Speech by Minister Dara Murphy TD at the Digital Rights Europe Conference, Grand Canal Hotel, Dublin 2, 15th April 2015

 

As Minister with responsibility for Data Protection, I am delighted to have the opportunity to speak to you today at the first annual Digital Rights Europe Conference. Go raibh míle maith agaibh le haghaidh an cuireadh agus tá fáilte roimh go léir.

I would specifically like to thank Digital Rights Ireland and, in particular, TJ McIntyre for the invitation to speak with you.

I would like to speak with you today about protecting the rights of, and empowering, the individual. This is achieved through good law, efficient regulation and effective policy, each of which I will address in turn with you today.

I wish to begin by discussing the law surrounding this area in Ireland. As you will be aware, the current law is based on the Data Protection Acts 1988 and 2003, which incorporated the 1995 EU Directive into national law. However, you will also be aware that there is currently a new EU Data Protection Regulation under negotiation.

As you may suspect, the Regulation has been a key priority of mine since I took up duty and will continue to be.

Last month, I attended a Justice and Home Affairs Council meeting where the Regulation was discussed in detail. I am pleased to tell you that great strides have been made towards a resolution that will see Europe well placed to take advantage of technological developments while putting the rights of the citizen at the heart of everything we do.
The Regulation will provide numerous benefits for the citizen.

It will establish the One-Stop-Shop mechanism which will make it easier for EU citizens when it comes to enforcing their rights across the 28 countries of the European Union. As you know, under the Regulation, any EU citizen will be able to go to their national data protection authority for complaints covering breaches anywhere in the European Union. This provides the citizen with the convenience of dealing with one law and one data regulator across the entire European Union.

A higher standard of consent will be established. There will be a need for explicit consent in relation to the processing of certain items of personal data.

The Regulation places considerable emphasis on transparency. It provides that personal data must be processed lawfully, fairly and in a transparent manner. It also provides a mandatory obligation on data controllers to notify security breaches without undue delay to the Data Protection Commissioner and, an important new step, notifying the individuals at risk as a result of any such security breach.

The Regulation will make it necessary for the public sector and private sector companies who process large volumes of your data to appoint a Data Protection Officer.

It creates a new obligation on data controllers to carry out data protection impact assessments where the processing may involve particular risks for individuals concerned.

The Regulation will ensure that each business has data protection policies in place, that they are easily accessible, transparent and use clear and plain language.
It will create a new principle of data security where the data controller will be responsible for ensuring that personal data is processed in a manner that ensures appropriate security of personal data.

There will be an obligation on data controllers to take a risk-based approach to implementing appropriate measures and they will need to be in a position to demonstrate compliance with the Regulation.

All of this will provide citizens with greater control over their personal data and facilitate more effective exercise of their rights. It will in turn provide individuals with greater confidence in the companies who handle their data and facilitate greater engagement. This will provide the platform for innovation to flourish, which in turn will provide for economic growth and job creation, to the benefit of everyone.

I believe there is a need for Government and companies to place people in control of their data by integrating privacy into our policies and practises. The new Regulation will provide for this approach, known as ‘Privacy by Design’, which will see privacy friendly default settings become the norm.

The ‘Privacy by Design’ approach will result in more care being given to privacy related issues at the outset and this will provide an overall better outcome for the citizen.

Significant progress has been made in relation to the negotiations on the Regulation; however more work is still needed between now and June when the Latvian Presidency hopes to see the negotiations concluded.

There are a number of significant areas which will be discussed over the coming months; the right to be forgotten and profiling are both complex areas and raise questions in relation to the balancing of rights. The issue of fines and sanctions for breaches of the regulation also remains to be agreed.

I will continue to engage intensively with EU partners and stakeholders in relation to the ongoing negotiations to ensure the best possible outcome for Ireland.

Let me now turn my attention to the enforcement of such law. You will be aware that data protection law is enforced in Ireland by our independent regulator, the Office of the Data Protection Commissioner.

Ireland operates a robust data protection regime, with ongoing audits and reviews of both national and international businesses.

It is testament to the Government’s commitment to the area of Data Protection that the resources allocated to the Data Protection Commissioner were substantially increased this year, with the budget allocation being doubled.

This has allowed the Commissioner, Helen Dixon, to begin the process of hiring an additional 18 staff to her team.

This additional funding will also allow the sourcing of a second office for the DPC, which will be based in Dublin and will complement the Portarlington office.

I would like to take this opportunity to share with you some other important developments that demonstrate the Government’s commitment to the area of data protection.

These result from a Government decision last October, which approved a series of measures in the data protection area.

Another recent key development has been the establishment of an inter-departmental committee on data protection issues.

The Committee brings together the key person in each Government Department with responsibility for the data protection area. Two meetings of the Committee have already been held, with the third scheduled for next month.

The Committee will serve as a forum for sharing good practise across Government, assist in the delivery of more effective public services through the improved use of data as well as providing a whole of Government perspective on data related issues.

The Committee will also assist with ensuring that data protection policies across Government are of the very highest standard.

I am delighted with the very high level of engagement and enthusiasm being shown by all participants.

A key objective for us is to ensure that Government leads a dialogue with civil society and business on societal issues arising from the continuing growth in personal data usage and technology.

Since my appointment last year, I have been engaging in dialogue with a range of representatives from academia, industry and civil society. In fact, a number of you present here have met with me or officials from the newly established Data Protection Unit in the Department of the Taoiseach over the last few months.

This engagement will shortly be formalised with the establishment of a Data Forum, which I will chair.

The Forum will consider the opportunities, challenges and issues arising from the use of data in the 21st Century. We are all familiar with the changes that technology has brought to our lives. We benefit from apps that make our lives easier, but which also have implications for us given the amount of data that is now generated and the use to which this is put. The Forum will create a platform for open discussion and debate on these issues.

These changes also bring about additional responsibilities. While there is an onus on Government to provide effective legislation, on the Regulator to ensure enforcement and compliance, on companies to ensure that their privacy terms and conditions comply with legislation and are clear and easily understood, I believe that there is also an onus on us as users to educate ourselves. What does it mean when you sign up to terms and conditions? The citizen cannot be a passive actor when signing up to a service; we need to make sure that we are fully aware of what we are signing up to, and what will happen to our data as a result.

Looking at the agenda for the rest of your day, many of these are issues that will be considered by you here today.

Many thanks for your attention and I hope you enjoy the rest of the Conference.

Go raibh míle maith agaibh.