Ms Anna Morgan:

In regard to fines, there is a particular process that must be followed as set out in the legal framework established under the 2018 Act. There is a decision made in the context of a statutory inquiry that is opened under section 10 and that decision is on whether there has been an infringement of the GDPR or the 2018 Act. The next step which the commission must take in exercising its decision-making power is to decide if there has been an infringement the type of corrective power that should be imposed. As the Deputy mentioned, administrative fines are one of a range of corrective powers that can be imposed by the commission. These corrective powers are the same across Europe.

Regarding the process that has to be followed, earlier I referred committee members to the statutory inquiry process we have outlined in our annual report. It is important to underline that. There cannot be any short cuts taken in the statutory inquiry and the decision making that occurs at the end of that inquiry. Ultimately, our decisions as a quasi-judicial body must be robust and legally sustainable. There are extensive powers in terms of judicial remedies that are open to any party that is impacted by our decision. We are mindful, in having plotted out those procedures over and above what is in the 2018 Act, that we must take full account of the right to due process and to fair procedures, which are all referenced in the GDPR as well. As I said no short cuts can be taken in regard to our inquiries. It is a process that must be followed. Once the fact finding stage has been completed and the analysis of the facts has been completed and the official decision-making function has been carried, out the end point will be a determination as to whether a corrective power or administrative fine, among others, should be imposed.

I refer the committee to Article 83 of the GDPR, which sets out the circumstances that must be taken into account by a data protection authority when determining the level of fine that should be imposed where there has been found to be an infringement of the GDPR. Of particular importance in this regard are issues such as the nature, gravity and duration of the particular infringement. The GDPR also emphasises that the purpose of administrative fines is to be effective dissuasion. They must also be proportionate. These are all factors which will be taken into consideration in the context of the decision-making phase, which will come after the investigation phase of our statutory inquiries concludes.