Tuesday, 22 October 2002
Dáil Éireann Debate
The primary purpose of this Bill is to give effect to the provisions of Directive 95/46/EC of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It will do so by amending the Data Protection Act, 1988.
It is no exaggeration to say that globalisation and the development of information systems and technologies have a profound impact on the way we work and live today. One dimension of this process of change is reflected in the extent to which personal data are used increasingly for commercial, leisure and learning purposes. Another is the speed and ease with which such information can be processed, passed on to others or used for purposes for which it was never intended.
Mobility of data is, of course, beneficial in many ways but it is also true that recent developments have once again raised fears about a possible erosion of privacy and other fundamental personal rights. What is required, therefore, is an appropriate set of safeguards that protects the privacy interests of individuals while at the same time facilitating the processing of personal data for legitimate and beneficial uses.
Directive 95/46 sets data protection standards for the European Community to ensure a consistent level of protection across all member states. These standards are intended to facilitate and encourage the free movement of personal data in the Internal Market. The objective of this Bill is to transpose them into our domestic law. The Bill amends the Data Protection Act, 1988, which gave effect to the Council of Europe's 1981 Data Protection Convention. In particular, it specifies conditions for processing personal data, including more stringent conditions regarding “sensitive personal data”. It strengthens individuals' rights with regard to the processing of their personal data and extends data protection rules to certain categories of manual data. It sets out new rules governing the transfer of personal data to countries and territories outside the European economic area or EEA, that is, outside the EU member states, Iceland, Norway and Liechtenstein. The Bill also contains a number of amendments to the 1988 Act that are not directly related to the EU directive but are intended to improve the functioning of the Act.
It can be asked why it was considered necessary to adopt a data protection instrument at European Union level when all member states were already members of the Council of Europe and had ratified the convention. The answer is that the directive builds on the provisions of the convention but is a more extensive and detailed instrument. The aim is to ensure a common set of data protection standards with a view to improving the functioning of the Internal Market as well as promoting international flows of personal data. The additional features of the directive when compared with the convention include the following: it extends the mandatory application of data protection rules to certain categories of manual data; it establishes a right to object to the processing of personal data in certain cases, including where the data may be processed for the purposes of direct marketing; decisions based solely on automatic processing of data that have a legal effect or impact in a significant way on a data subject are prohibited; detailed provisions are set out relating to the conditions under which personal data may be transferred to countries and territories outside the European economic area; the supervisory authorities in each state are required to establish a system of “prior checking” of processing that may present specific risks to individuals' rights and freedoms; and the development of codes of practice is to be encouraged and facilitated.
Before moving on to deal with the detailed provisions, I will explain the situation regarding implementation of the directive. Measures to implement the directive were required to be in place by October 1998, with member states having a further three years to ensure full conformity with its provisions. I regret that transposition of the directive has been delayed. This was due to a combination of factors, including the need to consult widely, pressure of other work and, not least, the complexities arising in this particular context. I understand that Ireland is one of a number of member states that have experienced such difficulties.
However, many of the directive's provisions have been implemented in the Data Protection Act, 1988. These include provisions relating to the establishment of a supervisory authority; liability, remedies and sanctions; and codes of conduct. Moreover, on 19 December last the then Minister for Justice, Equality and Law Reform, Deputy O'Donoghue, signed the European Communities (Data Protection) Regulations, 2001. These regulations, which entered into force on 1 April last, give effect to certain additional provisions of the directive.
The regulations are an interim measure pending enactment of the Bill. They deal in particular with transfers of personal data to countries and territories outside the European economic area. In short, they provide that such transfers may only take place where adequate standards of data protection are deemed to exist.
Regarding the detail of the Bill, following publication of the Bill and its passage through the Seanad earlier this year, a number of concerns have been raised with the Department. Submissions and representations have been received from several sources proposing or suggesting possible amendments. Having reflected on these matters, while bearing in mind that the primary purpose of the Bill is to give effect to the EU directive, I will be bringing forward a number of amendments on Committee Stage and I will refer briefly to some of these when I come to the sections concerned.
Section 2 of the Bill amends section 1 of the 1988 Act in several important respects. In the first place, it adds several new definitions, including “automated data”, “manual data” and “sensitive personal data”, while replacing certain existing definitions, including “personal data” and “processing”. For data protection purposes, “manual data” is defined in the Bill as information that is recorded as part of a “relevant filing system”. The latter is defined in turn as any set of information relating to individuals that is structured by reference to individuals or criteria relating to individuals, in such a way that specific information in relation to a particular individual is readily accessible. This means that for data protection provisions to apply, data processed manually must comply with the following four criteria. The personal data must be part of a set; the set must be structured; the structure must refer to individuals or to criteria relating to individuals; and specific information relating to a particular individual must be readily accessible. If any of these criteria is not met, the manually processed data concerned will not be covered. This is in line with the directive's provisions.
“Personal data” is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The Department's consultation process revealed no demand to extend data protection coverage to deceased persons, which appears to be possible under the directive, and it has been decided, therefore, to retain the existing 1988 provision which refers to living persons only. The reference to other information that is in, or likely to come into, the possession of the data controller is designed to cover categories of data – lists of identity or registration numbers, perhaps – that could be processed with the aid of a decoding key.
The new definition of “processing” set out in this section is not based on technical or technological processes but encompasses a broad range of functions such as the collection, recording, storage, retrieval, etc. of data. This section is also important in so far as it clarifies the scope of data protection law in line with the provisions of Article 4 of the directive. A new subsection, 3B, to be inserted in the 1988 Act provides that it will apply to data controllers established in the State who process data in the context of that establishment and to data controllers who are neither established in the State nor within the EEA, but who make use of equipment located in the State for processing purposes. Section 23 of the 1988 Act is being repealed as a consequence of the new provisions. These two provisions – addition of the new subsection 3B and the repeal of section 23 – have been given effect in the regulations that I mentioned earlier which took effect on 1 April last.
In the new subsection 3C an exemption from data protection rules is provided for in cases where data is processed solely for the purpose of historical research. This complements the exemptions already provided for in the existing subsection (4). Subsection (4)(b) contains an exemption for personal data consisting of information that the person keeping the data is required by law to make available to the public. The Bill proposes to insert a new subsection (5) which would mean that this exemption would not apply where such data are processed for a purpose other than the purpose for which they were collected. Since the Bill was considered in the Seanad, concerns have been expressed that this new provision could unintentionally restrict the use of certain information in a manner that would not serve the public interest, for example, in the area of company law. I intend to introduce an amendment on Committee Stage to address this problem.
The collection, processing, keeping, use and disclosure of personal data is dealt with in section 3, which amends section 2 of the 1988 Act. In particular, it replaces subsection (1) with a restatement of data protection principles as enunciated in Article 6 of the directive. Exemptions from certain principles for personal data used for statistical, research or other scientific purposes are retained but may be made subject to prescribed requirements.
The text of the existing subsection (7), which deals with direct marketing, is to be replaced with a new text that will allow a person, in accordance with Article 14(b) of the directive, to request a data controller, prior to processing, not to process personal data for the purpose of direct marketing. A new subsection (8) provides that individuals must be informed of their right to object. These provisions are not intended to discourage the practice of responsible direct marketing, which is an important commercial activity, but rather to raise awareness of the right, and give individuals the opportunity, to opt out of receiving direct marketing material if they so wish.
