Ms Helen Dixon:

Viviane Reding would have been proud of me inflating it to 20% of turnover.

On the question relating to Cambridge Analytica, the transnational nature of global data flows and whether the new laws to be introduced on 25 May will be effective, the first thing to emphasise about the GDPR is that it is a harmonised law. It is intended not only to be a modernised law for Europe but to be harmonised. It is intended that there will be a much more co-ordinated and consistent application of the law across the EU than there has been heretofore, where there have been separate and fragmented transpositions of the 1995 directive in EU member states. To that end, where the Irish Data Protection Commissioner acts as the lead supervisory authority in supervising any entity, we must consult with other data protection authorities as we go and must take the utmost account of the views of other data protection authorities. Ultimately, any of those other data protection authorities can offer a relevant and reasoned objection to any conclusions or findings we make in an investigation. That is with the aim of ensuring there is a consistent and co-ordinated application of the law.

There are also very strong provisions for mutual assistance between the data protection authorities in the GDPR. Currently, it is the case that Cambridge Analytica is a data controller in data protection terms that is located in the UK and subject to the jurisdiction of the Information Commissioner's Office in the UK. However, in conducting her investigation, the Information Commissioner proactively had a call for an hour with me yesterday and is keeping relevant data protection authorities up to date regarding her investigation and we are assisting in any way we can. Consequently, there are ways in which the new regulation can be brought to bear regardless of the location of an entity.

In respect of political micro-targeting, the Deputy mentioned Brexit. As I outlined earlier, the Information Commissioner in the UK is concentrating on the application of data protection law to the use of big data analytics and micro-targeting so in particular, she is looking at what sources of data a company like Cambridge Analytica has. Is it procuring data from data brokers in Europe? Are those data being lawfully procured? It now appears as though it might have procured data from Facebook that was not lawfully procured. The Information Commissioner in the UK is looking specifically at the sources of data, the legal basis for the processing, whether the UK electorate could have been aware that its data were being processed in that way by data analytics firms and so on. In one of her recent appearances before a parliamentary committee in the UK, she said she is not expecting a smoking gun in any shape or form but her investigation has not yet concluded. It is concentrated around the data protection issues relating to the likes of Cambridge Analytica.

Regarding juveniles and young users of the Internet, the GDPR over and above the 1995 directive is now calling out that children merit special protection in a data protection sense. There are a number of provisions in the GDPR relating to child users.

In particular, Article 8 of the GDPR now allows member states set an age over which a child will not require the consent of parents to access information services online. As the committee is aware, that age has been set at 13 in Ireland.

There is a requirement now for data controllers, and in particular for online service providers, to show that they are giving children the special additional protection that they merit. This may be in the form of modified services that are appropriate to the age of development of users, and it may be certainly be represented in terms of the type of transparency and plain language notices that are offered to children. The platforms that we supervise have told us that we will see differentiated services in some cases being offered to children from 25 May 2018.

In relation to Deputy Smith's questions in respect of behaviours and attitudes and political micro-targeting, the Deputy said she was confused following the opening statement regarding the role of the DPC. Our opening statement was designed to convey that the particular legislation that the committee intends to carry out scrutiny on today is not a matter for comment by this office as to whether there is a requirement for an imprint on a political advertisement that shows the original funder. We are concerned, however, with every aspect of electoral activity and political activity that concerns the processing of personal data.

In relation to Cambridge Analytica and the 87 million users who were mostly based in the USA, what was at issue in that particular case was that Dr. Kogan at Cambridge University, who was originally the app developer who accessed the data from Facebook's platform, is alleged to have transmitted it on, contrary to Facebook's policies, to Cambridge Analytica. He had been doing psychometric research at Cambridge University based on a model called OCEAN, which concerns personality traits of individuals, such as openness and conscientiousness, right through to where on the scale of neurotica a person stands. What was asserted to be the case was that individuals could be micro-targeted based on these personality profiles and classifications and I pointed out that social scientists and academics, who are looking now live at this area, say there is no evidence that targeting based on that type of personality and psychometric segmentation has happened or that it has manipulated results.

Further research is needed in this area, but it is undoubtedly the case, because it is happening already in an offline context as well as an online context, that there is political micro-targeting. It is not necessarily harmful or a bad thing that there would be some targeting of messages. It happens in an offline context where posters or particular issues that politicians want to promote relative to a geographic area in which individuals live are segmented and targeted messages are delivered to the constituents in that way. Not all political micro-targeting is harmful, and not all of it involves a manipulation of users data in a way that they would not anticipate.

Individuals have some level of control, albeit the transparency around how they can exercise that control is not yet good enough and we expect to see an improvement from May under the GDPR. Users need to be aware that if they have not exercised their controls online to switch off interest-based advertising, they are being targeted based on segments that the platforms deem them to be interested in.

In relation to the 87 million affected users, and Facebook confirmed these figures, 15 individuals in Ireland downloaded the app that Dr. Kogan published and up to 44,000 Irish users were affected as friends of users who downloaded the app in that their data was accessed by Dr. Kogan and, it is alleged, passed to Cambridge Analytica.

In terms of vulnerable Internet users, the Deputy is absolutely correct. Children were just an example of vulnerable Internet users. There are many reasons that the GDPR, as proposed and enacted, now requires privacy by design and default and encodes these new principles.

Under the GDPR, in order to ensure that before users have to search and look for controls about what it should switch off and switch on, they should be already able to anticipate that there is a level of default protection when they arrive on the platform. This is what we anticipate we are going to see, not just from the platforms but from all sorts of sectors and data controllers from 25 May 2018.