2018 Financial Statements of the Office of the Data Protection Commissioner

Ms Helen Dixon (Commissioner for Data Protection), called and examined.

We are resuming in public session. I draw the attention of our guests to the fact that by virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to the committee. However, if they are directed by the committee to cease giving evidence on a particular matter and they continue to so do, they are entitled thereafter only to a qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the House or an official either by name or in such a way as to make him or her identifiable.

Members of the committee are reminded of the provisions of Standing Orders that the committee shall also refrain from inquiring into the merits of a policy or policies of the Government or a Minister of the Government, or the merits of the objectives of such policies. While we expect witnesses to answer questions asked by the committee clearly and with candour, witnesses can and should expect to be treated fairly and with respect and consideration at all times in accordance with the witness protocol.

I invite the Comptroller and Auditor General to make his opening statement.

Mr. Seamus McCarthy

The activities in 2018 of what is now the Data Protection Commission are, exceptionally, accounted for in two sets of accounts, covering the five-month period from 1 January to 24 May 2018, and the seven-month period from 25 May to 31 December 2018. Two sets of accounts were required because the legal structure of the Commission changed as a result of the passing of the Data Protection Commission Act 2018 and the commencement of relevant sections of the Act on 25 May 2018, coinciding with the beginning of the general data protection regulation, GDPR, regime on that day.

The format of the accounts is similar for the two periods of account and was previously applied by the former Office of the Data Protection Commissioner. The accounts are prepared on a cash basis and transactions are recognised in the period they occur rather than in the period to which they relate. The results for the period of account are presented in a receipts and payments account. There is no balance sheet, but some accrual information is included in a note to each account. The commission relies on the Department of Justice and Equality for its payment and accounting system. As the Chairman mentioned earlier, it is planned that the commission will have its own Vote from 1 January 2020, and from then on the commission will report financially in the appropriation account format.

The commission’s activities in 2018 were funded through Oireachtas grants totalling just over €8 million. This was applied in paying staff costs totalling €4.9 million; accommodation and equipment costs of €1.1 million; operational costs of €371,000; and legal and professional fees of €1.7 million.

Expenditure of the commission has increased in recent years, as the staffing and activity levels have grown. The increase in expenditure between 2017 and 2018 was around 30%. Up to 24 May 2018, certain data controllers and data processors were required to register with the Office of the Data Protection Commissioner, and to pay registration fees. The registration fee receipts were remitted to the Department of Justice and Equality and recognised in the Vote for justice and equality as appropriations in aid. The registration and fee regime ended with the coming into force of the 2018 Act. I issued clear audit certificates in respect of both sets of accounts.

I thank the Comptroller and Auditor General and invite Ms Dixon to make her opening statement.

Ms Helen Dixon

I thank the Chairman and members for the opportunity to address the committee on the 2018 financial statements of the Office of the Data Protection Commissioner and the Data Protection Commission. As the Chair mentioned, I am joined by a number of my colleagues from the Data Protection Commission. I am going to refer to the Data Protection Commission as the DPC from now on. The colleagues I am joined by are deputy commissioners Anna Morgan, John O’Dwyer and Graham Doyle and the DPC’s professional accountant Graham Geoghegan, who has been a welcome new addition to our team in 2019.

The DPC is fully funded by the Exchequer currently through a subhead of Vote 24 of the Department of Justice and Equality. As the Comptroller and Auditor General just indicated, this latter arrangement will change in 2020 when the commission is to be allocated its own individual Vote. At that point, I, as currently the sole Commissioner for Data Protection, will become the Accounting Officer in line with section 25 of the 2018 Act. In this context, the DPC appreciates this early opportunity to engage with the committee as it will provide useful direction in terms of an exploration of the accounts of the DPC, particularly as the budget allocation of the DPC has increased considerably in recent years and as the authority now takes on many additional new and direct responsibilities in the areas of accounting, HR, ICT and procurement.

The committee is aware that the DPC is the national independent supervisory authority responsible for monitoring and enforcing the application of EU data protection law. The GDPR, the e-privacy regulations, the Irish Data Protection Acts 1988 to 2018 and the law enforcement directive all provide the main legal frameworks under which the DPC regulates. There are in the region of 20 other items of legislation under which the DPC must perform particular supervisory functions assigned to it. The Credit Reporting Act 2013 is one such example.

The provision that the data protection authority in each EU member state is independent in the performance of its functions is fundamental to the GDPR. Article 52 of the GDPR prescribes that each member state shall ensure that the supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers. Currently, based on figures produced by the European Data Protection Board, the DPC in 2018 was the eighth largest in the EU in terms of both employee numbers and budget, slotting in behind, for example, the UK with 513 staff and a 2018 budget of over €51 million and France with 199 staff and a budget of over €17 million.

The DPC operates in a very specific context at an EU level in that it is the lead supervisory authority in the EU under the GDPR for most of the world’s largest technology companies, given their headquarter locations here in Ireland. This brings considerable additional volumes of work, complexity and scrutiny but also grants the privilege to the DPC of handling cutting-edge cases in this important area of law.

It is worth recalling that 2018 was a historic year in terms of data protection. The 2018 Act was the first comprehensive piece of national data protection legislation enacted in the State since 2003 and it gave further effect to the GDPR in Ireland and transposed the law enforcement directive.

The core functions of the DPC under the GDPR and the 2018 Act include handling complaints from individuals on potential infringements of their data protection rights. In excess of 4,000 complaints were received in the calendar year 2018, which represented a 56% increase over the figure received in 2017. A total of 3,366 of those complaints were concluded in 2018. Some of the complaints are easily resolved with intervention by the Irish DPC. For example, an organisation might fail to provide an individual with a copy of their personal data, and when the DPC intervenes, the data may be immediately forthcoming. Other cases can be far lengthier and complex, particularly where many different laws are in play. This has been especially the case with complaints, for example, about receiverships and liquidations and about cases involving disputes between employers and employees.

The second function of the Data Protection Commission is to conduct inquiries and investigations regarding potential infringements of data protection legislation and to enforce the law as required using corrective measures and, now, administrative fines. In 2018, large-scale investigations that were under way included the investigation into the public services card; a finalised report and findings into non-compliance by the hospitals sector; 32 investigations into surveillance of citizens by the State sector through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition systems, drones and other technologies; and 15 investigations of a range of issues concerning so-called big tech companies. A final report and set of directions for compliance were also issued to Yahoo! EMEA Limited in respect of infringements relating to what was at the time the largest global data breach ever notified. Further, the DPC in 2018 issued a significant decision against the National Asset Management Agency, NAMA, regarding access to personal data, and details of this decision feature in the DPC's first annual report for 2018. There were also nine sets of District Court prosecutions taken by the DPC, which concluded during 2018. Eight of those concluded successfully, with costs awarded to the DPC and the final case being withdrawn due to compliance by the data controller.

The third function of the DPC is to promote awareness among organisations and the public of risks, rules, safeguards and rights in the processing of personal data. More than 50,000 contacts by email, telephone and web forms were received through the DPC’s information and assessment unit in 2018. A number of campaigns via the DPC website and in the national media were run by the DPC in 2018 to drive readiness for the GDPR. These included the launch of a comprehensive public consultation on children’s data. By the end of the awareness campaigns the DPC ran in 2018, 80% of Irish adults had been reached and, based on an independent survey commissioned by the DPC, 90% of SMEs were aware of the GDPR.

Fourth, we have a function in co-operating with data protection authorities in other EU member states on issues such as complaints and alleged infringements involving multinationals. In excess of 80 European Data Protection Board meetings were attended in Brussels by DPC staff in 2018. As of last year, EU data protection authorities use a shared IT platform to transfer and exchange information on cases, and more than one third of the cases on this IMI platform were assigned to the Irish DPC in accordance with the rules of the one-stop shop. Delivery of a harmonised implementation of the GDPR across the EU is central to the aims of the new law.

The fifth function of the DPC is to assess breach notifications from organisations that now have a mandatory obligation under the GDPR to report to the DPC and to ensure mitigation actions have been taken. A total of 4,740 valid data breaches were notified in the 2018 calendar year, which represents a significant increase over 2017. Each of these breach notifications was individually assessed and engagement with the reporting organisation took place, giving the DPC an opportunity to make recommendations on procedural and security mitigation measures to be put in place.

The funding of the DPC by Government has increased significantly in recent years, from €1.7 million in 2013 to €11.7 million in 2018, which comprised an allocation of €7.3 million for pay and €4.4 million for non-pay expenditure. The allocation was further increased for 2019 with a total allocation of €15.28 million. This commitment of additional budget has allowed the DPC to grow its staff from 27 in 2014 up to 110 at the end of 2018 and now to 138 today.

The majority of expenditure at the DPC relates to salary costs. The outturn on salaries for 2018 was €4.767 million. During 2018, the DPC added an additional 25 staff, all of whom were recruited through specialist competitive recruitment campaigns to ensure the DPC has the legal, technological, investigative and communications staff it requires to deliver on its mandate.

The DPC non-pay expenditure outturn was €3.286 million for 2018. It was composed mainly of office accommodation costs, communications costs, legal fees and costs, and business advisory services to prepare the DPC for GDPR. Legal fees and costs represent the biggest category of non-pay expenditure, and such cases will continue to be a feature of the work of the Irish DPC, particularly now as punitive fines and measures can be imposed against organisations. Irish law allows a right of appeal by affected parties against decisions of the DPC. Currently, the DPC has 24 live civil litigation cases active in the courts.

In addition, the DPC initiated what has been one of the most significant data protection cases in the EU when it brought a High Court application in May 2016 seeking a reference to the Court of Justice of the European Union, CJEU, on the validity of an EU legal instrument underpinning personal data transfers in a case involving Facebook and Max Schrems, a data protection activist. The case is of fundamental importance to the determination of core issues of data protection under EU law and has drawn global media coverage and worldwide interest far beyond the data protection community. The outcome of the case potentially will have worldwide ramifications for data transfers out of the EU and is being closely followed by data protection regulators, law makers and the data protection community. A decision of the CJEU is awaited in late 2019 or early 2020.

I hope I can assist the committee further with responses to any questions members may have.

I thank Ms Dixon for her opening statement. She is very welcome on her first appearance before the Committee of Public Accounts.

The lead speaker is Deputy Cullinane, who has 20 minutes, followed by Deputy Kelly, who has 15 minutes. The remaining speakers have ten minutes each in the following sequence: Deputies Catherine Murphy, Munster, Connolly, and MacSharry. They are the ones who have indicated so far.

I welcome Ms Dixon and her team. I am not sure if this is the first time she has appeared before the Committee of Public Accounts.

Ms Helen Dixon

This is my first time at the Committee of Public Accounts, yes.

She is very welcome.

Ms Helen Dixon

I thank the Deputy.

In her opening statement she said that the DPC's main remit is to ensure that the risks, rules, safeguards and rights of citizens in relation to personal data are protected. Does the commission have an oversight role?

Ms Helen Dixon

We have a monitoring and supervision role as well as enforcement where we identify infringements.

Is the enforcement side of it underpinned by law? What enforcement powers does the DPC have?

Ms Helen Dixon

Under the GDPR, which is a direct effect regulation, we have a range of corrective measures that we can apply. We can order the cessation of processing. We can require an organisation to bring its processing into compliance based on findings that we issue. In addition to the corrective measures that we can apply, we can impose punitive fines. The intention is that where we do identify infringements under the GDPR, we are obliged to consider the application of the administrative fines and we have to do it in a way that is intended to be a deterrent. It has to be proportionate, dissuasive and effective in terms of its application.

The DPC's reach goes into both the public and private sectors. I imagine those fines potentially apply to Departments and Government agencies.

Ms Helen Dixon

In fact, under the GDPR the fines that are set down, which can be up to 4% of turnover for the previous year for an undertaking or €20 million, apply only to private sector organisations, and member states were left with a choice in their national law in relation to public sector bodies. What has been provided for in the 2018 Act in Ireland is that there can be a fine of up to €1 million in respect of public sector bodies.

And Departments-----

Ms Helen Dixon

Sorry, I should say that may include certain private sector operators that effectively have contracts for the public sector. There is a broader and more expansive definition.

In the context of a large Department, €1 million may be a small amount and may not be a deterrent. On enforcement, can the commission direct a Department to cease doing something? I imagine she can. If it does not cease doing something she has said it should not do, is the only option open to her the fine of up to €1 million?

Ms Helen Dixon

No, we can issue an enforcement notice, which is provided for in the 2018 Act, that will give the organisation 21 days to bring the matter at issue into compliance. We can then-----

In the worst-case scenario, if the Department does not comply, what options does Ms Dixon have?

Ms Helen Dixon

We would have to issue proceedings for failure to comply with the statutory enforcement notice-----

Which would go where?

Ms Helen Dixon

We would go to the Circuit Court.

Is that where the fine of up to €1 million can be applied?

Ms Helen Dixon

No, we make a decision. The Data Protection Commission decides and adjudicates on the fine and the court has a function in confirming fines if there has been no appeal.

Ms Dixon mentioned earlier that the commission publishes various reports, one of which was the final investigation report into the public services card. We examine the issue from a value-for-money perspective, although that is not Ms Dixon’s remit and I have questions for her about the process and the report. The Committee of Public Accounts has dealt with this issue previously, as was mentioned in the commission's report. A chapter in the report of the Comptroller and Auditor General examined the business case, or lack thereof, that underpinned the public services card on its conception. There were also issues with the tendering process. Mr. McCarthy might recall when the report was published.

Mr. Seamus McCarthy

I published the report in September 2016. It related to the 2015 year of accounting.

At the time questions were raised about a renegotiation of the contract, which was based on the publication of 3 million cards. Until 2016, only 2.1 million cards had been published and as part of the renegotiation, the State had to pay approximately 50% of the difference between how many cards had been produced and how many had been intended to be produced.

Mr. Seamus McCarthy

I have not prepared in depth on that matter, but there was an expectation that if a target was not reached, the full amount of the payment would have to be made.

We do not have the up-to-date figures for 2017 or 2018.

Mr. Seamus McCarthy

I do not have them.

I recall that Mr. McCarthy stated at the time that there was an estimated cost of €60 million.

Mr. Seamus McCarthy

I was projecting. It was projected that up to the end of 2017, the cost of the project would be of the order of €60 million.

