22 Jul 2021, 15.27
The Joint Committee on Justice, in a report launched today, Thursday 22 July, on the General Data Protection Regulation (GDPR) has put forward a series of recommendations to the Minister and to the Data Protection Commissioner based on stakeholder engagement held on the 27 April 2021.
The implementation of the General Data Protection Regulation (GDPR) in 2018 was seen as a landmark provision towards safeguarding the data protection and privacy rights of EU citizens.
Committee Cathaoirleach Deputy James Lawless said: “While the ‘bedding in’ period of the regulation has seen some challenges as companies and individuals adapt, the Joint Committee on Justice acknowledges the importance of upholding this provision to secure the fundamental rights of privacy for EU citizens. Thus, the examination of this topic was prioritised as part of its Work Programme for 2021.”
The Cathaoirleach added: “In reaching out to stakeholders to gain diverse perspectives on the implementation of GDPR in Ireland, the written submissions and witnesses provided the Committee with an insight into several areas for reform, where it appears that the current system, for a variety of reasons, fails to adequately support citizens that wish to pursue cases of data breaches. Among these key areas identified by the witnesses and Committee include the issue of delays in processing complaints of data breaches, the need to clarify procedural law used by the DPC when handling complaints and the need for better general enforcement of GDPR and more staff qualified in relevant areas of procedural and material law.
The Committee has made a number of recommendations for these areas and it is hoped that these will receive due consideration.
A copy of this report and recommendations will be sent to the Minister for Justice and the Committee looks forward to working proactively and productively with the Minister and with the DPC to address the issues identified regarding the implementation of the GDPR.
I would like to express my gratitude on behalf of the Committee to all the witnesses who attended our public hearing to give evidence and those who forwarded written submissions.”
Read the full committee report here.
The Joint Committee on Justice has 14 Members, nine from the Dáil and five from the Seanad. More information can be found on the dedicated Committee Webpage.
Notes to Editor:
The following recommendations were made by the Committee in relation to the topic:
1. The Committee recommends that the DPC move from emphasising guidance to emphasising enforcement as a matter of urgency, and that the Minister for Justice ensures the provision of whatever means may be necessary to support this. Otherwise, the Committee fears that not only will the fundamental rights of individuals remain imperilled, but the DPC will face a more emboldened and entrenched group of systematic infringers.
2. The Committee recommends that the DPC increases the use of its sanctioning powers under Article 58(2) of the GDPR, particularly orders stopping infringers from processing data, and dissuasive fines, to ensure effective implementation of GDPR and that it is not deterred from pursuing cases of data breaches due to the high litigation costs involved.
3. The Committee recommends that the DPC investigates the potential of implementing an indexing software package in an effort to streamline its complaints handling procedures, which could allow for repeat decisions to be made quickly and efficiently.
4. The Committee recommends that the DPC clarifies its written procedures and rules following multi-stakeholder hearings with fellow Data Protection Agencies (DPA) including a public consultation process with other stakeholders in the EU, so that feedback from them could be taken onboard regarding which procedures require more clarity.
5. It is recommended that the Data Protection Act 2018 be reviewed to ascertain if legislative amendments are necessary, and to consider codifying the published processes of the DPC as regulations.
6. The Committee recommends that the DPC should clarify its definitions regarding cases being ‘concluded’ or ‘resolved’ and consider using similar terms to those used in other European DPAs to avoid misinterpretation.