Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Ms Helen Dixon:

I thank the Chairman. Let me say at the outset, in case I do not get to say it later, that there is no question but that the DPC recognises that improvements have to be made. In particular, we take the points made earlier about processes and the need to streamline them. We have already engaged in trying to make the processes more streamlined for all stakeholders. We accept the points arising, in part, from the processes in respect of delay, and all of us want to speed up.

However, the difficulty, and I will respond to the specific question, for the DPC is that clearly as a regulator, we are uniquely surrounded by an enormous range of stakeholders. We handle the complaints of thousands of data subjects but, equally, potentially handle the complaints of millions of EU data subjects. We regulate hundreds of thousands of entities - public and private sector, Internet, big tech and voluntary - and in some cases, individuals in terms of their data processing. We recognise the oversight of this Oireachtas. Equally, there is the European Parliament. There are 37 EU data protection authorities, if we count in the regional data protection authorities and so on, so we are at the centre of a very large range of stakeholders, each with their own expectations.

The problem, some of which we have seen this evening, is that it seems very easy for those who are determined to criticise the DPC and fail to recognise what is being achieved - I am not sure anyone reads our annual report because I have not heard any of it reflected in what is being discussed - to rely on very sensationalist statements that, unfortunately, are based on complete inaccuracies. We have heard about Bermuda triangles, things being Kafkaesque and so on. They are great headline generators but the reality is far removed from them.

The Chairman asked me a question about criticism from abroad, including Europe. While we respect the European Parliament in terms of its oversight role, it is well documented in the correspondence I have published how the European Parliament's Liberties, Justice and Home Affairs, LIBE, Committee conducted itself and failed to engage with the DPC in coming to the views it expressed in resolutions. I remind the committee that the European Parliament is a step removed from what this Parliament would be in terms of looking at what a national data protection authority would do. There is a particular onus on it to ensure its information is accurate, which did not occur. Let us put the criticisms from other EU data protection authorities in context. If we go back and look at the original proposal from the European Commission for a new regulation in 2012, we can see that the same data protection authorities that are criticising Ireland and the one-stop-shop were on record as rejecting the concept of the one-stop-shop and any role for the Commission in encroaching on regulatory roles that were the purview of national data protection authorities prior to that so it is no surprise there is a political element to the criticisms being made.

The Chairman raised the issue of parallel processes. The Chairman said that this was evidenced from some of the witnesses but, in fact, there is no evidence to support this in the way that has been suggested. One of the witnesses has called in aid a completely erroneous interpretation of the opinion of the Advocate General of the Court of Justice of the European Union from January of this year in a case called Facebook v. Belgium Privacy Commission. Advocate General Bobek did not criticise the Irish DPC or call it out for regulatory inertia. In fact, the Advocate General said that the GDPR, and its implementation and enforcement, is in its infancy and criticised those who were seeking to undermine it with speculation regarding under-enforcement of the GDPR. The references to that opinion are completely erroneous and do not give any indication that there is a sidestepping of the DPC.

Other issues that have been raised have been around the Italian regulator's urgency procedure in the case of TikTok. Again, this is not a case of sidestepping the Irish DPC. There has been engagement with the Italian regulator on this case, which relates to harmful content. It relates to a regulatory remit that the Italian regulator has that is not within the remit of the Irish DPC. I could go on but I realise the Chairman wants to let other people in to answer questions. There are layers of detail to all of these issues. A superficial skimming of the surface in terms of all of these criticisms, and I realise we will not have time to get into all of them this evening, is dangerous. It is very hard to get to the point where we can have a reasonable conversation, which the DPC is fully open to, where we can look critically at how to measure the effectiveness of regulation under the GDPR and eliminate this type of exaggeration we are hearing.