I raise the matter because we will put the questions to the Department but they are not for Ms Dixon. Can we write to the Department and seek up-to-date figures in advance of representatives of the Department appearing before the committee? I refer to figures on the cost up to the present day.

That is agreed to by the committee. We will write to the Department of Employment Affairs and Social Protection seeking an up-to-date report and the current figures, not only those until the end of last year, for which appropriation accounts will be published next week. We will state we had covered the matter in a recent periodic report with the Department last year. The cost was approximately €60 million at that point but we want an up-to-date figure from the Department.

I do not wish to take up our guests’ time but we might return to the subject later in order that we can determine what we will ask the Department, given that there are other relevant issues.

That is fine. We will log the issues.

Turning to the report, it was a significant aspect of the commission's work this year. People will have concerns about some of the findings, which have been very much in the public domain. There were a number of high-level findings, such as that there was no lawful basis for the Department to rely on the SAFE 2 register, that the Department has not complied with the data retention principle and that it has not delivered sufficient transparency to the public. What did Ms Dixon instruct the Department to do as a consequence of her findings?

Ms Helen Dixon

When I issued the final report to the Department on 15 August, I also issued a letter of directions, which it has since published. On foot of the findings, I directed the Department, first, to cease processing, in terms of SAFE 2 and the issuing of public services cards, where the processing was for the purposes of an individual engaging in a transaction with a specified body. To translate that into English, the Department was to cease processing where it was for the purposes of anything other than a social welfare benefit claim.

The second action I directed the Department to take was to prepare an implementation plan in respect of findings Nos. 3 to 8, inclusive, which are the findings the Deputy referenced that relate to data retention and transparency. I proposed a period of 49 days to the Department by which it would set out an implementation plan for how it could bring itself into compliance with the findings. It struck me that on the retention issue, and on the order that the Department was to delete the data and the supporting documentation it was retaining, there could be procurement issues for it or unforeseen consequences I would not be able to identify from the distance I was at. I gave the Department time to propose an implementation plan with timelines on which we would engage with it. They were the directions issued to the Department.

As is common between State bodies and regulators or people who have a supervisory role, there were professional differences of opinion between Ms Dixon and the Department on some of the core elements of her report. Is that a fair statement?

Ms Helen Dixon

I think the response the Department has published and the public commentary it has made would certainly support that statement, yes.

In the preparation of the report, I imagine that Ms Dixon had to rely on legal opinion. One of the core issues was a difference of opinion on the legal underpinnings of the card and its workings. Did Ms Dixon rely on in-house legal advice or was she obliged to purchase an external legal opinion? If the latter, what was the cost?

Ms Helen Dixon

To give a brief outline of the process, as the committee will know we launched the investigation in October 2017. It was a broad-ranging investigation, given the volumes of data processing at issue. We identified a number of issues we would investigate around legal basis, retention and transparency, as well as security and biometric personal data processing. Over the months we conducted the investigation, we identified that we would have to narrow the scope of the investigation and corresponded with the Department to that effect. We limited the first part of the investigation to legal basis, retention and transparency.

In advance of issuing the draft report to the Department in August 2018 with our provisional findings, we had identified we did not have sufficient information on all the areas we were examining to make preliminary conclusions. When we issued the draft report, we made preliminary inclusions in 13 areas and made 17 requests for further information to the Department. To answer the Deputy's question, before we issued the draft report we sought some legal advice because it was already clear in the responses we had received from the Department that issues of legal interpretation were being raised, as were assertions that we might be erring in law. As a result, we obtained legal advice in advance of issuing the draft report. The legal advice, which was obtained from a junior counsel in 2018, cost €10,000.

That was not bad. In a reply to a parliamentary question on the issue and on Ms Dixon's report, the Minister, Deputy Regina Doherty, stated:

The Department sought to meet the DPC on two occasions since receipt of the report with a view to outlining the basis for its conclusions and seeking to clarify a number of matters of concern relating to inconsistencies both within the DPC's report and between the report and the accompanying letter from the DPC. The request for a meeting was declined on both occasions.

The Minister is speaking on behalf of the Department here. Essentially, she stated Ms Dixon's commission refused to meet the Department, despite two requests being made. Will Ms Dixon outline the rationale for why that was the case?

Ms Helen Dixon

I appreciate that many people will not have had the time to read the correspondence that was published by the Department, but what the correspondence indicates is that in response to the first request to meet, which was in a letter addressed to me by Jacqui McCrum, the deputy secretary general at the Department, I responded to that letter from Jacqui McCrum on 22 August indicating in the affirmative that I was willing to meet and that a meeting could indeed be useful once the Department had tabled the implementation plan, which I directed in the letter of 15 August. In fact, Deputy Cullinane will see from the correspondence on 22 August that I was open to meeting once that implementation plan was tabled. I did not hear anything further about a meeting until correspondence from the Secretary General on 3 September. The correspondence issued to me after a press statement had issued from the Department earlier that day and the Minister had done some rounds of media, all of which indicated that the findings of the Data Protection Commission were to be rejected and that the findings were to be challenged. By the time the correspondence of 3 September landed, which confirmed that the Department did not intend to comply with any of the directions that had been issued, it was out of the question that a meeting would be appropriate. I will quote accurately from the correspondence of 3 September from the Department:

However, given the strong and sincerely held differences in opinion between your Office and both Departments, [it is referring to the Department of Public Expenditure and Reform] (based on the advice received from the Office of the Attorney General), as to the correct interpretation ... of the relevant legal text and ... the import of this difference in interpretation not just for the PSC and SAFE 2 and the organisations and citizens that rely on them.

I will find the relevant section.

The Minister wishes it to be known that she is anxious that her officials and officials from the Department of Public Expenditure and Reform should engage in discussions with your office to determine if there are any measures that can be agreed, without prejudice to our respective positions, that might address the Commission's concerns and negate the requirement for any Enforcement proceedings.

It was entirely inappropriate that we would engage in a meeting where we had issued finalised findings and clear directions as to what was required to bring it into compliance.

I accept that. I just wanted Ms Dixon to put that on the public record because I think that is important. I used the phrase "professional disagreement" earlier. When I read the report I think it goes a bit further than that because I am looking at the sections that talk about when Ms Dixon had a draft report and a reply was sought from the Department. What we are looking at is process and how Ms Dixon's office interacts with Departments. The office has a very clear role and it is statutorily independent. We would expect that there would be a professional level of co-operation with Ms Dixon's office. I am concerned when I read this and I see that there were, first, issues in relation to the Department seeking an extension to its response to the draft report in the first instance. Second, what seems extraordinary to me is that when the Department first responded it sent 470 scanned pages that were unpaginated. From her perspective, does Ms Dixon think that is an acceptable level of co-operation from a Department?

Ms Helen Dixon

I think we indicated in our correspondence, which is now in the public domain, that we did not think the threat of legal proceedings by the Department to us at the point where it sought a further extension was warranted. In terms of a 470-page submission that was not searchable and was not paginated, which ultimately we resolved with the Department when it made a further submission at our request, I could certainly say it is not the norm in terms of what we would anticipate in a response to the report that we issued.

I know Ms Dixon has to be diplomatic, but to say it is "not the norm" is an understatement. I can imagine what I would do if I was in her position and I got 470 scanned pages. I imagine that what she was looking for was a formal, intelligible response and what she got was 470 scanned pages. Was there a follow-up to that? Did Ms Dixon write back to the Department and say that was not acceptable and she needed the response to come in a different format?

Ms Helen Dixon

That is correct. After trying to utilise what had been supplied to us, we ultimately contacted the Department and obtained a resolution when it resubmitted a submission that was searchable and paginated.

Page 22 of the report states the Department was responding to the report. It says, however the Department of Employment Affairs and Social Protection objects to the DPC's use of such language in this regard. That was to describe the evolution of the card in the first place and considers that it is "pejorative and sensationalist". Again, that strikes me as not being fully co-operative, in that a Department was essentially saying the commission's office was being sensationalist. How did the office respond to that?

Ms Helen Dixon

How we responded to it is now on the record in terms of the report that we finalised. We show how we treated those particular arguments from the Department, taking them into account but, ultimately, in that section of the report we rejected the assertions from the Department. In part, the response was indicative of quite entrenched and strongly held views on the part of the Department in relation to the public services card.

Departments can have entrenched and strongly held views but they also have to fairly co-operate with Ms Dixon's office, as anybody does, because as I said earlier, the Data Protection Commission's reach is into both the public and private sector. We must have regard when we receive correspondence, as we do, to data protection. We must do it as individuals and as Members of the Oireachtas. Departments have a responsibility to take the lead. Perhaps it is a bit strong; but was there a pushback from the Department in co-operating with Ms Dixon's office? It might be strong to say "pushback", but when I read the report in its entirety on the process from when Ms Dixon's office first started engaging with the Department up to its conclusion, it did not jump out at me that the Department was co-operating in a fair way with the office. Was that engagement an outlier or unusual in terms of how other Departments or organisations have engaged with Ms Dixon's office?

Ms Helen Dixon

As a starting point, if we look at co-operation with the process, there was co-operation with the process in that the Department acknowledged the commencement of the investigation, it assigned a correspondent with the investigators at the DPC and, notwithstanding that it sought extensions, and the terms in which it sought those extensions, it did make its submissions and it did respond and engage. The Department co-operated with the process. Deputy Cullinane asked if there was pushback. In terms of the response the Department has published to the report and the responses the Deputy can see reflected in the final report, it clearly is resistant to the legal analysis and the findings of the Data Protection Commission. There is little doubt about that.

This is my final question. I am aware that other members want to contribute as well. I thank Ms Dixon for her responses. A number of Departments were using the card, namely, the Departments of Transport, Tourism and Sport, Education and Skills, Justice and Equality, Foreign Affairs and Trade, Children and Youth Affairs and Employment Affairs and Social Protection. Following the publication of the commission's report, how many Departments have ceased using the card and in Ms Dixon's view, are Departments still using the card outside the law?

Ms Helen Dixon

I cannot answer today how many Departments are using the card because our investigation ended when we issued the report to the Department on 15 August, but as part of the directions that we issued to the Department, we did require the Department to contact all of the specified bodies and inform them of the findings in the report and the directions that we issued. It is clear that the Department has opted not to do that.

It has been reported that the Department of Transport, Tourism and Sport has in some areas ceased using the card. From Ms Dixon's knowledge - I know she cannot speak about what she does not know - which Departments have changed their practice? She has given a direction. Are Departments still operating outside the law from her perspective? They might have a different perspective on the interpretation of the law, but Ms Dixon is the one who issued a report and a directive. Are there any Departments, in her view, still operating outside of the law in respect of the PSC and, if so, which Departments?

Ms Helen Dixon

What I can state from direct knowledge, because we have corresponded with the Departments on complaints we have on hand from individuals about the PSC, is that the Passport Office is no longer requiring the PSC on a mandatory basis for the categories of passport application or renewal that previous to this it was requiring. Again, to the best of our knowledge, the Department of Transport, Tourism and Sport is not requiring the PSC on a mandatory basis. As far as we understand from the press statement issued the other day by the Minister, Deputy Zappone, the Department of Children and Youth Affairs appears to be pressing ahead with a requirement that individuals use a PSC to apply online for the new childcare scheme. The only alternative option that appears to be offered is a manual, paper-based application that will not be ready until the new year and will not provide back payments. Clearly, this is completely at odds with the findings of our report and the directions we have issued.

The question I put was partly related to that but also to Ms Dixon's view that some Departments are still operating outside of the law. Her findings were that there was no legal basis for the card beyond the Department of Employment Affairs and Social Protection and that data were held by the Department in a way which was potentially illegal, from her analysis. Is that still the case today?

Ms Helen Dixon

That is still the case, to the best of our knowledge.

That is then subject to this appeals process or enforcement process.

Ms Helen Dixon

That is correct.

Where is that at the moment? What is the timeframe for when there will be some conclusion to that?

Ms Helen Dixon

I cannot give the Deputy a precise timeframe but it will be imminent enough. Regarding the final report we prepared on foot of the investigation, the direction letter we issued and the correspondence since with the Department, they are not enough to constitute an enforcement notice, which is prescribed in a particular format. There is a process of delivering on the format required for that, which we are engaged in currently.

I thank Ms Dixon.

I very much welcome each and every one of the witnesses. Well done to them on their work to date. It is incredibly important in the times we live in. My questions concern three different areas. I have some questions about the PSC; some questions about finance and funding, which I have concerns about, scale being the big issue; and then some questions about aspects of the Data Protection Commission's work relating to its position as the lead supervisory authority in the EU and current cases that have impacts in many ways on the way in which we live.

Regarding the PSC, I thank Ms Dixon for the information in response to the previous speaker. Obviously, she has her own independent advice, etc. Does the nub of the issue come down to the interpretation of the Social Welfare Consolidation Act 2005? We all remember back then getting those white public services or social welfare cards. I think I ended up with two by accident at one stage. It was a requirement under that legislation - and I ask the witnesses to tell me if I am wrong because I am not legally qualified - to produce the card but it was not mandatory for anyone to get one. Does the nub of the issue come down to how that legislation is interpreted versus our requirements under European law?

Ms Helen Dixon

That is a fair summation of the nub of the issue. The Deputy is referring to section 263(3) of the 2005 Act.

It contains approximately 25 words.

Ms Helen Dixon

Yes, 23 words, allegedly. It states that a person shall produce his or her public services card if requested to do so. The real nub of the issue is around the Department of Employment Affairs and Social Protection processing personal data where the necessity test has not been met. Typically, under data protection law, for a government department, legislative underpinning will be an element of lawful basis, and there are certain provisions in the Social Welfare Consolidation Act, but it is not the only condition for lawful basis; the necessity for the processing also has to be borne out. The issue, therefore, does in part centre on the subsection the Deputy has mentioned because under section 263(1), the Minister has an enabling power that allows her to issue a PSC. What is at issue, looking at the analysis we have conducted, is that a number of provisions in the Social Welfare Consolidation Act relate to social welfare benefit payments. Under section 241, a person is required to satisfy the Minister for Employment Affairs and Social Protection as to his or her identity when obtaining a benefit. Section 242 sets out that there are two means by which identity can be satisfied, one of those being by means of the PSC. In addition, section 247 sets out consequences of failing to satisfy the Minister in this regard. There are, then, a range of provisions specific to social welfare payments that ultimately, on a fine balance, led us to a conclusion that the necessity for the processing regarding social welfare claimants is set down-----

But not for everything else.

