Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Michael Creed (Cork North West, Fine Gael)

My thanks to our two witnesses. Their opening remarks and the replies to questions to date have been peppered with reference to big data, big business, big tech and big brother. My questions are born out of constituency experience. Unfortunately, there are not many big tech or big data companies in my constituency. However, we have many public-facing small businesses. I want to ask a critical question. Is our core legislation fit for purpose? I am asking the question because the European Commission report from 2020 stated that compliance costs were a bigger issue for small and medium-sized enterprises. At the same time, the Commission gave no comfort to those enterprises in recommending any difference in approach.

The witnesses in their references talked about data controllers. What if a person is the chief cook and bottle washer of the local hospitality industry, small medical practice or small retail enterprise? When these people get correspondence from the much-maligned Data Protection Commissioner, it puts the fear of God into them. They do not have an in-house solicitor to which to refer the complaint. I imagine these people take no comfort whatsoever in the submission from Dr. Logue, especially where he says he believes that more use has to be made of fines and compensation as a matter of routine. I am not saying all these aforementioned SMEs are compliant, but in most cases they attempt to be and they may be non-compliant by default. From my experience many of the complaints are vexatious. There may be people who want to be part of the compensation culture that Dr. Logue seems to be promoting in his submission. He seems to suggest people should be compensated. Section 109(2) of the 2018 Act refers to proposals for amicable solution. A small business may get a letter calling for a proposal for an amicable solution. They may be informed that if that does not materialise the case will move up a step in terms of how the Data Protection Commissioner will deal with it. That is a threatening procedure to a small business.

This goes back to my question. Is the legislation fit for purpose? It seems it fails to differentiate between small entities and what appears to be the primary focus of the concerns of the witnesses, which relate to big data, privacy, big tech and big brother. Yet, many small businesses are caught up in all of this. They may wish to be compliant but the cost of compliance is in many respects beyond their resources. I have seen examples of where this is graphically brought home by the correspondence they receive from the Data Protection Commissioner. I believe they are easy prey. They will be unable to take their case to the High Court, the Supreme Court or the Court of Justice of the European Union for comfort. They will be shivering in their boots while they are anxious to be compliant but bearing the costs disproportionately.
