General Data Protection Regulation: Discussion

This meeting comes in the context of our elective work programme. As a committee we set out a work programme at the start of the term. This is our second such meeting. The first session on sexual offences and victim testimony was very successful, and I thank the Vice Chairman for chairing it.

Today is the second module of our work programme. It is really interesting line-up. The purpose of the meeting is to have engagement with a number of stakeholders who have made written submissions to assist the committee in its consideration of the topic of the general data protection regulation, GDPR. Our proceedings today are divided into two sessions. In session 1 the committee will engage with Mr. Max Schrems and Dr. Fred Logue. In session 2 we will engage with representatives from the Irish Council for Civil Liberties - Dr. Johnny Ryan will give a presentation - and the Data Protection Commission team.

All witnesses are appearing virtually before the committee today from locations outside of the Leinster House precinct, and they are all welcome to our meeting. We are joined in this session by Mr. Schrems and Dr. Logue. You are both very welcome to the deliberations today and I thank you for participating. I do not think I have spoken to either of you directly before but I am familiar with your work.

When we begin the engagement I will ask members and witnesses to mute themselves while not contributing so we do not pick up any background noise or feedback. I also ask that they use the button to raise their hands when they wish to contribute. As usual, I remind all those in attendance to ensure their mobile phones are on silent or are switched off to avoid interference.

Before we take the opening statements, I want to advise members and witnesses of the following in relation to parliamentary privilege. Witnesses and members should note there is a long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of a person or entity. Therefore, if witnesses' statements are potentially defamatory in relation to an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative they comply with any such directive if given by the Chair.

For witnesses attending remotely outside of the Leinster House campus, there are some limitations to parliamentary privilege and, as such, they may not benefit from immunity from legal proceedings as a witness who is physically present does. It is an unavoidable part of the Covid pandemic that we are having virtual committee hearings, but unfortunately it limits the privilege witnesses can enjoy. We are where we are in terms of the pandemic. Witnesses participating in this committee session from a jurisdiction outside of the State are advised they should also be mindful of their domestic law and how it may apply to any evidence they may give.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside of the House or an official either by name or in such a way as to make him, her or it identifiable. For members who are participating remotely, I ask them to keep their devices on mute until they are asked to speak. When speaking they should have their camera switched on and be mindful we are in public session, and when they are not speaking they should please mute themselves again.

In addition I remind members of the constitutional requirements that they must be physically present within the confines of the place in which the Parliament has chosen to sit, namely, Leinster House, to participate in public meetings. I will not permit a member to participate where he or she is not adhering to this constitutional requirement. Therefore, any member who attempts to participate in the meeting from outside of the precinct will be refused. We know the position in terms of the interpretation of the Constitution that the Houses of the Oireachtas have directed.

I remind members and witnesses that they should respect and strictly adhere to the subject matter scheduled for discussion today. Any deviation on this topic will rest with the Chair. We have an agenda, a topic and have received witness statements in advance. I ask members to confine their questions and engagement to those topics. Unfortunately, it is not permitted to stray into wider affairs because of a variety of decisions, Standing Orders, etc.

The provisions of Standing Orders in relation to matters which are sub judice place an onus on members to avoid, if at all possible, comment which might, in effect, prejudice the outcome of any legal proceedings which may be in being.

Therefore, I will not permit discussion or questioning that relates to current litigation. I will take all that as noted by all participants. I thank them for their attention.

The format of the meeting is that we will have two sessions with, effectively, two parties in each session. I will invite each witness or organisation to make an opening statement to a maximum of five minutes. Once the opening statements have been delivered, I will call on members in the order they indicate to put their questions. We will have one round of questions and, if time permits, a second round of follow-up questions. Unfortunately, the duration of the meeting is limited to two hours, as is the norm at the moment with the pandemic, etc., so I ask all participants to be as focused as possible in their contributions.

With those preliminaries addressed, I am delighted to call on our guests to deliver their opening statements. Mr. Schrems has the honour of going first. He is very welcome. I look forward to the engagement with him.

Mr. Max Schrems

I thank the committee for inviting me to appear. I particularly thank it for holding this hearing because the issue goes far beyond Ireland. It is really a fundamental rights issue for the whole EU, given the situation that Ireland has.

I first engaged with the Data Protection Commission, DPC, when its office was located above a Centra supermarket in Portarlington and it was staffed by 20 employees. That was a long time ago. Since then there have been nine court engagements at the European Court of Justice, ECJ, over two cases. In particular, there has been the big change involving the GDPR, which was meant to make the fundamental right to privacy enforceable and a right on which people can rely. In that spirit, it is remarkable that the Government has allocated far more resources to the DPC. It is now one of the best-resourced digital protection agencies in Europe, which says a lot.

Much of the law in this area is not new. Much of the content of the Data Protection Act 1988 derives from a convention agreed in the 1980s. Most of the law is the same as that contained in the 1995 directive. As such, it is not new. However, the big difference is that the GDPR should have brought about enforcement that does not exist just on paper, but reaches reality somehow.

An interesting point is that in spite of the DPC being very well funded, it has very few results to show for that funding. Even the submission of the DPC to this committee kind of openly acknowledged that, albeit in rather diplomatic language. It received 10,000 complaints but handled only 4,700 of them, meaning that 53% of complaints go somewhere unknown. Only a handful of complaints are investigated. Most of them are referred to as being "concluded", which is a euphemism for the DPC not deciding those complaints. It is interesting that the DPC argues that it will build momentum in 2021 and issue six or seven decisions this year. That implies that 99.93% of all complaints will not be decided. This fundamental right in Europe is just not reachable and actually enforceable for 99.3% of the people who rely on it.

In comparison, in Austria, my home country, which is not really known for big tech, the regulator issues approximately 850 decisions per year. The Austrian regulator has a budget that is 15% of that of the DPC. There is a lot of input into the DPC but very little output. In Austria, 142 fines were issued, for example. Data protection agencies in other countries have similar numbers. The data protection agency, DPA, in Spain is very similar to the DPC in terms of budget and the like, but it has issued more than 700 decisions so far.

It is interesting that the DPC states in its submission that there may be cases that, although they are of imminent relevance for the given individual, are not relevant for the wider public and that, apparently, is why some cases are not handled even though everybody has a fundamental right to privacy. This is not just a European issue. We have received many emails from Irish citizens who have experienced exactly these problems.

A significant part of the background in this regard relates to a certain fear of law. The DPC stated that the GDPR is principle-based, there is no fixed template how to really apply the law and that enforcement all too often gives rise to challenges. Apparently, that is a reason not to enforce the law. I understand that many members of the committee are lawyers. As a lawyer, applying a rather abstract principle in the law to a given fact pattern is the daily business of law, so I was a little surprised that is, apparently, one of the big issues or, at least, it is the argument we have heard so far. In my personal experience, there is extremely poor understanding of material and procedural law in the DPC. Some cases have been pending for more than eight years. The cost to the taxpayer of the case that was lost twice at the ECJ and heard before nine courts so far has been in excess of an estimated €6 million. We can see there are very few positive things coming out of the DPC.

I do not want to just criticise; I also wish to suggest solutions. There is obviously the option of the DPC having three heads, rather than one as is currently the case. The additional two positions could be filled by people who have the expertise in material law, GDPR and procedural law to enable them to solve these issues to a certain extent. There is much uncertainty regarding procedural law. That is partly because there is no written procedural law in Ireland, whereas in many other countries one usually has case law on which one can rely. That could be clarified by the DPC. It currently refuses to clarify many of these issues, even in ongoing litigation. It is then haunted by this because the likes of Facebook rely on these uncertainties in the procedure to block cases with judicial reviews and so on.

Funding is another reason giving rise to a fear of litigation. Litigation is very expensive in Ireland compared with in other member states. That may be a reason to avoid it. However, enforcing the GDPR partly gives rise to fines of billions of euro, which would leave a net budget surplus if the GDPR were to be enforced. It would be interesting to see whether certain funds that would accrue in this regard would be allocated to the actual enforcement work itself. In France, for example, the value of fines issued exceed by far the costs incurred by the DPAs.

Those are some of the possibilities that should be explored. I am sure there will be further opportunities to engage on the details of these issues.

I thank Mr. Schrems for that very interesting presentation. We will return to him with questions in a few moment. I invite Dr. Logue to take five minutes to set out his stall.

Dr. Fred Logue

I thank the Chairman and committee members. I am a principal solicitor with FP Logue and have a specialist information law practice, which includes data protection. In contrast with Mr. Schrems, I am here to share my everyday dealings with data protection issues of a more routine nature. Although they may be more everyday issues than those with which Mr. Schrems is concerned, these issues have significant importance for individuals and their daily lives and involve dealing with financial institutions, workplace surveillance, data retention, adoptees seeking their early life information, social welfare issues, access by the police, access to police records and so on. These are issues that cover the vast swathe of our lives. It is through this lens that we can get a good picture of how data protection is being enforced in Ireland.

It is worth pointing out that data protection rights are kind of radical because they create a legal relationship between a data controller and a data subject simply because the former processes the personal data of the latter. That exists irrespective of any other legal relationship such as contract, statute or common law, for example. It applies more or less equally regardless of whether the data controller is a public or private body. Mere processing of personal data gives rise to a legal relationship. That fact is missed by many data controllers.

The GDPR and the law enforcement directive are the primary EU law measures that give effect to that legal relationship. They do so by imposing obligations on data controllers, giving rights to data subjects and providing enforcement mechanisms.

The DPC in Ireland has the primary responsibility for enforcement. It is tasked with resolving disputes between data subjects and controllers. I echo Mr. Schrems that it is tasked with doing so in every dispute; it is not a discretionary jurisdiction under EU law. The commission has extensive powers under EU law to carry out those tasks.

Unfortunately, my overall experience is that compliance in Ireland, particularly with access requests, is poor and that GDPR and data protection is poorly understood by the people tasked with implementing it in many organisations, public and private. Even worse, few public authorities seem to be aware that they have a responsibility to ensure the effectiveness of EU law and they cannot hide behind Irish law which conflicts with EU law. I believe compliance is poor because enforcement is ineffective and virtually consequence free. The possibility, in my experience, of a DPC complaint does not appear to be something that motivates many controllers to comply with their obligations. I echo the observation by Mr. Schrems that complaints are taking way too long, they are way too expensive in terms of money and time, there are no documented procedures and what procedures are in place are too complex and do not lead to efficient or fair complaint handling. In fairness to the DPC, when it gets to a decision, it is not too bad, but by the time one gets there, usually the complaints procedure has failed to serve its purpose and the reasons for it have evaporated.

