Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Mr. Max Schrems:

I thank the committee for inviting me to appear. I particularly thank it for holding this hearing because the issue goes far beyond Ireland. It is really a fundamental rights issue for the whole EU, given the situation that Ireland has.

I first engaged with the Data Protection Commission, DPC, when its office was located above a Centra supermarket in Portarlington and it was staffed by 20 employees. That was a long time ago. Since then there have been nine court engagements at the European Court of Justice, ECJ, over two cases. In particular, there has been the big change involving the GDPR, which was meant to make the fundamental right to privacy enforceable and a right on which people can rely. In that spirit, it is remarkable that the Government has allocated far more resources to the DPC. It is now one of the best-resourced digital protection agencies in Europe, which says a lot.

Much of the law in this area is not new. Much of the content of the Data Protection Act 1988 derives from a convention agreed in the 1980s. Most of the law is the same as that contained in the 1995 directive. As such, it is not new. However, the big difference is that the GDPR should have brought about enforcement that does not exist just on paper, but reaches reality somehow.

An interesting point is that in spite of the DPC being very well funded, it has very few results to show for that funding. Even the submission of the DPC to this committee kind of openly acknowledged that, albeit in rather diplomatic language. It received 10,000 complaints but handled only 4,700 of them, meaning that 53% of complaints go somewhere unknown. Only a handful of complaints are investigated. Most of them are referred to as being "concluded", which is a euphemism for the DPC not deciding those complaints. It is interesting that the DPC argues that it will build momentum in 2021 and issue six or seven decisions this year. That implies that 99.93% of all complaints will not be decided. This fundamental right in Europe is just not reachable and actually enforceable for 99.3% of the people who rely on it.

In comparison, in Austria, my home country, which is not really known for big tech, the regulator issues approximately 850 decisions per year. The Austrian regulator has a budget that is 15% of that of the DPC. There is a lot of input into the DPC but very little output. In Austria, 142 fines were issued, for example. Data protection agencies in other countries have similar numbers. The data protection agency, DPA, in Spain is very similar to the DPC in terms of budget and the like, but it has issued more than 700 decisions so far.

It is interesting that the DPC states in its submission that there may be cases that, although they are of imminent relevance for the given individual, are not relevant for the wider public and that, apparently, is why some cases are not handled even though everybody has a fundamental right to privacy. This is not just a European issue. We have received many emails from Irish citizens who have experienced exactly these problems.

A significant part of the background in this regard relates to a certain fear of law. The DPC stated that the GDPR is principle-based, there is no fixed template how to really apply the law and that enforcement all too often gives rise to challenges. Apparently, that is a reason not to enforce the law. I understand that many members of the committee are lawyers. As a lawyer, applying a rather abstract principle in the law to a given fact pattern is the daily business of law, so I was a little surprised that is, apparently, one of the big issues or, at least, it is the argument we have heard so far. In my personal experience, there is extremely poor understanding of material and procedural law in the DPC. Some cases have been pending for more than eight years. The cost to the taxpayer of the case that was lost twice at the ECJ and heard before nine courts so far has been in excess of an estimated €6 million. We can see there are very few positive things coming out of the DPC.

I do not want to just criticise; I also wish to suggest solutions. There is obviously the option of the DPC having three heads, rather than one as is currently the case. The additional two positions could be filled by people who have the expertise in material law, GDPR and procedural law to enable them to solve these issues to a certain extent. There is much uncertainty regarding procedural law. That is partly because there is no written procedural law in Ireland, whereas in many other countries one usually has case law on which one can rely. That could be clarified by the DPC. It currently refuses to clarify many of these issues, even in ongoing litigation. It is then haunted by this because the likes of Facebook rely on these uncertainties in the procedure to block cases with judicial reviews and so on.

Funding is another reason giving rise to a fear of litigation. Litigation is very expensive in Ireland compared with in other member states. That may be a reason to avoid it. However, enforcing the GDPR partly gives rise to fines of billions of euro, which would leave a net budget surplus if the GDPR were to be enforced. It would be interesting to see whether certain funds that would accrue in this regard would be allocated to the actual enforcement work itself. In France, for example, the value of fines issued exceeds by far the costs incurred by the DPAs.

Those are some of the possibilities that should be explored. I am sure there will be further opportunities to engage on the details of these issues.
