I thank the joint committee for inviting me to address it on the data protection package being negotiated at EU level. Members have already heard from the Minister for Justice and Equality, Deputy Alan Shatter, on the main features of the legislative package and the considerable progress achieved by him and his officials during the Irish Presidency of the Council of Ministers. Whether this progress will be sufficient to have the proposals approved by the Council and the European Parliament in advance of next year's European elections remains uncertain.
Data protection has become an increasingly important issue in the European Union following the entry into force of the Lisbon treaty. The draft regulation, as put forward by the Commission, reflects the increased importance in a number of ways. It accepts that the core principles set out in the 1995 data protection directive remain sound but need to be strengthened and updated in order to better protect the individual right to data protection and make clear to organisations the heavy obligations they take on when they gather and possess the personal information of individuals.
The regulation also addresses the importance of uniform application of the law within the European Union, not least in order to ensure the free movement of data. The individual right to protection of personal data that each of us enjoys is rightly at the heart of the Commission's proposals. Regarding the somewhat bewildering online world, the regulation insists on the need for much greater transparency about what information is being collected from us and how it is being used. As is appropriate for what is now a fundamental individual right, the proposals aim to give each of us greater control over what happens to our data and the related rights to have the minimum data collected, to have access to our data and to have it corrected, if necessary.
Let me turn to issues of direct relevance to data protection authorities such as mine. The proposed one-stop shop for multinational companies, be they European or non-European, is the subject of significant discussion. The idea of having a single regulator responsible for oversight of a multinational company is obviously attractive for companies. Our experience of dealing with multinational companies here suggests it makes sense for a regulator to become very familiar with the business of a particular company, knowing its data protection policies inside out and ensuring these are in compliance with the law. If the concept is to be acceptable, it is essential that all data protection authorities be willing to rely on the relevant data protection authority to vindicate the rights of all EU citizens, not just those of its own member state.
For this, it will be essential that the proposed “consistency mechanism” work as intended to ensure uniform application of the law.
This issue is of particular importance to us in Ireland for two reasons. First, many companies providing services for Irish residents, for example, telecommunications and banking services, are European multinationals based in other EU member states. Under the proposed regulation, oversight of their data protection practices would in future be primarily the responsibility of the data protection authority where they have their main establishment. Second, many non-EU multinationals, especially US multinationals, have chosen Ireland as a base from which to provide services throughout the European Union. Under the proposed regulation, oversight of their data processing activities would mainly be the responsibility of our office.
It will be essential that data protection authorities have the resources necessary to carry out their broader European oversight responsibilities. This is a key issue for us owing to the large number of multinational companies handling personal data that have substantial operations in Ireland. The Minister for Justice and Equality, Deputy Alan Shatter, has responded by providing additional staff and funding for our office and given a commitment to keep the resourcing of the office actively under review to ensure additional necessary resources will be made available.
I am sure companies will welcome the removal of most routine notification or registration requirements. This is in exchange for a very strong focus on the responsibility placed on organisations to show to customers and regulators that they are willing to be accountable and demonstrate this through privacy impact assessments, a privacy by design approach, allocating sufficient resources to deal with privacy issues and notifying data breaches when they occur.
It has long been a complaint from those concerned with data protection that data protection authorities do not have the teeth to enforce the rights of individuals. It has often been put to me that when cold commercial decisions have to be made on issues such as marketing, the bottom line question is what it is going to cost companies if they do not comply. The answer - €1 million or 2% of worldwide turnover - should cause even the most hardened CEO to have second thoughts about taking risks in this area.
It is important, of course, that such powers be used sparingly so as not to discourage organisations from seeking guidance from data protection authorities. In our office we always make it clear that we prefer to help companies to comply rather than have to deal with the consequences of non-compliance. For the same reason, we have always asked that we be consulted on new laws in order that we can ensure due account is taken of data protection when issues such as data sharing are being considered. While I am sure companies will be happy with the less prescriptive approach taken in relation to advance notification of processing, they will need to realise that this shifts responsibility squarely onto them, which is where it properly lies. The regulation is clear that failure to live up to these responsibilities will attract heavy penalties.
Of course, there are points that may need to be further clarified as the package goes through the legislative process. There has already been much debate, for example, on issues such as the definition of personal data and the restrictions on the use of consent. The issue of international transfers of personal data has also recently been to the fore.
I will now deal briefly with the draft directive dealing with law enforcement which is part of the legislative package. A harmonised set of basic rules applying to the activities of police forces across the European Union has much to commend it. We must also acknowledge that some exemptions from data protection requirements are necessary to permit the police to do its work in the public interest. This is already reflected in the exemptions granted to An Garda Síochána in our own data protection legislation which otherwise fully applies to the area of law enforcement. Getting data protection law right is important in order to give concrete expression to the right to protection of our personal data and to do so in a way that does not inhibit innovation in the rapidly changing Internet world in which we live.
I hope these comments are of assistance to the committee. I am very happy to answer questions members may have.