The DPC could be forgiven for taking longer for more complex cross-border complaints such as that outlined by Mr. Schrems, but my experience is that the issues that have been highlighted in the presentation by the first speaker also apply, even to the most routine complaints at national level. I also think that the procedures are not fair, particularly in light of the recent Zalewski judgment of the Supreme Court. It is only a matter of time before that comes to court in Ireland. I am also uncomfortable that the DPC has very informal consultations or engagements with controllers. Often, it is involved in designing processes and products and services that it then is called on to investigate. A recent example of this is the national smart meter programme, where it seems the DPC has been involved since 2012 in its design but now is being called on to investigate it. We need the DPC for the rule of law and to ensure people's rights are vindicated. The eyes of Europe, and possibly the world, are on us. It is important that these problems are resolved in a way that gives rights their full effect in this jurisdiction.

I thank Dr. Logue for his presentation and brevity. I will call members in the order they indicated, commencing with Deputy Costello, whom I know has a great interest in this subject.

I thank both witnesses for their presentations. In the interests of transparency, I should say that Dr. Logue, as a solicitor, is acting for me in a small legal matter. I want to pick up on something he mentioned in his submission. Paragraph 12 references that several cases have emerged where the data controller deleted or destroyed information after the complaint was filed. I am conscious that An Garda Síochána have a duty to seek out and preserve all evidence bearing on the guilt or innocence of an accused. Does this not apply to the commission or to other judicial bodies here and is that a problem that we as a committee need to fix?

Was that question directed to Dr. Logue?

Yes. I will have a question for Mr. Schrems as well.

I ask the Deputy to put both questions now.

I am conscious that Mr. Schrems has a European-wide view on matters. We have seen Germany take efforts to bring enforcement against Google without involving Dublin and, recently, Italy side-stepping Dublin in regard to TikTok. What else is happening in Europe that we should be aware of that will likely further isolate Ireland? I ask Mr. Schrems to give an example of where policies and procedures in a data protection controller are working very well in a European context and what is the main difference between it and us? What are we doing wrong and what can we do better?

The Deputy's first question was directed to Dr. Logue and the second to Mr. Schrems. I invite Dr. Logue to respond.

Dr. Fred Logue

The Deputy is correct in regard to the deletion of personal data subject to a dispute and a subject access request. I have seen that in at least two or three cases. First, it is a breach of the GDPR because personal data have to be retained for as long as is necessary for the purpose. For the purpose of a subject access request, it is necessary to retain it. In terms of the DPC, it does not get a copy of the personal data that are being disputed. It is asked to adjudicate on a dispute over access to information, but it does not ask for a copy of the information. I find that unbelievable, to be honest. Second, in one particular case I asked the DPC to use its powers to order the controller not to destroy the personal data because the controller had told us that it would destroy the personal data upon a certain event happening, which was relatively likely. It took nine months to get the DPC to even engage with that and in the end, it would not exercise its powers. The DPC speaks about fair procedures and it having to take time to ensure fair procedures, but fair procedures also have to be applied in regard to what the data subject is trying to achieve. That is an important point. There is nothing in place that, first, prevents the information being deleted, second, the commission is not taking copies of the information that is being disputed. That needs to be looked at.

I thank Dr. Logue and I invite Mr. Schrems to respond.

Mr. Max Schrems

We have the same experience with access requests. It is impossible for DPAs to figure out what data are available unless they go on premises and take the hard drives out of computers. Otherwise, they would never know what is stored. That is a matter of logic. We have seen other DPAs do that, but we have not seen the DPC do it. For example, we have big cases in regard to Facebook, in respect of which Facebook still does not provide all the data to our understanding.

On the question regarding bypassing, that is definitely a big issue. We are an organisation that does strategic litigation. One of our biggest questions when we file a new case is how can we bypass the DPC. There are different routes and options. There are possibilities with class actions that are coming up in two years and there is a collective redress directive that allows GDPR class actions to be filed wherever the individual claimant is. There is a possibility that the DPAs will no longer see the main establishments in Ireland as main establishments. There are disputes around that. The jurisdiction of the DPC is based on the fact that a big international company claims domain establishment in Ireland. We saw companies, rather randomly, declaring the main establishment in Ireland for one purpose and not for another and going back and forth each year on where their main establishment is. That is then used to dispute that there is a main establishment in Ireland in the sense of decision-making from a GDPR perspective. That then leads to not them having an exclusive jurisdiction of the DPC. We had a case like that in Norway, which was about Twitter to a certain extent and the issue of main establishment. More and more DPAs are saying that they believe that a particular company in Ireland is not a main establishment; it is something else such as a subsidiary and it is not really making any decisions.

On e-privacy, there is now a live debate on how to reform e-privacy without the one-stop shop. If the DPC becomes the one-stop shop for e-privacy as well, the fear is that we will have the same problem that we have in regard to GDPR and so consideration is being given to establishing a different system for e-privacy. I personally am against that because I think it makes sense that the law is consistent and that we trust each other in the European Union, but right now that trust is hard to explain to people in Brussels. In terms of a last bypass, increasingly there is an appetite for an infringement procedure against, in this case, the whole Republic of Ireland.

This is interesting because it is an independent body but that is how EU law works. It would then be basically an infringement procedure against Ireland which the European Parliament, or at least a committee of it, has asked for. It is very likely this vote will go through.

The answer which is much harder to give is as regards the countries where everything works well. The GDPR is something that is very hard to enforce for people and it took a great deal of resources. We saw a great deal of hiring of the good people to the private sector so the data protection agencies, DPAs, were just brain-drained to a certain extent. There are all of these issues.

However, we see countries where, if you look at the numbers, they are definitely more efficient. In Austria we have a huge funding issue but you get your case decided. They even have to decide within six months by law. They do not always make that because they simply do not have the personnel right now but they are at least trying. Spain is quite interesting because they have similar numbers to the Data Protection Commission, DPC - similar complaints numbers, similar budget numbers and similar staff numbers - and there are five to six decisions that are popping out of Spain daily with exactly the same GDPR that needs to be enforced as in Ireland. We had very positive results in Norway. The quality of the staff is very good, as is the decision quality, which is well argued and everybody understands how the decision was arrived at and what it means. It is very likely these decisions will never be overturned because they are very solid.

In Germany certain DPAs are doing quite a good job. Germany has 17 DPAs. Everything is federated in Germany. There we see it is a bit different in each state. For example, Hamburg is usually very proactive. Some of the decisions are, however, pulled back by the courts, which is something the DPC argues regularly, as well, especially on the European level. It is interesting that the commissioner argues that Irish procedural law would hold her back from doing her job, while on the Irish level it is usually argued that it is GDPR, or European law, that is the big problem. It seems on each level of debate, the other level is always guilty of the problem. We see that in some countries the courts are very hard on the DPAs, which is very different from the situation in Ireland where the courts have allowed many decisions to stand, especially in comparison with litigation in other countries. It is a problem in Germany that certain courts try to push back against the idea of privacy.

I thank Mr. Schrems. I move on to our next questioner. Deputy Costello got first mover advantage in terms of a little bit of latitude on time, but I will have to move quickly through the questions and questioners and I ask everybody to keep it snappy because we are, unfortunately, under pressure for time, although we have had a very valuable contribution and engagement so far. Senator Malcolm Byrne is next up.

Go raibh maith again, a Chathaoirligh, and I start by asking whether you agree with all the conclusions Mr. Schrems has made, and by acknowledging the enormous contribution he has made in putting issues around data protection and privacy on the agenda. I have two questions, one each for both Mr. Schrems and for Dr. Logue, on the operation of the DPC. Mr. Schrems asked about moving from one commissioner to three here. I certainly would favour that and I ask that he speak further to that view. It follows Mr. Logue’s point that one of the challenges is that the DPC gets caught up with many individual cases and does not spend a significant amount of time on its own volition inquiries. Does Dr. Logue feel there is a better way to strike that balance between dealing with those big picture queries, such as the ones that Mr. Schrems was talking about, dealing with the Facebooks and the TikToks, and distinguishing that from the individual queries?

On the general point that Mr. Schrems made bout the decisions that are being made on data at a European level, and we are going to be dealing with biometrics, facial recognition, and data gathered in all sorts of other ways, to what extent do both witnesses feel policymakers, decision-makers and legislators such as ourselves understand the importance of data privacy and regulation? If they do not feel we understand that, what should be done to address that?

I thank the Senator and I appreciate the conciseness because we are under a little time pressure. I will return to the witnesses to answer those points.

Dr. Fred Logue

There has to be an individual remedy. Bodies like the Residential Tenancies Board, RTB, and the Workplace Relations Commission, WRC, handle between 5,000 and 8,000 complaints a year, and make decisions on them. They have the same kind of budget as the DPC and have that investigatory and supervisory role as well as an adjudication role. It can and is being done in this country. They hold hearings around the country and have appellate jurisdictions. Even the RTB has a telephone mediation service that deals with and closes 25% of the disputes over the phone through professional mediation. The model is already there.

There should be some sort of functional separation between the quasi-judicial part and the more administrative part. They are quite different skill sets and this should be looked at.

The committee should be looking at the Zalewski judgement which recently reviewed the Workplace Relations Commission's procedures. In data protection, for example, there is no penalty for giving false evidence to the DPC, there is no cross-examination and you cannot have a hearing or test the evidence. If someone says he or she cannot find something or he or she has looked for it, there is no way of determining whether that is a fact. The jurisdiction needs to be kept with the DPC and not go into the courts. They are not set up for that level of detailed adjudication on these things. We just do not have a court system that can handle that.

To answer Senator Byrne, policymakers and people like our legislators have a very good grasp of privacy and data protection. It is a testament to the members of this committee and to the wider body politic that they take a great deal of care and are very interested in ensuring Ireland retains its position as the leading jurisdiction for data protection in Europe.

Thank you, Dr. Logue. Mr. Schrems, do you want to give a brief reply to that also?

Mr. Max Schrems

Exactly. On the number of heads, there are a couple of reasons for that. One good reason is conflict of interest. If, let us say, the brother of the current commissioner is bringing a case, who would even decide on that case because she would be inherently conflicted? We have these situations. That is very much connected to the advisory part which has just been mentioned. We have cases where the DPC has advised Facebook in ten meetings how to, in my view, bypass the GDPR. We filed a case exactly the very first day of the GDPR about that bypass only to figure out later that there were previous engagements. We are not allowed even to see these engagements or to know what they are. They are apparently half a State secret. It leaves a very problematic situation. It would not allow us to appeal any decision on the basis of that prior engagement and the independence issue. If there are multiple heads, there could be options to separate these parts from each other and thereby ensure there is no conflict.

