I thank the Chairman and members for the opportunity to address the committee on the 2018 financial statements of the Office of the Data Protection Commissioner and the Data Protection Commission. As the Chair mentioned, I am joined by a number of my colleagues from the Data Protection Commission. I am going to refer to the Data Protection Commission as the DPC from now on. The colleagues I am joined by are deputy commissioners Anna Morgan, John O’Dwyer and Graham Doyle and the DPC’s professional accountant Graham Geoghegan, who has been a welcome new addition to our team in 2019.
The DPC is fully funded by the Exchequer currently through a subhead of Vote 24 of the Department of Justice and Equality. As the Comptroller and Auditor General just indicated, this latter arrangement will change in 2020 when the commission is to be allocated its own individual Vote. At that point, I, as currently the sole Commissioner for Data Protection, will become the Accounting Officer in line with section 25 of the 2018 Act. In this context, the DPC appreciates this early opportunity to engage with the committee as it will provide useful direction in terms of an exploration of the accounts of the DPC, particularly as the budget allocation of the DPC has increased considerably in recent years and as the authority now takes on many additional new and direct responsibilities in the areas of accounting, HR, ICT and procurement.
The committee is aware that the DPC is the national independent supervisory authority responsible for monitoring and enforcing the application of EU data protection law. The GDPR, the e-privacy regulations, the Irish Data Protection Acts 1988 to 2018 and the law enforcement directive all provide the main legal frameworks under which the DPC regulates. There are in the region of 20 other items of legislation under which the DPC must perform particular supervisory functions assigned to it. The Credit Reporting Act 2013 is one such example.
The provision that the data protection authority in each EU member state is independent in the performance of its functions is fundamental to the GDPR. Article 52 of the GDPR prescribes that each member state shall ensure that the supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers. Currently, based on figures produced by the European Data Protection Board, the DPC in 2018 was the eighth largest in the EU in terms of both employee numbers and budget, slotting in behind, for example, the UK with 513 staff and a 2018 budget of over €51 million and France with 199 staff and a budget of over €17 million.
The DPC operates in a very specific context at an EU level in that it is the lead supervisory authority in the EU under the GDPR for most of the world’s largest technology companies, given their headquarter locations here in Ireland. This brings considerable additional volumes of work, complexity and scrutiny but also grants the privilege to the DPC of handling cutting-edge cases in this important area of law.
It is worth recalling that 2018 was a historic year in terms of data protection. The 2018 Act was the first comprehensive piece of national data protection legislation enacted in the State since 2003 and it gave further effect to the GDPR in Ireland and transposed the law enforcement directive.
The core functions of the DPC under the GDPR and the 2018 Act include handling complaints from individuals on potential infringements of their data protection rights. In excess of 4,000 complaints were received in the calendar year 2018, which represented a 56% increase over the figure received in 2017. A total of 3,366 of those complaints were concluded in 2018. Some of the complaints are easily resolved with intervention by the Irish DPC. For example, an organisation might fail to provide an individual with a copy of their personal data, and when the DPC intervenes, the data may be immediately forthcoming. Other cases can be far lengthier and complex, particularly where many different laws are in play. This has been especially the case with complaints, for example, about receiverships and liquidations and about cases involving disputes between employers and employees.
The second function of the Data Protection Commission is to conduct inquiries and investigations regarding potential infringements of data protection legislation and to enforce the law as required using corrective measures and, now, administrative fines. In 2018, large-scale investigations that were under way included the investigation into the public services card; a finalised report and findings into non-compliance by the hospitals sector; 32 investigations into surveillance of citizens by the State sector through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition systems, drones and other technologies; and 15 investigations of a range of issues concerning so-called big tech companies. A final report and set of directions for compliance were also issued to Yahoo! EMEA Limited in respect of infringements relating to what was at the time the largest global data breach ever notified. Further, the DPC in 2018 issued a significant decision against the National Asset Management Agency, NAMA, regarding access to personal data, and details of this decision feature in the DPC's first annual report for 2018. There were also nine sets of District Court prosecutions taken by the DPC, which concluded during 2018. Eight of those concluded successfully, with costs awarded to the DPC and the final case being withdrawn due to compliance by the data controller.
The third function of the DPC is to promote awareness among organisations and the public of risks, rules, safeguards and rights in the processing of personal data. More than 50,000 contacts by email, telephone and web forms were received through the DPC’s information and assessment unit in 2018. A number of campaigns via the DPC website and in the national media were run by the DPC in 2018 to drive readiness for the GDPR. These included the launch of a comprehensive public consultation on children’s data. By the end of the awareness campaigns the DPC ran in 2018, 80% of Irish adults had been reached and, based on an independent survey commissioned by the DPC, 90% of SMEs were aware of the GDPR.
Fourth, we have a function in co-operating with data protection authorities in other EU member states on issues such as complaints and alleged infringements involving multinationals. In excess of 80 European Data Protection Board meetings were attended in Brussels by DPC staff in 2018. As of last year, EU data protection authorities use a shared IT platform to transfer and exchange information on cases, and more than one third of the cases on this IMI platform were assigned to the Irish DPC in accordance with the rules of the one-stop shop. Delivery of a harmonised implementation of the GDPR across the EU is central to the aims of the new law.
The fifth function of the DPC is to assess breach notifications from organisations that now have a mandatory obligation under the GDPR to report to the DPC and to ensure mitigation actions have been taken. A total of 4,740 valid data breaches were notified in the 2018 calendar year, which represents a significant increase over 2017. Each of these breach notifications was individually assessed and engagement with the reporting organisation took place, giving the DPC an opportunity to make recommendations on procedural and security mitigation measures to be put in place.
The funding of the DPC by Government has increased significantly in recent years, from €1.7 million in 2013 to €11.7 million in 2018, which comprised an allocation of €7.3 million for pay and €4.4 million for non-pay expenditure. The allocation was further increased for 2019 with a total allocation of €15.28 million. This commitment of additional budget has allowed the DPC to grow its staff from 27 in 2014 up to 110 at the end of 2018 and now to 138 today.
The majority of expenditure at the DPC relates to salary costs. The outturn on salaries for 2018 was €4.767 million. During 2018, the DPC added an additional 25 staff, all of whom were recruited through specialist competitive recruitment campaigns to ensure the DPC has the legal, technological, investigative and communications staff it requires to deliver on its mandate.
The DPC non-pay expenditure outturn was €3.286 million for 2018. It was composed mainly of office accommodation costs, communications costs, legal fees and costs, and business advisory services to prepare the DPC for GDPR. Legal fees and costs represent the biggest category of non-pay expenditure, and such cases will continue to be a feature of the work of the Irish DPC, particularly now as punitive fines and measures can be imposed against organisations. Irish law allows a right of appeal by affected parties against decisions of the DPC. Currently, the DPC has 24 live civil litigation cases active in the courts.
In addition, the DPC initiated what has been one of the most significant data protection cases in the EU when it brought a High Court application in May 2016 seeking a reference to the Court of Justice of the European Union, CJEU, on the validity of an EU legal instrument underpinning personal data transfers in a case involving Facebook and Max Schrems, a data protection activist. The case is of fundamental importance to the determination of core issues of data protection under EU law and has drawn global media coverage and worldwide interest far beyond the data protection community. The outcome of the case potentially will have worldwide ramifications for data transfers out of the EU and is being closely followed by data protection regulators, law makers and the data protection community. A decision of the CJEU is awaited in late 2019 or early 2020.
I hope I can assist the committee further with responses to any questions members may have.