Jack Chambers (Dublin West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the witnesses for appearing. I dealt with representatives of the DPC at the Joint Committee on Justice and Equality when we were processing the Data Protection Act 2018. I am alarmed by the soft wording in the statement provided by the DPC. There is reference to ongoing engagement with the companies. That is too soft and weak. The DPC has strong legislative back-up under GDPR and there should be enforcement consequences. Engagement is not good enough when damage is being done by companies that are based here. People's private conversations and lives are being invaded and the GDPR is being breached. It is not good enough to state that the DPC has yet to reach a conclusion. It has a remit to inform the public about the breach of the GDPR by these companies and the fact that information on people's private conversations and lives is being collected. We know from evidence presented in The Guardianand by whistleblowers that that has happened, and is happening. However, the DPC is merely engaging with the companies. It should be concentrated on enforcement.

Have the companies become too big to regulate? Is the DPC too small to regulate them? There is a trend across several areas whereby damage is continuously being done. A leak of sensitive information could impact on people's private lives. I do not criticise Mr. Sunderland. There are funding issues. I acknowledge the DPC is attempting to increase its ability to deal with the concentration of data that rests in this country.

The committee spent months discussing the digital age of consent.

That is not being adhered to here. There is no lawful basis for what they are doing. It is not transparent because nobody knows it is happening apart from people who happen to read The Guardianand other newspapers. People with Apple watches or who subscribe to Amazon do not know that it is happening. What is the commission doing to drive awareness of this? Is there evidence of the sharing or sale of this data? How many companies are processing data of this nature? Is there a mechanism through which the practice can be actively monitored? I would like to hear more from the commission about enforcement. Can the officials provide detail about what that might mean for companies? Is the enforcement consequence sufficient to remove the clear breach? These companies have decided to breach the regulatory framework and GDPR and have knowingly breached them.