On the complaints numbers, the view of the GDPR and of European DPAs is that there is an easy access to justice if you have a complaint. The whole idea is there is a free procedure that is easy for every average person to use to get his or her access request or whatever it is. Obviously, free procedures in such areas draw a lot of attention from people who just submit stupid complaints and probably not the most relevant ones. That is common across the EU. Every DPA has that problem, but there are ways of getting rid of them. We see numbers where probably a third, 25% or 20% of these complaints do not make it into actual handling and 99.9% of cases do not see a final decision.

That leads to something of a negative spiral. The companies in their webinars and their rationale are risk-based. They are basically thinking that if it costs €1 million to comply with the GDPR but there is no realistic scenario in which they are going to get a penalty, then it makes business sense that they do not really comply with GDPR. If I know the regulator is doing that regularly, it ends up in a negative spiral where there is less compliance and more complaints which lead to an even greater clogging up of the system. This is a bit like the situation where if we are on the street and we all feel that there is terror all over the place, clearing the street is very hard. Once that situation arises, if when someone oversteps the law the police are always there and present, people then usually self-police and comply with the law from the get-go, which does not require any complaints or DPAs, and so on.

One country where that worked quite well is France. There are hefty fines that are meant to be seen as dangerous.

In France, for example, it was decided that websites have to display cookie banners that actually state "Yes" or "No" and not "Yes" or an endless maze of options. Once the data protection authority there announced that, we saw in our statistics that we were running that most of the cookie banners in France were suddenly compliant with the law. It did not really need complaints and it did not need enforcement. It just needed a credible threat of enforcement and that is how law works in general. That is how we work in most other areas.

I apologise to Mr. Schrems for cutting across him but I am conscious that four more speakers wish to contribute and there are only 20 minutes left in the first round. I am sure that there will be common ground in the replies. The four remaining questioners have five minutes each for questions and answers and I call Senator Ruane.

I will expand on two comments that have been made. My first question is for Mr. Schrems and my remaining questions are for Dr. Logue. Is the rationale for the call for three data protection commissioners connected to a conflict that may exist in having just one DPC or are there other specific governance and procedural improvements that would stem from having three DPCs?

My questions for Dr. Logue concern the functional separation between the administrative support functions of the DPC and the quasi-judicial functions. He mentioned the Residential Tenancies Board, RTB. Do we need two distinct public bodies to carry out these two separate functions adequately? He mentioned that the RTB and other organisations carry out these functions effectively. I ask him to say a bit more on that aspect. It was good of him to mention the functions of the RTB for comparative purposes. In terms of the type of cases to be dealt with, would there be much difference in trying to create that within the commission?

I appreciate the Senator's conciseness.

Mr. Max Schrems

There are benefits from independence, but there are also benefits from getting more knowledge on a decision-making level, which seems to be lacking right now. Quite honestly, if I ran my NGO the way that the DPC is run then I would probably be fired by my board but the DPC is independent so that is not an option. An option would be to add more people and that would act as a counterbalance, which, from my perspective, is the more important part. There are benefits, like these independence issues, that come with the addition of more management personnel.

Does Dr. Logue believe that we need two distinct public bodies and, if so, how would that work?

Dr. Fred Logue

I think there should be just one DPC. The benefit of expanding the commissioner level is because of the different skill sets. One needs either a very experienced lawyer or somebody with judicial experience to get the quasi-judicial side, at least, back on track. The procedure is not proper quasi-judicial procedure. There are no hearings, no evidence on oath and no engagement between the parties. It is very protracted paper-based decision-making.

The Workplace Relations Commission, WRC, holds 20 hearings a day and deals with a raft of employment and equality legislation. The WRC has much more coverage than the DPC yet it can manage to do this. The DPC has talked about amicable resolution. I have never figured out what that is, apart from the DPC telling people to ask a second time for the stuff they have already been told they cannot get. The RTB says it gets rid of a quarter of its cases based on telephone mediation conducted by professional mediators. The RTB and WRC are not exactly the same thing, but those two bodies are proof that the concept works. Given that the DPC is supposed to have expertise in data protection law, it grates when one hears the DPC say that data protection is very complex. It does not give us confidence that our regulator and adjudicator is fit for purpose when it thinks data protection is complex. It is not that complex, in my view. It is complex because the scales might be tipped back in favour of ordinary people. That is not complexity. It might upset powerful interests, particularly within the State or big business, but that is what the GDPR and the regulator are supposed to do.

My first question is for Mr. Schrems on the preference for negotiation over enforcement and the emphasis on informal engagement. He has more or less answered my question with what he said about there being an emphasis on mediation, cases being decided within six months, and having five or six decisions made in six months like in Austria and Spain. Is there anything else in either of those countries, or in Norway, which we could use to have more of an enforcement situation rather than negotiation or an informal engagement?

I have a couple of questions for Dr. Logue. What is his view on the increasing use of trackers on the cars of employees by telecoms organisations, for example? Does he think that police records and the PULSE system are adequately controlled?

In terms of local issues, particularly in County Kerry and I will not mention anything about the courthouse, there are GDPR concerns about litter. For example, in rural areas on private lands there are well known littering, dumping and fly-tipping areas. Following decisions made in Dublin about public spaces - it was suggested that it did not comply with GDPR - councils have declined to put cameras on private land which could be monitored by individual landowners in association with councils. Does Dr. Logue believe one can monitor fly-tipping areas in compliance with GDPR requirements?

Over the years the planning officers of county councils would give a briefing and discuss three or four planning applications, which may or may not be of concern to councillors. That practice was ended due to GDPR concerns. Does Dr. Logue believe the practice could be reintroduced to have a discussion and get the views of local authority members?

The last point that the Deputy made is interesting. A number of local authorities use GDPR in a sense that, maybe, was not envisaged. I would say that section 40 of the Data Protection Act 2018 enables public representatives to engage in certain ways with local authorities but local authorities have not interpreted the legislation in that way. I am interested in hearing the opinion of Dr. Logue on that as he is a local expert on this matter. Did the Deputy address his questions to either witness or both witnesses?

My first question, on how we can emphasise enforcement over negotiation, is for Mr. Schrems. All of my other questions, with regard to litter, planning, the Garda PULSE system and the tracking system on cars, are for Dr. Logue.

Like the Deputy, I seek Dr. Logue's opinion on section 40 of the Data Protection Act 2018.

Mr. Max Schrems

The majority of cases are very simple. I made an access request and did not get an answer. There is not much legal knowledge needed to decide such a case. Most data protection authorities work with a digital system here, as far as I am aware, so there is a case management system that escalates stuff the right way. Usually, for example, in Austria we work with textblocks on that because these decisions are all the same and one saves time for important stuff by getting quick decisions, although they are of high quality because these textblocks are reviewed by lawyers.

Everybody knows that they are accurate and that the courts have upheld them, so they are reused over and over again. That is how hundreds of decisions can be produced with very little need for oversight. There is very little need for later litigation if the quality is good at the beginning.

It is a bit of an omnibus question but will Dr. Logue do his best to give a flavour of his view on each part?

Dr. Fred Logue

The good news is that two answers cover all of the questions. The GDPR has become the new health and safety or insurance. It has become an excuse for not doing things we do not really want to do. There is absolutely no reason a planner cannot discuss a planning file with a public representative, regardless of section 40. It is just a normal thing. Advocate General Bobek has made an observation about using the GDPR to obstruct the protection of personal data rather than for its protection. That is just a symptom of poor compliance, particularly in the case of public bodies. As more disputes arise and as more sanctions are imposed, that should improve.

The second thing is a list of things that can or cannot be done. Under the GDPR, one can do most things but one has to have certain things in place. There has to be a legal basis. That is fundamental to the data protection regime. If one processes personal data, one must either have the consent of the data subject or it must be necessary for some purpose listed in the GDPR. It can be necessary to fulfil a legal obligation. For example, with regard to the enforcement of compliance with litter or waste legislation with CCTV, as long as the legislation in place meets the standards of EU law and the GDPR, this is allowed in principle. What happens, however, is that we do not put such legislation in place or that the legislation which is in place is deficient. Bodies, reacting to public pressure because CCTV is popular, then try to work around the legislation or try to shoehorn provisions into legislation which is not fit for purpose. The problem could easily be solved if we just had proper legislation. The legislation has to ensure a proper legal basis for the action and provide for safeguards against abuse. At the other end, there also has to be good compliance with data subject rights. For example, if I want to know if I have been captured on CCTV, I must be told. Notices must be in place. Employers who are tracking their employees must tell those employees and there must be a legal basis for doing so.

To answer the first three of the Deputy's questions, if we just implement the GDPR in the way it was designed to be implemented, none of those things would be disallowed in principle and we would find out which ones are disallowed through the legislative process.

I thank Dr. Logue. Before I bring in the next speaker, for the information of members I will mention that Deputy Pringle and Deputy Creed are the final two speakers I have noted for this first round. May I ask Dr. Logue a supplementary follow-up question? He mentioned the need for better legislation. Is he suggesting that the Data Protection Act 2018 should be extended or amended or is he suggesting legislation to deal with ancillary scenarios or how the GDPR is to be implemented in various sectors or contexts? Is he suggesting a code of conduct? I believe codes of conduct already exist for certain sectors. Is he suggesting that legislation in which the GDPR is featured should become part of other sector-specific legislation? What exactly is he suggesting? Will he finish on that point?

Dr. Fred Logue

In principle, it can be both. If powers exist to make regulations which facilitate data processing, this can be done under the 2018 Act. Things like CCTV will probably need their own sectoral legislation. The use of CCTV is pretty limited at the moment under the Garda Síochána Act 2005 and this does not really work for the enforcement of legislation regarding traffic or litter. It was really meant only to allow for An Garda to carry out public order investigations. When passing legislation for sectors, the procedure does not involve checking to see whether specific data processing provisions are required. I am not sure how it works, but it would be beneficial if a recommendation was made to build into parliamentary procedures a requirement to check at an early stage whether such provisions should be included rather than finding out when something goes wrong after the legislation has been passed.

That is interesting. I believe, in some cases, there is conflict between laws, including some of the legislation to which Dr. Logue alluded. I suppose that is part of the tapestry.

Does Dr. Logue have a view on whether there is enough control over the information compiled in police records on the PULSE system? In his opening statement, he specifically mentioned police records.

We are under a bit of pressure with time so I might move on. We will take the question at the end of the session if there is time, unless Dr. Logue could give a ten-second answer. I am sorry to put him under pressure but we have other speakers.