Section 4 is a substantial provision and it inserts no less than four new sections, sections 2A to 2D, into the 1988 Act. The new section 2A deals with the processing of non-sensitive personal data and takes account of the provisions of Article 7 of the directive. It provides that, subject to satisfying the conditions set out in section 2, personal data can only be processed where one of the listed conditions is satisfied.
The new section 2A provides that, subject to satisfying the conditions set out in section 2, personal data can only be processed where one of the listed conditions is satisfied. I will not enter into the detail of these conditions except to say that the main condition is that the data subject has given his or her consent to the processing concerned. The text of the Bill requires explicit consent on the part of the data subject. A number of representations have been received by the Department, including from the direct marketing industry, pointing out that requiring explicit consent in the case of non-sensitive data goes beyond what is required by the directive and suggesting that the Bill be amended. Having reflected further on this, I accept that the directive does not require explicit consent in relation to non-sensitive data and I will be introducing an appropriate amendment on Committee Stage.
The new section 2B deals with the processing of a new category of “sensitive personal data” which is defined earlier. Processing of this data will in future be subject to more stringent conditions in accordance with Article 8 of the directive. It provides for a prohibition on the processing of such data except where, in addition to satisfying the conditions set out in sections 2 and 2A, one of an additional set of listed conditions is also met. The giving of explicit consent is one of these conditions.
The new section 2C deals with the security of processing operations, as set out in Article 17 of the directive, and it provides that data controllers must implement appropriate measures to protect personal data and such measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. The security obligation also extends to any person in the employment of the data controller or indeed anyone else who has access to the workplace. The provisions of this new section have also been given effect in the regulations that I mentioned earlier.
Section 2D takes account of the provisions of Articles 10 and 11 of the directive and it provides that personal data will not be treated as having been processed fairly unless, when personal data is obtained, the data subject is provided with certain information, including: where data are obtained directly from the data subject, the identity of the data controller and the purposes for which the data will be processed; where the data come from a source other than the data subject, the name of the original data controller. There are important exemptions included here which mean, for instance, that the obligation to inform does not apply when data are processed for statistical, historical or scientific purposes where the provision of such information would involve disproportionate effort or where the information is required by law.
The important right set out in section 3 of the 1988 Act, the right to establish the existence of data, remains unchanged. However, section 5 of the Bill strengthens the right of access provisions set out in section 4 of the 1988 Act. The new text of subsection (1) builds on the current provisions by providing, in line with the terms of Article 12 of the directive, that where an access request is made under the Act, the applicant must be provided with certain additional information such as the source of the data and the purpose of the processing. My Department has become aware recently of concerns that the disclosure of the data source could in certain circumstances run counter to the public interest. This matter is being examined at present and I may wish to table an amendment that addresses this issue on Committee Stage.
I wish to mention the new subsection (13) which is not related to the directive. It will in future prohibit a person, in connection with the employment of another person, the continued employment of another person, or a contract for the provision of services to him or her by another person, from requiring that person to make an access request under section 4 of the Act or from supplying him or her with personal data obtained on foot of such an access request. This amendment is intended to prevent a type of abuse, known as enforced subject access, that has arisen in relation to employment under the current right-of-access provisions.
Concerns have been expressed that in the absence of a comprehensive and fully-functioning vetting system, an existing, albeit imperfect, mechanism would no longer be available to employers in sensitive areas. I am reflecting at present on how best to deal with this with a view to addressing it on Committee Stage.
Section 6 takes account of Article 12(c) of the directive and amends the 1988 Act to give persons an additional right to have incorrect or inaccurate data “blocked”, that is, marked in such a way that it is not possible to process it for purposes in relation to which it is marked. This new provision will supplement the existing rights to have data rectified or erased. It also provides that where data have been blocked, there is a requirement to notify any person to whom that data were disclosed in the previous 12 months unless such notification proves impossible or involves disproportionate effort.
Section 7 inserts two new provisions into the 1988 Act to take account of Articles 14 and 15 of the directive. The first of these is a new section 6A which extends a person's right to object to the processing of personal data relating to him or her where the processing of such data is considered necessary for the performance of a task carried out in the public interest or where the processing is for the purposes of the legitimate interests of the controller. However, the objection must be on compelling legitimate grounds and the right to object will not apply in certain circumstances set out in the section.
The second provision, a new section 6B, provides for a general ban on decision-making that is based solely on automated processing of data intended to evaluate certain personal aspects where such a decision produces legal effects concerning a person, or otherwise significantly affects a person except in the circumstances outlined in that section and where suitable safeguards to protect the person's legitimate interests are in place.
In section 8, the Bill provides for certain additional functions for the Data Protection Commissioner. In future, the commissioner will be the supervisory authority for the purposes of the directive and will be responsible for the dissemination of information on Union findings relating to the adequacy of data protection rules in countries and territories outside the EEA. The commissioner will also be required to perform functions in relation to data protection that the Minister may confer on him or her and which would enable the Government to give effect to international obligations of the State. The commissioner will have a monitoring role for the purposes of Council Regulation 2725 of 2000.
Section 9 amends section 10 of the 1988 Act to bring it into line with current practice as it has evolved since the entry into force of the 1988 Act. It recognises the possibility that complaints between parties may be resolved in an amicable way and that in such cases no further action by the Data Protection Commissioner may be necessary. An important new provision in the Bill will allow the Data Protection Commissioner to monitor the application of the directive. This proactive role will complement existing functions such as providing advice and dealing with complaints.
One of the key sections of the Bill is section 10, which takes account of the provisions of Articles 25 and 26 of the directive. It deals with restrictions on the transfer of personal data to countries and territories outside the EEA and replaces in its entirety section 11 of the 1988 Act. Almost all this section has been given effect in the regulations that came into force on 1 April 2002.
The new section 11 provides that a transfer of personal data to a country or territory outside the EEA may not take place unless an adequate level of protection is deemed to exist. Subsection (1) lists the factors to be taken into account in any assessment of adequacy.
The Data Protection Commissioner is required to inform the European Commission and other member states of any case where he or she considers that a country or territory outside the EEA does not ensure an adequate level of protection. However, where the European Commission makes a Union finding in accordance with the decision-making procedures set out in the directive in relation to whether an adequate level of protection is ensured in such a country or territory outside the European economic area, that decision must be complied with.
Commission decisions have been adopted recognising the adequacy of the data protection rules in Switzerland and Hungary. These countries are considered as having an adequate level of protection for personal data transferred from the member states. More recently, a Commission decision has been made in relation to Canada that covers transfers of personal data to recipients that are subject to the Canadian Personal Information and Electronic Documents Act.
As regards the United States, following protracted negotiations between the European Commission and the US authorities, a Commission decision recognising the adequacy of protection provided by a set of safe harbour privacy principles has been adopted. Personal data may, therefore, be transferred to organisations which have unambiguously and publicly disclosed their commitment to comply with these principles and are subject to the statutory powers of a US Government body empowered to investigate complaints and obtain relief against unfair or deceptive practices as well as redress for individuals.
There are circumstances in which transfers of personal data to countries and territories outside the EEA may take place without Community findings in relation to the adequacy of the data protection arrangements. These are set out in the new subsection (4).
