Culture of Compliance

So, Phil Hogan believes that the vast majority of people in Ireland want to be compliant with legislation, specifically the Household Charge. Perhaps a first step to ensuring that compliance would be for the Minister to ensure that the Household Charge is being implemented in a manner that is compliant with the Data Protection Acts. That would have meant:

  1. Early consultation with the Data Protection Commissioner to identify and mitigate Data Protection risks in the Household Charge legislation
  2. Early consultation with the Data Protection Commissioner to ensure that appropriate mechanisms for data sharing were given effective legislative support within the Household Charge legislation
  3. Ensuring clarity about the current and proposed future uses for the (significant) amount of data which is being gathered as part of the registration process
  4. Ensuring that the use of PPS Numbers as part of the registration process was clearly and demonstrably being approached in a manner that complies with the requirements of the Social Welfare Consolidation Act 2005
  5. Ensuring clarity about who the Data Controller is for the Household Charge scheme (it appears to be de facto the Department at this point, despite the text on the Privacy Statement on their website).
  6. Communicating early and often with the public about the charge, its legal basis, the purposes to which the data being collected will be put, etc.

Instead we have a Minister announcing on national radio that the Government is backing him in reviewing all relevant legislation, including the Data Protection Acts, to allow the Household Charge to be collected. Thankfully the Data Protection Commissioner’s rebuttal of that utter nonsense has been getting more air time since, but I thought it might be worth a quick examination of why the Minister’s comments were total poppycock.

 

  1. The right to Personal Data Privacy, and the existence and role of the Data Protection Commissioner, is actually required under Article 16 of the Lisbon Treaty. Since 2008 this has been the basis for the right to personal data privacy which is supported by the Data Protection Acts. Any change to the Acts would need to take into account the fact that A16 of Lisbon has written these rights (and the role of the Data Protection Commissioner) into our Constitution. So tinkering with the Data Protection Acts could actually give rise to a constitutional or EU Treaty obligation issue if it’s done carelessly.
  2. The Data Protection Acts were not thought up by the Mandarins of the Dept of Justice. The 1988 Act was our enactment of obligations under a European Convention (aka Treaty 108) governing the protection of privacy of personal data and allowing for cross border flows. The 2003 Amendment Act gave effect to Directive 95/46/EC. It gave effect 5 years late. Ireland actually faced sanction by the European Commission for being so late implementing the Directive into national law.

So, in making changes to the Data Protection Acts (which the Data Protection Commissioner rightly says are NOT needed) to make it easier for the Government to comply with the Acts (by removing the tricky bits that basically require joined up thinking, forward planning, and robust governance and controls I suspect), the Minister risks breaching our obligations under an EU Directive (95/46/EC) at a time when the European Commissioner responsible (Vice President of the Commission Viviane Reding) is pushing the boat out on the newly proposed EU Data Protection Regulation which contains further measures to strike appropriate balances between the rights of the individual to privacy and the entitlement of companies and Governments to process personal data.

Unless Minister Hogan is proposing to implement pre-emptively the protections and provisions of the EU Regulation I would suggest that tinkering with the Data Protection Acts would be a costly and embarrassing #FAIL for the government.

  1. It would risk breaching the obligations under Article 16 of the Lisbon Treaty if the legislation was to be invasive of personal data privacy.
  2. It would make a nonsense of the Government’s arguments put forward by Sean Sherlock TD during the #sopaireland debate that the State is bound to implement fully EU Directives. Tinkering with the Data Protection Acts to weaken their protection of personal data privacy flies in the face of the Directive. The Government’s policy needs to be consistent otherwise it will be apparent that the #sopaireland SI had nothing to do with implementing a European Directive, if Directives can be ignored for national reasons (interestingly the scale of variation in national laws for Data Protection is the reason why the Commission has proposed a regulation this time around – direct effect, so no tinkering allowed).
  3. Any weakening of Personal Data Protections would be open to question by the Commission on the grounds that there is a clear policy statement from the Commission on Personal Data Privacy in the form of the proposed Regulation, and it is not going the way of a dilution of the individual’s rights. The changes Minister Hogan alludes to (which, I must stress ARE NOT NEEDED and have not actually been set out as a proposal other than as part of a response to a question to the Minister) would actually need to increase the governance and controls over sharing of personal data and ensuring compliance with the new “transparency” requirements under the new Regulations to avoid being viewed as a retrograde step in Ireland’s compliance with a well established EU Directive. Any other form of change to a legal framework that is working (albeit with room for improvement) and which does not prevent the Government doing things if they actually plan for them and put them in a proper Governance framework of process, protocols and correct joined up legislation, would be a hard sell to the Commission (for that read ‘Fricking impossible sell’), at a time when we have other things to be spending diplomatic efforts on, particularly given the philosophical and historical roots of EU Data Privacy policy.

Frankly I think Minister Hogan should stop trying to change the laws that are working and doing their job and focus on ensuring that the laws he is responsible for work and do their job and that the necessary processes, governance, joined up legislation, and controls are in place to make sure that the execution of Government policy happens in compliance with the relevant legislation.

It would be an easy reach for me to pose the question of how the citizens should feel when a Minister in a right of centre party is seriously contemplating diluting fundamental rights to personal data privacy that have their ultimate roots in the actions of a previous right of centre political movement in Europe. But I won’t, because Minister Hogan obviously isn’t seriously contemplating anything of the kind, given the very real barriers that would be in place to such a course of action. He obviously mis-spoke on the radio yesterday but hasn’t had a chance to correct his mistake yet.

What I would hope he does is ensure that the next steps of the Household Charge and any subsequent policies and legislation are enacted in a way that avoids the overworked and under-resourced Office of the Data Protection Commissioner having to field calls and queries from concerned citizens. Designing Privacy controls and respect for personal data rights into the processes from the beginning is the way to achieve this.

In short:

  • The Data Protection Acts don’t need to be changed (but other legislation might need to be improved – so DP concerns should be considered at drafting stage in future)
  • Changing the Data Protection Acts, unless it’s to bring things in line with the proposed Regulation early, would create potentially significant legal and political challenges for the Government given the specific rights to Personal Data Privacy in the Lisbon Treaty and the fact that the Data Protection Acts implement EU Directives.
  • Minister Hogan was not seriously proposing a dilution of the rights to data privacy of the individual which are enshrined in the Lisbon Treaty. He must have misspoken.
  • Privacy by Design is a good way for Minister Hogan to avoid creating expensive calls on the Office of the Data Protection Commissioner and free up resources in the DPC to deal with policing other processors of personal data with their small number of staff (22) and their small budget (€1.2 million).
