Oireachtas Joint and Select Committees

Tuesday, 17 April 2018

Joint Oireachtas Committee on Communications, Climate Action and Environment

Influence of Social Media on Elections and Referenda: Discussion

2:00 pm

Alice-Mary Higgins (Independent)

While the timeline in the presentation begins in 2016, the timeline in Cambridge Analytica begins in 2011. The witnesses have spoken of their concerns about litigation but there is an option between recommendation and litigation, which is an enforcement notice.

The Office of the Data Protection Commissioner has the power under section 10 to issue enforcement notices. Is it not the case that, if it were to have made use of that kind of enforcement notice in 2011 and 2012, the Cambridge Analytica breach might not have happened in 2013? Perhaps Ms Dixon could clarify also the question of how many enforcement notices the office has issued against State bodies or private companies? This is a robust existing power that does not require litigation and which can be used. It is a concern that there would be unwillingness, if there is that lead supervisory role, to use enforcement orders. For example, an issue which has come up a few times here is the question of privacy by default. I have been concerned that there is quite a lot of language about switching off settings. Can Ms Dixon confirm, for example, that we must have all privacy settings at the highest level and there must always be a situation of switching on an agreement to any action that shares data, rather than switching off the taking of data, which is a very important distinction? Again, there is a question of enforcement in that regard.

I was a little concerned at some of the language around Cambridge Analytica and the idea we are still waiting for hard evidence of it influencing political outcomes. Leaving aside the fact we have the vast commercial infrastructure that is based on micro-targeted advertising as evidence that it is clearly seen as having an effect - indeed, that is the main product offered by many of the commercial platforms - and leaving aside the fact we have long-established regulation in regard to electoral advertising because it has been identified as an area that needs regulation, so it would be extraordinary if we were not already on a presumption that it is having an effect, there is also the precautionary principle, which is a key principle in European regulation. Ms Dixon might address that question of the precautionary principle and whether we have an onus to take immediate action in areas where we feel there is a danger, rather than waiting for a long academic process in regard to the proven impacts in that regard.

I was also concerned with the idea that we are waiting for the ICO to make public policy recommendations that may have broader application for EU member states. While the ICO has its investigation in regard to Cambridge Analytica, I would think, given the lead supervisory role Ireland holds, that Ireland should be moving ahead and taking a lead, not simply looking forward to the outcomes from the ICO. Given that lead supervisory role, with Facebook Ireland serving 83% of all global Facebook users, I would like Ms Dixon to comment in particular on the issues around Article 9 of the GDPR and what she thinks the implications of Article 9 will be in regard to this area, specifically Article 9.2(d), which concerns the processing of special categories of personal data, that is, data around political or religious opinions and sexual orientation, and which, of course, includes photographs. These are issues which have been identified as needing particular protection and they, of course, form part of the profiling work by organisations like Cambridge Analytica. Will Ms Dixon clarify this specific question? In Article 9.2(d) it is clear the exemptions which are given around processing by political bodies, such as political parties, are for not-for-profit bodies and there is a prohibition on the sharing of that personal data or the work outside that body. Does Ms Dixon believe this part of the GDPR will provide a prohibition against any for-profit commercial company which seeks to process special categories of personal data without consent? Does she believe that is adequately provided for in Article 9? While it is legislation that is under way, Ms Dixon might also be free to comment on whether she believes this is adequately provided for in the Data Protection Bill?

In regard to the "honest ads" provisions and the online transparency proposals from Deputy Lawless, I believe there is a question around transparency, who is using the data and whether it is with permission. There is an assumption it is only about using the mechanisms around online behavioural targeting but there is the question of that data being shared.

On the gathering and storing of data external to Europe, we have seen online quizzes that are under way not necessarily on Facebook but on Google and other platforms that are seeking to build political profiles, and we have seen companies that have been gathering facial profiles and building databases in that regard. While I know the pending High Court referral will help on that issue, Ms Dixon might touch on it.
