would undermine a criminal investigation.

But until now those have almost always been provided for in primary legislation, subject to scrutiny by lawmakers.

An unconstrained power to make new restrictions will in practice mean government departments being the judge of what rights individuals should have against those departments and their agencies.

As with the proposed exemption from fines, the intention is that the state will receive more lenient treatment.

It is worth remembering that shortly before his retirement the last Data Protection Commissioner, Billy Hawkes, summed up his term in office by saying that public bodies had "in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them".

He said that "the state system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us" and that there was a need for "system-wide action" before "an inevitable crisis" was triggered.

Given this background, and the fact that the state holds so much data on us, it should be held to a higher, not a lower standard.

Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law, chair of Digital Rights Ireland and consultant with FP Logue Solicitors.

Irish Independent