Ms Helen Dixon

-----but that those provisions are absent regarding why there is a necessity for the Minister for Employment Affairs and Social Protection to process personal data in respect of transactions with specified bodies.

That is quite clear and explained precisely. My next question is to the most senior witness from the Department. I do not know who that is but perhaps it is Mr. Fallon. The Office of the Data Protection Commissioner is independent but until next year the parent Department is the Department of Justice and Equality. That is the parent relationship rather than funding and day-to-day matters. Does the Department 100% accept the findings of the commissioner?

Mr. Richard Fallon

Obviously, we start from the point that the role of the Data Protection Commissioner and her office is fully independent of Government. This is a requirement of GDPR, backed up by the relevant case law. The Government, in consultation with the Attorney General, has obviously decided to challenge the findings of the commissioner's report, so I do not think this course of action is interpreted or meant to be interpreted as a criticism of the commissioner or her office or mandate. What it points to is the importance and the need to get legal clarity on the findings of the report.

Mr. Fallon is dancing around the edge, so I will ask the question again. Does the Department of Justice and Equality accept fully the findings of the Data Protection Commissioner on this issue?

Mr. Richard Fallon

This is a matter that has been before Government, in consultation with the Attorney General, and it is the Government's position as to how it is responding to the report. These are matters of the application of legislation and the interpretation of law that are for resolution in the appropriate fora, and it is not for me today to make an arbitrary finding on my own behalf as to what the outcome of those proceedings will be.

I am not asking Mr. Fallon to do that. I presume, however, that he would have anticipated this question when preparing to come before the committee.

Mr. Richard Fallon

We have just had a discussion on the findings in the report and the ongoing proceedings. That is where these issues stand.

Is the following statement inaccurate? The Department of Justice and Equality does not accept the findings of the Data Protection Commission on this issue. It is a "Yes" or "No" answer.

Mr. Richard Fallon

I did not say that. What I said is-----

I am asking whether that statement is inaccurate.

Mr. Richard Fallon

The Deputy cannot make a statement on behalf of the Department-----

Let me rephrase that.

Mr. Richard Fallon

-----and he is putting words in my mouth essentially as to what-----

I am not asking Mr. Fallon to do that. It is my interpretation of the answers given by him that the Department does not accept the findings of the Data Protection Commissioner on this. That is a statement of my view.

Mr. Richard Fallon

That is fair enough.

What I am asking Mr. Fallon is whether it is inaccurate.

Mr. Richard Fallon

What I am saying is that the Deputy is entitled to his view. However, I can say that, in the context of my Department and on foot of the earlier discussions with Deputy Cullinane who raised the issue of how Departments are responding to the report, the public services card is not required in order for people to make citizenship applications, that the relevant application forms have been amended to this effect and that our website is being updated. We are responding to the report but this is all in the wider context of the interpretation of the application of data protection law and the Government's position as one of those stakeholders that come under its remit.

I thank Mr. Fallon for that comment because it is helpful. With regard to the wider aspects of the Department's work - it is the parent Department and that is why I am asking these questions - I presume it will not be requiring the public services card to be used for anything it is responsible for administering.

Mr. Richard Fallon

My understanding is that the example I have given of citizenship is the only area where it was at issue.

To go back to the Data Protection Commissioner, it was very interesting to hear a previous speaker pose a question I was going to ask about meeting the Minister. Great clarity has been provided today to the effect that the Data Protection Commissioner was willing to meet the Minister prior to her issuing a response. Is this fair to say?

Ms Helen Dixon

Prior to the correspondence from the Department and the statement clarifying that there was no intention to comply with the findings.

It would not be appropriate after that. I accept that. At any point did Ms Dixon or the people working with her feel pressure from a Department regarding this issue? The independence of the office is absolutely paramount. At any point did Ms Dixon feel her independence was in any way being affected or challenged? I hope the answer is "In no way at all".

Ms Helen Dixon

No.

What about during the investigation?

Ms Helen Dixon

No, what I would say is that at times we wondered whether there was now, and only now, an emerging understanding of what our independence means and perhaps a failure to fully appreciate the role of the independent supervisory authority.

That is very interesting.

Ms Helen Dixon

At no point did we feel pressure.

I am glad to hear that but I would like to tease the matter out further. In layman's terms, for the benefit of the members of the public watching, who have taken a huge interest in this, and to expand on what Ms Dixon just said, was the feeling in the organisation that as the investigation evolved there was greater awareness or clarity among the Departments regarding the independent nature of the Data Protection Commissioner and the capacity of how her decision on this could impact?

Ms Helen Dixon

That is still emerging. I made the comment because it arises, in particular, when we hear commentary to the effect this is all a little difference of opinion, or perhaps a big difference of opinion.

It is a bit more than that.

Ms Helen Dixon

We think this mischaracterises the nature of the independent office, the conduct of the statutory investigation, the making of findings and the powers we then have to-----

Ms Dixon is a little bit more than an annoyance in other words.

Ms Helen Dixon

I am sure all sorts of language is used-----

Ms Helen Dixon

-----that I am unaware of.

I found some of the language used inappropriate. I found it somewhat disconcerting. I also found that some of the language used did not recognise the independence of the office and the scale of importance of this issue. This was reflected to some extent in the discourse that emanated and the way in which the Department reacted once it went public on what it would do. Was Ms Dixon alarmed at some of the commentary?

Ms Helen Dixon

We are on the record as stating we were disappointed by it. I have to say that we were also somewhat surprised by the response to it. We were conditioned to be surprised because it is an unusual reaction in terms of all of the entities we supervise. The process we followed in respect of the Department did not differ from the manner of investigations we have conducted in other areas and the directions for voluntary compliance we have issued to other organisations. We were surprised at the response.

What is the cost of the investigation?

Ms Helen Dixon

It is difficult to add up fully the internal cost of the investigation in terms of resources applied to it. A lead investigator who heads up our special investigations, Tony Delaney, led on the investigation side. He used resources from throughout the organisation in the various strands of the investigation. There was significant involvement from Anna Morgan's team. She heads up the legal division of the Data Protection Commission. Certainly in the months prior to the report being issued two staff were working full-time on it.

May I make a suggestion because this has to be collated. Will Ms Dixon write to the Chairman?

Ms Helen Dixon

We will try to estimate the staff costs and the external legal advice.

I know it is labour intensive.

Ms Dixon can give her best estimate.

I want to clarify something. There has been much commentary on this and it is somewhat confusing to some people. Is biometric data being collected as part of the public services card process? If so, at what scale and when did it commence?

Ms Helen Dixon

The SAFE 2 registration process involves taking a high-quality photo on site by the Department of Employment Affairs and Social Protection. The purpose of taking a high-quality photo is that an arithmetic template is generated by the Department, taking measurements from the face in the high-quality photo. These templates are then used to perform a photo-matching function on the system. The arithmetic template is biometric data per the definition in the GDPR. The question as to whether it is collecting biometric data-----

That is the real question.

Ms Helen Dixon

Perhaps it is not collecting it. It is taking a photo but it is generating, storing and processing biometric data.

That was my next question. I fully understood what Ms Dixon stated because I come from an IT background. What is the scale of the collation of that data?

Ms Helen Dixon

It is 3.2 million persons per the statement made by the Minister in the Dáil last week.

What is the scale of the actual individual components of that data? I know it is 3.2 million people but what is the capacity of that data to be used? That is what the concern is.

Ms Helen Dixon

The capacity for the data to be used and the stated purpose at present is for photo matching by the Department of Employment Affairs and Social Protection to ensure individuals do not register twice.

The potential for its use for purposes beyond that is unlimited but clearly not underpinned by law.

That is where I wanted to go on that.

It is obvious that there will be some form of mass actions, multi-party actions or whatever regarding the commission's findings. That brings me to my second topic. I have a genuine concern but in a positive way. I admire and know the work that is necessary in terms of what the commission does. However, in terms of the scale of its work into the future, and my third point will elevate what I am saying, a range of actions will be requested of the commission as a result of this finding. While the commission's resources have increased over the years, will this be an issue? As an outcome of all of this, that could be a positive development which may help the commission. Will it be an issue in the year ahead?

The Deputy's time is-----

I have one more question after this one.

Ms Helen Dixon

To respond briefly, we have made a detailed submission to the Department of Public Expenditure and Reform via the Department of Justice and Equality for budget 2020. We believe we need to keep increasing our resources. The increases we have made to date have reflected and absorbed the capacity reality and the reality of limitations of the recruitment process through the Public Appointments Service. We have grown as quickly as we can and have been allocated a budget to do so but that cannot stop now because, as the Deputy correctly stated, the scale of the work we have to do is only going to increase.

There are a number of provisions in the GDPR that should assist us in terms of the scale of the work we have to do. Accountability is required on the part of all organisations and accountability of those organisations directly to the public. Data protection officers have now been appointed in 1,200 organisations in Ireland. These should be assisting in raising the standards of data protection in those organisations.

There are many other areas of the GDPR, such as codes of conduct and joint operations, that remain to be fully unlocked and which will also drive compliance. We will always have to take a risk-based approach and at the moment there are risks across a very significant number of areas that we are looking at.

This is the last issue I will raise. The Data Protection Commission received 4,113 complaints in 2018, which was a 56% increase on 2017. This indicates that this is moving in a certain direction. After the commission's findings it will require additional resources, and I support resourcing the commission's work.

With regard to the European Data Protection Board, the Data Protection Commission is the lead authority in a number of areas. These include issues related to data involving all the multinational companies located here; the Privacy Shield agreement between the US and the EU; Article 47 of the EU charter and where one of them meets and the other or does not; the processing and transfer of data and the use of that data in the US; and the case the commission was involved in with Facebook and Mr. Max Schrems. The Schrems case, in terms of scale, has received worldwide attention. I have deep concerns about the potential for other cases of similar scale given the geographical area the commission has to cover. I share Ms Dixon's concerns but, while I would love to do so, we will not have time to get into data-specific issues. I will, therefore, zone in on the position from a legal findings point of view into the future. We have to look at organisational process, etc. The Data Protection Commission is the lead European authority and has jurisdiction over various companies. These cases can go on for years and can have dramatic impacts in our modern world. I support the work the commission does but these cases can be highly costly. Who picks up the tab for them? Is it the Irish taxpayer or is it shared across Europe in all cases? I have read the cost is shared but is that always the case? Obviously, there is a lead cost given that we have such jurisdiction. To open up a can of worms, if we lost one of these cases, who would pay? Do we pay collectively or is there a potential issue for the Irish taxpayer? This could be something to protect the commission into the future. Ms Dixon might give some clarity on that whole area.

We will hear a brief response.

Ms Helen Dixon

It is a very interesting question. I will mention administrative fines before I turn to the Deputy's question, which is about the opposite costs. Once the Irish Data Protection Commission, DPC, starts administering fines and sanctions, there has been a debate about whether all of that goes to the Irish Exchequer or whether it is shared across the EU member states. It is our understanding that it goes to the Irish Exchequer. Already, therefore, there is an opposite debate to the question the Deputy is raising as to whether it is fair, if Ireland supervises most of these big technology companies-----

It is a real issue.

Ms Helen Dixon

-----and there are infringements and fines, that Ireland would get to keep the fine. That is an open question that has been raised a number of times.

Regarding the costs, it is well possible that the Irish taxpayer will end up, by virtue of these companies being headquartered here, incurring costs. The Irish taxpayer has incurred costs already in the case the Deputy referenced that is before the Court of Justice of the European Union on transfers of data because it arose from a complaint by Max Schrems against Facebook Ireland. Facebook Ireland being located here means that we are responsible. However, under this co-operation and consistency mechanism that now operates around the one-stop shop in the EU, I have to circulate a draft decision on any of these cases that concern multinationals to my fellow EU data protection authorities. If, ultimately, they have a different view that I cannot reconcile into my findings, I institute a dispute resolution mechanism before the European Data Protection Board and it may take over the decision-making. If a company affected by that decision disagrees with it, it takes an annulment action to the Court of Justice of the European Union. There would be a certain number of cases that may end up being taken out of Ireland's hands because of disagreement between data protection authorities. The European Data Protection Board will then have to bear the cost of defending those cases before the Court of Justice. Undoubtedly, the effect of having the multinationals headquartered in Ireland will give rise to costs for Ireland in terms of the supervision and enforcement of data protection law.

It is an interesting topic. We might return to it again.

We will return to it again.

In her opening statement, Ms Dixon said that in 2018, the Data Protection Commission was the eighth largest national data protection agency in the EU and she cited the British and French agencies. She will have looked for resources from the Department. What did she look for and what did she get?

Ms Helen Dixon

For 2019 or 2020?

Ms Dixon might give us the figures for both. If the commission is to become wholly independent, where it starts from will be incredibly important. The lead supervisory role obviously imposes additional obligations. Ms Dixon said the commission was the eighth largest of the data protection bodies in the EU. In what positions are the UK and French bodies?

Ms Helen Dixon

If it is okay, Deputy, we will submit information afterwards to you on where France and the UK are now.

Ms Helen Dixon

The reason we quoted the 2018 figures is not just because the committee is examining the 2018 accounts today. It is because the European Data Protection Board had confirmed them up to that point but we will get the latest figures.

Ms Helen Dixon

In terms of 2019, we obtained most of the budget demand that we had submitted to the Department of Public Expenditure and Reform for 2019. So already, over and above 2018, our total budget had increased to €15.28 million for this year. So, it was €11.669 million for 2018 and it increased to €15.28 million for 2019.

We have made a very considerable demand to the Department in terms of the 2020 budget. We have sought a total of €5.9 million to bring our annual budget to €21.1 million. In particular, we are seeking extra funding of €4.74 million. We have made a lengthy submission to the Department setting out how our experience of the first year of operation of the GDPR has demonstrated to us that the volumes and the complexity, and the nature of the role that we have, is such that we remain significantly under-resourced.

To which Department did the office make its demand?

Ms Helen Dixon

We make the submission, currently, via the Department of Justice and Equality, to the Department of Public Expenditure and Reform.

The Department of Public Expenditure and Reform launched the public services card and the Department of Employment Affairs and Social Protection, primarily, rolled it out. Is that the case?

