Ms Anna Morgan:

We thank the Joint Committee on Justice and Equality for the invitation to attend in order to discuss the recent annual report of the DPC for the period from 25 May to 31 December 2018. I am one of five deputy commissioners at the DPC and head of legal affairs. Accompanying me are Jennifer O’Sullivan, deputy commissioner, who is head of strategy, operations and international affairs, and Cathal Ryan, assistant commissioner, who has responsibility for the consultation function in respect of the public sector and law enforcement matters.

As members will be aware, 2018 was a momentous year for data protection in Ireland and across the EU, with the GDPR entering into application on 25 May 2018. This new legal framework has brought about transformative changes to the data protection regulation system, enhancing the data protection rights of individuals, cementing the responsibilities of organisations when processing personal data, and providing data protection regulators with a new toolbox of hard-edged enforcement mechanisms. While the GDPR is an EU regulation, it allows member states to give further effect to certain aspects of its rules at national level. This was done in Ireland by way of the Data Protection Act 2018 in respect of which this committee carried out pre-legislative scrutiny in mid-2017. The DPC acknowledges the valuable work carried out in relation to the general scheme of the Data Protection Bill 2017 and the comprehensive report which was produced by this committee as the outcome of that process.

The Data Protection Act 2018 forms a vital piece of the Irish data protection regulatory framework. In essence, the 2018 Act serves three overarching purposes. First, it gives effect at a national level to the GDPR in respect of those areas where a margin of manoeuvre was allowed for member states to specify the GDPR’s rules, such as the area of the age of digital consent. Second, the 2018 Act transposed the law enforcement directive into Irish law. That directive provides a separate set of data protection rules relating to the processing of personal data by law enforcement agencies for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Third, the 2018 Act ended the existence of the Data Protection Commissioner and replaced it with the DPC, which is a body consisting of at least one and not more than three people, each of whom is a commissioner for data protection.

Together, the GDPR and the 2018 Act provide the DPC with a greatly strengthened suite of investigative, authorisation and enforcement powers. Under the previous legislative framework of the Data Protection Acts 1988 and 2003, the enforcement powers available to address contraventions of the law were essentially limited to the issuing of enforcement notices. However, under the new regulatory regime, the DPC may issue reprimands and warnings, and impose administrative fines up to a maximum of the higher of €20 million or 4% of annual global turnover. The DPC also has the power to issue directions to organisations to comply with requests by data subjects to exercise their rights, to bring processing into compliance with the law and to issue bans on processing or data transfers, amongst other powers.

The DPC’s enhanced medley of powers is reflective of its much increased range of statutory functions under the GDPR and the 2018 Act. These include raising awareness of rights and risks for individuals and of obligations on organisations which process personal data, advising the legislative function of Government on certain legislation, and co-operating with other data protection supervisory authorities in the EU to ensure the consistent application of the GDPR. At the core of the DPC’s obligations as the regulator and enforcer of data protection law is the obligation to handle every complaint relating to data protection which is lodged with the DPC and to investigate such complaints to the extent appropriate. In this regard, a significant change from the previous legislative regime is that the DPC is no longer obligated to issue a statutory decision on every complaint where it has not been possible to reach an amicable resolution between the complainant and the organisation concerned. While the DPC must now handle the complaint, it may address the complaint through a number of different actions including, among other things, issuing enforcement notices to the organisation concerned requiring it to take a particular action, issuing advice to the individual concerned, brokering an amicable resolution, or, where appropriate, commencing a statutory inquiry. The DPC has already found that the flexibility offered by the new national legislative regime in this regard has allowed it to make much more efficient use of its resources in seeking to vindicate the rights of individuals rather than having to dedicate significant resources to drafting and issuing statutory decisions. This efficiency is particularly significant in the context of the increased volumes of complaints that are now being received by the DPC, compared with the pre-GDPR period, which I will discuss in a few moments.

It should be noted that while the GDPR and the 2018 Act have been applicable since 25 May 2018, the new legislative regime does not apply retrospectively. Rather, the previous legislation, the Data Protection Acts 1988 and 2003, has been retained in law for certain limited purposes, including for dealing with complaints which relate to data processing prior to 25 May 2018 and for investigations which had already been commenced before that date. The DPC continues to deal with a number of complaints and issues which must be resolved under the previous legislative regime, including complaints which continue to be received in respect of the pre-GDPR period.

The DPC’s remit as a regulator is somewhat exceptional in that it applies regardless of industry and sector where any organisation, public or private, with the sole exception of the courts, is processing personal data. However, despite our broad jurisdiction to supervise the processing of personal data, it is important to point out that we do not have regulatory competence in law for many contemporary issues, such as so-called fake news, online content moderation and Internet safety.

