Exercising my unearned privilege, on Monday 12th February I sent this letter to the three senators that represent the university I attended way back in the last century.
Dear Senator [NAME]
I’m a constituent of yours and I’m writing to express my concern and indeed alarm at the draft Data Protection Bill currently before the Seanad. I have some experience in this area and as far as I can tell my alarm is shared by the majority of legal experts and practitioners in the field.
The Bill’s purpose is to transpose into Irish legislation the General Data Protection Regulation, Regulation 2016/679/EU, (GDPR) and create new data protection legislation in areas where member states are permitted to write their own.
The overarching aim of the GDPR is to rebalance the relationship between individual citizens and large, powerful and well-resourced organisations in respect of control over personal and in some cases highly sensitive information. Individuals are given increased rights by the Regulation to allow them to exert far more more control over what the private and public sector entities which process their personal data can do with that data.
Minister Flanagan mentioned this in his address to the Seanad on Thursday 8th February – “People will have more power over their personal information”.
Contrary to the minister’s assertion, the draft Bill appears to me to take a systematic approach to undermining the spirit, aim and principles of the Regulation. While there are egregious examples of this scattered throughout the pages of the surprisingly lengthy bill – one would almost think the state had interpreted the GDPR as a Directive rather than a Regulation, given the number of attempts to create sweeping exemptions – I’ll focus on just a few for the sake of brevity.
There’s been some media coverage of the decision to exempt public sector bodies from administrative fines except in certain narrow instances, which appears in Section 136 (3). In removing the ability of the regulator to impose meaningful sanctions for infringements of individuals’ fundamental rights, against the advice of an array of legal experts and the regulator herself during pre-legislative scrutiny of the Bill, the draft legislation does not provide any encouragement or incentive for public sector bodies to change their behaviour. This makes Minister Flanagan’s remark at the launch of the draft Bill that the State would lead by example ring rather hollow.
Section 104 creates an ability for the Data Protection Commission to ignore a complaint received from an individual about a data breach, a facility that is rightly not available to the current incarnation of the regulator, the Office of the Data Protection Commissioner. This extraordinary decision leaves individuals without recourse except through the courts and hampers their ability to exercise the rights which the GDPR is supposed to grant to them.
It is only slightly more than a decade since this country experienced the consequences of encouraging a light-touch regulation regime in financial services. The digital economy, which runs on personal data, is now just as intertwined with the livelihoods, wellbeing, and freedoms of all citizens as the financial services industry was then.
Personal data related to people’s political beliefs is categorised as sensitive data and must be treated with even greater care than other personal data. The use of profiling for political purposes in both the Brexit Referendum in the United Kingdom (June 2016) and the presidential election in the United States (November 2016) is currently the subject of parliamentary inquiries on both sides of the Atlantic. There is extensive ongoing media coverage worldwide. The scale on which sensitive personal data pertinent to people’s political beliefs has been used to subvert democracy by permitting external actors to exert disruptive influence is still being uncovered. This scale increases with each news story.
Yet in the midst of this we find the draft Data Protection Bill attempting to explicitly legislate for this type of processing of sensitive personal data in Section 42, allowing political profiling and targeting of individuals based on this profiling. Farcical and reckless are the words that come to mind.
As I said above, there are numerous further examples throughout the draft Bill of attempts to render null and void the rights of citizens, and their ability to exercise those rights. Some more detail is provided in the link below.
The Irish Data Protection Bill – Thoughts (Part I), Daragh O’Brien, Castlebridge Associates
I would very much appreciate if you could raise these concerns on my behalf before the draft Bill finishes its passage through the Seanad.