The Data Protection Bill and Data Sharing Bill

The Irish Government has this week published the draft of the Data Protection Bill 2018. This legislation purports to give effect to the General Data Protection Regulation, but it contains extensive carve outs and exemptions for Public Sector organisations and Public bodies, not least the proposal to exempt such organisations from the administrative fines proposed under the GDPR (see .

It also grants Minister’s powers that I can only term the “L’oreal approach”, because they seem to suggest Ministers can over-rule fundamental principles of EU jurisprudence in the area of Data Protection “because they’re worth it”,. The legislation seems to ignore the need to judge the necessity and proportionality of the measures (see Section 32 and Section 34 of the Bill). However, it is not the only piece of data management legislation in the Irish Government’s to-do list.

There is also the Data Sharing and Governance Bill which has been in incubation since 2014 and which we have commented on previously. This legislation purports to create an umbrella framework under which government agencies could share data about individuals without the need to consider primary legislation. When we reviewed the Data Sharing and Governance bill in 2014, we essentially commented that it was very heavy on the sharing and oddly light on the governance. Back then, there wasn’t even a definition of what they meant by “sharing” in the legislation.

There is a common thread in the development of both the Data Protection Bill and the Data Sharing and Governance Bill. In both cases, the views of the Data Protection Commissioner appear to have been largely ignored.

In the Data Protection Bill, the DPC has consistently objected to Public Bodies being exempted from administrative fines, and one would imagine they would have some concerns over the apparent curtailment of their independent powers under Section 104 of the Bill. They might also be concerned by the apparent lack of understanding in the Bill that the test in EU law is “necessary and proportionate”, not just “because we fell it is necessary”.

With the Data Sharing Bill, there was extensive and public disagreement at the Oireachtas Committee that heard briefings on the Data Sharing and Governance Bill between the Data Protection Commissioner and the Department of Justice about what the Bill actually was intended to do. The Department hold the view that it was an umbrella piece of legislation that would allow widespread data sharing without the need for specific primary legislation in the future, but rather ministerial orders or Statutory instruments would suffice. The Data Protection Commissioner hold the opposite view, that such an umbrella piece of legislation clashes with fundamental principles of data protection law.

So, what does this all mean? Well, the Irish Government appears to have decided to get around the Data Protection issues raised by the Data Sharing Bill to allow widespread data sharing by effectively gutting the GDPR in the context of Irish Public bodies and weakening the authority of the DPC. The DPC will have limited enforcement tools to use against Public Bodies.

• It means that, when push comes to shove, the Government will rely on a variant of the “L’Oreal” defence when considering the fundamental rights of individuals – less “because we’re worth it”, more “because you (or at least your rights) are worthless”.
• It means that charities providing services on behalf of the State could find themselves punished for doing things with the data of people that a State body has forced them to do under a Ministerial Order or on pain of being defunded which infringe the data privacy rights of those vulnerable people, resulting in enforcement action against the Charity. For simply trying to meet two conflicting obligations.
• It means that data will potentially move willy nilly between Government agencies with minimal oversight and control, and negligible sanctions where things go wrong.

To draw an analogy from the Hitchhiker’s Guide to the Galaxy, the interplay between the Data Protection Bill as drafted and the Data Sharing and Governance Bill as it is proposed will be akin to a Vogon Construction Fleet arriving at Planet Earth to destroy it to make way for the hyperspace route.

The plans and information will all have been on display somewhere and we citizens should have taken the time to go and find it out ourselves. There will be no consequence for the Vogon Captain/Government Minister/Civil Servant who decides to obliterate the planet to deliver on the planned route.

There are some significant missed opportunities in both pieces of legislation. But the sum of the parts is increasingly disconcerting and suggests that the Irish Government doesn’t *get* data protection and data management at a fundamental level.

Unlike the Planet Earth in the Hitchhiker’s Guide to the Galaxy, there are things that we can do now – contact your local TD and let them know you are concerned that the Government wants to give themselves extensive data sharing powers with one hand and remove constraint, restraint, and sanctions with the other.

That is not a good “Grand Bargain”, and the Infinite Improbability Drive tells us that inevitably there will be people hitchhiking to the CJEU to have these laws tested.