Dr. Fred Logue

The ten-second answer is that the basic principles of data protection are transparency and protection of the rights of data subjects. If the police implement those correctly, and if there is enforcement and supervision in that regard, in principle there should not be a problem.

I thank the two presenters for their contributions so far. I have two quick questions, which are directed to both witnesses. In the figures provided to us by the Data Protection Commission, there seems to be a discrepancy in the definitions of "concluded" and "resolved" with regard to the status of cases. What is the witnesses' understanding of those two terms as they relate to cases taken up by the DPC?

It was said that there is a very significant backlog of cases. It seems to me that court proceedings may be required to clarify certain issues. Would that have the effect of resolving a lot of cases in one go? I am sure repeat cases would come up and that a court decision would influence whether they moved forward. Would such proceedings clarify a lot of issues? Would they streamline some of the work that needs to be done?

Mr. Max Schrems

I am mindful of time. The term "resolved" is also one of my biggest questions in life. There seems to be a sort of Bermuda triangle somewhere. We have heard from people involved in cases that the DPC no longer comes back to them but rather says that it will not investigate the matter further. We have seen random answers in emails or have been told about them. If one looks at the numbers, these are the cases that must be categorised as resolved. That is my understanding of the terminology. There is a problem there.

With regard to the clarifications, I am mindful of how long the courts can take. I have been involved in litigation for eight years now. Court proceedings are probably not the easiest way in which to clarify matters. There are certain parts of the Irish Data Protection Acts that could be clarified such as procedural issues with regard to the steps involved and how long things can take. There could be options there. It is common in other jurisdictions for these things to be clarified in the legislation.

The other option is for the DPC to have a multi-stakeholder hearing and to clarify its procedures itself. There is some beauty to that idea because the commission knows what it is doing procedurally, at least with regard to the steps involved. There are publications which say there are 12 steps to the procedure and others which say there are six. Now there is litigation in which the commission has said that it is a one-step procedure. That is exactly what Facebook used in its judicial review as regards the DPC. It said that it did not even know what the procedure is, so it is all unfair. Unless that is clarified in that way, it may be quicker to clarify it in law or in instruments issued by the DPC itself rather than by putting it to the courts.

Dr. Fred Logue

If complaints take three years rather than three months, there will automatically be 12 times more complaints on the books. One sometimes gets an email out of the blue after a year saying that one's complaint will be closed automatically if the commission does not hear from one within 14 days. Nobody knows what "resolved" or "concluded" means. With regard to these administrative things, if something changes or something new comes in, litigation occurs which clarifies the matter and it settles down after a while. There has been litigation with regard to the Residential Tenancies Board, the Workplace Relations Commission, the Information Commissioner and a whole load of such decision makers, but things just settle down and, ultimately, there is very little litigation because people know where they stand legally. By blocking that, we are just prolonging the length of time it takes for things to settle down. We should just let it go. We should make decisions and have them reviewed and then, in a year or two, it will start running a bit more smoothly.

We will go to our final questioner for this round. I will invite Deputy Creed to wrap up the session. Deputy Creed, do you wish to put your points to the room?

My thanks to our two witnesses. Their opening remarks and the replies to questions to date have been peppered with reference to big data, big business, big tech and big brother. My questions are borne out of constituency experience. Unfortunately, there are not many big tech or big data companies in my constituency. However, we have many public-facing small businesses. I want to ask a critical question. Is our core legislation fit for purpose? I am asking the question because the European Commission report from 2020 stated that compliance costs were a bigger issue for small and medium-sized enterprises. At the same time, the Commission gave no comfort to those enterprises in recommending any difference in approach.

The witnesses in their references talked about data controllers. What if a person is the chief cook and bottle washer of the local hospitality industry, small medical practice or small retail enterprise? When these people get correspondence from the much-maligned Data Protection Commissioner, it puts the fear of God into them. They do not have an in-house solicitor to which to refer the complaint. I imagine these people take no comfort whatsoever in the submission from Dr. Logue, especially where he says he believes that more use has to be made of fines and compensation as a matter of routine. I am not saying all these aforementioned SMEs are compliant, but in most cases they attempt to be and they may be non-compliant by default. From my experience many of the complaints are vexatious. There may be people who want to be part of the compensation culture that Dr. Logue seems to be promoting in his submission. He seems to suggest people should be compensated. Section 109(2) of the 2018 Act refers to proposals for amicable solution. A small business may get a letter calling for a proposal for an amicable solution. They may be informed that if that does not materialise the case will move up a step in terms of how the Data Protection Commissioner will deal with it. That is a threatening procedure to a small business.

This goes back to my question. Is the legislation fit for purpose? It seems it fails to differentiate between small entities and what appears to be the primary focus of the concerns of the witnesses, which relate to big data, privacy, big tech and big brother. Yet, many small businesses are caught up in all of this. They may wish to be compliant but the cost of compliance is in many respects beyond their resources. I have seen examples of where this is graphically brought home by the correspondence they receive from the Data Protection Commissioner. I believe they are easy prey. They will be unable to take their case to the High Court, the Supreme Court or the Court of Justice of the European Union for comfort. They will be shivering in their boots while they are anxious to be compliant but bearing the costs disproportionately.

I thank Deputy Creed for his question. It was a really interesting question and somewhat different to the flavour so far. That is an interesting angle and a good contribution. I will call on Mr. Schrems and then Mr. Logue to wrap up this session. What do you say to that, Mr. Schrems?

Mr. Max Schrems

I will try to be as short as possible. My answer will probably surprise the committee. I feel the same. That is one fundamental problem of the GDPR. It does not differentiate exactly. I come from a family in which my mother has a small business and I am now running a NGO with 15 people. We have the same red tape issues as many SMEs. This came, however, from the lobbying of industry. The industry wanted a one size fits all law that does not differentiate to a certain extent. It came especially from the conservative side in the European Parliament. I advocated at the time for the need to differentiate. Big tech companies, in particular, wanted to have a one size fits all law because it means they will be under the same law as a local business. The hope was that the bar would go down for them but the bar is now too high for a smaller business.

The way to solve it is basically how most data processing agreements deal with it. There is amicable resolution in most countries of which I am aware. This usually means when a company gets an angry letter from the Data Protection Commission and the company complies and answers the access request, then the case is simply ended with a notice and warning. That is it. Oftentimes we have fines of €500, €200 and so on. That is reasonable in these situations. With a small SME I have a right to get a copy of my data, so I do not think there is much of a difference. It can be done in enforcement and can be applied. The GDPR foresees this to be reasonable under Article 83, if I am not mistaken.

The final comment of this session will be from Dr. Logue. Dr. Logue, do you want to speak to the question of red tape for small businesses?

Dr. Fred Logue

I am a small business owner and chief bottle washer. I ensure that does not happen simply by being compliant. Fines are not my idea. The European legislature has put in fines that are persuasive and effective. I wish to point out as well that in Ireland we have lower fines for public bodies than private bodies. That was a decision of the Oireachtas. Perhaps members should be talking to their colleagues in the Oireachtas about why they have gone soft on public bodies relative to private bodies.

At the end of the day, we need legal certainty. If we have legal certainty, then we can easily comply. We need strong enforcement so that the people who do not want to comply are not undercutting the people who do invest in compliance. At the end of the day we are talking about protecting individual people and their rights.

I did not talk about big tech in my submission. My opening statement referred to basic everyday rights relating to employment interaction, police surveillance and adoption. There was nothing about big tech. All my clients are ordinary individuals who have been wronged by public and private sector bodies.

I noted that in the opening statement.

Dr. Fred Logue

I apologise for running over.

I wish to thank our two witnesses, Mr. Schrems and Dr. Logue, for their participation. It was a valuable engagement.

That concludes our first session. I remind the two witnesses they are welcome to watch the rest of the meeting on the Oireachtas web channel if they wish, but this concludes their participation. They are welcome to continue to watch the second round.

Sitting suspended at 7.35 p.m. and resumed at 7.40 p.m.

We will now commence the second part of the meeting. I welcome the witnesses to our meeting. I will give them a moment to take up their positions. I see Dr. Ryan and Ms Dixon. They are both very welcome to the session. I believe Ms Morgan is also joining us from the Data Protection Commission, DPC. I see her smiling in the corner. I thank all three witnesses for their attendance and participation in this session. I look forward to the engagement. I remind the witnesses to unmute their devices when they are speaking to the committee and when they are not contributing they should mute themselves. We have established that everyone can hear me. I will leave the housekeeping at that. We are all used to it at this stage.

This is session 2 of our meeting, which is to have an engagement with a number of stakeholders who have made a written submission to assist the committee in its consideration of the general data protection regulation. Before the opening statements are taken I will give some quick advices on parliamentary privilege. All witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of a person or entity. Therefore, if their statements are potentially defamatory in respect of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that witnesses comply with any such direction. For witnesses attending remotely, outside the Leinster House campus, which is the case with the three witnesses in this session - all the witnesses today are remote - there are some limitations to parliamentary privilege. As such, they may not benefit from the same level of immunity from legal proceedings as a witness who is physically present. There we are, the pandemic has us meeting remotely, but at least we can meet. The witnesses should be mindful that the privilege does not extend to the same degree as it would ordinarily.

Members are advised of the same. Rather than read the long version of the caution to members, I will take it as read, because I know they have been to several meetings at this stage and they are aware of the rules on privilege and parliamentary procedure and good practice. I remind members to avoid commentary on any matters relating to current proceedings which are sub judice, as that might prejudice the outcomes.

The format of the meeting is that I will invite each organisation to make an opening statement of a maximum of five minutes. Once the opening statements have been delivered I will then call on the members of the committee in the order that they indicate. There will be one round of questions at any rate and we will see how we get on before I talk about supplementary questions. I will call on the speakers in the following order: Dr. Ryan and then Ms Dixon. They have five minutes each. If Ms Dixon wishes to share time with her colleague, she is welcome to do so, or she may wish to take all the time and her colleague can respond to questions as they are asked. It is her prerogative. I will go to Dr. Ryan without further ado. We are mindful of time as we are, unfortunately, subject to a strict timeline because of the pandemic. We have a two-hour cap on the time for meetings. Dr. Ryan is very welcome to this forum. We are delighted to have him with us. I look forward to hearing what he has to say. He has five minutes to make his opening statement.

Dr. Johnny Ryan

It is a pleasure to join the committee today. I represent the Irish Council for Civil Liberties, ICCL, Ireland's oldest independent human rights body. We have worked on data protection for decades. Until recently, I was a senior executive for a Silicon Valley tech firm, where I worked with the inventor of JavaScript.

