It is critical that the state does not compound an administrative error being made by the Commission of Investigation into Mother and Baby Homes and Certain Related Matters, in failing to take account of its duties under the Charter of Fundamental Rights and GDPR to set aside any national provision which would conflict with the rights of access and other data protection rights.
The Commissions of Investigation Act 2004 has been superseded by the GDPR and the Data Protection Act of 2018. Its provisions providing for secrecy cannot be applied by any emanation of the state where they conflict with either Article 15 rights of access or Article 18 rights of the data subject to restrict any proposed processing.
In addition, the proposal to ‘seal’ the archive of documents to be presented to the Minister for 30 years is simply impermissible under EU law. Even where national legislation allows for restrictions on data subjects’ rights, those restrictions must be tightly limited and necessary for an overriding purpose of national importance.
The collective body of all the data protection authorities, the European Data Protection Board (EDPB) has, on the 2nd June 2020, issued a policy document setting out the limits of permissible national legislation restricting GDPR rights (see EDPB, ‘Statement on restrictions on data subject rights in connection to the state of emergency in Member States’, adopted on 2 June 2020, https://edpb.europa.eu/our-work-tools/our-documents/autre/statement-restrictions-data-subject-rights-connection-state_en).
The EDPB confirmed:
“Any restriction must respect the essence of the right that is being restricted. Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified. If the essence of the right is compromised, the restriction must be considered unlawful, without the need to further assess whether it serves an objective of general interest or satisfies the necessity and proportionality criteria.
The processing of personal data should be designed to serve humankind and, within this context, one of the main objectives of data protection law is to enhance data subjects’ control over their data.”
The EDPB described the limits of national restrictions:
“In line with the GDPR and the case law of the Court of Justice of the European Union and of the European Court of Human Rights, it is indeed essential that legislative measures’, which seek to restrict the scope of data subject rights, are foreseeable to persons subject to them, including with regard to their duration in time. In this regard, in particular where restrictions are adopted in the context of a state of emergency to safeguard public health, the EDPB considers that restrictions, imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
Furthermore, restrictions are exceptions to the general rule and, as such, should be applied only in limited circumstances. As laid down in Article 23 of the GDPR, restrictions must be a necessary and proportionate measure in a democratic society to safeguard an important objective of general public interest of the Union or of a Member State…”
“It follows from the principle of primacy of EU law, as interpreted by the Court in the case-law referred to in paragraphs 35 to 38 of the present judgment, that bodies called upon, within the exercise of their respective powers, to apply EU law are obliged to adopt all the measures necessary to ensure that EU law is fully effective, disapplying if need be any national provisions or national case-law that are contrary to EU law. This means that those bodies, in order to ensure that EU law is fully effective, must neither request nor await the prior setting aside of such a provision or such case-law by legislative or other constitutional means.”
It is therefore both the Commission’s duty to uphold the EU law principle that they should ‘enhance the data subject’s access to their personal data’ , and the Minister’s duty not to compound, repeat or exacerbate the Commission’s errors in failing to do so.
This is not merely a matter of policy – though the moral case is unanswerable.
It is a matter of EU law, and a direct duty on Ireland and all the emanations of the state to uphold those rights.
As the EDPB notes in the close of its June 2020 statement:
“The EDPB recalls that the European Commission, as Guardian of the Treaties, has the duty to monitor the application of EU primary and secondary law and to ensure its uniform application throughout the EU, including by taking actions where national measures would fail to comply with EU law.”
It would be a perverse legacy for the government to legislate to deprive people of data they so sorely wish to access about themselves and open Ireland up to the risk of fines on foot of enforcement by the European Commission in order to do so.