Ms Helen Dixon

That is the case. The Department of Employment Affairs and Social Protection has indicated in their response to us that it is the Department of Public Expenditure and Reform that led the policy around expansion of the use.

So the commission is making an application for funding to the Department. I shall leave the matter there and we will make our own notes on same.

I have questions on the publication of the report. We received a response from the commissioner and she was anxious that the report on the public services card was published. I know that there was a freedom of information response, from the Department, that said if the report was published it would "have a serious, adverse effect on the ability of the Government to manage the national economy and the financial interests of the State". Did the Department indicate to Ms Dixon, in any of her dialogue with the Department, that this issue would be of such a magnitude?

Ms Helen Dixon

No. At no point did they make any indication to that effect.

Right. If the commission is really independent why would it be, when there is non-compliance within a specific period, and the commission relies on the Department to give permission to publish the report? Is there an inadequacy there in terms of process that needs to be addressed? Clearly, there is a public interest in this matter.

Ms Helen Dixon

In fact that has been addressed. Now, under section 149 of the 2018 Act, we have a very broad power of publication, which includes publication in relation to any matters that we think are in the public interest. Had we conducted this investigation under the 2018 Act we would have been capable of publishing it when we concluded the findings regardless of whether the Department wished to publish it or not. The issue here is that we commenced this investigation in October 2017, pre-dating the 2018 Act and the 2018 Act does not stretch to cover, retrospectively, the publication of a report that was commenced.

Am I correct to say that the DPC has two further investigations on biometrics and the Department's own data controller, which are due? Are they under that same Act? Are they under the old Act as opposed to the 2018 Act?

Ms Helen Dixon

Those issues around biometric processing, security and the processing of free travel data are being completed under the old Acts. That is because it is clear, in section 8 of the 2018 Act, that if we had commenced the investigation prior to the 2018 Act coming into force we have to complete it under the old Acts. We had written to the Department to indicate that regarding the other areas that remain for examination around MyGov.ie - certain issues relating to the public sector data set, and the single customer review database, which we have a particular interest in looking at - because we had not commenced the investigation work on those areas that a new investigation under the 2018 Act and GDPR would cover those, and that is still the plan.

In terms of the fines, or potential fines, I shall use this one as an example. There are three different investigations so, in theory, a fine could attach to the three for non-compliance. What way does that work?

Ms Helen Dixon

Because we are conducting this first report we issued the second report on biometrics, etc. They are under the old Acts and fines were not applicable under the old regime.

A total of 4,113 complaints was received in 2018. Is there a rough breakdown on what areas they primarily fell into? If the information is not to hand the commissioner might send it on to us.

Ms Helen Dixon

Yes, we can certainly send on the analysis that we included in the second annual report for 2018 that we published in February of this year. From memory, the private sectors that give rise to the most complaints are the banking and telecommunications sectors but there are a number of public sector bodies, including the Department of Employment Affairs and Social Protection, that feature in the top five most complained against organisations.

What prompts the DPC to do a full investigation? Do resources dictate what can and cannot be done?

Ms Helen Dixon

There is a resourcing reality, clearly, to everything we do but it is not the starting point. The starting point is that we take a risk-based approach in terms of deciding where to allocate resources. We look at the number of complaints around a certain type of processing that we might receive. We may see media reports in relation to certain types of processing, particularly issues with multinationals that we may want to look into.

We look at the number of affected individuals of a particular processing operation. So, for example, with the PSC, it clearly could affect every individual in the State because children's data is also processed, in the context of the PSC, given that they have been issued to individuals under the age of 18.

We look at the potential nature of impacts on the rights and freedoms of the individuals whose data is being processed. So could the data processing operations give rise to adverse impacts for individuals where decisions are being made about them in circumstances that are unfair and where they are not on notice in terms of the purposes of use of their data? We bring to bear a range of factors in terms of the risk-based analysis. We now have, under one of the deputy commissioners who is not here today, a process where we convene a committee within the DPC that looks at areas of high-risk, considers the realities of our resourcing, and makes decisions then on the areas that we will pursue for large-scale investigation.

Can the DPC prompt when it sees issues arising? Is there any engagement or reporting mechanism where there are shortcomings in terms of legislation? There is a balance of rights. For example, one Department is rolling out CCTV that communities can take up. One has got some ongoing dialogue with local authorities, for example, and I think it is around who is the data controller.

Clearly, we cannot have gardaí everywhere. In some locations, there is a desire to have CCTV. It is a question of how it is handled. I am using this as an example. Does the commission have the ability to draw attention to changes that should be made to facilitate something that may involve a public good, but lacks legislative safeguards?

Ms Helen Dixon

Is the Deputy asking whether we have the ability to do that outside of an investigation process?

Ms Helen Dixon

To clarify, rather than engaging in ongoing dialogue with the local authorities with regard to community-based CCTV, we are conducting a set of 31 investigations on the matter. We have also examined the deployment of CCTV by An Garda Síochána. One aspect of those 32 investigations is looking at section 38 of the Garda Síochána Act 2005, which provides the legislative basis for CCTV for security purposes in public places. A range of issues will fall out of those investigations. The Data Protection Commission has a dedicated consultation team that can look at other areas. All sorts of organisations seek formal and informal consultations with the commission. If they have something that is at concept stage, they might run it by us to see what data protection issues might arise. Equally, they might consult us on the detail of something that is more advanced. In many instances, organisations are required to have a data protection officer who should be the first line of defence when new things are being implemented. In cases like that referenced by the Deputy, they are required to conduct data protection impact assessments on a mandatory basis. The type of analysis that takes place as part of a data protection impact assessment that is conducted properly will lead to the correct answers and outcomes. We engage with organisations on data protection impact assessments. They are conducting the issues that are arising. In many cases, our consultation team is pointing to an absence in legislative underpinning for various concepts that are brought to us by public sector bodies. We pre-empt those - they often do not proceed and nobody hears anything further about them.

If there is a live feed, I understand completely that the right to privacy of individuals has to be protected. Obviously, there have been quite a few changes in office accommodation. Does the OPW source the commission's office accommodation or does it source it itself?

Ms Helen Dixon

As we are currently in an office under the Department of Justice and Equality, the OPW is mandated to locate a property for us.

Will that change?

Ms Helen Dixon

We hope we are now in the final stages of a process. The OPW is about to enter into lease negotiations on our behalf with regard to a property on Pembroke Row. If that goes to completion, as we hope it will, the lease will be signed by the OPW, which has the expertise in this area. The funding for the accommodation costs will flow through our Vote.

There was a significant increase in the number of complaints following the introduction of the GDPR. Was that the reason for the increase? Can the increase be attributed to heightened awareness of the remit of the office? The degree of public dialogue that goes on when investigations like this come into the public domain helps to increase understanding of the role of the commission.

Ms Helen Dixon

Our analysis is that the increase is associated with all of those things. The GDPR awareness campaigns certainly made people more aware of their rights. It caught their imagination and showed them how they can exercise their rights. People are taking an interest in data protection issues. We certainly saw a surge after the publication of the public services card report, which we did not publish. We see an increase in contacts with the office in such circumstances. The case of Cambridge Analytica and Facebook last year also gave rise to a surge in complaints. Those complaints were not necessarily about Facebook processing. In general, the case brought attention to data protection issues.

Does the commission have a breakdown of how much of its time is being spent on investigating public bodies, as opposed to private entities or individuals?

Ms Helen Dixon

We could probably look to complete some analysis for the Deputy. It is never going to be a static figure. As we take a risk-based approach, it depends on where we identify that issues are arising. As new issues become apparent, we direct our resources to them. We are at the beginning of the long process of driving up the standards of the application of data protection law across the Irish public sector. The GDPR has been in application for approximately 15 months. There is no doubt that the GDPR and the law enforcement directive are not yet fully bedded in. A great deal of work remains to be done. As the investigations conclude over the coming months, the gaps in the standards will start to become clearer.

When the commission decides to conduct a report, is that notified? Does the commission wait until the report is completed before it issues a notification? How can we have any idea of the work that is ongoing within the commission?

Ms Helen Dixon

Typically, we put the information into the public domain. In recent months, each time we have opened a new investigation, particularly into the big tech sector, we have issued a statement to that effect. Clearly, there is global interest in those investigations and in the extent to which people want to be on notice. The Deputy mentioned the investigation into the local authorities, which is already in the public domain. We put it into the public domain that our resources are currently focused on this area. We issue statements. In our annual report, we preview areas that are under investigation.

I will conclude by asking about the local authority investigation. A sponsoring Department is funding the CCTV. Local authorities are the focus where it is rolled out. Would the origin of the funding not be a cause of concern, in terms of what the obligations are at that point?

Ms Helen Dixon

Under data protection legislation, entities are looked at as controllers or processors of data. The legislation specifically looks at the remit not necessarily of a legal entity but of the role of the people who decide the purposes and means of the data processing operation. It is unlikely to be directly relevant to a data protection analysis that we would conduct. The obligations on the controllers remain the same regardless of whether their funding is obtained through a Government grant or allocated from within their own resources.

Okay. I thank Ms Dixon.

On how many previous occasions has the State appealed a Data Protection Commission finding or report?

Ms Helen Dixon

To the best of my knowledge, we have had one appeal of a commission decision. Judgment from the court is still pending in the case in question. It was an appeal by the Courts Service in 2017 of a decision by the Data Protection Commissioner.

In the meantime we have also had a statutory appeal against a decision in 2019 by the Department of Employment Affairs and Social Protection and on the same matter they have also launched judicial review proceedings. It is unusual, but the right of appeal does lie for public sector bodies, as well as the private sector.

In reading through the eight findings made in the final report one can see that they are quite stark. The first thing that jumped out at me was that the Department had really made a pig's ear of it. All one can see is the law being broken.

Ms Dixon said she had instructed the Minister to publish the report within seven days and that this had not been done. It was done after four weeks. Ms Dixon had also requested the Department to delete illegally retained data by 5 September - to my knowledge that has not been done - and to instruct other State agencies to stop processing data. They have failed to do this and seem to be hell bent on continuing to ignore the report's findings. Ms Dixon said the Data Protection Commission would have to fulfil further criteria in order to issue an enforcement notice. In response to a parliamentary question the Minister said: "It should be noted that the findings in the DPC report do not have the force of law until such time as they are formalised in an enforcement notice." Is it the case that the Department is working inside the law, or is it working outside the law as found in the report?

Ms Helen Dixon

We conducted the investigation under the Data Protection Acts 1998 to 2003. If it reads the provisions, the committee will see that we have identified that section 10A provides for the commission to deal with infringements of data protection law. It is a matter for the Minister how she characterises the findings as a result of the statutory investigation which have been issued to the Department. Section 10A also states the commission may issue an enforcement notice in order to force compliance with its findings. The letter of 15 August has been published. When we issued the report to the Department, we followed the approach we take with most organisations. We deferred enforcement, pending the Department's voluntary compliance with the clear directions we had set out. That is why it is now necessary to proceed - we reserved our right to do so - to enforcement action.

Was Ms Dixon surprised at the Minister and the Department, given that the commission had deferred issuing an enforcement notice to see if the Department would come on board with the findings made in the report?

Ms Helen Dixon

Yes, we have been surprised by the response.

Two other Departments seem to have walked away from use of the public services card, including the Department of Transport, Tourism and Sport. The Tánaiste has also asked his Department to carry out a review of the criteria, especially as they apply to the Passport Office. If the card will not be mandatory or compulsory in obtaining a passport and given that the Tánaiste is perfectly fine with this, as is the Department of Transport, Tourism and Sport, does Ms Dixon see this as vindication of the Data Protection Commissioner's report and its findings?

Ms Helen Dixon

We have no insight, other than what we have read in the media, into why clarification has now been issued both to our department directly and in correspondence with us about complaints we are investigating about the use of the public services card. We have no insight into how that decision-making process arose. It is important to point out that in the context of our report and the findings we have made, they are findings specifically against the controller of the data - the Department of Employment Affairs and Social Protection. The report is about the processing of personal data being conducted by that Department in the context of SAFE, level-2 standard, and the issuing of the public services card. When Deputy Munster asks me about vindication, there has been no vindication of the findings in the response of the Department of Employment Affairs and Social Protection. It is not really a question I can answer because I have no such insight.

To me, it stood out that the other Departments did not have full confidence in the use of the public services card if they were not prepared to use it as a mandatory form of identification.

Ms Helen Dixon

It is equally possible because we do not have an insight that, for entirely operational and efficiency reasons, the Passport Office rejected use of the public services card. Simply, at this point we have not made enquiries into that matter.

What does Ms Dixon believe the consequences for the Department will be in continuing the use of the public services card as a mandatory form of identification? What will the consequences ultimately be after the enforcement notice is issued and what will be the consequences if the Department does not adhere to the law?

Ms Helen Dixon

For the Department of Employment Affairs and Social Protection.

Ms Helen Dixon

Once an enforcement notice is issued, the Department will have 21 days within which to comply or appeal. It depends on whether it will appeal or we are forced into issuing proceedings for non-compliance with the enforcement notice. Assuming it will go down the pathway of an appeal, it will clearly depend on the outcome of the process in the courts. Ultimately, we have confidence in our findings and investigation which was conducted fairly by the office and we have confidence in our analysis, over which we stand. I imagine the ultimate consequence will be that the Department will be required to comply.

I have one final question for the Comptroller and Auditor General about the report on the roll-out of the public services card. Under the heading of project management, I note that he says there was no single business case document for the card.

Mr. Seamus McCarthy

That was our finding.

As has been said here, logic dictates that the objective would be to set out the case clearly, with a decision made to proceed and so on. I imagine, where a single business case document is not presented for any proposal, it can lead to problems. That is where a proposal would leave itself open. Is Mr. McCarthy of the opinion that it is very important to have a business case document?

Mr. Seamus McCarthy

Absolutely. In a way, it is easier if there is a single document that sets out what the plan is, what the objectives are, what outcome is expected as a result of a project and the associated costs. If all of that is set out at the beginning, it makes my job much easier. It also makes much easier the job of those who are trying to deliver the project such that they will know when they are or are not making progress. It is a fundamental requirement for any public sector project that there be clarity on what one is trying to achieve. When we examined the development and roll-out of the public services card project, we found pieces of what was being attempted laid out in various documents.

