Ms Helen Dixon:

On behalf of the DPC, I thank the committee for this opportunity to engage with it and contribute to its review of certain aspects of the GDPR. The review comes at an important juncture in what are still the comparatively early implementation stages of this new legal framework. There is nobody in the EU who has not been touched by the GDPR. Many people are impacted professionally, in work contexts, and as individuals in terms of how it is applied in the processing of their personal data. For all legislators and the DPC, as a specialist regulatory body, there is an additional dimension to our relationship with the GDPR.

The aims of the GDPR are to ensure that the fundamental right of everyone to have their data protected is upheld, that processing of personal data serves society, that data protection is not held out as an absolute right but is considered in relation to its function in society and balanced against other fundamental rights, and that the law is implemented in a uniform way across the EU.

In our dialogue this evening, we may, depending on time and questions raised, end up talking about everything from CCTV and children’s data to pseudonymisation and much more. A law that applies to the processing of personal data applies in almost endless contexts and scenarios, which, by default, means the DPC’s regulatory range is equally boundless.

That range of contexts and scenarios reflects itself in constant high volumes of inbound work to the Irish DPC. Last year alone, we had more than 10,000 cases. Some 60% of the complaints lodged with the DPC last year were concluded in the same calendar year. We also handled 42 applications for the approval of binding corporate rules, dealt with more than 6,000 security breach notifications and progressed 87 full-scale statutory inquiries.

Given that everyone has a perspective on the GDPR in light of the myriad ways in which all of us interact with and experience it, it is reasonable to expect that there are equally numerous perceptions of the GDPR’s relative progress since its implementation. With the previously referenced range of contexts to which the GDPR applies, it naturally follows that its advantages and improvements are felt differently by different stakeholders. This is why it is far too simplistic to review the GDPR at this stage in terms of straightforward success or failure, and the committee is right to consider instead the headway that is being made to administer this principles-based regulation proportionately across all of these varied contexts. The GDPR does not spell out sector-specific infractions in the way that other legislation might. Since the regime is principles based, every potential infringement has to be examined and evaluated on its own merits. No two cases are the same. At this point, a little under three years into the application of the regulation, there is as yet little established case law to guide these evaluations. Thus, each review requires first-principles analysis.

The DPC has a particular role under the GDPR in terms of being the lead supervisory authority for the many Internet and technology companies with European headquarters in Ireland. The complexities of the decision-making involved in the one-stop shop, which multinational corporations may avail of under the GDPR, mean that the pace of delivery is not solely within the domain of the DPC. We recognise that collective momentum in this area must increase but equally highlight the structural constraints of the co-decision-making processes provided for in Chapter VII of the GDPR.

A consistent and comprehensive approach to measuring the outcomes and comparative effectiveness of regulation and enforcement by EU data protection authorities under the GDPR is not yet in place. In that vacuum, opinions abound and criticism is constant. Informed criticism must be embraced, of course, not feared, because it drives improvement and contributes in a very tangible way to the delivery of better outcomes. As such, I welcome the committee’s engagement with the issues at hand and its initiation of a dialogue in which we identify what is working well and what is not. Where things are not working well, we examine ways to improve them.

The committee will have seen from the written submissions of certain of the witnesses that issues relating to the enforcement of the regulation by my office have attracted, and continue to attract, particular and trenchant criticism, much of it directed to the idea that, as an emanation of the Irish State, the DPC is deliberately refusing to regulate, or has deliberately been constituted so as to be incapable of regulating, certain multinational companies operating within Ireland, for the same kinds of reasons as those said to explain Ireland’s approach to the taxation of Apple and other such companies. One contributor expresses concern that poor performance on the part of the DPC presents a significant economic and reputational risk for Ireland. Both call in aid observations said to have been made by regulatory and political commentators across Europe and beyond, none of them favourable.

These are extremely serious charges for my office and for the Government and, in light of certain of the charges, for the State as a whole. For the part of the DPC, I reject the charges made and the unfounded bases on which they are made.

Against this sort of challenging backdrop, I hope, through a dialogue with this committee, that some of the noise can be dialled down and that some meaningful insights may be gained into the assessment of the GDPR in practice and the performance of my office as a statutory regulator. I accept that, given the range of issues to be considered and the complexity of at least some of them, we will not achieve all of that this evening, but I look forward to making a solid start and wish to assure the committee of my commitment to ongoing engagement between us on these issues and such others as the committee regards as being important, and as its workload allows.