The Irish Data Protection Bill – Thoughts (part 1)

The Irish Government have published their Data Protection Bill 2018, which is intended to legislate for the areas of the General Data Protection Regulation (Regulation 2016/679/EU) which allow for Member States to define their own rules, and is also intended to transpose into Irish legislation the Data Protection Directive for Law Enforcement (Directive 2016/680/EU).

This should be a generally straightforward thing.

After all, the bulk of the GDPR has been democratically negotiated over the course of four years by the EU Commission, the EU Parliament, and the Council of Ministers. There are a few narrow areas for local variation in the GDPR (about 50), and there is a body of EU case law on the concepts of necessity and proportionality and the concept of subsidiarity of Member State law. And the Law Enforcement Directive is actually rather prescriptive of the things that Member States need to have in place in order to ensure law enforcement processes respect fundamental rights to data privacy.

So, how has the Irish Government performed so far in doing the relatively simple thing? Well, after 132 pages of rivetting reading (my third pass through at this stage), I am of the view that I will need to buy a cat so that I can find something practical to use the pile of litter tray liner I’ve just read through. As Simon McGarr has put it on Twitter:

Suddenly thinking about buying shares in LuxAir, the only provider of a direct flight from Dublin to the CJEU.

I see a major expansion in their future.

— Simon McGarr (@Tupp_Ed) February 9, 2018

Bluntly: if passed in its current form, the Data Protection Bill guts the Office of the Data Protection Commissioner, effectively strips citizens of their rights, creates a bizarre set of exemptions and exclusions from processing, and permits the processing of special categories of personal data for the purpose of “electoral activities”, a term that is helpfully NOT defined in the Bill, or in the Electoral Acts, or anywhere else for that matter (I know, we did a Privacy Impact Assessment for a political party a few years ago where we had to look at this… the ODPC was unwilling to push the question of definition then or provide any specific guidance, preferring to defer to an Oireachtas committee on electoral reform).

This is on top of the proposal (opposed by the ODPC, Digital Rights Ireland, and a range of sane people) to exempt Public Bodies from administrative sanctions under the GDPR. But just in case that doesn’t work:

• Section 34 proposes to introduce a “L’Oreal Defence” allowing Irish Govt to introduce any domestic law or ministerial function to overrule GDPR provisions and the Charter of Fundamental Rights, ignoring a massive body of CJEU case law on the concept of subsidiarity (as baked into Article 29 of the Irish Constitution)
• Section 42 allows for the processing of data relating to political opinions by political parties or candidates for elected office “in the course of electoral activities”. That term is not defined anywhere and, in light of the recent revelations around electoral intereference through analytics, this section needs to be significantly strengthened.
• Section 45 continues the trend of wanting to ignore wider CJEU jurisprudence and the existence of the Charter of Fundamental Rights. The absence of any requirement to ensure the necessity and proportionality of the measures being proposed. The section hangs its hat on the “necessity” portion, but blithely ignores the need for the measures to be proportionate or for any form of documented risk assessment or balancing test to be done. To put that in context, a private sector organisation that seeks to rely on “legitimate interests” will be required to have a documented balancing test completed as part of their data privacy governance, but the Government… nah. Just a bit of an auld law, and secondary legislation at that.
• Section 104(1) is another doozy. It basically says that the ODPC (the independent regulator that everyone is supposed to have a right to complain to when their rights are infringed) will have the option to do nothing in relation to a complaint. There are many who would argue that this is simply putting into law a practice that may or may not exist today. However, what it amounts to is the State legislating to allow compliants to be ignored.

With these sections, and the exemption from administrative fines proposed in the legislation, seems to be an attempt by the government to carve itself out of any meaningful liability or accountability for upholding data privacy rights and ensuring that those rights are upheld in the processing activities of public sector bodies.

This is legislation that the draft scheme of which was published in May of last year and which has done the rounds in Government Departments since for “observations”. Input from civic society organisations appears to have been ignored. As has, it seems, the fundamentals of EU law. And common sense.

Amendments have to be tabled by this coming Tuesday, so very little time to do anything at this stage. The need to have the legislation passed by the 6th of May further constrains the timeframe to fix the flaws in this deeply flawed Bill.

My sense is that this legislation, if enacted in its current form, will be a boon for lawyers and for LuxAir, but will be a bad thing for data subjects who will have their rights infringed and taxpayers who will foot the bill for any litigation against the State.

Next time I’ll try to find some good things in the draft Bill. (But I don’t hold out much hope).