The GDPR gave the DPC powers to proactively investigate the misuse of data about us, and stop the misuse. It can "obtain access to any premises" and compel evidence. It can even force the biggest companies in the world to change what they do with our data. Although we all know there is a privacy crisis, the DPC does not appear to be using these powers to protect us. Three years ago, I blew the whistle to the DPC about real-time bidding, RTB. It is the largest data breach ever recorded. It allows data brokers to build illegal dossiers about us based on the private things we do online. This exposes us to manipulation and enables foreign interference in our elections. The crisis is so acute that one of my evidence bundles to the DPC featured on the front page of the Financial Times, and it was not a quiet day. Despite this, three years on, this week the DPC told me it has not even completed a "statement of issues" of what it should investigate. I want the committee to consider this sobering statistic: in the three years since the GDPR was applied, the Data Protection Commission has asserted its lead role in 196 cases, but delivered decisions, even draft decisions, in only four. In other words, the DPC has failed to resolve 98% of cases that are important enough to be of EU-wide concern. That means Ireland is the bottleneck of GDPR investigation of Google, Facebook, Microsoft, and Apple, everywhere in the EU.

We at ICCL have warned the Government that the DPC's failure to uphold the rights of 450 million Europeans creates strategic economic and reputational risks for Ireland. Although this is a small and peripheral country, the GDPR gave Ireland the chance to become the key location for digital regulation. That will not happen if the DPC continues to draw criticism from the European Court of Justice, the European Parliament, the authorities of Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary. That is documented. Even last week, at a US event that I was speaking at, the CEO of the UK Competition and Markets Authority was also critical of it. This is a chorus of criticism. DPC inaction has forced other EU member states to sidestep Ireland on GDPR enforcement. If this continues, we will lose our relevance as a regulatory centre. It also jeopardises a new European Commission proposal that Ireland should become the super regulator for more key parts of the digital economy. I refer here to the new artificial intelligence package and the proposal on online content, the Digital Services Act.

The consequences of the DPC's problems are not limited to Europe. As members are probably aware, in the United States, two weeks ago Senator Ron Wyden introduced an important draft Bill to designate jurisdictions with inadequate data protection enforcement. We know from the drafters of the Bill that it intentionally targets the DPC's enforcement failure. If Ireland is so designated because of the DPC's problems, then every significant company here will be prevented from processing data of customers in the United States until they obtain an export licence from the US Department of Commerce. That will be hard because the same restrictions that will potentially be applied to US data are the ones that are currently applied to nuclear material. That would devastate the digital sector. The Government must ensure that Ireland meets its GDPR obligations. We at ICCL propose two urgent steps. First, like Max Schrems, we suggest the appointment of two new commissioners, as provided for in the 2018 Data Protection Act, and that the Minister should use her power to designate a chair of the commission. The second is to establish an independent review of how to reform the DPC.

Its problems may be due to more than just a lack of investment. The ICCL revealed a few months ago that a major reform inside the DPC is chronically delayed, five years after being announced and having cost the taxpayer more than €1 million so far.

I urge all members of this committee to call on the Government to rebuild our DPC to protect us in the data age. We must restore Ireland’s reputation as a regulatory leader. This is a once-in-a-generation moment of opportunity, like that taken by Frank Aiken in leading the world on nuclear non-proliferation in the middle of the last century. We must not squander that opportunity. I thank the committee.

I thank Dr. Ryan. Ms Dixon is next to give evidence. I am aware that the spotlight has been on her office for most of this session and, indeed, the last. We want to work with her and hear what she has to say. She will have the opportunity to respond. She should set out her own stall. This is a solution-based exercise. Ms Dixon has the floor and is welcome to tell us what the solution might be. She is welcome to the meeting and I thank her for giving of her time. We look forward to hearing what she has to say.

Ms Helen Dixon

On behalf of the DPC, I thank the committee for this opportunity to engage with it and contribute to its review of certain aspects of the GDPR. The review comes at an important juncture in what are still the comparatively early implementation stages of this new legal framework. There is nobody in the EU who has not been touched by the GDPR. Many people are impacted professionally, in work contexts, and as individuals in terms of how it is applied in the processing of their personal data. For all legislators and the DPC, as a specialist regulatory body, there is an additional dimension to our relationship with the GDPR.

The aims of the GDPR are to ensure that the fundamental right of everyone to have their data protected is upheld, that processing of personal data serves society, that data protection is not held out as an absolute right but is considered in relation to its function in society and balanced against other fundamental rights, and that the law is implemented in a uniform way across the EU.

In our dialogue this evening, we may, depending on time and questions raised, end up talking about everything from CCTV and children’s data to pseudonymisation and much more. A law that applies to the processing of personal data applies in almost endless contexts and scenarios, which, by default, means the DPC’s regulatory range is equally boundless.

That range of contexts and scenarios reflects itself in constant high volumes of inbound work to the Irish DPC. Last year alone, we had more than 10,000 cases. Some 60% of the complaints lodged with the DPC last year were concluded in the same calendar year. We also handled 42 applications for the approval of binding corporate rules, dealt with more than 6,000 security breach notifications and progressed 87 full-scale statutory inquiries.

Given that everyone has a perspective on the GDPR in light of the myriad ways in which all of us interact with and experience it, it is reasonable to expect that there are equally numerous perceptions of the GDPR’s relative progress since its implementation. With the previously referenced range of contexts to which the GDPR applies, it naturally follows that its advantages and improvements are felt differently by different stakeholders. This is why it is far too simplistic to review the GDPR at this stage in terms of straightforward success or failure, and the committee is right to consider instead the headway that is being made to administer this principles-based regulation proportionately across all of these varied contexts. The GDPR does not spell out sector-specific infractions in the way that other legislation might. Since the regime is principles based, every potential infringement has to be examined and evaluated on its own merits. No two cases are the same. At this point, a little under three years into the application of the regulation, there is as yet little established case law to guide these evaluations. Thus, each review requires first-principles analysis.

The DPC has a particular role under the GDPR in terms of being the lead supervisory authority for the many Internet and technology companies with European headquarters in Ireland. The complexities of the decision-making involved in the one-stop shop, which multinational corporations may avail of under the GDPR, mean that the pace of delivery is not solely within the domain of the DPC. We recognise that collective momentum in this area must increase but equally highlight the structural constraints of the co-decision-making processes provided for in Chapter VII of the GDPR.

A consistent and comprehensive approach to measuring the outcomes and comparative effectiveness of regulation and enforcement by EU data protection authorities under the GDPR is not yet in place. In that vacuum, opinions abound and criticism is constant. Informed criticism must be embraced, of course, not feared, because it drives improvement and contributes in a very tangible way to the delivery of better outcomes. As such, I welcome the committee’s engagement with the issues at hand and its initiation of a dialogue in which we identify what is working well and what is not. Where things are not working well, we examine ways to improve them.

The committee will have seen from the written submissions of certain of the witnesses that issues relating to the enforcement of the regulation by my office have attracted, and continue to attract, particular and trenchant criticism, much of it directed to the idea that, as an emanation of the Irish State, the DPC is deliberately refusing to regulate, or has deliberately been constituted so as to be incapable of regulating, certain multinational companies operating within Ireland, for the same kinds of reasons as those said to explain Ireland’s approach to the taxation of Apple and other such companies. One contributor expresses concern that poor performance on the part of the DPC presents a significant economic and reputational risk for Ireland. Both call in aid observations said to have been made by regulatory and political commentators across Europe and beyond, none of them favourable.

These are extremely serious charges for my office and for the Government and, in light of certain of the charges, for the State as a whole. For the part of the DPC, I reject the charges made and the unfounded bases on which they are made.

Against this sort of challenging backdrop, I hope, through a dialogue with this committee, that some of the noise can be dialled down and that some meaningful insights may be gained into the assessment of the GDPR in practice and the performance of my office as a statutory regulator. I accept that, given the range of issues to be considered and the complexity of at least some of them, we will not achieve all of that this evening, but I look forward to making a solid start and wish to assure the committee of my commitment to ongoing engagement between us on these issues and such others as the committee regards as being important, and as its workload allows.

I thank Ms Dixon for her opening remarks. I will lead with two questions and then go around the room to facilitate the members. We will try to be short and sweet in our questions in this round. The witnesses will have the same time as the previous witnesses but the members may have to be speedier.

I have a big-picture question and a practical question for Ms Dixon. The first deals with the elephant in the room, which she deals with herself in her submission, namely, the threats from abroad to data protection in Ireland and the threat it is said these pose to our economic strategy and attractiveness as a digital hub for many companies. The concern, which I have expressed at meetings of this committee, is that if other member states and other regulatory fora begin parallel and competing processes of regulation, as has been evidenced by witnesses at the previous session and as has been testified in the European Parliament, various courts around Europe and various other parliaments, and if these processes of regulation grow legs and become practice, it will threaten our attractiveness as a one-stop shop. It is not a conversation we are starting; the conversation is already under way and we are joining it at this meeting this evening. It is important that we tackle it. I share Ms Dixon's view that there is a serious concern for the Government and the State as a whole. I hope we can work together to tackle it. It is very much a live concern. How does the DPC respond to that?

Ms Helen Dixon

I thank the Chairman. Let me say at the outset, in case I do not get to say it later, that there is no question but that the DPC recognises that improvements have to be made. In particular, we take the points made earlier about processes and the need to streamline them. We have already engaged in trying to make the processes more streamlined for all stakeholders. We accept the points arising, in part, from the processes in respect of delay, and all of us want to speed up.

However, the difficulty, and I will respond to the specific question, for the DPC is that clearly as a regulator, we are uniquely surrounded by an enormous range of stakeholders. We handle the complaints of thousands of data subjects but, equally, potentially handle the complaints of millions of EU data subjects. We regulate hundreds of thousands of entities - public and private sector, Internet, big tech and voluntary - and in some cases, individuals in terms of their data processing. We recognise the oversight of this Oireachtas. Equally, there is the European Parliament. There are 37 EU data protection authorities, if we count in the regional data protection authorities and so on, so we are at the centre of a very large range of stakeholders, each with their own expectations.

The problem, some of which we have seen this evening, is that it seems very easy for those who are determined to criticise the DPC and fail to recognise what is being achieved - I am not sure anyone reads our annual report because I have not heard any of it reflected in what is being discussed - to rely on very sensationalist statements that, unfortunately, are based on complete inaccuracies. We have heard about Bermuda triangles, things being Kafkaesque and so on. They are great headline generators but the reality is far removed from them.