There were probably contradictions in some of them so we are looking for what the latest position is and how it is evolving. It makes it much more difficult to manage a project in a value-for-money way.

Hence the issues that have arisen since. Mr. McCarthy spoke of a fundamental requirement for the board but one could also call it "standard practice" to dot the i's and cross the t's. Is it because the business case was not presented and everything was not checked through that we are in the fiasco in which we are now? A pig's ear has been made of it and laws have been broken.

Mr. Seamus McCarthy

I would not go quite as far as some of the Deputy's conclusions. I was looking at the project a number of years ago and I do not want to make any definitive conclusion now as to where the project is. I would have to examine it again before giving another comment on it.

Mr. McCarthy said the presentation of a business case was a fundamental requirement but that was missing from the start of this fiasco.

Mr. Seamus McCarthy

Yes.

I welcome the witnesses. For the second time within three years there is gender balance, which is wonderful. For the second time, we have gender equality at one of the tables, though not at the top table. Often, reading documents for this committee just marks the beginning of a debate and I always leave such meetings wishing we had had more time to tease issues out. Ms Dixon is a breath of fresh air and the straightforward manner in which she has answered questions today is a model for everybody who comes before us.

I want to look at the accounts, at rented buildings and at the amount of money going on consultancy fees. The approach to the commission's report also has cost implications. I am confused about the issue of enforcement. Is it open to the Government to appeal the commission's findings at this point? Does the commission take enforcement proceedings and the Government fights them in court?

Ms Helen Dixon

In part it is up to the Department to take its own legal advice and it has concluded that the findings are not amenable to an appeal.

What choices does it have?

Ms Helen Dixon

I am not sure we would draw the same conclusion and case law indicates that it is unlikely an appeal would have been refused. In any case, we are beyond 21 days now. The next step is to proceed to enforcement.

We will then see what the Government or the Department does. It is fair to say the commission did not rush into this investigation, which has cost a lot of money. The commission is to get back to us on the question of the money and it is vital that it itemises the costs as best it can. In the annual reports to the Department every year, certain aspects were flagged.

Ms Helen Dixon

That is right. This goes back many years.

Function creep was flagged, which means moving out into other areas. What else was flagged?

Ms Helen Dixon

The issue of transparency was flagged. In our view there was a lack of coherence in what was being described. There are transparency requirements in data protection legislation, whereby individuals should understand why their data are being collected, processed and retained, but these were not being fulfilled. The Deputy says we did not rush into it and she is correct but we finally launched an investigation in 2017 when we could not make progress in terms of engaging.

That is the whole point.

Ms Helen Dixon

At that time there was an escalation with the publication of a statement on the website of the Department of Employment Affairs and Social Protection detailing a whole range of public sector bodies and Departments that were about to make procurement of the services card mandatory for accessing services. This was the final impetus which gave us a clear need to investigate it and set down findings.

The report sets out the background and this goes back to the 1990s. We had legislation in 2005 and there was a Government decision in 2013, which had implications. The annual reports repeatedly pointed out concerns, though Ms Dixon's predecessor accepted that there might be some justification for a requirement for a card, or something similar, for social welfare purposes. The commission did not object to this but teased the issues out to see what the implications were. Each year, the implications became much more serious and this was all conveyed to the Department, one way or another.

Ms Helen Dixon

That is right. It was conveyed in correspondence from me to the Secretary General.

The Irish Council for Civil Liberties, which still has serious concerns, and other organisations, as well as some very good journalists, alerted the Dáil as to the implications. In 2017, the commission acted. It asked for the report to be published and Ms Dixon has clarified that there was nothing the commission could do about the Government failing to publish the report under existing legislation. In module 2-----

Ms Helen Dixon

It is actually the second half of module 1 and it is still under the Act so the biometric questions are under the same restrictions in terms of an absence-----

When the commission produces its report and wants it published, it is up to the Government.

Ms Helen Dixon

It is up to the Comptroller and Auditor General and the Department of Employment Affairs and Social Protection.

We asked questions in the Dáil last night and we were told there was a business case. Is the Department of Public Expenditure and Reform aware that there is a business case? If so, where is it and when was it produced?

Mr. Liam Gleeson

Unfortunately, I am not familiar with it so I cannot answer.

Mr. Gleeson is not alone in not being familiar with it. Nobody is familiar with it and nobody seems to have seen it, although the Minister told us last night that there was a business case.

Mr. Liam Gleeson

I am sure there is and we will respond to the Deputy separately on this, if that is okay.

Okay. I do not mean to zone in on any particular person but we are here to discuss value for money and the business case. I was raised to believe the devil quotes scripture for his own purpose and we all now do that. I see that a chapter of the Comptroller and Auditor General's report is being quoted ad nauseam, by me as well as others. It is being done incorrectly, as it happens. The Minister quoted it last night but she quoted arguments given by the Department and not the Comptroller and Auditor General. The Comptroller and Auditor General sensibly, clearly and in a moderate way stated that there was no one business plan at inception. He said he believed it was very good and that it had good points and elements of good practice but that there were a number of omissions and partly addressed matters. This report dates from September 2016 and it puts the reader on notice that there is no business case.

In terms of value for money, where is the business case? The contract for €3 million, to be rolled out by 2016, did not happen and it was way under that. A new contract was entered into with advance payments to the company. Lots of bodies come before us and we haul them over the coals for a business case, for a rationale for why something is necessary or to tell us the benefits of something. If I accept Ms Dixon's report, the benefits are illusory, particularly in the area of making services available. It was supposed to be an enabler but it has become an inhibitor. It was supposed to make it easy for Departments to roll out their services but that has not happened. Fraud is a minute factor and identity fraud is a minute part of overall fraud, yet errors are higher. We are rolling out a project the costs of which were projected to be €60 million by 2016, although nobody can tell me what they are now.

Mr. Seamus McCarthy

It was a projected expenditure up to the end of 2017.

It was a projected figure up until the end of 2017. It was quoted in the Dáil again last night, as was a figure of €62 million. The figure for activation - whatever that means - was not included. I have a card. It is not a very high-quality photo, but that is a different matter. I do not know about the high-value photo. In any event, it runs out of date. I would like to see where details of when the card runs out and how it is renewed are mentioned in the business case. There are no answers on that side today.

Mr. Liam Gleeson

I am afraid not.

I thank Mr. Gleeson very much. We will go back to the Data Protection Commission accounts. Can Ms Dixon explain the situation in respect of rent? The commission was in a premises in Fitzwilliam Square provided by the Office of Public Works and paid no rent. Is that right?

Ms Helen Dixon

That is right. We still occupy that building-----

Very good. The commission pays no rent.

Ms Helen Dixon

-----at no cost.

I understand that the commission then expanded and needed additional premises. It went to two different places, for which a fairly high rent is paid. The commission is now hoping to occupy another premises for which it will also be paying rent.

Ms Helen Dixon

We will be paying rent. For 2018 we had to take up serviced accommodation in a Regus building. We took a number of rooms in that building.

That is all set out. I have read it. What I do not understand is why the Office of Public Works cannot provide the commission with another building. The commission is moving away from paying no rent, which is how it should be as it provides a vital service paid for with taxpayers' money. Was that rent-free accommodation just a temporary arrangement with the Office of Public Works?

Ms Helen Dixon

The building at 21 Fitzwilliam Square is owned by the State. That is why no rent is payable.

That is very good.

Ms Helen Dixon

It is way too small for our requirements in Dublin. Only 40 staff can be accommodated.

I am not asking Ms Dixon to justify that. I have often made the point that public money is being wasted on rent, which is keeping market rents artificially high. I do not expect Ms Dixon to have an answer to that, but that is where I am coming from. I then see a perfect situation in which the commission is accommodated rent-free in a Government-owned building. That is great. Problems then arose and the organisation needed extra space. I will come back to how that space was acquired. Did the Office of Public Works look at any other building owned by Government or the OPW for the commission, rather than private accommodation?

Ms Helen Dixon

We have been through a series of very lengthy engagements with the Office of Public Works since I was appointed more than five years ago. It is for the OPW to say why it has not been able to secure a building suitable for our needs and in which all our Dublin-based staff could be located. It says that, in part, it is because there have been very few suitable properties on the market that it can make available. The other response I believe it would give is that the building requirements we have specified pose particular challenges. The Deputy may be aware that at a data protection conference in Dublin just this week one of the presenters put up a very large photo of the office in Portarlington, which is located over a supermarket. This photograph has been circulated globally with commentary to the effect that this is how seriously Ireland takes data protection. As such, we have specified to the Office of Public Works that we ideally need a standalone building which is not co-located with Government Departments to reflect our independence. We also ideally need a building that is located centrally in Dublin, near to the large entities we supervise. We also ideally need a building that is not located over a supermarket or commercial premises that could be used against us.

There are very specific criteria that need to be fulfilled for the commission to function.

Ms Helen Dixon

There are some specific requirements.

Is the Office of Public Works handling that for the commission? Does it handle the acquisition of premises?

Ms Helen Dixon

It does.

Did it handle the acquisition of the two temporary premises?

Ms Helen Dixon

The Deputy is referring to the Regus serviced accommodation in Trinity Point where we are now located. The OPW corresponded clearly with us and told us that it would be unable to provide anything suitable for our needs. It proposed that we look at serviced accommodation options.

That is what the commission did.

Ms Helen Dixon

That is what we did.

With regard to Ms Dixon's own role, she just mentioned that she was appointed five years ago. Has she been reappointed?

Ms Helen Dixon

The Government reappointed me at the end of May.

Was that for another five-year term?

Ms Helen Dixon

Yes.

I would love to tease out the issue of the rented buildings but I am conscious of time. I want to ask about legal costs awarded against the Data Protection Commission. This is mentioned on page 17. The accounts cover two periods; I am looking at the period from 25 May 2018 to the end of December 2018. Legal costs awarded against the Data Protection Commission totalled €445,401. Will the commissioner explain those figures?

Ms Helen Dixon

I will. It is worth mentioning that the legal costs awarded against the Data Protection Commission in respect of cases coming to a conclusion in 2018 were exceptional. The first very significant amount is that paid in costs to Max Schrems as a result of the judicial review he took in 2014 that gave rise to a reference case to the Court of Justice of the European Union, which was ultimately remitted back to the Irish High Court. He was awarded his costs from that action because the Court of Justice of the European Union found that he had a valid complaint. A cost demand of €900,000 was submitted to the Data Protection Commission in respect of his estimate of costs. We considered that to be excessive and hired a legal costs accountant who engaged in a taxation process and we succeeded in having the claim reduced to €300,000. Therefore, of the nearly half a million euro mentioned, €300,000 relates to Max Schrems's costs arising from that particular case. The other significant amount included relates to costs awarded to the former Minister for Justice and Equality, Alan Shatter. He took an appeal against a decision of the then commissioner in 2014 with regard to a case that involved the former Deputy, Mick Wallace. He lost in the Circuit Court but appealed to the High Court, which took a different view from that of the Circuit Court. Ultimately costs followed from the judgment of the High Court. His costs were €97,848.

Would it be possible to get a note on that?

Yes. Will the commission provide us with a note?

Ms Helen Dixon

We already have a note prepared which we would be happy to give to the committee.

Marketing and media expenses and GDPR awareness are mentioned on the same page. The commissioner has already touched on this. This also represents a big sum if we take the two six-month periods together. The commissioner explained some of this already.

Ms Helen Dixon

Clearly 2018 was an exceptional year. We were obliged to make sure organisations were aware of the new law and that the public was aware of its rights. The majority of those expenses relate to national media campaigns we ran in cinemas and in the national newspapers. That money was paid to a company called Spark.

The commissioner would not expect the figure to be so high next year.

Ms Helen Dixon

No, this was an exceptional campaign to drive awareness.

The debate around the commissioner's findings will also help with awareness, will it not? The commission will not need a marketing campaign.

Ms Helen Dixon

That expenditure will be absent from the 2019 accounts.

Again, I do not expect the commissioner to comment on policy or political matters, but she talked about a risk analysis leading to this investigation. The commission did not rush into this. Finally, it was broadened out and the commission carried out a risk analysis. Then came the investigation and all that ensued. I have heard the argument that people have embraced this card and that there are no complaints at all about it. I have heard that the Department has carried out fact-finding searches when in fact it has carried out market research to tell us that people are not objecting to this card at all. I read most of the commissioner's report. I would like the commissioner to elaborate on her point that this is not just about privacy.

Ms Dixon spoke about control and the predictability of information that belongs to me or any other individual, and about how that is managed and the degree of control I have over that. Perhaps she could elaborate on that in light of the market research which the Minister and the Government are relying on to claim this is all a big fuss about nothing.

Ms Helen Dixon

The report indicates that even today it is not entirely clear what the card represents proof of. Is it definitive proof of address? How can it be if someone has changed address since they completed SAFE 2 registration? In fact, how a person is supposed to change their address is not clear from anything published on SAFE 2 and the public services card, PSC.

The other issue around foreseeability for individuals is that if it is not clear to an individual that procurement of a public services card is to be mandatory to make a school transport appeal, for example, then he or she may at a minimum endure significant inconvenience when he or she discovers at the last minute that this is now a requirement and must submit to having his or her personal data processed in this way. There is a range of issues around transparency concerning what the card is or is not and what it represents proof of. There are even issues with where the card can be presented as an ID card. Section 263 of the Social Welfare Act 2005 provides that any entity which is not a specified body under the legislation cannot have the card presented to it. There seems to be some evidence that individuals are using the card as an ID when they go to the credit union and are required to provide ID. This is prohibited under the Social Welfare Act 2005.

There is a range of issues around foreseeability. I raised a particular issue at paragraph 359 of the report. There has been a lot of talk about how the card allows a "once and done" process. However, paragraph 359 of the report outlines that if I engage with a specified body using my public services card and point out to the specified body that I have since changed address and it records that, I have absolutely no guarantee that the change of address will be transmitted back and recorded on the SAFE 2 register by the Department of Employment Affairs and Social Protection. That does not represent a "once and done" process in those circumstances and it is not foreseeable which address is held by which public sector body. We have identified a range of issues.

I thank Ms Dixon for being here. I was watching from my office on the monitor, so I heard most of the proceedings. I know she has dealt with this earlier, but will Ms Dixon remind me what stage the process with the Department has reached? She issued her report in August and then there were 21 days to appeal. Is that correct?

