Dr. Fred Logue:

I thank the Chairman and committee members. I am a principal solicitor with FP Logue and have a specialist information law practice, which includes data protection. In contrast with Mr. Schrems, I am here to share my everyday dealings with data protection issues of a more routine nature. Although they may be more everyday issues than those with which Mr. Schrems is concerned, these issues have significant importance for individuals and their daily lives and involve dealing with financial institutions, workplace surveillance, data retention, adoptees seeking their early life information, social welfare issues, access by the police, access to police records and so on. These are issues that cover the vast swathe of our lives. It is through this lens that we can get a good picture of how data protection is being enforced in Ireland.

It is worth pointing out that data protection rights are kind of radical because they create a legal relationship between a data controller and a data subject simply because the former processes the personal data of the latter. That exists irrespective of any other legal relationship such as contract, statute or common law, for example. It applies more or less equally regardless of whether the data controller is a public or private body. Mere processing of personal data gives rise to a legal relationship. That fact is missed by many data controllers.

The GDPR and the law enforcement directive are the primary EU law measures that give effect to that legal relationship. They do so by imposing obligations on data controllers, giving rights to data subjects and providing enforcement mechanisms.

The DPC in Ireland has the primary responsibility for enforcement. It is tasked with resolving disputes between data subjects and controllers. I echo Mr. Schrems that it is tasked with doing so in every dispute; it is not a discretionary jurisdiction under EU law. The commission has extensive powers under EU law to carry out those tasks.

Unfortunately, my overall experience is that compliance in Ireland, particularly with access requests, is poor and that GDPR and data protection is poorly understood by the people tasked with implementing it in many organisations, public and private. Even worse, few public authorities seem to be aware that they have a responsibility to ensure the effectiveness of EU law and they cannot hide behind Irish law which conflicts with EU law. I believe compliance is poor because enforcement is ineffective and virtually consequence free. The possibility, in my experience, of a DPC complaint does not appear to be something that motivates many controllers to comply with their obligations. I echo the observation by Mr. Schrems that complaints are taking way too long, they are way too expensive in terms of money and time, there are no documented procedures and what procedures are in place are too complex and do not lead to efficient or fair complaint handling. In fairness to the DPC, when it gets to a decision, it is not too bad, but by the time one gets there, usually the complaints procedure has failed to serve its purpose and the reasons for it have evaporated.

The DPC could be forgiven for taking longer for more complex cross-border complaints such as that outlined by Mr. Schrems, but my experience is that the issues that have been highlighted in the presentation by the first speaker also apply, even to the most routine complaints at national level. I also think that the procedures are not fair, particularly in light of the recent Zalewski judgment of the Supreme Court. It is only a matter of time before that comes to court in Ireland. I am also uncomfortable that the DPC has very informal consultations or engagements with controllers. Often, it is involved in designing processes and products and services that it then is called on to investigate. A recent example of this is the national smart meter programme, where it seems the DPC has been involved since 2012 in its design but now is being called on to investigate it. We need the DPC for the rule of law and to ensure people's rights are vindicated. The eyes of Europe, and possibly the world, are on us. It is important that these problems are resolved in a way that gives rights their full effect in this jurisdiction.