Public body fine exemption sends the wrong message
The Government has published the Data Protection Bill 2018, which gives effect in legislation to the General Data Protection Regulation.
There are a number of points of note in the bill, one of which is reform of the office of the Data Protection Commissioner. The office will be reformed as the Data Protection Commission and will be headed by up to three commissioners for data protection, each of whom shall be appointed for terms of four to five years. The Minister for Justice will be responsible for appointing one commissioner to be the chairperson with a casting vote.
The other noteworthy point was an exemption for “a public authority or body” from administrative fines, unless, as a data controller or processor, it is acting in competition with a private body, under the provisions of the Competition Act 2002.
This is despite the Data Protection Commissioner Helen Dixon, before the Oireachtas committee on Justice and Equality in June of last year, expressing “serious concern” over such a proposal.
“The purpose of the punitive fines provided for in the new law,” said Dixon, “is to act as a deterrent to all types of organisations, and we see no basis upon which public authorities would be excluded, particularly given that arguably higher standards in the protection of fundamental rights are demanded of those entities.”
“Additionally, the workload proposed for the DPC in making assessments of whether public bodies are engaged in activities that would compete with equivalent private sector bodies takes us away from our substantive role in data protection terms.”
Despite these comments, the bill states, in chapter 6 “Administrative Fines”, section 136, part 3:
“The Commission may decide to impose an administrative fine on a controller or processor that is a public authority or body only where the authority or body acts as an undertaking within the meaning of the Competition Act 2002.”
It is not clear what other sanctions or measures would be available to the new Data Protection Commission in the event of a public authority or body being responsible for a data breach involving, or misuse of, personal information.
However, a spokesperson for the Department of Justice explained that such a fine would only be taking money from the public purse.
While there is a certain amount of sense in not fining a public body in such cases, there should be clear powers to in some way sanction them to ensure that there is, as the commissioner points out, “a deterrent to all types of organisations”.
Given the appalling record we have in this country of not holding civil servants to account, this is a worrying move that could mean there is effectively little done in the case of a breach.
It also gives fuel to the anti-public services card lobby, who will no doubt see this as a licence for public bodies to misuse data under the regulations. The fears of databases being compiled without the knowledge or permission of data subjects, re-use, cross-use and general suspicion of motives, will not in any way be alleviated by this move.
Again, despite the commissioner’s remarks regarding the “arguably higher standards in the protection of fundamental rights” that “are demanded of those entities”, many will see this exemption as tacit approval of government use of data in any way it sees fit, without regard to the data subject.
Overall, this is a very disappointing step. While some level of discretion might have been a good idea, an exemption has not been well received. Though it makes sense in some ways, it is defeating the purpose in many more.