Ms Helen Dixon

The Department's own legal advice was that it did not have a right to appeal the findings. We have not engaged with that because 21 days have passed. On 15 August, we required the Department to voluntarily comply with a set of clear directions that we issued to it.

We know that is not happening. Is there a schedule to be followed now?

Ms Helen Dixon

The next step is an enforcement action. I mentioned earlier that despite the fact that we have compiled the report and the directions letter, we cannot simply label those to state we now want to enforce them. There is a form and format on its face that the enforcement notice has to follow. The work of preparing that is under way.

Does that take a significant amount of time?

Ms Helen Dixon

Because it is likely to see the inside of a courtroom once it is issued, we want to ensure that we comply with the formalities in terms of what has to be presented on its face.

Deputy Marc MacSharry

Could Ms Dixon give a ballpark estimate of when it might be ready?

Ms Helen Dixon

In the next number of weeks.

When that happens, are the courts the Department's only recourse?

Ms Helen Dixon

To appeal those findings, yes.

Is that appeal made to the Circuit Court?

Ms Helen Dixon

That is right.

In that case, the Department appeals, the Data Protection Commission presents its case and the Department represents its case. We waste an awful lot of taxpayers' money in the meantime. Is that what will really happen?

Ms Helen Dixon

There will be costs for the taxpayer from that process so that is correct.

Let us say my company breaches the regulations and the Data Protection Commission writes to me saying I needed to do this, that and the other. Suppose that, as a private entity, I argue that the commission had misinterpreted the law and I will not do any of that. What would happen?

Ms Helen Dixon

We are following the same process that we do in all cases. I briefly mentioned in my opening statement that in similar circumstances in June 2018 we issued a very substantial report on findings to Yahoo EMEA Limited. This is detailed in our second annual report from last year. We invited that company to voluntarily comply with a very clear set of directions. In that case, while not particularly pleased with our findings, the company did voluntarily comply. We have supervised its compliance with those requirements. It depends. There have, of course, been private sector companies that have appealed our decisions. There is a right of appeal.

When an entity does not accept the Data Protection Commission's findings and has a right of appeal to the courts, does that create additional work for the Data Protection Commission?

Ms Helen Dixon

Of course, because we then have to engage in a litigation process which may not stop at the Circuit Court as there may be a further appeal. I mentioned that we have 24 live litigation cases currently before the courts. Many of the cases we have been involved in have travelled from the Circuit Court to the High Court, the Court of Appeal, the Supreme Court and, in three cases, to the Court of Justice of the European Union.

Of the 24 live cases, how many are against State agencies?

Ms Helen Dixon

Many of them are appeals by individuals of decisions that went against them. I think there are three at the moment. We will come back to the Deputy on that. It is a very small number.

There is ongoing litigation with State agencies on the basis that they did not accept the Data Protection Commission's findings.

Ms Helen Dixon

In response to a previous question, I mentioned that the Courts Service had appealed a decision of the Data Protection Commission. That is awaiting judgment. The hearing has already been held. An appeal has also been lodged by the Department of Employment Affairs and Social Protection against a decision I made this year. That Department has also initiated judicial review proceedings on the same matter.

Could we get a breakdown of the 24 cases and the cost so far in real terms?

Ms Helen Dixon

Certainly.

I do not mean costs that the Data Protection Commission can farm out. Can we get a handle of the amount of resources these cases are taking from the Data Protection Commission's core business, which ultimately is to continue with its work rather than getting held up in court?

Regarding the State agencies-----

I ask Ms Dixon to ensure that information comes through the Chair.

Ms Helen Dixon

Of course.

We will all get to see it then. I listened to Mr. Fallon trying to answer a question on the situation earlier. The position is that State agencies are in breach of the law. Obviously, that is subject to appeal, litigation or whatever. Mr. Fallon indicated that these are matters for the Government to consider. That was as far as he was prepared to go on that issue. Did I hear him correctly? I was watching on the monitor.

Mr. Richard Fallon

A finding has been made in respect of one Department which has declared certain matters unlawful. That is being contested. In law, that matter remains to be resolved and proven one way or the other.

Beyond that, I am not sure what the Deputy is asking me.

Just that. I see an awful lot of taxpayers’ money about to be wasted in court. We legislated for the Data Protection Commission, DPC, to do a job. It has done it. We do not like the sound of it, however. The language used in the correspondence sent to the DPC suggested it was a State agency and should get with the programme. It suggested the Department is not happy with this and it will agree a set of terms and conditions but the law does not apply to it. Collectively, the Oireachtas has made an entire mess of this card and now we have to clean it up. Money is in short supply but we are going to waste millions of euro litigating about who is right and how the law should be interpreted. That is tragic.

How much has come in with fines?

Ms Helen Dixon

We did touch on it earlier. We have not issued a fine under the GDPR. We are still concluding the first wave of investigations we have opened under the 2018 Act.

When fines come in, where will that money go?

Ms Helen Dixon

It is remitted to the Exchequer.

The commission has some legal fees. It has eight senior legal advisers. What is the expertise? Are they barristers or solicitors?

Ms Helen Dixon

Is the Deputy referring to in-house expertise?

Ms Helen Dixon

We have both barristers and solicitors on our staff. Currently, we have 20 legal staff who have practitioner backgrounds and practising certificates. I need to check the split between solicitors and barristers. It might be half and half.

When the commission goes to court with its 25 litigation cases, does that internal team handle those?

Ms Helen Dixon

No, that does not remove the need for external support in terms of proceedings. Most of our legal fees go on external support for the 24 live litigation cases in which we are involved. There is also the Data Protection Commissioner versus Facebook and Max Schrems case, the standard contractual clauses case. There will always be a need for external support because of the volume of litigation in which we are involved.

We would have to replicate a small law firm with legal support services in our office. That would not represent an efficiency or value for money. In terms of that high number of in-house legal practitioners, some are deployed internally as legal advisers horizontally across the organisation. Others are deployed in actual investigator roles, meaning they have full-time roles in terms of the volumes we are dealing with in-house.

I might suggest that 20 in-house legal practitioners would be a reasonably sized firm, not a small one.

Ms Helen Dixon

When one looks at how we have to deploy them in light of the functions we have, they are not available for litigation support.

How does the commission select firms or barristers for individual litigation cases?

Ms Helen Dixon

We have run public procurement processes. We are about to run a new one for external legal services. We design weighting in terms of how we select with cost being a significant component. We also look at the quality of the services we can procure and the spread of services a firm can provide to us.

Does the commission tender not per case but for a year or two?

Ms Helen Dixon

Yes. We tender for a year with the ability to roll over. Considering the lifecycle of cases, there has to be an element of continuity in terms of the support we received. There was a question earlier from Deputy Connolly about the near €500,000 costs we had to pay to other parties last year. All of those cases started over five years previously.

Who are the current legal advisers?

Ms Helen Dixon

Currently the law firm which advises us is Philip Lee Solicitors.

That is coming up for tender again and will go through the normal process.

How do the commission’s costs compare to our European counterparts?

Ms Helen Dixon

Is that the costs for litigation, office accommodation and so forth?

Yes, the overall costs.

Ms Helen Dixon

We have done no such comparison. I mentioned earlier that in budget and employee number terms we are eighth, based on statistics from the European Data Protection Board. It would be almost impossible to make a direct comparison as to how we compare. As a data protection authority in the EU, we are almost unique in terms of the volume of litigation in which we are involved. That is because the Data Protection Acts in Ireland have always provided a clear right of statutory appeal to any party affected by our decisions. In other EU member states, that has not been the case.

If a ruling is made in another member state, is it the case that there is no appeals process?

Ms Helen Dixon

For example, in the UK, typically a data controller against which a decision was made would have a right of appeal but the complainant would not.

I note on the commission’s website that there is an option for making a protected disclosure. Has there been any made internally?

Ms Helen Dixon

Yes, I can give the Deputy the statistics. We have had several protected disclosures made to us from outside. In general, most of them have been in fact complaints by individuals within organisations about how personal data has been processed. In many of the cases, we have agreed with the individual to examine the complaint on its merits. We have then discussed with them whether we can process the complaint in circumstances where they would have wanted to remain anonymous. The statistics for 2019 are five received, three closed, one under investigation and one under assessment. In 2018, five received, four closed and one still being investigated. We have statistics going back to 2015 if the Deputy wants them.

When a case is closed, whatever the outcome, are there any follow-up interviews to assess the complainant’s satisfaction with the process?

Ms Helen Dixon

For investigating, there is correspondence with the complainant.

I understand that. At the end of the process, when it is closed, is there a policy of asking the person if they were satisfied with the process? It would be like an exit interview when one leaves a company.

Ms Helen Dixon

We do not have such a process.

Have there been protected disclosures in the commission?

Ms Helen Dixon

No. We have had none internally.

If any other member wishes to speak, I will allow him or her to do so presently. I have a few questions for the delegates, whom I thank for their presentation. First, however, I wish to clarify a matter for the public record. We are often accused of being a little mischievous in who we call in, the idea being that we want to get headlines in the newspapers. That is not the case. The request to the delegates to appear before the committee was issued to them last July, well before the events of later in the summer. Issues relating to the public services card were raised at previous meetings of the committee, which led to my request for a meeting with the delegates. One of those issues concerned the large social media companies registered in Ireland within an EU context, and the role of the Irish Data Protection Commission, not just in an Irish and European context but also in a worldwide context. It is a relatively small office which has been getting larger as the years go by. As such, my concern is whether there is the scope, ability and resources within the organisation to deal with its new responsibilities. That was my motivation as Chairman in inviting the delegates to appear before the committee. Other issues have arisen in the meantime, and I understand why they have taken up most of our discussion time. That discussion has been useful in giving us a good insight into the commission's growing role and importance.

Will Ms Dixon indicate who collects the fines that are issued by the commission and were issued by its predecessor, and where those moneys go?

Ms Helen Dixon

The Data Protection Commission itself is responsible for collecting the fines. My colleague, Mr. Geoghegan, is working to ensure that the appropriate bank accounts and logistical arrangements for the collection of the fines are in place in advance of our imposing the first administrative fine. From there, the fines are remitted back to the Exchequer.

In a sense, therefore, there is no great incentive for the commission to collect fines if they are adjudicated in the courts. It is really a loss to the Exchequer rather than to Ms Dixon's office.

Ms Helen Dixon

Ultimately, yes, but that is a positive thing because we would not want to be open to an assertion that we were pursuing a certain outcome in order to feather our nest in some way.

I mentioned earlier that I submitted a question some months ago to all Ministers about agencies under their remit with authority to take court prosecutions. In his reply on 2 April 2019, the Minister for Justice and Equality indicated that in 2014, the Data Protection Commission prosecuted fines through the courts totalling €25,000, all of which was collected. In 2015, just one company was fined €2,000, which was collected in full. In 2016, ten companies and one company director were prosecuted, with total fines of €16,600 issued, of which €7,500 was still outstanding in April this year. In 2017, seven companies and one company director were prosecuted, with fines totalling €24,000 and an amount outstanding at the end of April of €20,000. In 2018, the fines imposed totalled €6,000 and the amount outstanding in April 2019 was €3,040. I was interested to see the figures for moneys not collected. Ms Dixon has confirmed that the loss is not to her office but to the Central Fund and, therefore, the taxpayer. The amounts involved are not large at this stage, but there was mention earlier of a figure of €1 million.

Ms Helen Dixon

To clarify, those fines were imposed by the courts and are in respect of violations of the e-privacy regulations. It is a matter for the Courts Service to collect them. The prospective process we are discussing in terms of fines under the GDPR is a different process, and those fines will be imposed by the Data Protection Commission and collected by us, albeit the courts will confirm the fines. There are two different processes at issue.

Members will note that a division has been called in the Dáil. All members who offered have spoken.

May I ask a question, Chairman?

I will facilitate the Deputy, although she might miss the vote.

Thank you, Chairman. I will be brief.

Members may take it that I will conclude the meeting and they need not return after the vote.

Why was the report we have discussed published without the enforcement order being ready? Was the timeframe not known to the 20 or so legal staff working for the commission? Ms Dixon might indicate whether there was a breakdown in this regard. Is it routine to outline the findings of a report without an enforcement order being ready? Perhaps Ms Dixon can give some examples of where the same thing happened previously.

Ms Helen Dixon

There is no question about an enforcement notice not being ready. As I clarified earlier, we issued the final report on 15 August, together with a clear letter stating that, as in other cases, we were deferring enforcement and inviting the Department to comply voluntarily with the clear set of directions. There is no question mark about something not being ready; it simply was not the process that was followed.

Was there an understanding that the Department might comply voluntarily, which would negate the need for an enforcement?

Ms Helen Dixon

That is right. The Deputy asked whether it is routine to outline findings without having an enforcement notice ready, to which the answer is that it absolutely is routine. We do not anticipate litigation in respect of every decision we make. The Deputy asked for previous examples of the same thing happening. I referred earlier to the case of Yahoo! EMEA Limited in June 2018, where we issued details of our findings in respect of a detailed investigation similar to the one we undertook in the case we are discussing today. In the Yahoo! EMEA Limited case, we invited and received the company's voluntary compliance, thereby negating the need to move to an enforcement action. There is nothing unusual in terms of the process we followed in the case we are discussing.

I thank Ms Dixon for clarifying that.

I have a few more questions. One of the commission's main findings related to information being held for longer than was necessary. People lose cards all the time. Surely if the information is in the system for a year, two years or three years, it makes it easy for a card to be reprinted? There is a value there for the body holding the information. Does Ms Dixon understand the point I am making?

Ms Helen Dixon

Yes. The information that is at issue in terms of our finding relates to supporting documentation that is collected as part of the SAFE 2 registration process.

Will Ms Dixon explain what SAFE 2 is for the benefit of listeners? Although many people have a public services card, others, including myself, have not had a requirement to obtain one. Perhaps I will do so when I renew my driver's licence. Will Ms Dixon explain the process for those who have not applied for a card? It is not her job to do so, but it would be helpful.

Ms Helen Dixon

I am happy to explain. We talk all the time about the public services card but what really is of significance is that behind the card is a registration system that is administered for the Department of Employment Affairs and Social Protection. It is a system which requires individuals to attend an Intreo office for a face-to-face interview, to which they must bring copies of identification documents such as a passport or driver's licence, documents demonstrating proof of address and other documentation.