The Chairman asked me a question about criticism from abroad, including Europe. While we respect the European Parliament in terms of its oversight role, it is well documented in the correspondence I have published how the European Parliament's Liberties, Justice and Home Affairs, LIBE, Committee conducted itself and failed to engage with the DPC in coming to the views it expressed in resolutions. I remind the committee that the European Parliament is a step removed from what this Parliament would be in terms of looking at what a national data protection authority would do. There is a particular onus on it to ensure its information is accurate, which did not occur. Let us put the criticisms from other EU data protection authorities in context. If we go back and look at the original proposal from the European Commission for a new regulation in 2012, we can see that the same data protection authorities that are criticising Ireland and the one-stop-shop were on record as rejecting the concept of the one-stop-shop and any role for the Commission in encroaching on regulatory roles that were the purview of national data protection authorities prior to that so it is no surprise there is a political element to the criticisms being made.

The Chairman raised the issue of parallel processes. The Chairman said that this was evidenced from some of the witnesses but, in fact, there is no evidence to support this in the way that has been suggested. One of the witnesses has called an aid a completely erroneous interpretation of the opinion of the Advocate General of the Court of Justice of the European Union from January of this year in a case called Facebook v. Belgium Privacy Commission. Advocate General Bobek did not criticise the Irish DPC or call it out for regulatory inertia. In fact, the Advocate General said that the GDPR, and its implementation and enforcement, is in its infancy and criticised those who were seeking to undermine it with speculation regarding under-enforcement of the GDPR. The references to that opinion are completely erroneous and do not give any indication that there is a sidestepping of the DPC.

Other issues that have been raised have been around the Italian regulator's urgency procedure in the case of TikTok. Again, this is not a case of sidestepping the Irish DPC. There has been engagement with the Italian regulator on this case, which relates to harmful content. It relates to a regulatory remit that the Italian regulator has that is not within the remit of the Irish DPC. I could go on but I realise the Chairman wants to let other people in to answer questions. There are layers of detail to all of these issues. A superficial skimming of the surface in terms of all of these criticisms, and I realise we will not have time to get into all of them this evening, is dangerous. It is very hard to get to the point where we can have a reasonable conversation, which the DPC is fully open to, where we can look critically at how to measure the effectiveness of regulation under the GDPR and eliminate this type of exaggeration we are hearing.

I have a second practical question. I have heard of methods, resources and technologies that could be used. In her presentation, the commissioner spoke about a principle-based approach and said that every case is unique. Might there be an opportunity to fast-track some of the more minor cases or more repetitive type of requests? Must there be human input in all cases? Could we have a rules engine? There is technology like TIBCO and Fair Isaac. There may be workflow software.

It is a slightly different point but working as a data protection lawyer at the time, pre-GDPR, there was a case file on the DPC website a couple of years ago. It was a case study hub. There was a distillation of principles, in the way common law does in other areas of law, so that the wheel was not always being reinvented. I am not saying the DPC does reinvent the wheel every time. To what extent is there an opportunity even for a preliminary opinion to be delivered by a process of codification? I think one of the statements said that the volume of cases dealt with last year was 10,000 and I think the commissioner alluded to more. What level of technology can be employed? Could there be some degree of codification with the right to review, etc., for those who want it to be escalated? I saw it myself under the pre-GDPR regime, although I appreciate the current regime is slightly different.

Ms Helen Dixon

It is interesting that the Chairman referenced the case studies because they are a particularly useful way to communicate with lots of controllers who are looking to understand how to comply. In our annual report this year, we published a range of new case studies. In addition to the case studies on our website, the Chairman might have seen that we have published all of the decisions we made under the 2018 Act, including the eight decisions so far in respect of which we have imposed fines. Regarding those cases, we are getting feedback from stakeholders that they find it particularly useful.

There has been significant conflation of the issues of complaint handling and enforcement. If one looks under the GDPR, one can see that complaint handling is a separate function and the only obligation on the DPC now is to handle a complaint to the extent appropriate. They are not necessarily the same thing. When I was referencing the fact that no two cases are the same, what I was really reflecting is that around those larger-scale enforcement cases, we are really having to go back to first principles. I think everyone on the committee knows that the most frequent complaint type the DPC receives year in, year out is a complaint about the exercise of the right of access. Each year, it represents at least 30% of the complaints we receive. It is probably the most important right that individuals seek to access. I am interested in the Chairman's ideas regarding ways to make it faster because we wish we could do so. In every case where an access request is made that a company refuses, or the individual perceives he or she has not received all the data, we cannot see any fast-track route to resolving that other than engaging in often iterative contact with the controller to ensure the data is finally released. It is worth thinking about and we would really like to talk about it further with the committee. It is not particularly obvious how technology could assist.

We will return to this topic because it is a core part of the committee's work programme and agenda.

My question is primarily for the commissioner.

I welcome the commissioner and acknowledge she has a very difficult position. I notice in the Data Protection Commission's annual report 2020 is referred to as being a platform or a stage for moving forward. I also acknowledge what the commissioner said today and I welcome that she said data protection is not an absolute right. Very often it is used by officialdom to stymie matters rather than to allow them to proceed. I welcome that attitude towards it.

I wish to ask Ms Dixon about the compilation of databases and whether it is legitimate for any organisation to take a number of publicly available and legitimate databases and consolidate them to create a super database that may be used to extrapolate other information from it. What rights are afforded to individuals to know essentially whether they are on that database, what information it has about them, what information it has extrapolated about them and what remedies are available to them in obtaining that information or any predictive scores or trends that might have been identified?

I think that question is directed to Ms Dixon. I ask questioners that if they are directing their questions to identify to whom they are directed. Ms Dixon might reply to that question.

Ms Helen Dixon

I thank the Senator for his interesting question. In a hypothetical scenario, it is difficult to imagine what legal basis any data controller would have to create a centralised database from varied sources without the knowledge of data subjects. The first question to be asked is what is the legal basis for the creation of the database - the procuring of it from other sources. Under Article 14 of the GDPR, if a data controller obtains data indirectly, not directly from the data subject, the data controller has an obligation as soon as possible thereafter to inform the data subject. Typically, that would be an obligation on the data controller.

Fred Logue Associates earlier also referenced Advocate General Bobek from a Rigas case from the Court of Justice of the European Union from 2016. That is a case where in his opinion the Advocate General said it was these data sets that were of primary importance and the primary purpose of data protection law, and the reason it is of primordial importance. I am not sure what is behind the hypothetical scenario the Senator presented but it would certainly be something that would be of interest to us, as a regulator, in terms of how it could be compliant.

Does the Chairman mind if I follow up briefly on that?

As the Senator did not get to speak in the first round of questions, I will indulge him in this round.

I am thinking of electoral registers that are legitimately available but there might also be copies of marked registers which show whether a person has voted, and they can go back a large number of years. Consolidating them compiles a great deal of information about the voters. Is it legitimate for that information to be brought together without the knowledge of those voters and perhaps for extrapolations to be made from that, including, for example, voter intent or predictive scores about how people might vote? Is there is a legitimacy to that and, if so, is there an obligation on the data controller to inform those persons on that register? What remedies are available to them in the event there may be a shortcoming in respect of data protection obligations?

Ms Dixon might like to answer that question and then I will move on to the next questioner.

Ms Helen Dixon

Again, one would have to trace through all the principles of the GDPR and examine the 2018 Act. Clearly, there is a very specific context, as the Senator referred to data collected and compiled for electoral activities. There is provision in the 2018 Act that allows for it, although it is not a free for all. First, one would have to check if that provision created a legal basis sufficient for what is taking place. Second, that provision does not eliminate, as the Senator said, the obligation on any controller to ensure transparency with respect to data subjects and to ensure those data subjects will be able to exercise all rights that may be relevant to them under the GDPR. It is not possible to give a definitive answer because the devil will be in the detail of how it is done. It is theoretically possible to legitimatise it. Equally, it is possible it would fail in actual implementation on every single one of the principles and, therefore, it would be important to step through it in the actual detail in order to answer the Senator's question definitively.

I thank Ms Dixon. I will move on to Deputy Costello.

I thank the witnesses in this session. This is a highly complex issue. As our time is limited, I will quickly put my questions. It is important we critically examine and review these issues. Hopefully, as the Chairman and the commissioner, Ms Dixon, said, this will be the first of several conversations we will have. It would be good to invite the commissioner to come before the committee again as soon as possible to discuss some of these issues. As Ms Dixon said, there are some policy measures could that change. We have heard talk of the need for a multi-stakeholder consultation to help develop clear processes. We have also heard talk from the witnesses of an independent review of the commission, how it operates and of its procedures and investigations. Under those, we could also consider the number of commissioners. Perhaps one commissioner could split off to examine the day-to-day administrative work, one might have a slightly more specialist role and a chair could help review the policies and procedures.

Is an independent review or a multi-stakeholder engagement something the commissioner would be happy to engage in or to have set up? What is her view on having additional commissioners to help her do the job and deliver on these complex tasks?

Those questions were directed to Ms Dixon and she might like to respond to them.

Ms Helen Dixon

I thank the Deputy for his questions. The first issue he raised is that of an independent review of the DPC, although he also mentioned a multi-stakeholder forum. I am not sure if that was raised as being one and the same. I would make a few points about having an independent review, quite apart from the various levels of scrutiny the DPC is under in terms of reviews of its decisions by the courts, the presentation of its annual report, which is laid before the Houses of the Oireachtas every year, and the governance scrutiny under which it operates with internal audits, the role of the Comptroller and Auditor General and so on. An important point to mention is that we have rolled out a further iteration of our consultation on our strategy as a regulator, our enforcement and our regulatory strategy. Stakeholders may wish to be aware we published that next iteration last week. We would be very happy to receive inputs, comments, critiques and ideas regarding that regulatory strategy, which will serve as a forum of review and reflection for the DPC.

An independent review of the DPC is something this committee may wish to form its own views on. I would suggest, in line with my earlier comments, it is very important that if a review was set up that it would seek to do more than skim the surface. It would have to engage with the idea of correctly and comprehensively measuring the effectiveness of regulation and enforcement to the extent that it would have to engage with the European element of the role the DPC has and it would need to have the capability to do that. In setting it up, there would probably need to be a consultation with the European Commission on it.

Given the very particular independence of an authority like the DPC and the role we have in regulating personal data processing by Government, there might be question marks over the Government establishing an independent review, lest it should be considered that it was trying to stymie enforcement actions against itself and so on. We are always open to the idea of review and the input of ideas but it would need some consideration. I am not sure exactly what the committee is considering when that question is put to me.

