Patrick Costello (Dublin South Central, Green Party) | Oireachtas source

This is a rather complex and long-running case, the consequences of which reach into many areas of public policy. It will have implications for Brexit, foreign direct investment and foreign trade. Quite simply, on foot of this judgment, the EU-US privacy shield has been declared invalid. As such, there is no safe and legal way to transfer data from a European Union citizen to the United States. Any company carrying out such data transfers is doing so at significant risk.

This case started in June 2013, seven years ago. Hopefully now that we finally have the judgment, we can see some real action to protect the fundamental rights of European citizens concerning their own data and privacy. The collapse and demise of the EU-US privacy shield was inevitable and widely predicted. It was a replacement for the previous safe harbour arrangement, to which little change had been made. As that arrangement had been declared invalid, this ruling was inevitable. It would be really positive if we could see some action from the Data Protection Commissioner to prevent what are, according to the European Court of Justice, unsafe and illegal transfers of data. The German Federal Commissioner for Data Protection and Freedom of Information has already been warning people that they should stop these data transfers because of the demise of the EU-US privacy shield and the insufficient safeguards built into the standard contractual clauses on which companies will now have to rely.

The plaintiff in the case, Max Schrems, has published an open letter to the Irish Data Protection Commissioner asking when she will take action. One point we need to know is when the action will happen. The important follow-up question is whether the Data Protection Commissioner actually can act. Have we given her the resources to act properly? While her budget has increased, it is only a third of what she asked for. Her budget has failed to keep pace with the complexity and volume of complaints her office receives. We have seen her struggle to deal with this case. Serious complaints concerning real-time bidding, a very scary practice where data privacy is concerned, seem to have stalled and are going nowhere. Other data protection authorities around Europe have called us out as the roadblock to meaningful enforcement of the general data protection regulation, GDPR. We need to say when the action will happen. Are we giving the Data Protection Commissioner what she needs to act? I have said several times in this Chamber that we have not. After this judgment, her workload will not just become more complex; it will also massively increase. She does not have enough resources as it is, so we need to do more. This has huge consequences for many areas.

See this speech in context