The Data Protection Commissioner must also comply with any Commission decisions that certain contractual clauses offer sufficient safeguards for the transfer of personal data. Two such decisions have been taken to date. A decision dated 15 June 2001 contains a set of standard contractual clauses for general use while a decision dated 27 December 2001 contains a set of contractual clauses adapted to cover transfers to data processors located outside the EEA.
Before moving on from this section, I draw attention to an important provision in subsection (6) which provides that where personal data are transferred with the protection of contractual clauses, the person to whom the data relates shall have the right to enforce the terms of that contract as if he or she were a party to it. Subsections (7) to (15) re-enact provisions of the 1988 Act and allow the Data Protection Commissioner to prohibit a transfer of data to a place outside the State and set out the administrative procedures to be followed in connection with such a prohibition. In determining whether to prohibit a transfer of personal data, the commissioner must, as heretofore, also have regard to the desirability of facilitating international transfers of data.
Section 11 provides for the insertion of a new section 12A in the 1988 Act. Taking account of Article 20 of the directive, it makes provision for a system of prior checking by the Data Protection Commissioner of processing operations likely to present specific risks. A processing operation which is the subject of a prior check may not take place until the checking procedure has been completed. An appeal can be made against the result of any such prior check.
While the 1988 Act already contains provisions relating to codes of practice, section 12 amends these provisions in order to take account of Article 27 of the directive. The revised provisions will allow the Data Protection Commissioner to consider, and approve as appropriate, draft codes of practice submitted by trade associations or other bodies representing categories of data controllers or to prepare such codes in consultation with relevant interests. A new subsection (6) provides that approved codes of practice may be taken into account by the courts in relation to the settlement of disputes.
Section 14 contains another amendment of the 1988 Act. While extending current registration requirements, it also makes provision for exemptions – for example, where the sole purpose of processing is the keeping of a register intended to provide information for the public and which is open to consultation or where the processing is carried out by a non-profit seeking body in relation to the members of the body or those who have regular contact with it.
Certain categories of data processing may also be specifically exempted from registration requirements by means of regulations where the processing in question is unlikely to affect the rights and freedoms of data subjects. These categories will be prescribed by regulations.
Concerns have been expressed concerning the proposed extension of registration requirements and the burdens that this might entail. I will reflect further on this aspect also in advance of Committee Stage.
Section 18 contains another important set of provisions that have regard to the special importance of the public interest in freedom of speech. A new section 22A to be inserted in the 1988 Act provides that personal data processed only for the purposes of journalism or artistic or literary purposes will be exempt from certain provisions of the Act once such processing is either undertaken solely with a view to the publication of any journalistic, literary or artistic material or the data controller believes that such publication would be in the public interest and where the data controller believes that compliance with these provisions would be incompatible with journalistic, artistic or literary purposes.
The provisions in the Act referred to here include the sections that deal with processing of personal data; processing of sensitive personal data; fair processing of data; right of access; right to rectification; right to object; and restrictions on decisions based on automatic processing. The possibility of developing codes of practice under section 13 of the Act for approval by the Data Protection Commissioner is referred to in subsection (3). Such a code could set out guidelines for determining whether publication of material would be in the public interest.
In accordance with Article 32 of the directive, automated data will be brought into conformity with the Act two months from the date of its passing. Manual data will come within the scope of the Act at the same time, with one important exception. Manual data already held in filing systems need not be brought into conformity with sections 2, 2A and 2B of the Act – that is, corresponding Articles 6, 7 and 8 of the directive – until 24 October 2007. However, the right of rectification, erasure or blocking of data that are incomplete, inaccurate or stored in a way that is incompatible with the legitimate purposes pursued by the data controller will apply progressively to such manual data during that period, in particular when a person makes an access request under section 4 of the Act.
The Bill is designed to bring our domestic data protection law into line with the requirements of the EU directive and to make certain improvements to existing arrangements in the light of experience gained since 1988. In doing so, it seeks to establish an appropriate balance between the protection of the privacy of data subjects, the public interest and the need to facilitate the international flows of data that are an essential feature of today's information society. Providing protection for personal data in this way will encourage greater support for and participation in efforts to reap the full benefits of the information society, whether by way of e-commerce or e-government.
Since they build on the existing data protection infrastructure established under the 1988 Act, the additional requirements in the Bill should not involve or impose undue additional burdens. Neither should they serve to unnecessarily restrict transfers of personal data to destinations within the State, nor to destinations outside the European economic area. On the contrary, the enactment of the Bill will ensure that agreed European Community level standards of data protection will operate here to the benefit of individuals, commercial and other interests and international operators.
This is a technical Bill and there may be aspects which Deputies may wish to have clarified. If so, I shall endeavour to do so when replying today or on Committee Stage. Careful consideration will be given to questions raised or suggestions made during our debate today while bearing in mind that the primary purpose of the Bill is to give effect to the provisions of a European Community directive. I commend the Bill to the House.
Mr. Deasy: I agree with the Minister of State in regard to the technical aspects of this Bill. Some of us would agree it is better to deal with this Bill in committee in that there are many aspects to it which should be dealt with in that way and which will not be sorted out in the House today.
I welcome the Bill which is touted as one which enhances fundamental rights and freedoms of individuals in the State, but wonder if there is a glaring contradiction. Some have raised concerns that the Bill gives security forces and surveillance agencies, in particular, a back door to data and information assembled, not only in this country, but also throughout Europe. It is right for people to object to the processing of data if it causes them distress and the Bill strengthens the position in that it carries conditions for the processing of personal data. It also limits the use of automated decision-making in that computers will be limited in making important decisions about people. Spam e-mails are increasingly destructive as are viruses. I understand it costs the European Union somewhere in the region of €10 billion to deal with this issue.
While there are good aspects to the Bill, there are questions which arise. The question of how the legislation will affect CCTV has arisen. If there is a CCTV camera in a washroom, for example, and a tape is made, that tape will be put on file after a certain length of time. Is it right for an employee to feel aggrieved if a tape is made of their movements in a washroom? Would they have the right to sue as a result? That is a concern which has been raised by the public.
Most of the concerns have centred around e-commerce. This country has strong privacy laws in regard to data, but will this legislation allow secret surveillance of e-mails and Internet and telephone usage? Will this legislation outweigh the State's very strong e-commerce laws? Our laws strongly favour encryption and many e-commerce businesses come to the country for that reason. Many are US companies which are pioneering in this area, and they have raised concerns as to whether this legislation will weaken existing laws.
Many Internet service providers and phone companies will have to keep data on subjects and people, for years in some cases. I understand we are living in a new world after 11 September, but I am not so sure that people in this country understand the almost Orwellian aspects of this Bill, or how much of their private data will be subject to surveillance as a result of its passage. Has the Government really considered the ramifications for the e-commerce industry?
I would also like to raise the issue of the Data Protection Commissioner. As I understand it, the legislation would allow data flows outside the EU. At present the Data Protection Commissioner is able to prohibit a transfer of data to a country the EU deems unsuitable. Would that change under this legislation? Even if the commissioner felt a country was not suitable, would he be mandated under this legislation to allow the transfer of data? That is another concern being raised.
