Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Ms Helen Dixon:

I thank the Senator for the question. I note the ICCL continues to repeat something completely erroneous. It is not just an erroneous interpretation. I am not sure whether there is a misunderstanding on the part of the ICCL. I am happy to submit to the committee a summary of the Advocate General Bobek opinion.

I believe when it sees it the committee will be satisfied it does not say what the Irish Council for Civil Liberties, ICCL, suggests and it does not make any criticism of the Irish Data Protection Commission, DPC.

I notice a number of the comments I made earlier have also been mischaracterised, but let me get on with answering Senator Malcolm Byrne's question. He asked about the kind of skills they are lacking. In large part the issues relate to the ability to retain the skills we have brought in. We have brought in top-class litigators. We cannot pay them at market rates, so if we cannot hope to pay them at market rates or anywhere near a reasonable rate and position them at a grade where we can retain them, we will lose them. The issues are around that ability to pitch recruitment at a level where we will attract the right type of candidates.

Regarding technologists, it is difficult also because we will never have technologists who know all about every type of technology. As we know, all of the platforms are proprietary and you would have to work in them to know everything about them. That is why we are satisfied the route we are going down in terms of the request to publish for the multiple supplier framework is the right route to address that as well as bringing in sufficient in-house staff to know the right questions to ask but also to know when we need outside assistance and the form of outside assistance we need.

The Senator asked a question about banking. We have engaged with him on this question previously and we know he understands that, the way enforcement is set up under the GDPR, we have to enforce against named cohorts and therefore we cannot do an investigation per se of the sector. We could certainly audit big players in the sector and then conduct individual investigations in respect of each. It is actually an area where we have a particular focus on an ongoing basis because of the quantities of breaches reported with which we engage. We have two statutory inquiries open currently with regard to individual banks. We have made a number of decisions in individual cases for which we will publish the case studies regarding banks.

The Senator's real question was about how we decide the priorities. Why might we decide to focus on banking? Why would we decide that RTB is important? I go back to the publication of the DPC strategy that is open now for consultation. We welcome all stakeholders' views on this issue of prioritisation, but in general we look at the types of harms that may be at issue. We look at the number of affected data sets. Those are the two primary considerations when we consider where to deploy what will always be resources that are much more scarce than the issues we are facing.
