Oireachtas Joint and Select Committees
Wednesday, 14 June 2017
Joint Oireachtas Committee on Justice, Defence and Equality
General Scheme of Data Protection Bill 2017: Discussion
10:30 am
Ms Helen Dixon:
I will have to limit myself. It is full of challenges. Significant challenges with the new data protection regime relate to this issue that I mentioned of so-called cross-border processing of data, for example, processing of data by Internet multinationals located in Ireland, where the data of all Europeans is processed. In those cases, we will not be exercising our own exclusive competence. We are required to co-operate with other European data protection authorities and to keep them informed of investigations as we conduct them, and of the outcome, and to allow them to express views which we are required to take account of. It is a significant complication when one is trying to co-ordinate across such a range of data protection authorities with very different cultural backdrops to how they view data protection in general terms, but also how they view, for example, American corporations that target services at European users. We anticipate this is going to create a layer of complexity as we become involved in bringing decisions before the European Data Protection Board.
I did not mention earlier, because it is probably a level of complexity too far, that once the European Data Protection Board makes a decision there will be a further layer of complexity in how those decisions can be appealed, such as through annulment actions before the European Court of Justice. This is a very particular challenge. An ongoing challenge in data protection legislation is that it is high level and principles based, as will be future laws to a large extent. This is appropriate because the laws need to offer a level of flexibility to all of the various organisations to which they apply. We find there is a challenge, in particular for public sector bodies, in implementing principles-based legislation because it means they need to step back and conduct detailed analysis in every scenario that presents, in terms of processing personal data, looking at whether there is a statutory basis to collect and process it in the first place, whether it is meeting the legitimising conditions and whether it is meeting the transparency requirements to users, and then deciding whether all of this amounts to a lawful purpose. It is the challenge of encouraging organisations to conduct this analysis themselves rather than expecting a simple binary answer on whether they can do something or not.