The proof of address requirement is getting more difficult to meet. I meet people every day in my office who are in rented accommodation and have pay-as-you-go ESB meters and telephones. They do not have utility bills.

Ms Helen Dixon

The Department of Employment Affairs and Social Protection has foreseen that and offers a range of options that can be used as evidence of address, such as official letters from hospitals or other public sector bodies addressed to the individual. Our findings relate to the indefinite and blanket storing of all the supporting documentation. The legislation sets out that the Minister cannot issue a public services card until she is satisfied as to identity. Once the requirements to satisfy identity have been met, there is a question mark over the necessity of retaining all the supporting documentation, particularly in circumstances where, as Deputy Connolly outlined, there is a requirement to renew the card every seven years. However, it is proposed by the Department, despite the fact that further documentation is required to renew the card, that the existing documentation would be retained. Evidence simply was not produced by the Department to demonstrate a necessity to retain the documentation. Equally, the issue of whether the address at which one first registered is still the valid address arises in the ongoing accumulation of all the supporting documentation.

There is not an issue with the photograph, name, PPS number, date of birth, address or whatever. Ms Dixon is stating that there is no great need for the additional, supporting documentation to be retained.

Ms Helen Dixon

If the Department cannot issue a card until it is satisfied as to the identity, once it issues the card and registers the person on SAFE 2, it means the Department is satisfied as to identity. What purpose, therefore, other than in exceptional circumstances, which we were open to the Department outlining to us, could retention of that volume of documentation serve?

On the issue of photographs, approximately 3 million cards have been issued. From a data protection point of view, how satisfied is Ms Dixon that there can be no cyberbreach or cyberattack by people who should not have access to the photographs?

Ms Helen Dixon

On security issues and those related to biometric processing, we have yet to issue our provisional findings to the Department. Those issues were not the subject of the first report.

Ms Dixon might clarify what she stated earlier. She indicated that she was setting out to publish a report containing a great deal of information and that she concentrated on transparency and retention. What will come next? Has the commission commenced that work? She might apprise the public in that regard. I gather that the report is only the first step. It has been published and, to put it mildly, there is a difference of opinion.

Ms Helen Dixon

We are significantly advanced in the process of issuing a further draft report to the Department that will make provisional findings subject to anything it wants to submit to us on biometric processing, such as information related to the issue of the photographs, the arithmetic template or the photo-matching.

On the security issues the Chairman raised, we are looking at a number of other case studies, such as the free travel scheme - a variant of the public services card - and the information that is passed back and processed by the Department from public and private sector transport operators.

Is the commission examining the use of the chip, given that no State bodies seem to be able to use it? To paraphrase Ms Dixon, it is unnecessary for the card to have a chip if no one uses it, and she is against collecting unnecessary information or data. Is the chip an unnecessary component, given that nobody seems to have a plan to use it? We were told years ago the intention was to futureproof the card but there is no sign of that proof being required, or is there? Is the commission dealing with that issue?

Ms Helen Dixon

At this point, I cannot say whether we will make any provisional findings on it. It is certainly within scope for examination but I cannot say whether we will make any findings on it.

I am sure Ms Dixon understands my reason for asking the question.

The current and future location of the commission's office has been mentioned a number of times. I will give Ms Dixon a little warning. The record of the Office of Public Works, OPW, in moving public bodies is not as good as its people will claim. Every time it moves a public body, there is grief involved. The moves are not properly planned. The Department of Health was moved to Baggot Street and the measurements in the building were wrong. There were arguments about staff, open space and all sorts of matters. The final cost for the life of the lease remains to be determined. The OPW did not get it right. It came to Leinster House to work on a project in the building. While we acknowledge that it is an historic building, the cost rose. Representatives from the Tax Appeals Commission, TAC, appeared before the committee last year and I draw a parallel between it and the DPC. They stated the TAC had nothing but grief from the OPW during their office's move. We have yet to invite an organisation to appear before the committee that has stated the OPW efficiently managed a transition to a new office. I hope the DPC will be the first but we have not yet heard.

Mr. Seamus McCarthy

We moved a couple of years ago-----

Did the Comptroller and Auditor General do okay? The OPW was afraid of him.

Mr. Seamus McCarthy

It was not too bad. I am sure the OPW is afraid of the DPC too.

I take the point. Everyone says that the OPW is wonderful but it is not. We have not found it to be. Whoever manages the project on the DPC's side should not believe everything he or she is told. He or she should double-check because we have found organisations indicating that they experienced a great deal of grief. That is a general comment for our guests from the Department of Public Expenditure and Reform more than anything else.

The Department of Finance published legislation concerning the TAC this week to increase the number of commissioners from one to two. When the TAC was being set up as a new body, the Department did not adequately project its work programme. It was under-resourced, therefore, from year one, and there have been backlogs and delays. The backlogs continue and the Department is beginning to increase the commission's resources to a reasonable level. I am worried the same will happen in the case of the DPC. I make these remarks as Chairman of the Committee of Public Accounts to the senior personnel throughout the public service. When a new body is set up, the mere setting-up of the body will attract business. That the DPC exists, that it has a new office, that it has received great prominence and that it has issued the report will, in itself, increase public awareness and bring more cases. The public sector has never adequately projected an increase in such activity. I hope the increase in resources the DPC seeks will meet the demand next year and in the following years. We might find that an additional €5 million is sufficient but events might take over and it could be well short of the mark. My advice is that the DPC should be cautious because other public bodies have struggled with resources in the early stages of their lifespan.

As a Deputy, I represent Portarlington in County Laois. How many members of DPC staff are based in the Portarlington office and what is the plan for it? The commission was based there primarily. Will Ms Dixon outline the accommodation plans for the commission?

Ms Helen Dixon

When I was appointed commissioner at the end of 2014, the only location of the Data Protection Commissioner was in Portarlington, where there are now 27 members of staff. The number certainly has not decreased and, in fact, it hit a spike two years ago. We have a leased building in Portarlington. The lease was taken out by the OPW and is for 20 years. The rent is paid by the OPW and not recouped from us. The lease will expire on 30 November 2026. We have had a number of works carried out on the office over the years. This year, in particular, a little later than one would have hoped, there was a repainting of the front of the building to reflect the name of the Data Protection Commission as opposed to that of the Data Protection Commissioner, and that has been completed. The plans for the office are that it is business as usual. The staff are a critical part of our infrastructure and team. Experts in the office have been with the data protection authority in Ireland for close to 14 years. We rely heavily, therefore, on their expertise and corporate memory.

The principal office will be here in Dublin and the office in Portarlington will remain in operation.

Ms Helen Dixon

That is right. Mr. John O'Dwyer, deputy commissioner, is based in Portarlington and is a frequent traveller on the train.

Ms Dixon's predecessor used to travel on the train.

Ms Helen Dixon

That is right, he did that every day.

I do not like overdoing constituency talk but this is relevant to the Vote, particularly given that the cost of accommodation was mentioned. Portarlington is a zero cost to the organisation, which is important.

Is this the DPC's largest investigation to date or has it engaged in larger ones?

Ms Helen Dixon

I mentioned a couple of times that the Yahoo! EMEA Limited investigation was certainly very large in scale and required a significant volume of resources. We have a lot of very large-scale investigations under way now, such as those relating to the 31 local authorities, An Garda Síochána, the big tech investigations-----

Is there an audit of the 31 local authorities?

Ms Helen Dixon

It is an investigation.

Explain the work. I have heard from some local authorities and they described it as an audit and that they all fared fairly poorly, or that was their understanding. Will Ms Dixon outline the current programme?

Ms Helen Dixon

We are both correct. The inquiries we are conducting into the local authorities commenced as audits and the provisions in section 136 of the legislation allow us to use the findings of the audit and inquiry. It is ultimately in the form of an investigation but involved an audit element. It is probably a technicality that we do not need to dwell on. Those investigations in respect of the local authorities are in relation to what we call surveillance technologies. We are looking at CCTV systems, automatic number plate recognition systems and any drones or body-worn cameras that are being deployed by the local authorities, and looking at whether they are in compliance with the data protection legislation and the Garda Síochána Act if required, in particular section 38 of that Act.

I presume the Garda would be entitled to have more of that information than a local authority.

Ms Helen Dixon

Based on the analysis we have conducted in the investigation so far, the local authorities are deploying as controllers a broad range of systems of surveillance in many contexts. Under section 149, we will publish the findings.

How many local authorities has the DPC visited so far?

Mr. John O'Dwyer

Six draft reports have been issued.

What is the next step with those six?

Ms Helen Dixon

The investigator has issued the draft reports to the local authorities. Once they make their submissions, the investigator will finalise the report and give it to me, as the decision maker. I will make the final decision and apply the corrective measures and fines, if applicable, that are appropriate to the decision I have made. At that point, we will publish the findings.

At the draft report stage, there is a bit of toing and froing.

Ms Helen Dixon

The controller is invited to make submissions.

Is that the 21-day period?

Ms Helen Dixon

No, this is not an enforcement period.

This is an earlier stage.

Ms Helen Dixon

This is an earlier stage.

When the DPC issues its report, they still have 21 days to say whether they are going to comply.

Ms Helen Dixon

In fact, they will have 28 days. Under the 2018 Act, when I issue the final decision, they will have 28 days to appeal.

They are coming down the tracks.

Ms Helen Dixon

They are coming down the tracks and-----

Ms Dixon stated that the commission can issue these reports.

Ms Helen Dixon

We have the power to publish under section 149 of the 2018 Act.

That did not happen in respect of the report we are discussing because it came under the old legislation.

Ms Helen Dixon

That is right.

That is why the DPC could not publish on this occasion. If it was commencing the report into the public services card now, it would have legal authority to publish its report.

Ms Helen Dixon

That is right.

We had correspondence twice stating that the Department had to issue the report, rather than the commission. That explains it. I could not understand how it could issue it for the local authorities. It is from now on. Are there any old reports that are still being completed under the old system which the commission cannot publish? It can send us a note on that.

Ms Helen Dixon

Yes.

In other words, we will be in the same boat and it will be up to the Department to publish it or not.

Ms Helen Dixon

In respect of biometrics, security and free travel.

Let us hope it does that.

I have a question for the Department. I got the impression from what Mr. Fallon said earlier that if there is a difference, the courts can adjudicate, although he did not put it in those words. No appeal went in for the period under review in the Department and the view is, "Look, it can go to court."

Mr. Richard Fallon

No. The starting point here is that we have legislation that reflects the will of the Oireachtas on the regulation of data protection and it has established certain procedures for the carrying out of investigations and the issuing of reports. In that instance, that process has been commenced in regard to a particular Department and the public services card. Within that legislation, there are certain safeguards and options for parties who are subjected to such proceedings. They are now in play and part of the statutory process for dealing with these matters. We have established a statutory process to deal with such matters and that statutory process is now taking place.

I do not want to repeat what Deputy Kelly said earlier and I am not trying to put words in Mr. Fallon's mouth. The Department is the parent Department from a funding point of view in respect of this report, given the year under review. Is it supportive of the Data Protection Commissioner or is it neutral?

Mr. Richard Fallon

As stated in response to Deputy Kelly earlier, our Department fully recognises the statutory independence of the commissioner and the commission, and fully abides by and supports the discharge of its functions.

In other words, the Department does not have to be for or against. The commissioner is entitled to do this and that is it, and on it goes.

Mr. Richard Fallon

Yes, absolutely. It is a regulator. It is our Department-----

It is not for the Department to have a view.

Mr. Richard Fallon

It is our Department that promulgated the legislation and put all the independence provisions into it, in keeping with the GDPR. There is no doubt around the integrity of our position regarding the will of the Oireachtas and the statutory mandate it has been given.

Why then has the Department a requirement in respect of passports and the Irish National Immigration Service that require production of the public services card, although it has now withdrawn that requirement in the case of national citizens?

Mr. Richard Fallon

That is the citizenship item. What we are doing there is acknowledging a point of principle that has been raised by the Data Protection Commissioner. We are responding to that point as raised.

The Department is not saying whether it is right or wrong; it is just responding.

Mr. Richard Fallon

We have to see what the outcome of the statutory process is.

Is it a precautionary move from the Department's point of view or is it a move that it thinks is correct?

Mr. Richard Fallon

Obviously, from a policy point of view, the Department has decided there is no need to make it mandatory and, in light of the current situation, the prudent step is not to pursue that.

It is only required in a few instances. For example, the Department of Transport, Tourism and Sport requires it in respect of driving licences and it is also required of first-time applicants for passports who are over 18 years of age. The Government seems to be willing to take on the Department, if Mr. Fallon does not mind me saying so. On the other hand, the Government is dropping the requirements for the card to be used in several locations. There is a little bit of playing it both ways. So be it. That is not for Mr. Fallon to answer.

Mr. Richard Fallon

I thank the Chairman.

It is an observation and I am not asking him to comment.

Are there service level agreements or other agreements in place between the Department, which will be taking the lead on this, and its European counterparts? Ireland is fighting the Apple case and, regardless of who wins or loses, it is a moot point as to who will get to divvy up the money. It will not necessarily all come to Ireland.

Similarly, if the DPC takes a case, Ireland should not have to take the entire cost because it could run into millions at EU level or if there are substantial fines.

Ms Dixon also mentioned the European Data Protection Board. What is the DPC's relationship to it? What authority does it have? When does it step in and the DPC step out?

Ms Helen Dixon

The European Data Protection Board is a group of all of the EU data protection authorities. The European Commission also participates and the European Data Protection Supervisor is also a member. The Irish Data Protection Commission is a member and a part of the European Data Protection Board. It is a decision-making body. It has a limited role in making decisions in certain circumstances that are set down under the GDPR. Its primary purpose is to promote a harmonised implementation of the GDPR across the EU. We do that, as a board, by issuing agreed guidance on concepts under data protection legislation, concepts regarding transparency, consent and so on.

In terms of specific cases and investigations, the European Data Protection Board has a particular role in the co-operation and consistency mechanism, and the dispute resolution mechanisms between data protection authorities. As a board, we have rules of procedure that we have agreed between us. The GDPR provides for the appointment of a chair to the board and the chair is the head of a national data protection authority, voted on by the members of the European Data Protection Board. The commissioner for Austria is the current chair of the European Data Protection Board. We meet in plenary form on a monthly basis in Brussels, typically a full two-day meeting each month. We meet in subgroup form every month for the 11 different subgroups that exist. The Irish Data Protection Commission will attend more than 100 meetings this year in Brussels in terms of-----

Obviously Ms Dixon attends the key ones, but some of her staff-----

Ms Helen Dixon

I will be attending the week after next - the plenary of the European Data Protection Board.