The main conflict here is between the touting of this legislation as increasing the fundamental rights of people as they relate to private data, and the fact that people have raised concerns that this would allow a back door to security services to look at every piece of private data available on them. The European cyber-crime convention monitors the online activities of citizens, partly because of the threat of global terrorism, but we also have to take into consideration our e-commerce laws and how this would affect them. We must consider how it would affect the Electronic Commerce Act, 2000, which is intended to give Ireland a competitive advantage in e-commerce by strictly protecting the privacy of encrypted data and Internet communications.
These questions have not been answered fully. I understand this is a directive and that we are one of the last two countries in Europe to deal with it, but some of the more intricate parts of this Bill need to be explained more in terms of how they affect ordinary citizens, which has not happened so far.
Aengus Ó Snodaigh: I would like to share my time with Deputy Cuffe and Deputy Gregory. The growth and power of new technology, computer technology in particular, add to the understandable concern raised by the public about the right to privacy and the fear the public has that information about them will end up in the wrong place. The pace of technological development is far ahead of the parliamentary process, no matter how efficient it is. Although I am concerned about some provisions in the Bill, I recognise that it is a serious attempt to address data protection from 1988 onwards.
The Bill begins by introducing certain new definitions and altering older ones. The range of subjects classed as sensitive personal data needs to be broadened further. I am puzzled as to why there is a division of data into personal and sensitive categories. Financial details such as bank records, credit ratings and purchasing patterns do not seem to be considered sensitive under this definition, but I think the Minister would agree that the vast majority of people would certainly see information about their household budgets or spending habits as both sensitive and personal. I therefore ask the Minister to consider amending the Bill on Committee Stage in order to correct what I assume is an oversight.
While the definition of sensitive personal data is not wide enough, a broad array of powers are drawn up in section 4 dealing with the processing of both personal data and sensitive personal data. Elements of this section allow for the data to be processed without the permission of the subject in a wide variety of cases. The Bill would waive the consent requirement designed to prevent injury to a subject where obtaining the subject's permission would cause injury to the subject's interests. This seems a most bizarre idea. In what circumstances could obtaining a person's permission damage the person's interests? It needs to be more specific.
This is just one part of section 4 with which I have problems. Other circumstances in which the right to consent is eliminated are all too broad and ill-defined, such as “for the administration of justice” or “for the performance of any other function of a public nature performed in the public interest by a person.” I want to see these definitions made more specific on Committee Stage so that the legislation can give better direction.
Section 6 of the Data Protection Act, 1988, required the data controller to contact any person on whom data was disclosed in the previous 12 months to inform them that the data had been modified or erased at the request of the individual concerned. This was an important protection for the rights of the individual, making it less likely that false information would be in circulation, but the Bill before the House changes this, allowing the data controller to shirk responsibilities. The Bill states it is not necessary for him or her to do so if it would require “disproportionate effort.” This is another extremely vague term which could be subject to very wide and differing interpretations. It undermines the very concept of the right to rectification or amendment of data as it opens the possibility of inaccurate and misleading data being allowed to circulate. This is another area where the definition could be further specified on Committee Stage.
Regarding section 7 which deals with the rights of data subjects, I welcome many of the proposed changes allowing individuals to prevent people processing data or information on them where it might be harmful to them. However, subsection (3) states that this right is lost once the explicit consent of an individual has been granted.
Is there not a chance that a person might change his mind after having previously given consent? It is necessary to ensure that he can do this and that responsibility is placed on the data controller in this regard. I do not wish to be entirely negative about the Bill before us. It is important that the right to privacy has been added to, and I welcome those aspects of the Bill. The right to privacy is a fundamental right, as is being able to have control over the information available about us, to be able to access it and to change it if necessary in order to correct it. The Government needs to give citizens this right and to protect it. United States Supreme Court Justice Louis Dembitz Brandeis said, “Privacy is the most comprehensive of all rights and the right most cherished by citizens of a free nation”.
I strongly welcome the elements of this legislation which give greater power to the data commissioner and put greater and stricter controls on data retention processing and security. Indeed I hope the Data Protection Commissioner will go further in educating the public about their rights in this area and about the modes of redress available under the law.
People need to understand their rights in order to exercise them. I hope the few concerns I have raised will be dealt with on Committee and Remaining Stages and that the Bill will not be rushed through as in the Seanad. Full protection of the right to privacy is a serious matter and deserves adequate deliberation to ensure it is exactly right in the legislation.
I note from the legislative programme published several weeks ago that the Government plans to introduce the Telecommunications Retention of Traffic Data Bill in 2003. This planned data retention Bill will undermine many of the necessary protections provided for in the Data Protection (Amendment) Bill which is before the House. The data retention Bill will oblige licensed operators to retain records of traffic data for specific periods as necessitated by the terms of an EU directive. All telecommunications companies, including mobile and Internet service providers, will be compelled to retain records of personal communications including all telephone calls, faxes, e-mails and website visits and not just for billing purposes as at present. Under an EU directive, this information, known as traffic data, will be centralised and made available to all EU governments for surveillance purposes. Authorities will not need a warrant to get this information. This is a move away from targeted surveillance to universal surveillance and as such represents a violation of protected rights. This is what the planned data retention Bill will import into Irish law. I submit that this cannot but undermine the rights of Irish citizens that the Data Protection (Amendment) Bill seeks to defend.
Given all the fine words spoken about protecting the right to privacy and given the stated opposition of the data protection commissioner and civil rights groups to that EU directive, I am astounded the Government has acquiesced to bring this contradictory legislation forward so quickly. I am astounded also that only one Irish MEP, Nuala Ahern, voted against this EU directive. That is a disgrace.
Mr. Cuffe: When I look at a Bill that comes before the House I often find it confusing and difficult to fathom its detail. Then, with a touch of relief I pick up the explanatory and financial memorandum which gives me a precise and clear understanding of the issues involved. Regrettably, on this occasion, I am still slightly perplexed as to the exact requirements and details of the Bill before the House. As the previous speaker pointed out, my colleague, Nuala Ahern, in the European Parliament, voted against the EU directive. She did so for very real concerns that the State, the European Commission and other bodies are assuming widespread powers once they begin to regulate the flow of electronic information. There are circumstances where it is necessary to regulate, intervene, intercept and look in detail at electronic information flows but I am not convinced that the Bill, as drafted, is the perfect medium for doing so. To begin with, the general public, the users of services, need to have a plain language explanation of what is going on when electronic information is being sorted, collated or stored. The recent example where the Bank of Ireland said it would store data on us centrally and would pool the various information  made available to it about its account holders was a classic example of a failure to communicate in plain English about the use of information. I certainly found confusing the small leaflet which came from one of our larger banks. On the second reading it became even more confusing. When an elderly relative rang and asked if I could explain it to her, I was unable to do so. In this new world of greater electronic information there is a need for clear explanations as to what is being done with this information.
Much stronger protection is needed. Protection is needed particularly for the weaker in society who are often vulnerable in regard to the use and possibly the abuse of information. I am concerned at the staff resources that will be needed. I note that in 1989 the Data Protection Commissioner had eight full time staff. As I understand it, today the commissioner has seven full time staff. There is an immediate and pressing issue regarding finance and staff for the data protection commissioner to satisfactorily perform his duties. Unless this issue is addressed there is little hope of the Bill being used effectively.
