Oireachtas Joint and Select Committees

Wednesday, 14 June 2017

Joint Oireachtas Committee on Justice, Defence and Equality

General Scheme of Data Protection Bill 2017: Discussion

10:00 am

Ms Helen Dixon:

I thank the Chair and the committee for this opportunity to engage in relation to the published general scheme of the Data Protection Bill 2017. As indicated by the Chair, I am joined this morning by two deputy commissioners from the Data Protection Commission, DPC. These are John O’Dwyer, who heads up the investigations function, and Anna Morgan, who heads our legal advisory function. I do not intend to read out the full written opening statement that I submitted to the committee but rather to briefly highlight for the committee the key issues that were presented in that statement. I trust that is in order for the committee.

This committee will be aware that data protection law is now being subject to a once in a generation overhaul and modernisation. In a recent opinion of the Advocate General, Mr. Bobek, at the Court of Justice of the European Union, he pointed out that there is no doubt that the protection of personal data is of primordial importance in the digital age and he went on to reflect the main concern of personal data protection, for which it has been originally introduced and must be vigorously protected: large-scale processing of personal data by mechanical, digital means, in all its varieties, such as the compiling, administration, and the use of large datasets, passing on of datasets for purposes other than legitimate ones, assembling and harvesting of metadata, and so on.

Since the existing data protection directive was implemented in the EU in 1995, every organisation has now essentially become a technology organisation and a digital data organisation, not to mention the growth of the true born-on-the-Internet companies. Every Department typically has a website and a range of databases. Almost any corner shop operates a till and processes credit card payments electronically, for example. The laws, therefore, required updating to allow for the scale of technology developments and to cover the important case law that has issued in recent years from the CJEU interpreting the fundamental right in Article 8 of the EU charter to have one's personal data protected.

In rendering the law fit for today's purposes and in seeking to ensure innovation is not stifled but happens in a way that respects fundamental rights, the EU is also overhauling the role of data protection authorities under the law, in particular, applying a much harder enforcement and sanctioning edge to our role. Europe's law makers have taken the view that infringements of data protection law are a serious matter and are demanding more accountability and transparency from every organisation that processes personal data, backed up by strong ex post enforcement by data protection regulators.

As the Department of Justice and Equality outlined this morning, the structure of the new laws that will apply in Ireland from May 2018 will be in the following form. The committee has received copies of the direct effect General Data Protection Regulation, GDPR, text from us yesterday. This forms the substance of the new data protection law in Ireland from May 2018 and it is intended to be implemented as one harmonised law across the European Union, EU. In addition to the direct effect GDPR text, there will be an Irish data protection Act, and that is the subject of our discussions today. It will implement a limited number of measures to give further effect to some of the provisions in the GDPR and transposes, as we heard, the law enforcement directive that will come into effect in May 2018. In due course, we will also have a new e-privacy regulation that will apply with direct effect and it will govern confidentiality of communications and e-marketing.

In general terms, the Data Protection Commissioner, DPC, welcomes the new legal regime for data protection law and the important additions to our tool kit as an enforcer. It is undoubtedly the case there will be investigations where a punitive fine is warranted in order to deter organisations from failing to invest in compliance and to deter them from creating risks for consumers and individuals. As a supervisory authority, we occupy a unique position in Europe in that our supervision remit covers the largest global Internet companies that have their European bases here in Ireland. As a result of the platform types they represent and the volume of users they service at a scale of hundreds of millions, a comprehensive tool kit as an enforcer is a necessity. The DPC is extremely pleased that Ireland is now one of the first countries in Europe to publish heads of a Bill to underpin the GDPR. It facilitates greater planning by organisations preparing for the GDPR to have some insight into how the new Irish Act underpinning the GDPR may be structured. However, there are three key areas to which we want to bring the committee's particular attention.

The first is the matter raised earlier by the Department of Justice and Equality relating to the retention of portions of the existing data protection legislation. As was noted earlier, it is intended that when the GDPR comes into direct effect in May 2018, the existing EU 1995 directive will be repealed in its entirety, reflecting the fact that the GDPR is intended to represent a clean slate, establishing a single legal instrument in which data protection rules and principles will be set out. However, as we heard from the Department of Justice and Equality, there is no guarantee presented in the heads of Bill that were published that the existing Irish Data Protection Acts from 1988 and 2003 will be repealed. We consider that their retention runs the risk of creating legal uncertainty in terms of precisely which provisions of the law will apply and in what circumstances post-May 2018, let alone considering how inaccessible for those seeking to comply with the law such an arrangement would be. In addition, a patchwork presentation of the new Irish law in the form of a 2018 amendment Act rather than a completely new stand-alone Act does not create the impression of a new, modernised regime.

Further, given the Irish DPC's obligations under the GDPR to co-operate in law with other European data protection authorities, a patchwork presentation would undermine confidence in Ireland's ability to regulate the multinationals located here. The Irish DPC is of the view that if the pieces of the 1988 and 2003 Acts to be retained are capable of identification, it must be possible to fully repeal those Acts and rewrite the small number of provisions that require retention into a new stand-alone Bill.

The second matter we wanted to raise relates to administrative fines for public authorities and bodies. It is a serious matter of concern for the DPC under the general scheme, which relates to head 23, that it is proposed that administrative fines would not be imposed on public bodies and authorities. The purpose of the punitive fines provided for in the new law is to act as a deterrent to all types of organisations, and we see no basis upon which public authorities would be excluded, particularly given that arguably higher standards in the protection of fundamental rights are demanded of those entities. Additionally, the workload proposed for the DPC in making assessments of whether public bodies are engaged in activities that would compete with equivalent private sector bodies takes us away from our substantive role in data protection terms.

The final issue we wanted to bring to the attention of the committee relates to the handling of complaints from individuals under the GDPR, which introduces changes in the manner in which the DPC must deal with complaints from individuals concerning alleged infringements of their data protection rights. Under the Data Protection Acts from 1988 and 2003, an individual has the statutory right to seek a decision or determination from the Data Protection Commission in all complaints or cases where a complaint has been made to the DPC about a data controller or processor where the complaint could be amicably resolved. The GDPR takes a broader approach, envisaging outcomes to complaints other than formal decisions. For example, it envisages the provision of guidance or information to the complainant to self-resolve a complaint. Reflecting this approach, the GDPR provides that an individual has the right to lodge a complaint with the relevant supervisory authority under Article 77 to have the complaint handled and be informed within three months on the progress or outcome of the complaint. It is also important to note in this context that the supervisory authority is required to investigate a complaint to the extent appropriate. Our aim in these circumstances will be to ensure our resources are deployed in a way that maximises them and pursues investigations in the areas of the most grave and enduring infringements on an objective and priority basis.

I thank the Chairman and members of the committee for their attention and we look forward to answering any questions the committee might have.