If there are 100 meetings, it is not just Ms Dixon herself.

Ms Helen Dixon

It is definitely not just me; all of my colleagues-----

We would like her here some of the time.

Ms Helen Dixon

Yes. In the week after next, I will be out at the plenary meeting. My colleague, Anna Morgan, will attend the November meeting and John O'Dwyer attended the last one.

Ms Helen Dixon

We rotate attendance. As of April this year the Irish Data Protection Commission requested a standing slot on the agenda of the European Data Protection Board, EDPB, meetings where we could proactively provide an update in respect of the "big tech" cases that we are handling and the progress on them and any issues that are arising in terms of co-operation procedures between the data protection authorities around these investigations. By that, I am referring in part to that IMI IT platform that we use to share details on cases between us.

A number of issues have arisen for us as a board in the first year in terms of complaints that have been lodged with a data protection authority in an EU member state that then have to be transmitted to the Irish DPC for investigation. There have been issues in terms of translation of the complaints and timeframes involved in transmitting the case to the Irish Data Protection Commission. In those cases, we are obliged to communicate with the complainant back through the originating data protection authority. We have a journey to go as a board in terms of smoothing out all of those handoffs that have now become part of the process.

Issues have also arisen in the first year around different administrative law procedure in the different EU member states. While we are conducting an investigation, we would never release full information on the investigation while it is under investigation, and the transparency rules in other member states and their administrative laws have different procedures that impact on those issues.

We are very active members of the European Data Protection Board. We have led as rapporteur on some of the big guidance projects that the EDPB has undertaken in terms of publishing guidance. Ultimately when we complete the decision-making process on these investigations we have under way - I mentioned earlier that under Article 60 of the GDPR I cannot finalise a decision on my own; I must transmit it as a draft and allow every other EU data protection authority that is concerned with the issue to give input. Any of those data protection authorities or a multiple of them can raise what is called a relevant and reasoned objection to any part of my draft decision. I am then obliged to try to reconcile what they raise with me as an objection with my findings. Ultimately if I cannot, under Article 65 of the GDPR I then institute the dispute resolution mechanism of the European Data Protection Board. This is the area where it has a decision-making function. It first of all decides if it is a relevant and reasoned objection that has been raised with me and, second, it may opt to take over the decision-making in respect of the-----

Can it take prosecutions?

Ms Helen Dixon

No, it has no prosecution powers.

That is all great. However, if the Irish DPC has to take a prosecution against one of the major social media companies, does it have to carry the cost of that? There could be a benefit for all EU citizens. I saw a case reported yesterday where Ms Dixon's colleague in France had a case against Facebook about the right to be forgotten. There are two sides to it. First, it succeeded but it only applied in the EU and the court had no jurisdiction on the right to be forgotten outside the EU. That is a benefit to all EU citizens. Did the French data protection commission carry the cost of that for the benefit of all EU citizens? Would Ms Dixon have been aware of that? Based on what she said, if it was going to take a case and make a decision, she had to be consulted on that, be made aware of it and either object or not object. Given that Facebook is headquartered in Ireland, why was that case taken by France?

Ms Helen Dixon

It was a case in respect of Google-----

Was it Google? I forget which it was.

Ms Helen Dixon

----- rather than Facebook, but Google is also headquartered in Ireland. The Chairman has hit on what is a very complex issue - the issue of the French authority's action in respect of Google. Under the GDPR the one-stop shop is a benefit to multinationals and it is designed as a benefit. Ultimately, they are subject to one decision by one enforcer and there is one appeal that can be taken and one fine ultimately. If they are not availing of the one-stop shop where they are supervised by one authority, they are, per the previous regime, subject to the jurisdiction of every individual data protection authority where they are supplying services.

The one-stop shop is a benefit and there are conditions that organisations have to meet in order to avail of that benefit. One of the specific conditions is that the data controller must be EU territorially based to avail of the one-stop shop. At the time that the French authority investigated Google, its controllership was not located territorially in Ireland or the EU. Google could have been investigated and subject to sanctions by any of the data protection authorities in the EU. As it was, the French data protection authority conducted an investigation.

Sorry, the case the Chairman is referring to, the right to be forgotten case, predates the GDPR completely so there was no one-stop shop applicable at that time.

Do I get the gist that Ms Dixon does not have an issue with the Department of Employment Affairs and Social Protection using the public services card because it was all set up to draw benefits and everything like that? It is when other agencies or organisations are using it not for the purpose of social protection. Am I oversimplifying it?

Ms Helen Dixon

Of course, I want to say it in my words when I hear the Chairman say it. That is the gist of it, but I want to clarify that while we made a finding that there are provisions in the social welfare legislation and a necessity shown around social welfare benefits, as the Chairman said, that positive finding concerns the data elements that we have examined. As discussed earlier, we are still looking at the issue of biometric processing-----

Ms Helen Dixon

-----in the context even of social welfare claimants.

There may be a qualification to that positive finding in due course.

The first finding refers to a person "claiming, presenting for or receiving a benefit".

Ms Helen Dixon

That is right. The gist of what the Chairman said is correct.

Does that cover the Student Universal Support Ireland, SUSI, grant or is it confined to the Department? It was not clear from the recommendation. I would consider receipt of a grant to be receiving a benefit. Is SUSI getting the go-ahead under that?

Ms Helen Dixon

No.

This relates to the Department of Employment Affairs and Social Protection.

Ms Helen Dixon

The way in which the benefits are defined in the legislation is that they are benefits paid by the Department of Employment Affairs and Social Protection.

As such, it does not cover people getting grants. We will discuss the response of the Department of Employment Affairs and Social Protection when its representatives appear before the committee. I cannot ask Ms Dixon to comment on the Department's response, on which we will have a significant number of questions to put to its officials.

Ms Dixon may be surprised by two other issues. She mentioned the travel pass a few times and perhaps she will tell me if I am right or wrong on this issue. Deputies meet constituents with different problems. I met a person who is a carer and had the travel pass as part of the social welfare card, which they could present to Iarnród Éireann to travel to and from Dublin or as the case may be. A point came when this person was no longer a carer and was, by right, no longer entitled to use the card. The card still worked for free travel, however. Four or five months later, the person got a bill from Iarnród Éireann for €1,048 along with a list of all of the dates on which the card had been used since the point at which, in Iarnród Éireann's opinion, the person was no longer deemed to be a carer. Iarnród Éireann used the public services card to collect information on the number of rail trips the person made. One day the person arrived in Heuston Station and could not pass through the gate because Iarnród Éireann had obviously been in touch with the Department of Employment Affairs and Social Protection.

Ms Helen Dixon

We would be very interested in looking at that in the context of the findings I am about to issue.

Ms Dixon gets the story I told.

Ms Helen Dixon

Yes, I do.

Iarnród Éireann used that.

Mr. Seamus McCarthy

Presumably, Iarnród Éireann would have known of the trips that were taken and it was reimbursed for some but not for others.

Will Mr. McCarthy explain that again?

Mr. Seamus McCarthy

Iarnród Éireann would have had to claim for the payments in relation-----

Is that the way it works?

Mr. Seamus McCarthy

I think so.

It is not like the bus where people just hop on and the company gets a grant. Is Iarnród Éireann paid per journey?

Mr. Seamus McCarthy

I think it is different for train journeys.

I am talking about trains.

Mr. Seamus McCarthy

Buses may be different.

We know about the buses. Bus Éireann and other companies get a grant to cover the cost of travel passes. It is different for trains.

Mr. Seamus McCarthy

The Department of Employment Affairs and Social Protection would have no way of knowing what journeys were being taken.

Iarnród Éireann knew.

Mr. Seamus McCarthy

It is Iarnród Éireann which knows what the journeys are.

When Iarnród Éireann went back to the Department, for some reason, the Department informed it that the person was not entitled to the card. Maybe the Department had not cancelled the entitlement to the travel pass when it cancelled the carer's allowance.

Mr. Seamus McCarthy

Iarnród Éireann must have been looking for payment.

I do not know.

Mr. Seamus McCarthy

No, it must have been looking for payment from the Department.

Yes, and it then went after the individual to prosecute. The public services card is doing all sorts of things.

Ms Helen Dixon

We would be very happy to receive details on that in the context of what we are looking at.

I do not think this was an isolated case.

The Data Protection Commission was criticised in one of the reports. I understand Ms Dixon said the Social Welfare Consolidation Act 2015 was very hard to follow and unclear. She was critical on the basis that it was not clear how the whole system worked. She was accused of using pejorative and sensationalist language. I will make one point in her defence on that issue. We had a special debate in the Dáil yesterday on the public services card. The card was introduced in the 2005 Act. Section 263 has been amended six times in three different pieces of primary legislation. A further provision on which the Department of Employment Affairs and Social Protection relies in relation to the public services card project is section 241, which has been amended 28 times by 11 different enactments. This demonstrates, from a legislative point of view, a lack of consolidation. We have here a provision that has been amended 30 or 40 times, including every year in the Social Welfare Act. The legislation that underpins the public services card has been amended at least 50 times. How could any reasonable citizen be expected to know what legislation he or she is looking at? The commissioner's criticism was, therefore, very valid. It applies to social protection legislation because it is not consolidated often enough but probably also applies to many other public bodies for which legislation is repeatedly amended. How could anyone find their way back through the 50 different amendments?

This discussion has been nice and rosy so far. However, it would be remiss of me not to voice the numerous complaints people have made since the introduction of GDPR. I know GDPR is needed for good reason but citizens are being strangled by it. GDPR is designed to help citizens and I will give one example of how the legislation the Data Protection Commission is enforcing works on the ground. I have umpteen examples but I will give this example because it arose last weekend. There is an old couple who live in my constituency. The husband, who is 96 years of age, is deaf, has dementia and is confined to bed. His wife is 86 years of age and is not faring much better. They live on their own and use a community alert device operated via their landline to buzz if something happens. Lightning knocked out their telephone last Friday night. When a carer phoned Eir on her mobile phone from the couple's home she was told the provider could not speak to her as she was not the account holder. The woman of the house then spoke but was told that as she was not the account holder, she could not speak on her husband's behalf. Her husband is deaf and cannot speak on the phone. The 85-year-old woman was then told that if the couple changed the account on the website from the husband's name into the wife's name, the company would speak to the woman. The husband and wife are both bedridden. I got on the case and I have been involved in identical cases.

I will give another example involving another good neighbour. Every Deputy can recite a litany of these cases. The Data Protection Commission gets flak on this one issue from many people. People may or may not agree with some of what is going on. The second case involves an old person living in an isolated area. The landline went down and because there is no mobile signal where the person lives, they could not make a mobile call. A good neighbour who visits every day volunteered to ring on the old person's behalf but the provider would not speak with the neighbour as this person is not the account holder. Does Ms Dixon accept that in extreme cases the legislation can, when implemented as the commission intended, cause enormous personal hardship in many cases? Does she understand my point?

Ms Helen Dixon

I do.

These are genuine cases.

Ms Helen Dixon

That is not implementation of the legislation as the data protection authority intends.

The authority is blamed for it.

Ms Helen Dixon

I am aware of that. The GDPR, as I said earlier, requires organisations to be accountable, to conduct their own risk assessments, to implement identity verification procedures that are proportionate to the risks in terms of why identity is being verified, very similar to the public services card issues that we have to discuss, and to ensure that they have means by which people with disabilities can be accommodated in any of those processes. Those telcos do not represent the views of the Data Protection Commission in terms of how they are implementing in those cases.

We are aware of those very specific cases. I mentioned earlier, in response to Deputy Connolly, that the most complained of sectors per our 2018 report are telcos and banks. In respect of telcos, my colleague, John O'Dwyer, recently had a meeting on site with ComReg about this very issue of how identity verification is being delivered and how people with disabilities can be accommodated. We gave ComReg a range of solutions that should not put people in the kind of circumstances that the Chairman outlined today.

Ms Helen Dixon

It is an area we will publish guidance on, in light of all the comments.

I will ask Ms Dixon to send us a note on that because those are the sort of matters that when they take off on Facebook, everybody blames GDPR. They say we have gone mad when we are down to such a situation. It stems from GDPR and perhaps it is not being implemented properly. When it is not implemented properly it can damage the good name of GDPR and what GDPR is trying to achieve. The commissioner understands the point. I ask the Data Protection Commission to send us a note on what its guidance to these telephone companies is because ourselves, the Data Protection Commission, ComReg or some other body should put this up there in order that people are aware there should be ways to do this. Maybe these telephone companies should be told to make sure they have these procedures in place. It is not that these companies are subcontracting agencies just to handle phone calls but it might not be employees who are dealing with it. The witnesses understand what the difficulties are with the chain of who is responsible for answering the phone to their customers. People should be fully aware of that. A bit of education is probably required in some of these companies.

Ms Helen Dixon

Definitely. Lots of education is required.

A lot of information is required because we have seen local authorities that are now getting the different levels of forms together for people to sign and that is all an improvement. It is a bedding-in process as well, so we understand there will be hiccups. It was useful and good to have the Data Protection Commission here. As one of the members said earlier, we have witnesses who come here and are helpful, up front and straight and the witnesses from the Data Protection Commission have been among those. We have other witnesses who come in and try not to be as upfront and that is obvious to the public. It is good for public bodies when people see public officials being so open, straight and upfront. We appreciate that and we appreciate the work of the Data Protection Commission. The witnesses were clear and they answered everything put to them. Anything on which we require supplementary information can be sent on in writing to the committee.

I thank the commissioner and all her staff, the Department of Justice and Equality, the Department of Public Expenditure and Reform and the Comptroller and Auditor General and his staff for their information and attendance today. The clerk to the committee will seek any follow-up information or carry out any agreed actions arising from the meeting. Is that agreed? Agreed. The meeting is adjourned until Thursday, 3 October 2019 when we will meet An Bord Pleanála in respect of its financial statements for 2018.

The witnesses withdrew.
The committee adjourned at 2.02 p.m. until 9 a.m. on Thursday, 3 October 2019.