I am concerned about how it will apply to telecom authorities. In recent years, there have been examples of increased usage of electronic information by the law enforcement agencies and a successful use in regard to apprehending criminals and obtaining convictions. As consumers of these services we need to know in plain English what is going on. Who will store this information? Why is it being stored and what is it intended to do with it? It is important that this information is made available in clear language.
Other Members raised the issue of the use of closed circuit television cameras. I am concerned at the way in which that information might be used. Members of the public, walking on the streets of our towns and cities, are often monitored by Garda closed circuit television but we cannot automatically obtain the necessary information to know what is being done with the footage, whether it is being stored, who is looking at it or whether it is being used. It is important that strict controls are put in place. I understand that the local authority cameras used by the Garda in central Dublin can be looked at not only by the local authority, Dublin City Council and the Garda Síochána, but they can be used by CIE, Dublin Bus, who can control the cameras, zoom in and focus on particular events as they take place. It is important that the public is aware of this. It is important also that there are clear criteria regarding its use.
My party believes it is important that the consumer knows what is intended and what the data will be used for. Further information is needed to ensure the rights of consumers and that the general public are protected. We need this information from the Irish authorities and also from those who are using data at European level; we need to look at their motives for using such data.
My party will oppose the Bill. We need a clearer explanation of the issues raised and need to know that the genuine concerns of members of the public are being dealt with through the new legislation.
Mr. Gregory: I admit I lack the expertise to fully appraise the Bill and do not make any bones about stating that. Whether we are in favour of the bulk of the Bill or against it, as the Green Party is, there is no doubt but that it is a timely measure. The Bill confronts a matter that is highly complex and unfamiliar to many and I count myself among those. An EU directive which aims to establish standard levels for the protection of personal data has been in place since 1995. This Bill, with its comprehensive provisions, attempts to meet the requirements of that directive. In that context I take this opportunity to state my approval of the creation of the Information Society Commission in November of last year because it demonstrates our commitment to issues that are relative newcomers in terms of State responsibility. No longer is it appropriate to leave issues relating to the technology revolution strictly to the experts. Much of what is contained in this Bill is one of what I expect will be many steps the Government will take to meet the challenges of such a dramatic transformation in our everyday lives. Though the State has been criticised for its delay in following through with the EU data protection directive, the intervening time has brought with it experience that should enhance the value of this legislation.
One notable change in the climate surrounding questions of technology is the increased level of public awareness and interest. We are all aware of the overwhelmingly technical nature of such legislation but we must be mindful of the impact it will have on citizens throughout the State. It is only in the past several years that members of the public, as they continue to discover the conveniences afforded by new technology, have also developed a sensitivity towards issues of privacy and personal rights. Undoubtedly, these concerns have rendered many people reluctant to make the transition to e-commerce, e-banking and such like and it is vital, therefore, that the Government should not only maintain an active role in regulating information technology but also attempt to keep individuals informed of their rights in regard to personal data.
Following my initial reading of the Bill, I believe with some reservations, that it may strike a fair balance between personal rights and the public good. On the subject of direct marketing, for example, the Bill requires that individuals be informed of their prerogative to keep their personal data from being abused. It is important that provisions such as these set the tone in what is described as the age of Big Brother. Individuals must retain a sense of control in the face of often mind-boggling technology that permits the rapid transmission of information on a global scale. The Bill encourages that feeling of individual security  and encourages the use of personal data in ways that benefit both the individual and society.
The Bill promises to reconcile the need to safeguard the individual while promoting free exchange of data for approved purposes, but the practical implications have not been fully tested. The State must remain vigilant on behalf of personal rights as these issues are explored in the future. I trust we will never go down the road of what I understand to be current practice in the United States where personal details can be bought and sold. In that context, the one element of the Bill that causes me great concern is the transfer of data to non-EU countries, including the United States. I am sure the Minister, when considering the contributions to the debate on the Bill, will respond to that concern. I am aware it has been referred to in some detail in the contributions on the Bill in the Seanad and I trust the Minister has taken note of those remarks.
Regardless of where technology takes us from here, the Bill will provide the State with the means to gain public trust in this technology. By bringing us into line with the EU, the Bill will also help to restore popular faith in information technology, some of which was called into question after last year's dotcom meltdown. We should view this legislation as a restatement of the Government's interest in the future of technology, to which its pioneering work in areas such as e-government is testament. Our enthusiasm for remaining on the front lines of technological developments might have visibly wavered following the wake-up call delivered by the failure of several key dotcom enterprises, but the debate on this Bill has proved that matters of technological relevance are as pressing today as they were before the losses suffered that year.
The language of technology might be unfamiliar to some but we can all appreciate the beneficial effects some aspects of the Bill will have on a society that is increasingly reliant on this technology. While dedicated data protection commissioners have been in place since the 1988 Act, the update of the existing legislation to European Union standards signals our renewed interest in information technology. Popular awareness and confidence are what we have to gain by raising the standards set by the 1988 Act. Our transformation to an Internet dependent society is not yet complete but it has reached the stage where the public will also welcome the proposed amendments in this Bill.
Mr. Rabbitte: As I understand it, the transposition of directive 95/46/EC is a number of years late although, given its complexity, apparently some latitude in terms of full conformity was allowed. Nonetheless, it is an indicator of the way the Government has slackened its commitment to the information society, or this same combination of parties, compared to the position taken up five or six years ago in terms of developing Ireland's role in the information society. It exposes the fact that our administrative and political system finds  it difficult to keep pace with the transposition of EU directives and regulations.
This is an important directive, even though it is opaque and difficult for the lay person to understand, for the reasons outlined by previous speakers and we appear to be having considerable difficulty in bringing our speedy implementation into Irish law of the EU directives up to date. The Minister conceded that in his contribution but as in the Seanad, where his predecessor took the Bill, we have no information about, for example, the number of other EU states which have not yet complied with this directive. I would like the Minister to tell us more about the character of consultation that has taken place, and with whom consultation has taken place prior to the framing of the Bill. The Minister gave as one of the explanations for the delay, the wide nature of consultations that had to take place. This is almost identical to what he said during the Seanad debate on this Bill – the word processor was at work again. He says, as a reason for the delay:
Mr. Rabbitte: There is no need to explain why consumers ought to be interested in the contents of this Bill. Irish consumers unfortunately do not have many vehicles for giving expression to their fears and needs but the consumers' association is one such organisation. I would be interested to hear whether the Minister spoke with its members. Did the Irish Council for Civil Liberties have the opportunity of making a submission? That organisation should have views on these measures for the reasons adverted to, for example, by Deputy Cuffe. I raise these questions because there are a number of pet organisations with whom all Departments have relations and the Departments seem very reluctant to go outside those. I would therefore like the Minister to tell us the organisations that delayed him in the framing of the Bill and with whom he has had consultations.
It is self-evident that the citizens of an ideal society in the information age ought to be interested in the measures being enacted in this Bill. The truth, I am afraid, seems to be that the average citizen is quite unaware of the legislation. I have listened to many complaints over recent weeks about the supposedly obscure and secret manner in which the European Union does its business, but in reality the democratic deficit is here. This is a good example of how important legislation is processed here.
