Mr. Dale Sunderland:

Yes. I thank the Senator for her questions and her comments about the Data Protection Commission. We do not have many fans. I am delighted the Senator is a fan. She mentioned that GDPR is often used as a reason for not doing things which, to be honest, very much irritates us because that is a deflection from the purpose of data protection.

The Senator also mentioned the platforms and raised a very valid point about the role of regulators. The Data Protection Commission is only responsible for regulating the use and processing of personal data. In regard to online content and moderation of content, including illegal content and harmful content, that is another sphere entirely in which the Data Protection Commission is not involved. The gap and lacuna that leaves is a matter beyond the Data Protection Commission, but is a fair comment.

In terms of the platforms, the Senator is correct that they vary in terms of their lawful basis processing under Article 6 of the GDPR. Some of them rely on contract and others rely on consent. There are a lot of complexities there but on that point I would point out that we have a number of ongoing inquiries looking at the lawful basis on which the online platforms process personal data in the context of a user signing up. One of those, which we reference in our recently published annual report, is in relation to Facebook and its reliance on the lawful basis for processing.

The issue around community standard is separate to data protection. It includes data protection but it is more large-scale than that. It is about all the issues around online content and what they allow on their platforms but there is a nexus at certain points. Where they are introducing new types of data processing or changing the way in which they do things, the platforms have to undertake a screening to see if there is a high risk to the data protection rights of individuals. Where they identify a high risk - I would imagine anything to do with processing around elections may fall into this space - they have to do a data protection impact assessment. Even if they are not required to do a data protection impact assessment, there are other obligations they must comply with, including the principles of data protection such as that the processing is fair, lawful and transparent and they only use data for the purposes for which it was collected and so on. It is really complex in terms of these platforms and the way they are structured. However, these are issues the Data Protection Commission is incrementally looking at as we work through our various inquiries and in other areas such as our supervisory function where we engage with the platforms on a regular basis around new products and services.

Members might have heard last year the example of Facebook dating and how the Data Protection Commission intervened in the process to review the data protection impact assessment. It secured changes on the back of that in terms of transparency for individuals regarding how data would be used in Facebook dating, for example. All those changes helped in making recommendations to Facebook to make sure it was compliant.

In this space, online advertising is obviously a big issue. We have open inquiries into how the online ad tech system works. There is an inquiry into the Google Authorized Buyer organisation and another into an organisation called Quantcast. This is all looking into and teasing through all the things that happen in the background concerning how data are collected in online and offline contexts, how they are merged and how they are resurfaced to determine what advertisements members and I might see, depending on how we browse or what we like online. All of that is very much in play at the moment. It is not the answer to all of these issues but it certainly has a part to play in the overall picture of working out what compliance means under GDPR and the standard expected under GDPR. That work is ongoing.