Mr. John O'Dwyer:

To address Senator Byrne's first question about divergence, this is built into the adequacy decision. I will go back a little in the sense that we are starting from a very good place as the UK has implemented the GDPR in full in its national legislation. It is probably the closest we will ever have to a third country that has a good data protection regime.

It has the legislation and the redress mechanism in the sense that people can bring cases to the Information Commissioner's Office, ICO, which is the equivalent of our organisation in the UK. The UK has a full complaints and judicial procedure in that regard. That is all built in so it is starting from a good place. If it does start to diverge and if the UK Government decides to change the legislation or to dispense with the ICO for some reason, mechanisms are built into the adequacy decision that allow the European Commission to suspend that decision in whole or in part. Those kinds of protections are built in. In addition, there is a sunset clause. The adequacy decision will expire after four years unless renewed. It will not continue in force after those four years but, because of that sunset clause, must be proactively renewed. This allows a review to take place in four years' time which will see what the situation in the UK and in UK law is at that time. There are also measures that may be taken in the interim if the UK begins to diverge.

On the question of the DPC's resources, our resources have been increased substantially over recent years. I joined the DPC in 2013. At that time there were fewer than 30 staff and the commission budget was approximately €2.5 million. We now have almost 150 staff and our budget for 2021 is €19 million. The Government has been quite good in resourcing the commission. In recent years, we have received substantial increases in resources year on year. Like any organisation, if we had more money and more resources, we could do more. There is a lot more we could do because, as I said earlier, thousands and thousands of companies are processing personal data every day of the week. There are lots of them we do not need to go near. There are also the very high-profile companies operating platforms such as Facebook, Google and all of those other companies based in Ireland. They take up a lot of our resources but, more than occasionally, we also get involved with other companies and public sector bodies.

The Senator may have seen our annual report, which was released last week. We were notified of in the region of 6,000 breaches last year. All of those breaches are assessed internally within the DPC, after which we interact with the companies involved. We receive thousands of complaints every year and, again, we interact with the companies against which those complaints are made. There is a lot of activity and, obviously, if we had more resources we could do a lot more but, equally, I do not want to be in any way critical of the Government. It has been very generous in providing the DPC with year-on-year increases. We hope to continue to build on that.