Dr. Johnny Ryan:

It is a pleasure to join the committee today. I represent the Irish Council for Civil Liberties, ICCL, Ireland's oldest independent human rights body. We have worked on data protection for decades. Until recently, I was a senior executive for a Silicon Valley tech firm, where I worked with the inventor of JavaScript.

The GDPR gave the DPC powers to proactively investigate the misuse of data about us, and stop the misuse. It can "obtain access to any premises" and compel evidence. It can even force the biggest companies in the world to change what they do with our data. Although we all know there is a privacy crisis, the DPC does not appear to be using these powers to protect us. Three years ago, I blew the whistle to the DPC about real-time bidding, RTB. It is the largest data breach ever recorded. It allows data brokers to build illegal dossiers about us based on the private things we do online. This exposes us to manipulation and enables foreign interference in our elections. The crisis is so acute that one of my evidence bundles to the DPC featured on the front page of the Financial Times, and it was not a quiet day. Despite this, three years on, this week the DPC told me it has not even completed a "statement of issues" of what it should investigate. I want the committee to consider this sobering statistic: in the three years since the GDPR was applied, the Data Protection Commission has asserted its lead role in 196 cases, but delivered decisions, even draft decisions, in only four. In other words, the DPC has failed to resolve 98% of cases that are important enough to be of EU-wide concern. That means Ireland is the bottleneck of GDPR investigation of Google, Facebook, Microsoft, and Apple, everywhere in the EU.

We at ICCL have warned the Government that the DPC's failure to uphold the rights of 450 million Europeans creates strategic economic and reputational risks for Ireland. Although this is a small and peripheral country, the GDPR gave Ireland the chance to become the key location for digital regulation. That will not happen if the DPC continues to draw criticism from the European Court of Justice, the European Parliament, the authorities of Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary. That is documented. Even last week, at a US event that I was speaking at, the CEO of the UK Competition and Markets Authority was also critical of it. This is a chorus of criticism. DPC inaction has forced other EU member states to sidestep Ireland on GDPR enforcement. If this continues, we will lose our relevance as a regulatory centre. It also jeopardises a new European Commission proposal that Ireland should become the super regulator for more key parts of the digital economy. I refer here to the new artificial intelligence package and the proposal on online content, the Digital Services Act.

The consequences of the DPC's problems are not limited to Europe. As members are probably aware, in the United States, two weeks ago Senator Ron Wyden introduced an important draft Bill to designate jurisdictions with inadequate data protection enforcement. We know from the drafters of the Bill that it intentionally targets the DPC's enforcement failure. If Ireland is so designated because of the DPC's problems, then every significant company here will be prevented from processing data of customers in the United States until they obtain an export licence from the US Department of Commerce. That will be hard because the same restrictions that will potentially be applied to US data are the ones that are currently applied to nuclear material. That would devastate the digital sector. The Government must ensure that Ireland meets its GDPR obligations. We at ICCL propose two urgent steps. First, like Max Schrems, we suggest the appointment of two new commissioners, as provided for in the 2018 Data Protection Act, and that the Minister should use her power to designate a chair of the commission. The second is to establish an independent review of how to reform the DPC.

Its problems may be due to more than just a lack of investment. The ICCL revealed a few months ago that a major reform inside the DPC is chronically delayed, five years after being announced and having cost the taxpayer more than €1 million so far.

I urge all members of this committee to call on the Government to rebuild our DPC to protect us in the data age. We must restore Ireland’s reputation as a regulatory leader. This is a once-in-a-generation moment of opportunity, like that taken by Frank Aiken in leading the world on nuclear non-proliferation in the middle of the last century. We must not squander that opportunity. I thank the committee.