I admit, like Deputy Gregory, on whose interesting contribution I am still reflecting, that I came late to this Bill. My attention has been more than usually outside the Dáil in recent days. I was advised that I was fortunate: all I had to do was refer to the debate on the Bill, which originated in the Seanad, and the less hard-pressed public representatives in the more reflective Chamber would put so much wisdom my way that I would not need to do any homework myself. I resorted to that, a Cheann Comhairle, and having read the debate I could not find a great deal of evidence of all this reflective wisdom in the Upper House. The learned Senators could argue that the manner in which the Minister sneaked in the Bill on the eve of the general election was sufficient excuse for their not being as reflective as they would normally be.
The manner in which this was done, with all Stages taken at one sitting, is a funny way to make law and certainly does not put us in this House in a strong position to complain about how business is done in Brussels. It also emphasises that departmental bureaucracies frequently do not require legislation on data protection themselves because they need no encouragement to withhold as much information as they can for as long as possible from elected public representatives. Nor do I see a great deal of evidence of the Minister responding to the points, such as they were, made in the Seanad. Senator Quinn is an exception in terms of his attention to the Bill but I see little sign of the Minister taking heed of this. It is interesting, in the light of criticism of the manner in which the EU does its business, to compare the enactment of legislation here with the initiation and preparation of a directive in the EU. Suffice it to say that the process in Europe is often more open, more transparent and, dare I say, more democratic than practice in the Oireachtas, where a Bill is conceived and prepared in secrecy and then landed on one or the other House, in this case on the eve of a general election.
Senator Quinn focused on a number of relevant issues, including the different approaches to the issue of data protection in Europe and the USA. It was the Senator's contention, not replied to by the Minister, that the USA regularly drives a coach and four through the safeguards provided for in the EU directive. His point was that, as we have seen in the area of intellectual property, when it comes to a confrontation between Europe and the USA, the USA usually wins. In the USA one can buy access to the kind of personal data that would cause outrage in Europe. This point made by Senator Quinn is important from the point of view of the professional objective of both the Bill and the directive, which is to protect private information on data storage and filing systems.
The Bill fails, as does the Directive, to deal with the problem in one crucial respect. In  Europe we recognise privacy and data protection as a principle and give it recognition in law with regard to electronically stored information of a private nature. In the USA there is no similar concept. Anyone who knows anything about anybody can sell that information. For example, supermarkets that operate loyalty card schemes, telephone companies and cable TV firms, through their billing systems, can learn a great deal about us. In the USA these companies may sell this information to anyone under the sun. In Europe this cannot legally happen. From this point of view it is impossible to understand how we can recognise the USA as conforming to our high standards in respect of commercially trading information about people, but we do. Europe tried to resist the lobbying of the USA to be recognised as having standards that were acceptable to Europe, but the US won and Europe lost. Whatever the Bill and the directive secure by way of legal privacy in respect of State-held information, the reality is that what it does in the private commercial sphere is little more than a ball of smoke as a result of our caving in to US commercial interests.
There is now, in respect of the security organs, an enormous pressure to legalise State snooping into our private lives. Other Deputies have spoken about getting the right balance, control, supervision, safeguards and CCTV monitoring and surveillance. What are the safeguards that exist with regard to the surveillance that is sometimes necessary for reasons of maintaining public order, monitoring criminals and so on? How do we know what the information is being used for? Can it be accessed in any circumstances? How do we know it is used only for a relevant purpose? It seems we do not know. This is together with the private sector snooping for commercial purposes, which is facilitated by the cave-in to US commercial interests.
The new agenda, what I call the State snooping agenda, is being sought as part of the war against terrorism, drugs and international crime, in other words anything to buttress the arguments of the Securitate types for more money, more equipment and more power to simply engage in snooping for its own sake. Of course the needs of security on the one hand and the need to effectively combat international drug trafficking and crime on the other require efficient exchange of relevant information. However, current practices go way beyond what is relevant and it is unlikely the Bill will do anything to safeguard the privacy of law abiding citizens. As part of this development, the private sector is also being pressed into being an arm of the security state. Phone companies, etc. are being forced to hold on to detailed private information to be made available to the men in trench coats who have a penchant for talking up their sleeves. Not only is the pressure on to accommodate the passions of our own natives in trench coats, but the international union of trench coat operatives is insisting that all  members be facilitated on a global basis in their professed pursuit of our protection.
I would like the Minister to reply to these questions because adequate replies were not given in the Seanad. It seems the delay involved in transposing this measure into Irish law means this law will be even more ineffective than was intended. The pace of developments and the clash of cultures referred to by Senator Quinn are such that the law will be again partially out of date and partially overridden. The sponsoring Minister who introduced the Bill in the Seanad conceded the extent of our trade and commercial links with the US where reliance on a mix of legislation, regulation and self-regulation is the norm and as a result of which problems arise in countries such as the US, which takes a sectoral approach to data protection. The Minister seems to acknowledge this, but apparently we cannot do a great deal about it. For years the commissioner has drawn matters to our attention that have not been addressed and some of them are not addressed in this Bill.
Notwithstanding his apologising for the delay in transposition, the Minister states that many of the directive's provisions have been implemented in the Data Protection Act, 1988. I do not know whether this is true; there are a few. The Minister is not saying the directive was in gestation since 1988, therefore, when the 1988 Bill was being framed the directive was not contemplated. The Data Protection Act, 1988, is based on the convention that was in existence at that time. To what extent can the Minister claim the 1988 Act has already enshrined the provisions of the directive? I think it is to a very minor extent.
The Minister referred to the new subsection (5) which will mean the exemption will not apply where such data are processed for a purpose other than the purpose for which they were collected. He also states that since the Bill was considered in the Seanad, concerns have been expressed that this new provision could unintentionally restrict the use of certain information in a manner that would not serve the public interest. Will he give us some more information on that provision? The instance in the script is company law. What exactly is being said here? Is the Minister saying that company law might be trammelled in terms of how it might be used if this exemption were to go ahead? Is he saying it would mitigate the legitimate imposition of company law on corporates to comply with good practice or that some investigations contemplated under the company law code might not be feasible if this was enacted? I am not sure I understand the particular point he is making.
I want to express my interest in the question raised by Deputy Cuffe about how effectively this measure applies to the telecom authorities in terms of the range of data in their possession and how efficiently they supervise the use to which that data can be put. It is a matter of bewilderment to most average citizens the range of junk mail they get through the post, about which they  know nothing, as a result of what they thought was private data being made available to organisations. If one applies to become a subscriber to a magazine in London, one will find that four or five different magazines have one's name and address and will send fliers to subscribe to their magazines. It is extraordinary and more painful that one's personal financial information, which one thought was private, and one's creditworthiness seems to be made available to other commercial organisations who can mail shot one as a result of their confidence that one may or may not be a good hit for their particular product. There is a growing concern that we are beginning to go the American way and that any information capable of being sold is being sold and bought for commercial interests and the privacy of citizens is very much of secondary consideration. I would like to hear the Minister express his confidence, if he is confident, that this will give better protection to citizens.