Since the introduction of the GDPR, data protection has undergone what the Commissioner referred to in the 2018 annual report as the “GDPR effect”; in other words, the mobilisation of individuals to action to tackle what they see as misuse or failure to adequately account for and explain what is being done with their data. This has been reflected in the significant increase in complaints and queries received by the DPC during the period from 25 May to 31 December 2018, with more complaints received in that seven-month period than in the full year of 2017. Equally, this period has seen a doubling in the number of data breach notifications received by the DPC with the now mandatory requirement on organisations to report data breaches to the DPC within 72 hours. In light of the requirement on the Government to consult the DPC on certain new legislation which concerns data processing activities, there has also been a very significant increase in the DPC’s workload to review and provide observations on new and draft legislation, with 25 items of primary or secondary legislation coming to the DPC for review during this seven-month period.

Critically, the DPC commenced a considerable number of statutory inquiries under the GDPR during 2018 concerning systemic issues in the commercial and public sectors. Of these, 15 relate to the multinational technology sector, examining issues involving processing by Internet platforms, such as the right of individuals to access their personal data, transparency, the legal basis for processing and the security and safeguarding of users' personal data. A further 33 domestic statutory inquiries were also commenced during 2018, examining issues such as the use of CCTV by local authorities, data breaches by Tusla, and the role of the data protection officer in the Department of Employment Affairs and Social Protection. Each of these inquiries is complex, challenging and raises multiple data protection and legal issues, and the DPC has allocated considerable resources to investigating these issues of systemic public importance. It is expected that the majority of these inquiries will be concluded during 2019. During the period in question, the DPC also took successful prosecutions against five organisations for 30 offences in total related to direct marketing under the regulations known as the e-privacy regulations.

As committee members are aware, the DPC's functions and responsibilities are not solely reserved to domestic regulation of data protection. Under the GDPR and the new one stop shop regime, the DPC has the role of the lead supervisory authority for multinational organisations that have their EU headquarters in Ireland and meet objective criteria to demonstrate that this is their main establishment in the EU. This means that, in addition to handling and investigating complaints from data subjects in Ireland related to these organisations, the DPC must also do so for data subjects in other European Economic Area, EEA, jurisdictions, including when the complaints were originally lodged with other data protection authorities. The DPC is responsible for co-ordinating a consensus on a complaint or a possible infringement of the GDPR with all of the other EEA data protection authorities that are said to be concerned by the issues in question under the co-operation and consistency mechanism of the GDPR.

The DPC's activities in its role as lead supervisory authority represent a considerable proportion of its workload in co-operating with other relevant data protection authorities and keeping them up to date on ongoing investigations and complaint handling. In addition, as a member of the newly established European Data Protection Board, EDPB, which comprises all the EEA data protection authorities, the DPC devotes significant resources to travelling to the monthly EDPB plenary meetings and frequent meetings of its 12 subgroups, with upwards of 100 meetings planned for 2019, all with the aim of ensuring the consistent application of the GDPR.

The very serious expansion of the DPC's remit at national and EU level and the huge increase in workload volumes came as no surprise to the DPC. In the year leading up to the application of the GDPR, the DPC carried out an extensive evaluation and change management process to map the operational and resource impacts of the new functions that the DPC was to take on and the anticipated increases in volume. The Government's increased funding for the DPC during 2018 of €11.7 million, of which €7.3 million represented pay allocation, enabled the DPC to respond to its need for greatly elevated staffing levels and recruit 25 people during the course of 2018, bringing staff numbers to 110. The DPC targeted specialist recruitment during this period, running five specialist competitions with the support of the Public Appointments Service, enabling it to appoint new staff in the legal, investigations and technology areas among others. These appointments were critical for the DPC to continue to build a highly skilled workforce to deliver its expanded regulatory remit under the GDPR. The DPC has continued to increase its staffing levels in the early part of 2019 and the staff head count currently stands at 135, with further recruitment this year expected to take the DPC to 160 staff by the end of 2019.

Strategically, the DPC continued to prioritise its awareness raising activities during 2018, with an ambitious outreach programme of participation in national and international events as well as issuing public information and guidance, undertaking significant media engagement and launching a new website. In conjunction with these ongoing activities, the DPC launched a high profile public consultation at the end of 2018 on the processing of children's data and the rights of children as data subjects. This is with a view to producing guidance materials for children and young people and the organisations that process their data, and encouraging industry to draw up codes of conduct to promote best practices in this area. A further stream of this consultation launched in early 2019, which aims to directly gather the views of children and young people in the classroom through the delivery of a specially created lesson plan. Both streams of the DPC's consultation are running, with a closing date of Friday, 12 April. At a broader organisational level, the DPC commenced a significant project in late 2018 to develop a new five year regulatory strategy, which will include extensive external consultation during 2019. This new regulatory strategy will guide the DPC in prioritising its work and strategically balancing competing demands in the exercise of its regulatory powers, and will give greater insight to stakeholders on how the DPC intends to regulate.

As was 2018, 2019 will be a big year for the DPC, with these consultation projects, its continued expansion and operational enhancement plans and, particularly, with the first wave of decisions arising from its ongoing statutory inquiries anticipated in the latter half of the year. The DPC is committed to firm and robust regulation and looks forward to continuing to break new ground during 2019 under the GDPR and 2018 Act. We thank committee members for their attention and are happy to take questions.