The Irish Government have published their Data Protection Bill 2018, which is intended to legislate for the areas of the General Data Protection Regulation (Regulation 2016/679/EU) which allow for Member States to define their own rules, and is also intended to transpose into Irish legislation the Data Protection Directive for Law Enforcement (Directive 2016/680/EU).
This should be a generally straightforward thing.
After all, the bulk of the GDPR has been democratically negotiated over the course of four years by the EU Commission, the EU Parliament, and the Council of Ministers. There are a few narrow areas for local variation in the GDPR (about 50), and there is a body of EU case law on the concepts of necessity and proportionality and the concept of subsidiarity of Member State law. And the Law Enforcement Directive is actually rather prescriptive of the things that Member States need to have in place in order to ensure law enforcement processes respect fundamental rights to data privacy.
So, how has the Irish Government performed so far in doing the relatively simple thing? Well, after 132 pages of riveting reading (my third pass through at this stage), I am of the view that I will need to buy a cat so that I can find something practical to use the pile of litter tray liner I've just read through. As Simon McGarr has put it on Twitter:
Suddenly thinking about buying shares in LuxAir, the only provider of a direct flight from Dublin to the CJEU.
I see a major expansion in their future.
— Simon McGarr (@Tupp_Ed) February 9, 2018
Bluntly: if passed in its current form, the Data Protection Bill guts the Office of the Data Protection Commissioner, effectively strips citizens of their rights, creates a bizarre set of exemptions and exclusions from processing, and permits the processing of special categories of personal data for the purpose of "electoral activities", a term that is helpfully NOT defined in the Bill, or in the Electoral Acts, or anywhere else for that matter (I know, we did a Privacy Impact Assessment for a political party a few years ago where we had to look at this... the ODPC was unwilling to push the question of definition then or provide any specific guidance, preferring to defer to an Oireachtas committee on electoral reform).
This is on top of the proposal (opposed by the ODPC, Digital Rights Ireland, and a range of sane people) to exempt Public Bodies from administrative sanctions under the GDPR. But just in case that doesn't work:
These sections, together with the exemption from administrative fines proposed in the legislation, seem to be an attempt by the government to carve itself out of any meaningful liability or accountability for upholding data privacy rights and ensuring that those rights are upheld in the processing activities of public sector bodies.
This is legislation the draft scheme of which was published in May of last year and which has done the rounds in Government Departments since for "observations". Input from civic society organisations appears to have been ignored. As have, it seems, the fundamentals of EU law. And common sense.
Amendments have to be tabled by this coming Tuesday, so there is very little time to do anything at this stage. The need to have the legislation passed by the 6th of May further constrains the timeframe to fix the flaws in this deeply flawed Bill.
My sense is that this legislation, if enacted in its current form, will be a boon for lawyers and for LuxAir, but will be a bad thing for data subjects who will have their rights infringed and taxpayers who will foot the bill for any litigation against the State.
Next time I'll try to find some good things in the draft Bill. (But I don't hold out much hope).