The State shouldn’t get a free pass when Europe’s data law comes into effect

There are only 314 days to go; fewer if you subtract weekends and holidays. On May 25, 2018, the General Data Protection Regulation comes into effect.

This new European Union law, better known as the GDPR, will make fundamental changes to how our information is used and protected, giving greater rights to the individual and creating much more severe penalties for non-compliance.

This tight deadline creates severe pressures for businesses and other organisations such as charities which must completely review how they handle personal information by then.

Some are already in the process of doing this; the majority are scrambling to catch up.

It also puts all parts of the Irish State under significant time pressure.

Although the GDPR is a European law, parts of it require national legislation to implement. The Department of Justice and Equality is responsible for preparing a Bill to give effect to the GDPR in Irish law.

That Bill must then pass the Dáil and Seanad to put in place a new legal framework for enforcement, including a restructured Data Protection Commission. All of this must be done in good time prior to May 2018 to enable planning for the transition.

So far, the Department has produced a draft Heads of Bill, and with commendable speed the Oireachtas Joint Committee on Justice and Equality has already held three hearings examining this draft.

Most of the draft is relatively technical and uncontroversial. But the hearings have exposed aspects which could significantly undermine the position of individuals against the State.

On behalf of Digital Rights Ireland, I gave evidence to the Joint Committee about two of these issues.

The first is that the draft Head 23 proposes to exempt public bodies from fines for breach of the GDPR. The argument for the exemption is that these fines would be circular – that they would merely shuffle money from one public fund into another public fund.

But this ignores the experience in the United Kingdom where fines have been an important deterrent, encouraging public bodies to improve their information security.

The exemption also gives the wrong impression – that the public sector is to be held to a lower standard than others.

And it would be practically unworkable: as a matter of European law, one cannot have a situation where a public body such as a hospital is given preferential treatment over private market competitors. The Data Protection Commissioner, Helen Dixon, has described the exemption as a serious concern and pointed out that it would create a real burden for her office by forcing it to assess, in every case, whether a public body has private competition.

The second issue with the draft is that in Head 20 it gives the power to any Minister to make regulations in any area restricting any individual rights on the basis that this is necessary for any “important objective of general public interest”.

The effect of this is to create an open-ended power to limit the rights created by the GDPR on the basis of a ministerial signature only – with no requirement for any approval from the Dáil or Seanad.

There are, of course, situations where data protection rights should be restricted in the public interest. For example, the right to know what information is held about you does not apply where that would undermine a criminal investigation.

But until now those have almost always been provided for in primary legislation, subject to scrutiny by lawmakers.

An unconstrained power to make new restrictions will in practice mean government departments being the judge of what rights individuals should have against those departments and their agencies.

As with the proposed exemption from fines, the intention is that the state will receive more lenient treatment.

It is worth remembering that shortly before his retirement the last Data Protection Commissioner, Billy Hawkes, summed up his term in office by saying that public bodies had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them”.

He said that “the state system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us” and that there was a need for “system-wide action” before “an inevitable crisis” was triggered.

Given this background, and the fact that the state holds so much data on us, it should be held to a higher, not a lower standard.

[This post is an edited version of an opinion piece by TJ McIntyre which ran in the Irish Independent on 8 July 2017]