Oireachtas Joint and Select Committees

Tuesday, 17 April 2018

Joint Oireachtas Committee on Communications, Climate Action and Environment

Influence of Social Media on Elections and Referenda: Discussion

2:00 pm

Ms Helen Dixon:

I will do my best. In response to Deputy Eamon Ryan, we would welcome receipt of the 14 questions he wants to submit in writing and we will be happy to respond. The Deputy talked about the delay in terms of Facebook implementing the recommendation. Again, looking back, although we never thought what Facebook was doing was proportionate, the issue of evolving social norms cannot be ignored when we are looking at novel applications of technology in an area like social media, which was still quite new in 2010-11. Max Schrems was not the only person calling out this issue about access to friends data - civil society bodies like the American Civil Liberties Union in the US had also been highlighting it.

In terms of the iterative process that was engaged in, we have this type of process with actors in all sectors. Given that there is an interpretation required of what is high-level, principles-based law in any particular area of application, be it in the insurance sector or the banking sector, or on a social media platform, there is a period when there has to be some type of iterative process where we share with a regulated entity what our interpretation of the law is and how it applies in a very particular scenario. It is legitimate that there may be push-back and an assertion of a legal basis or an assertion of proportionality, but, ultimately, that was not accepted by our office and the issue was resolved.

It is very easy to look back and say things were black and white. An example of an evolving social norm that might be helpful to consider in this context is the issue of caller ID. When this first came out in the 1990s, users considered it an invasion of privacy if someone they were calling could recognise their number and if their caller ID was automatically submitted. Now, very few people would answer their mobile phone if they could not see who was calling them, so there has been a 360° spin in terms of the social norm around caller ID. While it is just one example and I am not saying the access to friends data fell into that category, what I am suggesting is that there is often a process with all types of sectors and it is not simply black and white.

In terms of when we became aware of the Cambridge Analytica case, it was on 16 March when the story was broken in The Observer. It was not new news to us that friends data had been accessed and it was a feature of the platform until Facebook made the upgrade. What was new news to us was that The Guardian had contacted Facebook in 2015 in regard to allegations that all of the data had not been deleted by Cambridge Analytica.

In terms of sanctions, looking at it under the current legislation, in particular the Irish Data Protection Acts, the committee will be aware there are very few offences under the current legislation and the legislation is directed towards compelling compliance with the Acts. Under the GDPR, clearly, the sanctions are considerably higher.

There are three use cases for data sharing that were proposed by WhatsApp and Facebook when WhatsApp sought to amend its privacy policy after the approved merger. Two of them related to business analytics and security on the platform and the third use case relates to sharing of data between the two entities as controllers for the purposes of ad serving and friend suggestions.

We have prohibited that use and Facebook and WhatsApp have provided us with an undertaking that they will not implement that use case until the DPC is satisfied that there is a legal basis for doing so. Deputy Eamon Ryan asked whether what we are discussing could be done without a person's consent. The answer is "No".

The Deputy also referred to contact lists, which are covered in one of the recitals to the GDPR. This is an area of the law at which we intend to look further in circumstances in which the recital under the GDPR clarifies matters. This happens with all platforms and Internet service providers. Platforms give users the option to upload the contact lists on their phones to be managed by the Internet service to facilitate the user. The recital in the GDPR spells out, quite correctly, that the uploading of the contact list from a person's phone is done under the so-called "household exemption" under data protection law. As such, when one acts under this exemption, the full laws do not apply in terms of uploading the list. However, further use and processing of that contact list by the platform or any controller requires a legal basis. I am not sure if the Deputy is bringing to our attention the fact that some platform is making further use of material. If so, we would be interested to receive the information.

Deputy Eamon Ryan's final question related to data surveillance and GCHQ post Brexit. The EU Commission is already being pushed by the UK in this regard and will be required to agree some type of mutual recognition of the UK having an adequate level of data protection. Assuming that there is no such recognition, the UK will undoubtedly seek an adequacy finding from the EU Commission. It will be the responsibility of the Commission to conduct a full analysis in the context of making an adequacy finding in respect of the UK. We will co-operate in that process.

Deputy Lawless referred to Cambridge Analytica. I note that some 300,000 users directly engaged and gave consent to the downloading of the app. If it transpires to be true that Dr. Kogan passed the data to Cambridge Analytica, that would have occurred in any event minus the friend data had that been restricted. The supervision activity Ms Neary is undertaking with Facebook is around the case regardless of whether friend data was accessed or not, how Facebook vets apps, how Facebook controls the permissions it gives apps and what examination it is carrying out of the privacy policy proposed by an app developer.

On the issue of warrants, we have very strong powers already to enter premises. We conducted almost 100 on-site inspections and investigations last year. Some of those involved dawn raids conducted by the assistant commissioner, Mr. Tony Delaney, regarding a series of prosecutions he has commenced involving private investigators. Our powers are further strengthened under the new Data Protection Bill. While we will continue to have the same powers to enter, we will also gain the ability to obtain warrants from the District Court where there is an objection by a controller to our entry onto a premises. We are confident about those powers.

The Deputy also asked about the level of industry readiness in the context of the GDPR. Our office has undertaken a huge awareness campaign, particularly during the past 12 months. We surveyed the industry, especially SMEs and microenterprises, a year out from the GDPR. We saw that while there was a high level of awareness of the new laws, there was a great deal less preparedness in respect of them. We are rerunning the survey and should have the results next week. We can keep the committee updated on that.

I was asked about the huge number of events at which we have spoken and the type of representative bodies, for example, the Small Firms Association, with which we have engaged. There has been huge engagement in Ireland on the GDPR and there is a high level of awareness. However, there are some areas in respect of which organisations are not fully prepared, including some of the new ones covered under the directive. In particular, the requirement to deliver higher standards of protection for children is an area in respect of which we have not seen the level of engagement we want.

Senator McDowell asked about a situation whereby someone from Northern Ireland might want to influence matters. He or she could seek to influence offline or online. The question related to online and data protection issues. I cannot speak to what electoral laws would apply. I presume finance and transparency provisions would apply to whoever was funding a campaign in terms of making a declaration. In the context of targeting online, such an entity could purchase advertising with Facebook and target based on segments.

I was asked about clear opportunities to opt out. The opportunities are not clear enough. We have been having the same discussion since I became Data Protection Commissioner. Those who are in the data protection business longer than me say that we have been having the same discussion for ten or 20 years. This is why Ms Viviane Reding has said that the time has come for punitive fines and a new, modernised, fit-for-purpose law, which is something we will have from next month. Aside from clear opportunities to opt out, free Internet services based on the monetising of personal data and the way in which the ad-tech sector operates require us to unravel and look behind the whole sector. In data protection terms, any publisher or newspaper using social plug-ins and dropping third-party cookies from its website is the controller in those instances and has obligations under the law. This is what we have started to discuss with our fellow data protection authorities. As we supervise the platform and its responsibility, there is a need to look at all of the other players in a sector which has a very long tail that leads to opaqueness for users.