The proposed legislation aims to enshrine in law a right to access birth certificates, birth and early-life information for those with questions on their origins.
Representatives from the Data Protection Commission (DPC) will also address the committee.
Committee cathaoirleach Kathleen Funchion said that the two solicitors had vast experience and knowledge of data protection, and would discuss the GDPR impact on the bill.
Simon McGarr’s statement referred to a “common error of approach” in the heads of the bill.
“As recently as 2001, the Irish State was proposing creating criminal penalties as part of access to adoption records, should the records be used in a way the State did not approve of,” he said.
He said the State was now taking a welcome, if belated, effort in recognising the importance of an adopted person knowing her or his origins, through data access.
However, changes were needed to bring the planned legislation into line with EU law, he said, warning of legal consequences of passing a piece of national legislation at odds with the GDPR.
The bill seeks to legislate for a legal right which is already in existence, he said, since the data and documents described were already covered by the definition of personal data set out in article 4 of the GDPR.
“If a relevant body holds records or personal data, and that person makes a request for that data, there is no gap in the current law that is required to be filled,” he said.
The GDPR requires that the request be granted within a month. Failures to comply with the law are failures of administration, not failures of legislation, he said.
Right of access
“Thus, head 12 of the proposed bill’s attempt to legislate away the right of access to birth-certificate data of an adopted person is simply not legal under the GDPR.
“It would inscribe into national law a restriction on the article 15 GDPR right of access to personal data, without demonstrating in law any necessity or proportionality for that restriction,” McGarr added.
This also applies to the requirement to attend a meeting before a person's data will be provided, which appears to conflate the process of accessing personal data with the process of initiating contact, he said.
“It therefore fails on both a requirement of necessity and proportionality,” he said.
McGarr added that the attempt in heads 5 and 6 to create a list of elements of personal data to which a person would have a right of access is a ‘dead letter’, as the general right to all personal data, set out in article 15 of the GDPR, both precedes and supersedes it.
Similarly, the restriction in head 7 on the requirement for the provision of birth information to specified ‘relevant bodies’ is similarly non-compliant with the State's duties under article 15 of the GDPR.
The State cannot restrict the location from which data is requested, he pointed out.
Any State entity must provide any personal data it holds to a requestor, on receipt of an article 15 subject access request, he added.
The same objection holds for heads 8, 9 and 10 – but with the additional issue that head 10 seeks to refuse to provide information to the requestor, but instead to a medical practitioner.
“This is an additional layer of illegality, in that there is no basis for this interference in the right of access provided for in the statute and, therefore, it fails the necessity and proportionality test outright,” McGarr said.
He concluded that the final and most extreme example of an attempt to legislate away the individual’s GDPR rights could be found in head 40, which sets Irish national law above EU rights of access derived from the Charter of Fundamental Rights and the GDPR.
Solicitor Fred Logue said there was a risk if the legislation were passed in its current format that a confusing parallel system of rights would emerge.
“I think the drafters need to go back to the drawing board,” he said.
Adopted people already have rights to access birth certificates, he said, but face practical difficulties in retrieving information, rather than any limit to their legal rights.
Under questioning, McGarr said that the bill should ideally adopt the phraseology of the GDPR, in order not to have a clash between definitions.
To bring the bill into compliance, significant portions should be excised, he said.