In terms of three commissioners, it is quite correct that section 15 of the 2018 Act future-proofed itself by providing for additional commissioners. In the experience of the DPC to date, that is not where any bottlenecks have occurred. Albeit almost three years have now passed, but we are in the earlier stages of the GDPR with a broad base of newly-opened investigations under the 2018 Act, not all of which have progressed to decision-making stage at this point. The appointment of additional commissioners is a matter for the Government.

I have many questions but not much time. Many people have talked about what needs to change and happen around the funding issue. The DPC was allocated €19.1 million in the budget when the commission was looking for much more than that. Given the importance of the office, I find it unacceptable that the allocated funding was approximately half the amount requested. What shortfalls happen in the absence of that funding? What does not get done because of those funding challenges?

I will add my voice to that question. This committee reviews the Estimates and the voted spend for Ms Dixon's office, and I asked a similar question at the Estimates review earlier this year. It is a matter that is of great interest to the committee.

Ms Helen Dixon

The DPC has stated that its funding needs to continue to increase and acknowledges the incremental increases in its funding over the past five years. Given the scale of the challenges the committee has heard so much about, there is no doubt that we need to continue and increase the funding of the commission. In fact, looking back at the budget we have been granted over the past couple of years, we have generally been granted close to what we required on the pay side of the budget. We have not had to forgo any recruitment. Particularly in light of challenges that we faced in recruiting last year and slower than expected recruitment because of the need to move testing and interviewing processes remotely, we did not use up our full budget. We have managed to continue to recruit as much as we can each year within our pay budget. On the issue of recruitment of staff, the Senator will have seen in the pre-budget submission we made that the real issue is around getting sanction at the grades and salary levels we need for the specialists we require at the DPC and at senior grades who would report directly to me, as commissioner.

There has been a bigger gap in the funding we have been granted for non-pay-related functions. The types of things we have ended up forgoing, and which were forgone anyway because of circumstances, relate to the office space the DPC has been seeking to procure for years. We had hoped to move all our Dublin-based staff into a new Dublin headquarters. That has not happened because, despite the Office of Public Works, OPW, identifying a suitable new building off Baggot Street to house the DPC, the Department of Public Expenditure and Reform declined sanction for it. As a result, we did not require all of the non-pay expenditure that was allocated in that direction.

Our funding does need to increase. We also need to increase our capability to recruit staff at the grades and levels we need in order for us to do more with our non-pay budget. We have drawn up a large tender that will be published shortly, work on which started last year because it is a big project. It is a request for tenders from multiple suppliers to supply advice across a range of technologies and Internet technologies, and to conduct forensic testing on behalf of the DPC related to some of our Internet investigations. We do not have the types of resources and expertise needed to draw up that large tender document, nor can we recruit staff to do it, as a result of which things take longer and we spend less on the technology advice we need to procure. Those are the types of budget issues we are facing.

That point is taken. I will jump to Senator Malcolm Byrne. I remind members of the time limits, particularly for those who have spoken. There are two members offering who have not been in and they may get a little more latitude. Senator Byrne has spoken and now has a second bite of the cherry.

I will be direct in my questioning. This dialogue is important. I will ask a question following on from that asked by Senator Ruane. Ms Dixon might outline the particular skill shortages and levels of staff shortages. Are there particular commercial or regulatory lawyers or specialists in particular areas of technology on the skills side that are missing?

I also have a more general question about the decision-making process within the DPC for Ms Dixon and Dr. Ryan to consider. I read the annual reports of the DPC and one of the issues I observed in 2019, for instance, was that the top four organisations against which complaints relating to data breaches and privacy had been made were the pillar banks. I wrote to Ms Dixon's office at the time and suggested that her office should consider an inquiry, of its own volition, into the area of banking, breaches of data privacy and the whole area of data protection in the banking space. This also relates to Dr. Ryan's point on real-time bidding and the complaint he made which, in my view, is a particular important issue, looking from the outside. I would like to hear from Ms Dixon and Dr. Ryan about what they think the decision-making process should be with regard to the prioritisation of particular complaints. Why should the real-time bidding complaints take priority over others? I suggest an own-volition inquiry into banking. How are those decisions made?

Dr. Johnny Ryan

I thank the Senator. In the early days of the GDPR, our DPC and its staff very often used the refrain that the GDPR is risk-based. The idea there is a sensible one, that is, that the things that cause the most risk and the deepest harms to the most people deserve the most scrutiny. However, those things are hard to do and it is easier to go after the small fry. That is a problem. It is why we need independent consideration of how to fix this problem.

One thing I have noticed at this hearing is that our colleagues at the DPC will, it seems, reject any criticism as unfounded. Criticism is political if it comes from another authority. It is tied to stories about tax and so forth, even though it was not. It is improper if it comes from the European Parliament. If an Advocate General of the European Court of Justice has opined about "persistent administrative inertia" of Facebook's lead authority, which is the DPC, that criticism is also rejected, contrary to fact. We are all concerned that fundamental rights are hanging in the balance and the real hazard that we slide towards a dystopia. We must engage with these matters. The Senator is asking a question that appears to need an independent look.

I am glad that Dr. Ryan had an opportunity to come in. His contribution is valuable and he has not answered many questions, as the session has fallen. Ms Dixon is also welcome to reply.

Ms Helen Dixon

I thank the Senator for the question. I note the ICCL continues to repeat something completely erroneous. It is not just an erroneous interpretation. I am not sure whether there is a misunderstanding on the part of the ICCL. I am happy to submit to the committee a summary of the Advocate General Bobek opinion.

I believe when it sees it the committee will be satisfied it does not say what the Irish Council for Civil Liberties, ICCL, suggests and it does not make any criticism of the Irish Data Protection Commission, DPC.

I notice a number of the comments I made earlier have also been mischaracterised, but let me get on with answering Senator Malcolm Byrne's question. He asked about the kind of skills they are lacking. In large part the issues relate to the ability to retain the skills we have brought in. We have brought in top-class litigators. We cannot pay them at market rates, so if we cannot hope to pay them at market rates or anywhere near a reasonable rate and position them at a grade where we can retain them, we will lose them. The issues are around that ability to pitch recruitment at a level where we will attract the right type of candidates.

Regarding technologists, it is difficult also because we will never have technologists who know all about every type of technology. As we know, all of the platforms are proprietary and you would have to work in them to know everything about them. That is why we are satisfied the route we are going down in terms of the request to publish for the multiple supplier framework is the right route to address that as well as bringing in sufficient in-house staff to know the right questions to ask but also to know when we need outside assistance and the form of outside assistance we need.

The Senator asked a question about banking. We have engaged with him on this question previously and we know he understands that, the way enforcement is set up under the GDPR, we have to enforce against named cohorts and therefore we cannot do an investigation per se of the sector. We could certainly audit big players in the sector and then conduct individual investigations in respect of each. It is actually an area where we have a particular focus on an ongoing basis because of the quantities of breaches reported with which we engage. We have two statutory inquiries open currently with regard to individual banks. We have made a number of decisions in individual cases for which we will publish the case studies regarding banks.

The Senator's real question was about how we decide the priorities. Why might we decide to focus on banking? Why would we decide that RTB is important? I go back to the publication of the DPC strategy that is open now for consultation. We welcome all stakeholders' views on this issue of prioritisation, but in general we look at the types of harms that may be at issue. We look at the number of affected data sets. Those are the two primary considerations when we consider where to deploy what will always be resources that are much more scarce than the issues we are facing.

I thank Ms Dixon. I will move rapidly through the remaining speakers. Deputies Kenny, Carroll MacNeill and Pringle are the remaining questioners. We are over time at this point and to be fair to staff and the supporting person at the committee also I do not want to detain us any longer than is necessary. I call Deputy Kenny to put his points. I will then call Deputy Carroll MacNeill and Deputy Pringle will conclude our session.

I thank both witnesses. There seems to be an issue of resources. Despite what Ms Dixon is saying, the issue is we have so many genuine complaints from people that their issues are not being dealt with, the DPC is taking a very long time to respond to people, and it is taking a very long time for any progress to be made. To say there is no issue with resources or whatever is not correct. Covid-19 may be having some impact on it. I do not know. Perhaps this year is different but it seems to be an issue that is ongoing from previous years. If the workload is increasing, that needs to be spelled out and Ms Dixon should say it is increasing. If, as she said, she has difficulty sometimes trying to recruit more people, that suggests either she expects the workload to increase or she has recognised there is a problem and she needs more staff to make the situation more efficient. All of us would support that.

We need to get these issues resolved because all the elected representatives here have come across various situations where members of the public have complained about the way they are being dealt with, particularly the length of time it is taking, and that they are not getting the kind of response they would have expected to get. There must be a level of acceptance that we need to be working together. If somebody says there is something wrong or points out a problem, it is not healthy to get defensive about it immediately because there is a problem. We can all see that and that needs to be recognised. That is my first point. I am not making it to be accusatory or difficult but it needs to be said.

The other issue is one that was very much in the headlines in recent months and concerned many people who were suffering major trauma. I refer to the issue of the mother and baby homes, how the records were going to be sealed and the issues around that. There was a need for clarity as to whether the sealing of records in those cases would have been a breach of legislation, especially EU legislation. I would like to get both witnesses' view on that. I will leave it at that as time is short.

I appreciate that. The Deputy asked two questions and I ask both witnesses to respond to each of them. Ms Dixon might like to start.

Ms Helen Dixon

I thank Deputy Kenny. He raised a number of particularly important questions that I wanted to circle back on to address. In terms of some of the inaccuracies about what has been presented, I do not think I would be doing my job if I did not inform the committee there are significant inaccuracies. It is not a question of not accepting criticism or that there is a problem. The DPC is entirely open to the idea that improvements have to be made.

There are a couple of comments to make about complaints. One is that under the previous regime in Ireland, almost uniquely in Europe, under section 10 of the Acts, the DPC had an obligation to investigate every complaint and to produce a decision if the complainant so required. There was a particular backlog, therefore, once the GDPR commenced, that had to be worked through where we did not get to apply a risk-based approach or an examination of the extent appropriate. We were obliged to conduct an investigation. That is one comment to make.

It is important to say that 60% of the complaints we receive in any calendar year are resolved in that same calendar year. Some of the points raised before the committee this evening regarding complaints are not obligations of the DPC under the GDPR. I am aware that gives rise to dissatisfaction, and some of the dissatisfaction members have heard from their constituents may relate to that. However, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint. We are obliged to seek to resolve it amicably and then otherwise produce an outcome, which may not be a decision. We heard that Logue Associates would prefer if there was a decision in each case and requests that there would be, especially because he says individuals may want to seek compensation, but that is not an area within the remit of the DPC.