Mr. Durkan: I am pleased to have the opportunity to speak on this legislation. Like a number of other speakers, I have some reservations about what it means and who it is likely to affect. When I previously had responsibility in a Department for attempting to get a social services card with a data base attaching to it, various queries were genuinely raised by people who had concerns about the erosion of civil liberties. I recall at the time referring to the amount of data held on almost every citizen without his or her knowledge and how much is processed and handed over to other bodies who have little or no right to it. Nowadays, people get numerous mail shots conveying the impression they have won a prize and will lose their claim to a considerable sum of money unless they respond immediately. What are the sources of information on names and addresses for such purposes? In the context of this Bill, how and by whom is it intended that the information will be made available? This Bill is an attempt to control what is already there and to amend the 1988 Act. With advances in technology in the intervening period, while I accept the Minister of State has indicated there will be amendments on Committee Stage, it is quite clear the Bill is greatly in need of amendment. For example, who has the right of access to stored information? It is easy to say access can only be gained to a database via certain routes but have the person, company or association concerned any rights as to whether information is released? In my view, the answer is “No” because information which can be sensitive is regularly and readily passed on.
In relation to the potential for inter-company surveillance and even sabotage, given the porous nature of computer databases, we need to look carefully at the security of information which could be passed on and used in a manner which may be detrimental to individuals, companies and society at large. The Minister of State has dealt with this issue in some detail. He should consider the matter carefully and entertain amendments on Committee Stage to a far greater extent than already indicated. The Minister of State's predecessor said submissions and representations had been received from several sources suggesting possible amendments. In his inimitable fashion, he said, having reflected on these matters and bearing in mind that the primary purpose of the Bill is to give effect to the EU directive, he would bring forward a number of amendments on Committee Stage. While he has done that, he has not informed us as to who made representations and with whom he had discussions. That information should be available to us at this stage. I presume it will be made available on Committee Stage.
Financial institutions hold a vast amount of data which can be used sensitively or insensitively, at the whim of the institutions concerned. That can affect individuals or companies and the bigger the operation, the more serious are the implications if sensitive information is released without authorisation. How much control has the Data Protection Commissioner in that regard? For instance, sensitive or potentially embarrassing data could be recorded in relation to a Member of this House without his or her knowledge and such information may be transferred to other agencies for their benefit. The situation is not as simple as it may appear with regard to the holding, processing and transmission of data – a term which encompasses a multitude. In essence, it is the same as handing over the files on an individual or company to a group which will have access to information which represents power and control. Such issues must bear further detailed examination before this Bill is passed. The EU directive which gave rise to this Bill may have to be looked at again if that is deemed necessary.
Section 2 refers to non-sensitive information. Who is to determine whether information is sensitive or non-sensitive? How can we be sure that what purports to be non-sensitive information may not include some sensitive information? The potential for abuse in that regard is far greater than appears to be envisaged at this stage. I hope the Minister of State will consult his colleagues in all Departments to assess the potential impact in the area of data storage and transmission and to establish whether the current proposals are sufficient to meet the needs of individuals and companies. Deputy Rabbitte has already referred to the security issue. On grounds of security of the State, the European Union or a particular institution, access may be gained to any information, under cover of existing and proposed legislation. That is already happening and, with the development of technology, the potential for abuses is constantly increasing.
Data which the holder may not regard as sensitive may well be sensitive to the individual, company or organisation concerned and, if released legally or illegally, may be highly detrimental to the subject of the data. In his deliberations on Committee Stage, the Minister of State should address this very serious issue of unauthorised release of information. If information is released surreptitiously, that is obviously done for a particular purpose and I am not sure how it can be prevented.
Over recent years, I have asked a series of parliamentary questions with a view to ascertaining the extent, if any, to which unauthorised attempts have been made to access databases in various Departments. It has been tried on numerous occasions. Once or twice the hacker got past the first or second stage to gain access beyond what was normally available. These areas should be re-examined to see if there is adequate protection for the citizen, the community, the common good and the country. It is a very wide issue.
While, traditionally, Irish people are extremely sensitive about information, there is a different attitude in Europe where, for instance, identity cards are a fact of life. It is understandable, however, that we have a different attitude because of our history. However, as time passes we may be moved inexorably towards a system which makes us accept something with which we would not otherwise be happy, but we should not have to accept anything unless we are happy with it and it has been tested adequately. Its porousness should be fully appraised to reassure those affected.
What are the rights of an individual, a company or community, the subject matter of database information? Do they have any rights over access to this information and difficulties created for them as a company, community or an individual? An individual can pay a fee at the Office of the Data Protection Commissioner and find out what information is held on them and to where it has been transmitted. We can find out about information held in credit databases and who has information about the credit rating of anyone else. Theoretically, this information is not supposed to be generally available, as the consent of the subject is required. However, it does not work that way. Commercial companies will readily admit to having access to highly sensitive information which they can obtain easily and regularly do so.
Why is this happening and what is being done about it? What will we do about it in the course of this legislation which, I hope, will take a little longer to pass through Committee Stage than envisaged? It is in the interests of the Minister and the House to examine this legislation carefully because it contains minefields. Notwithstanding that it complies with the European directive, we live in a very sensitive time where the storing and transmission of information is more important than it was ten or 15 years ago. Someone may review the legislation in the future and decide that something would not have happened if certain legislation had not been passed by the Oireachtas. We do not want that to happen. We have had a long and tedious debate about the Nice treaty, which lasted 18 months. We should be certain about what we are proposing and that our rights as a country, the rights of citizens, companies and the business sector and our civil liberties will be recognised and fully adhered to in the implementation of the legislation. I hope this issue will be further discussed on Committee Stage in which I will take an interest.
Mr. O'Dowd: A friend of mine was driving in Dublin city one evening some months ago when he received a telephone call on his mobile phone asking if he was aware that his mobile phone bill had not been paid. He thought it was strange to receive this call late in the evening and asked the caller for whom he worked. He was told that it was for a national telephone company. When he questioned this, he found out eventually that the caller worked for one of the new call centres in the city which was acting as an agent for one of the national telephone companies. He later contacted me about the matter as he was annoyed that he had not consented or was not aware that he had consented to being telephoned on his mobile phone outside working hours about whether he had paid his mobile phone bill. He had assumed that normal procedures would apply, that he would receive a demand to pay the bill. When I became involved in the case, I discovered that this major call centre in the city centre, which employs over 80 people, was not registered with the Office of the Data Protection Commissioner.
The Bill is an attempt to address an issue about which, like everyone else, I am concerned. Big Brother is out there watching us and everything we do, whether we pay our bills on time. This information is transmitted to agents who work for these national or international companies through call centres or call centres within companies. Like other speakers, I am concerned about the security of personal data held on individuals such as my friend.
If one looks at trends in Irish and international banking, smaller branch offices of national banks are closing down, particularly in rural areas. Competition is very severe. Companies such as the Bank of Scotland have no local branch offices but communicate through the mass media. They have no local base. All of their data is stored on computer files, not necessarily in this country. They have no employees on the ground in the way traditional banks used to have in rural towns. I am concerned about the same issue as my colleague, namely, the security and accuracy of data of such companies in the banking system.
