Eamon Ryan (Dublin Bay South, Green Party) | Oireachtas source

I thank Ms Dixon very much for coming in. I have always had the highest regard for the Data Protection Commissioner. The commissioner has always carried out her work in the best traditions of the Irish public service and the Irish regulatory system, as did her predecessor. I agree very much with her comments that we have to follow guiding principles in terms of digital regulation and she mentioned processing to be fair and proportionate.

I am hoping that the commissioner will agree that one of the other principles that might apply is to be transparent, wherever possible. It is a good principle in terms of the management of data systems and the regulation of them. In that regard, I have 14 written questions that I want to give to the Data Protection Commissioner, not to have answered now but to receive written replies in the next day or two, if possible.

I have similar questions for the Facebook representative as I want to use this opportunity to put them in a written form, as I will not have time to ask the number of questions I have orally, so I will hand them out in a second.

Following on from the very first question the Chairman asked, can I ask about this issue of third party access to friends data, which was at the corner of the problem in the Cambridge Analytica scandal? As Ms Dixon says, this issue was originally raised by, among others, Maximilian Schrems in his complaint in 2011. He was very specific in raising concerns about the ability of Facebook to do exactly that in its system in Europe.

My understanding is that that process, where one has that audit in 2011 and 2012, the recommendation or the direction - I am not what word one would use - or the instruction to Facebook to stop that capability was very centre stage. It was not a peripheral issue; it was a very significant issue. In regard to that process, in terms of this audited approach, is it what the commissioner calls "an engaged regulatory process", where it is iterative and where, as the commissioner says, it engages with the company? I heard the commissioner's response earlier on but it beggars belief that having gone through that iterative process and having gone through two audit processes, which one presumes had reached a conclusion in terms of the contents of the audit having been discussed - it was not that Facebook was just presented with an audit without any engagement prior to that - that it resisted the implementation of that direction from the Data Protection Commissioner for 18 months.

They presented an audit without any prior engagement. Then for 18 months they resisted the implementation of that direction from the Data Protection Commissioner. The witness said taking a litigious route would have been difficult but the fact that the company ignored that recommendation, and the central points of Max Schrems' complaint and proceeded for that period, allowed Cambridge Analytica harvest the data which had not insignificant consequences for democratic systems elsewhere.

In the iterative process the witnesses have described did the Data Protection Commission ask Facebook for written confirmation that such data breaches were not occurring? When did it first become aware of the Cambridge Analytica case and what sanctions, if any, can it apply as a regulator with regard to what happened in that case? I heard the witnesses mention the fine when WhatsApp and Facebook were exchanging data despite Facebook's having made a commitment that would not be done. Is there not still an issue with, for example, WhatsApp, where my understanding is that my friends' data is being harvested for use by the company? It may not be, or at least I hope it is not, transferred to Facebook. Within the company, however, it is harvestable data. Do the witnesses think it appropriate that people's data and contact information, which sometimes can be quite extensive, can be used for commercial purposes without their consent? Is that fair and proportionate on that principle?

On the issue of data surveillance in foreign jurisdictions, and standing up for our country, Judge Gerard Hogan and the Irish court system deserve great credit for the way they have raised such issues with the European Court of Justice to defend the rights of European citizens. Judge Hogan's judgments were exemplary in grappling with incredibly complex and difficult issues. Is the witnesses' opinion that all Irish data is subject to surveillance by the UK Government Communications Headquarters, GCHQ, when it exits this country on a fibre network going through the UK? What implications are there in the recent judgments, or work of the Data Protection Commissioner in regard to surveillance of data in other jurisdictions outside the EU, that may apply post Brexit? Is the commission considering that and can it help to guide the committee because we are interested in the wider policy issues and what we should do about that?