Regarding the issue of mother and baby homes and the sealing of the records, that was clearly a very complex matter because the legislation that gave rise to the commission of investigation derived from 2004 and was pre the EU Charter of Fundamental Rights coming into legal force and pre the GDPR. Later on, issues arose in terms of the application to the GDPR and the rights of individuals to the processes that had been laid down. The DPC is on record as saying a blanket sealing of the records was not justified and that individuals had rights of access. That is the position now where the archive has transferred to the Minister for Children, Equality, Disability, Integration and Youth and that Department is giving effect to the rights of individuals.

I thank Ms Dixon. Does Dr. Ryan want to comment on those two points?

Dr. Johnny Ryan

Yes, briefly. I thank Deputy Kenny for the statement and question. As happened many times in the past, the ICCL has been supportive of the DPC. It was strongly supportive in the case of the public services card and so on.

My colleagues, who were very active on the mother and baby homes issue, were supportive of the DPC's action in that particular case also.

I thank Dr. Ryan and appreciate his brevity.

I have one observation on the back and forth between the commissioner and the other witness. I appreciate all of the different perspectives but there is an unusual tension. It is very obvious to see. Having watched some of these interactions with public bodies for some time at this stage, I am aware it is never as straightforward as observers may sometimes try to say it is. I am a little concerned about the tension and the dynamics going on here. Even just checking the decision referred to by Dr. Ryan, and he referred to paragraphs 114 and 135, and while I appreciate Dr. Ryan and the commissioner are deeply involved in this and work on it every day and that I do not, my reading of this, however, is that it is not the same criticism of the Data Protection Commission that Dr. Ryan attests. I am very happy to take more detailed submissions on these different points but I just want to strike a note of caution on this.

Dr. Johnny Ryan

May I respond on that? We might just get the full-----

I will let Dr. Ryan make the point.

Dr. Johnny Ryan

The committee does not need to take my word for it-----

I am reading it here in front of me.

Before we go back to-----

I am reading it there and I am happy to take more on it. The witness has had ample opportunity to-----

Before we go back to Dr. Ryan I am mindful of the time and I want to take the question or questions, and then move on. If there is a second question let us have it.

The question relates to the Data Protection Commission. I am coming to it from the perspective of constituents and from consumers who find all of this very difficult. They are, in large part, aware of the general rules but not necessarily what they cover, how to access them and so on. This includes the Article 5 rules for data being stored only for as long as necessary, or the big differences between buying something and getting data. A person who buys a barbecue online, for example, may give his or her data for that purpose but there is an end point to that transaction. There are, however, other things that may be more open ended. Article 6 is around the legality of collecting and processing personal data and the question of consent being specific and unambiguous. It is very much a proactive consent, as far as I understand. Article 17 is the right of erasure, if that is the correct term, or the right to be forgotten. I am concerned about the burden placed on citizens to be aware of their rights in relation to this and the burden placed on them around finding out about who is the right point of contact, about providing identification required to the data being held, about seeking rationale for the retention of the data, and about challenging the rationale or obtaining help. It is very difficult, especially if people do not know that the data are held about them. To what extent can more be done proactively to help consumers and citizens be aware of how to navigate the process?

Dr. Ryan was about to respond to the first point. Does the Deputy have a preference for who should respond to her second point?

The commissioner, please.

Very good. I know Dr. Ryan wanted to come in on the first point and we will then ask the commissioner to respond on the broader point about support for consumers.

Dr. Johnny Ryan

If the Deputy will allow me I will also say a word on the second point. Unfortunately, a decision was made in the implementing law not to allow NGOs to represent large bodies of people and proactively act on their behalf. That is a real pity. In the medium term we should definitely look at that again.

On the first point, I was saying not to take my word for it. I was going to say to take Helen Dixon's counterpart's word for it. That court case arose because of a case taken by Willem Debeuckelaere. Until last year Mr. Debeuckelaere was the commissioner for the Belgian Data Protection Authority and wanted to act against Facebook. There is a quote from him on page 8 of my written submission, which is an extensive quotation that might put it into context. Representing bodies of people is essential.

There is some disagreement between witnesses on different statements that have been made, or different views from abroad or from other fora that were touched on in submissions. As a committee we must deal with what is out there. While there are differences, perceptions can sometimes be stronger and they can have consequences also. It is important to deal with facts but it is also important to address issues that arise. The commissioner is attempting to do that, but perhaps as part of the body of work to be done there is a bit of marketing to be done too if this is the case. We do need to address those issues in every sense and that includes in the court of public opinion.

I will say to all witnesses, including the two witnesses in session with us now and those from earlier, that if there are other points that have not been addressed in the oral exchanges this evening, if there are other points the witnesses wish to make that have not been covered tonight or they feel could be covered in more detail, or if they want to reply to a particular point that was made, they are more than welcome to submit written submissions to the clerk of the committee for circulation to the committee members. That option is there and I would advise the witnesses to take it up. I would certainly find it useful to consider some of those points.

I now ask the commissioner to come in on the second question, and I will then move on to Deputy Pringle for the final question of the evening because we have gone over time.

Ms Helen Dixon

I thank Deputy MacNeill for her question. It is very much acknowledged that the burden placed on individual data subjects to understand their rights and to know how to exercise them is considerable. There is a whole body of academics now who say the very central concept of the GDPR of giving the data subject back control such as control to exercise rights and control to decide whether they consent actually results in putting an unsustainable burden on them. That is, nonetheless, the central purpose of the law. Aside from the Data Protection Commission publishing more and more guidance on how individuals can exercise their rights, I believe the much more important thing we can do is to guide controllers to be compliant and transparent, and as helpful as possible to the public in explaining how data are processed. We see time and again that poor communication leads to a lot of the issues between controllers and data subjects.

It is also important to mention the new role under the GDPR of the data protection officer that must be appointed by public sector bodies and which many private sector organisations are also obliged to appoint. The DPO officer's role, or that of the office, is to act as an important link between members of the public, the individual and the organisation, and to make all of this simpler. The DPO helps the person to exercise his or her rights. A big focus and a priority for the Data Protection Commission is to support this new role of DPO and to teach DPOs how they can be more effective in supporting individuals.

We will now go to Deputy Pringle for the final exchange of the evening. Deputy Pringle gets to have the last word, certainly among the members.

I thank the Chairman and hope I will be brief. It is unusual for me to be at a meeting where a body has got such negative responses and submissions compared with previous ones. To my mind this is a sign there must be something wrong with it. For Ms Dixon to come in and give the committee such a strident defence of it shows there is something wrong with how the system is working across the board. I take on board, however, what Ms Dixon has said on the figures given by the earlier contributors, and that they could be misplaced.

I was looking at the executive summary of the commission's annual report. It says "Over 60% (2,186) of complaints lodged with the DPC in 2020 were concluded". The number of complaints received by the DPC was 4,660. This only works out at 46% and I wonder where this discrepancy comes from. Maybe I am reading it wrong or not reading it right. There is an anomaly there in the DPC's own figures that I can see. It is difficult to see where that arises from.

Perhaps Ms Dixon could address that.

One of the previous contributors spoke about the ways of addressing some of the problems. I take from what Ms Dixon said that she does not accept there are any problems. It was said that the Department has the power to make regulations, that under the data Act the conditions could be clarified or that Ms Dixon, as commissioner, could an hold a briefing for representative bodies and interested people and outline how she deals with complaints and things like that.

How does the commissioner view those issues - issues of clarification and clarifying the role for everybody - because to my mind, and I am no expert on this and I come to it relatively cold, there does appears to be a problem. Whether that problem is totally one way or the other, which is not usually the case, there appears to be a problem.

Ms Helen Dixon

That is an interesting observation. I agree with Deputy Pringle that if everyone is making a complaint, and the same complaint, then there has to be an issue. I think I am on record several times this evening as saying that we acknowledge improvements are necessary around processes and the issue of delay. That is accepted and I think those improvements will happen. We have already started to initiate them.

Given the fact there are significant criticism this evening, I would say that, in line with what I said earlier, as a regulator, we are uniquely positioned at the centre of an enormous range of stakeholders. I know this committee was limited in its time in terms of how many hearings it could conduct on GDPR and when it could conduct them but there is a whole range of data protection practitioners, academics and others who the committee is not hearing from this evening. I am not sure whether members would hear the same perspectives or imbalanced set of views. In fact, there could be a broader set of hearings possible at this time.

In regard to the statistics, I will look up the figures the Deputy referenced - the calculation of the percentages - and we will submit a written note clarifying what he thinks may be a miscalculation on our part. If I understood the Deputy's last question correctly, he asked whether I should conduct oral hearings as part of complaint handling. Did I understand that correctly?

Three options were given by the earlier contributors about how things could be improved. One was that the Minister had the power to make regulations that would speed up the process or that the data Act could be amended to clarify conditions in terms of speeding up the process. Another option was that the Data Protection Commissioner could hold briefings for interested parties in how complaints could be dealt with and so on that might clarify some of the issues as well. I wonder what Ms Dixon's views are on that.

Ms Helen Dixon

I beg the Deputy's pardon. I understand fully his question now. As I mentioned earlier, we have put out our strategy for consultation. That will be one way we will hear views on these issues of the conduct of complaints. We have already taken on board the suggestion by Fred Logue and Associates on publishing details of our processes and we plan to do that shortly. In regard to the making of regulations, we will certainly give that consideration. We could codify what we publish as our processes in regulations, if that would give greater legal certainty. We are certainly listening to all the feedback in regard to processes.

That concludes our engagement with witnesses this evening. I thank all of them for a very comprehensive engagement. It was quite a detailed exchange but at the same time it felt like we only skimmed the surface. This is an issue which is fundamental to the Department and very close to the interests of this committee as well. I am sure we will return to these issues on subsequent occasions over the lifetime of this committee.

I thank Dr. Ryan, Ms Dixon, Mr. Schrems and Dr. Logue for their helpful and specific exchanges. I reiterate to all the witnesses who took part that if there are points that need to be clarified, supplemented or added to, they should feel free to send them in writing to the clerk for circulation to the committee. We will consider them as part of our later deliberations and reviews. That concludes the witness-engagement part of the meeting. I also thank our staff because we ran over time. I thank them for their patience and perseverance in supporting us through that.

I will move on to some housekeeping matters. I propose we publish all opening statements on the committee website. Is that agreed to? Agreed. That concludes our formal business. All housekeeping matters and comments have been deferred to our next joint meeting. As there is no other business, this meeting of the joint committee is adjourned sine die.

The joint committee adjourned at 8.46 p.m. sine die.