There is now an increasing absence of the customer-bank official relationship which was evident for many years. People are applying and being refused or granted loans solely based on the data kept on them. There is no relationship between many of the institutions and the individual. When I raised this matter with a representative of a major national banking company, I was told that that was the way the world was going. I pointed out that there was no automatic way by which someone dealing with a bank could be aware of all the data that bank had. If one applies to a bank, one will be given the information on payment of a fee. Financial institutions are relying more and more on such data and the traditional personal relationship which was welcomed by the community is no more. Today a bank does not want to see anyone inside its doors because it expects a person to be able to communicate electronically. I am concerned about that issue as well as the accuracy of the increasing amount of information these companies have about individuals. We would have a ‘Big Brother’ society if one could access the data protection commissioner's computer to inquire as to what data is held on a person and for what reason. That may not be practical now but I see no reason it could not be, with major developments in technology. We should be able to find out who has data relating to ourselves at a one-stop-shop so we can apply to have it released having paid a fee.
Many people probably do not realise that the moment they connect to their Internet service provider, ‘cookies’ on the computer are recorded. We are being watched from the moment of connection and a record of every website visited during a session is capable of being recorded. Internet service providers have contracts with many companies – often outside one's home country – and we have no knowledge of what is done with that information. In the US, companies can get a profile of each Internet user and having ascertained a person's interests can send offers that relate to, for example, a search in which a person has been engaged for cameras, for instance. That can be useful to someone who is trying to decide which camera, car or television is the best to buy but there is much data relating to us which is kept internationally. It may take an international convention to address the issue properly so that anyone who has been on the Internet can be given a record of what companies have been watching, what information about them they hold and what information they transmit to other companies.
Many people receive unsolicited mail shots through their doors regarding competitions and offers for new cars and so on. While this is an information gathering exercise for direct mail or marketing companies, it is not clear to the casual observer what is going on. People often feel that if they fill in the form they may have a chance of winning, whereas the reality may be that the offer applies to the UK too, diminishing the chance of winning. It should be made very clear at the beginning of any offer or letter exactly what is going on, so that if one consents to the release of the data by ticking a small box in the corner, one is doing so with full knowledge. Innocent members of the public could give away very important personal data on themselves and their families without really understanding what is being sought and what will happen to the information they give.
The Minister of State may inform me later in the debate if it is the case that the addresses for the unsolicited direct mail which comes through the door to all of us come from the register of electors. I understand that Deputy Dempsey – when he was Minister for the Environment and Local Government – made a commitment in legislation that there would be some restriction on the use of the register of electors for other than electoral purposes. Perhaps the Minister of State could clarify that for me. I do not see why people should be deluged with material that they do not want or seek. It is a waste of paper. It is important that one's privacy is sacrosanct.
It is easy for companies to collect e-mail addresses and people regularly receive unsolicited e-mail. Does this Act address this? If one sends someone an e-mail, are the addresses being collected and sold as databases? Someone may well sell 1,000 e-mail addresses that relate to a particular geographic area or profession and this will increasingly be the case for marketers.
I understand it is now possible to send 1,000 text messages simultaneously for about €36. Will people find these text messages intrusive? People love to get text messages but perhaps not if they are sent by commercial organisations, as they may be in the future. I do not know if the legislation deals with this area but perhaps the Minister of State could address the issue. This is to protect the individual who, in a relaxed and friendly way, can release information to people who do not have their interests at heart and are out to manipulate them or sell them things they do not want.
Our world is changing rapidly and the protection of personal data for all our citizens is an increasingly difficult task. When people apply for a loan in a bank, they are asked all sorts of important questions such as what their income is and so on. This is all proper, useful and necessary information used by the company to decide whether it will grant the loan. However, there are also questions such as whether the applicant consents to being phoned at home after 5.30 p.m. or at weekends. That is intrusive. Should it be the case that before one applies for a loan one must agree to be phoned at home? This may be the way modern banks communicate with a private citizen but it is intrusive and it is wrong to ask questions like that as a preliminary to the loan. What is important is whether one can pay the loan back and has the income to meet it.
One can be asked whether one consents to information being given to marketing departments for other purposes. In a document as personal and private as a loan application, people may feel they will not be granted the loan if they do not consent and will not be able to buy a car or send their child to college. Under the Data Protection Act, people may not wish to answer these questions but there may be pressure on them to give consent to the use of personal and private information which is not germane to determining whether one can repay a loan.
Good ideas are being discussed during this important debate and I look forward to further discussion on Committee Stage. We need to address these 21st century issues in a new way. The old way of doing business is over and now Big Brother is watching us. We must ensure that we control the information he gets inadvertently or by roundabout means. If this Act makes things safer for the private individual, particularly the individual whose guard is down or who is not sharp enough to know what is going on, it will be good legislation.
Mr. Healy: The last legislation in this area was in 1988. Things have moved on since then and this detailed legislation is timely. I am not particularly competent to deal with the detail of it. It appears that the Bill deals with two broad areas, the storage, security and access to information and the issue of transfer of that information within and between countries. As the Bill is so detailed it demands debate now and more serious debate on Committee Stage.
I welcome the section of the Bill which includes manual information systems as an area for protection. The questions of consent and of notification of individuals are also areas that need to be addressed. I am concerned that security and individual rights are protected in the legislation. The Bill deals with the question of “enforced subject access”. An employer may wish to gather information on individual employees or on the firm and in the past one felt under duress to make this information available. I welcome the section which deals with that.
Public representatives often come across the issue of the length of time information is retained and stored particularly in regard to financial institutions. We are concerned with how they store, retain, use and access information. The information held by financial institutions is often mishandled. For example, I recall occasions where someone would look for a mortgage. In the past that person might have fallen on hard times through redundancy or sickness and possibly defaulted on a month or two of mortgage repayments. That information is retained indefinitely by financial institutions and it becomes impossible for people in those circumstances to get loans. I know other public representatives have experience of such situations also. The sharing of this type of information between financial institutions is not good and is unfair to people who seek credit from them. A person's personal circumstances may change over time and a credit rating that is two, five or ten years old is no indication of and does not reflect the current financial situation of an individual. That area needs to be addressed in the legislation.
The manner in which financial institutions use and distribute information among themselves is of concern. These institutions possess large amounts of information which they can pass on to former employees, security organisations and private investigators etc. It is right that agencies such as the Department of Justice, Equality and Law Reform and the Garda Síochána should have access to all relevant information on people living in the country. I am worried, however, by the ease with which security organisations and private investigators can access personal information on private citizens which is held by businesses and large financial institutions.
I am concerned too about mail shots which we receive on almost a daily basis. I am particularly concerned that the register of electors is used for that purpose and at recent revelations that it is available for purchase by whoever wants it, including political parties. That is undemocratic. The register should only be used for registering those who are entitled to vote and not for any other purpose. I hope this Bill addresses that and does away with access to the marked register by third parties.
Another area of concern is the transfer of information between countries. This issue was raised by a number of speakers in the Seanad and raised here by Deputy Rabbitte. I am concerned that this Bill will allow transfer of information to non-EU countries, particularly countries whose ethos on data protection is not similar to ours. I refer particularly to the United States. The European approach to data protection is very different to that of the United States. Given the extent of our commercial trade and other links with the US, the ability of US organisations to comply with the adequacy requirements of this directive is a matter of concern. In America all sorts of data information can be purchased and sold. Personal data is not considered personal in the way we understand it and people can buy access to an extraordinary range of personal information which, in Europe, would be considered private. This is something about which we should be concerned. We should only transfer information to countries with an ethos and legal situation which resembles our own. In the US, one is dealing with a voluntary regulatory situation rather than a legal one. That is something one should not get into.