Dáil debates

Thursday, 6 October 2022

Report of the Joint Committee on Justice on GDPR: Motion [Private Members]

 

4:10 pm

James Lawless (Kildare North, Fianna Fáil)

I move:

That Dáil Éireann shall take note of the Report of the Joint Committee on Justice entitled "Report on meeting on 27th April 2021 on the topic of GDPR", copies of which were laid before Dáil Éireann on 22nd July, 2021.

I thank Deputies Pringle, Costello and the other members of the Joint Committee on Justice, of which I am Chairman, who have engaged in producing this report, some of whom cannot be present today. I thank the Minister of State, Deputy Rabbitte, for taking the debate and Deputy Buckley and the other Deputies who are in the Chamber for the discussion. This is the first report of the prolific justice committee that has come before the House, although we have delivered many reports in the past two years. It is a very good committee, the members of which work together productively and collaboratively. I am delighted one of our reports has found its way to a full formal debate in the Chamber.

The report we are considering deals with the general data protection regulation, GDPR, which falls under the remit of the committee and the Department of Justice. The regulation is in its fourth year as applicable legislation and it has had a significant impact on Ireland in the sense that we are the lead regulator for GDPR across the EU. That in itself has led to some tensions, with views being expressed at home and abroad that the approach is perhaps not always consistent. There is a threat associated with being both the home regulator and the EU-wide regulator. Some regulatory bodies within the EU and elsewhere would like to bring that function home, as it were, and decentralise the approach. It would not be a good thing for Ireland if that were to happen as it would not reflect well on our competencies and capacities. Our economic offering includes certainty for those who are headquartered here. We hold 40% of the EU's data sets and there is a significant presence by multinationals and similar corporations. There are many moving parts. The GDPR is relatively new legislation and very important for Ireland. There are great opportunities but also challenges and it is in this context that I bring the committee report before the House.

We published the report in July last year. Many members of the committee indicated an interest in this topic when we set about our work programme. We acknowledge the significant responsibility Ireland has in being the lead supervisory authority in Europe, which makes us responsible for progressing cases of data protection breaches filed against all companies the European headquarters of which are located here. In effect, we are the European headquarters for GDPR, which often means, by extension, we are the European headquarters, full stop, for those companies. Two weeks ago, we had an opportunity to meet with members of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, LIBE, which I will refer to again presently. We had a very good interaction with those members in which we discussed concerns expressed by counterparts across Europe that the fundamental rights of privacy for EU citizens may be endangered by lack of sufficient enforcement of the GDPR. Enforcement begins at home and Ireland's regulator is both State regulator and lead EU regulator, which makes this an issue of concern to the House.

As always, the Oireachtas committee conducted a stakeholder engagement and solicited a number of opinions in the course of this exercise. We invited key stakeholders to submit their written opinions and we then had a public meeting of the committee on 27 April 2021. This was a very interesting engagement and all the richer for the participation of our stakeholders. They included Dr. Fred Logue of FP Logue Solicitors, representatives of the Irish Council for Civil Liberties, ICCL, the Data Protection Commissioner, Ms Helen Dixon, and Mr. Max Schrems, who will be known to those following this discussion as a data protection veteran and expert. A number of members of the committee have since met with Mr. Schrems informally over coffee and were again pleased to hear his views on these matters. The stakeholders were invited to present to the committee any areas of reform or improvement they considered to be most necessary and urgent to implement and enforce the GDPR, with the aim being to establish which specific areas of enforcement could benefit from improvement and strengthening to ensure an efficient implementation of the regulation.

A number of key issues were raised by stakeholders. One was the delay in processing cases and complaints made to the Data Protection Commission, DPC. The committee was told this is one of the biggest stumbling blocks to achieving effective GDPR enforcement in Ireland. We have heard it said many times that cases take a very long time to get to completion. In some cases, completion is never marked and there is no end date to a complaint. Complaints seem just to sit. There may be reporting improvements in terms of a case closing mechanism whereby a case can be closed out rather than sitting on a shelf. The statistics may be somewhat skewed in that regard but there certainly is room for improvement. It was noted that Austria has issued 852 decisions and Spain has issued 700 since the implementation of the GDPR in 2018. In the same timeframe, Ireland, despite being lead regulator at an EU level, issued only four decisions. Those statistics do not flatter us. As I said, I understand there may be a system whereby the DPC does not close cases and, therefore, they appear to linger.

Some closure would be useful for all concerned and certainly would help the closing out of those items. The Data Protection Commissioner told the committee, in her own evidence that, among other reasons, the principles-based nature of the GDPR and the fact that there is little established case law to guide such evaluations means that every case must be evaluated on its own merits and this can take significant time. I do not really accept the point that the lack of established case law means it cannot be done. Any piece of law, by definition, is new, and it takes a while for courts and judges to pass decisions. The role of a regulator charged with upholding that legislation is to grapple with it and begin to make decisions. Perhaps they do not have the full force of precedent but I do not accept that a regulator must wait for a period of years for courts to consider a matter in detail before it can begin to follow a particular pattern. I think it should be the other way round or at least in parallel.

The next point that was made was that the Data Protection Commission needs to clarify its procedural law when processing complaints and cases of data breaches. The committee was told that the unclear nature of the DPC's processes means that cases risk being overturned due to apparent unfairness and a lack of transparency in decision-making processes and the exact definition of cases being concluded or resolved by the DPC must be clarified. That is a point I made a moment ago. In response, the DPC told the committee that it would attempt to codify what it publishes in its processes if it would provide greater legal certainty. Another point that was made in the debate was that the general compliance with and enforcement of the GDPR is perceived as being weak, which is not a good reflection on Ireland. Witnesses told the committee that non-compliance with the GDPR can often appear consequence-free and that companies will continue to breach the GDPR if they feel that there are no credible sanctions for non-compliance. I should say that some headline sanctions have been issued recently, including to some multinationals. However, there is still a view abroad that non-compliance does not really lead to any particular or purported sanction. Witnesses also criticised the lack of transparency in the DPC's approach of informal engagements with large corporations to find solutions to issues with GDPR, rather than the DPC using enforcement measures against them to comply with the GDPR. The poacher and gamekeeper becoming friends never makes for a good regulatory model. I think there is a suggestion that the DPC, at times, engages in a deep-dive with particular lead parties, but that is not necessarily good practice. I understand that there may be a practical desire to get close to the problem and attempt to work collaboratively to find a solution but perhaps the pendulum has swung too far. 
Certainly, the point was made by witnesses in the debate that the regulator is in with the regulated, helping them to devise processes. A better approach may be to stand back and actually issue sanctions and impose direction, rather than being in under the hood.

The risk of poor enforcement of the GDPR to Ireland’s role as lead supervisory authority in Europe is one that I flagged at the outset. It is of great concern not just to the technical GDPR arena, but to our economic offering. If we cannot guarantee certainty to technical and business companies that are headquartered here, the next logical implication is that the reason for the attractiveness of Ireland and Dublin as a hub begins to wane and some of that business begins to move abroad. The committee was informed that the DPC’s ability to carry out its role as lead state authority is coming under scrutiny by its European counterparts. We have seen pressure from other European states to relocate activity and to actually be allowed to regulate themselves in other EU capitals. Witnesses directed the committee towards several high-profile cases, such as the decision of the European Court of Justice in June 2021 when it effectively ruled that other data protection authorities, DPAs, could sidestep the DPC where it was perceived as being too slow in pursuing cases. The committee was concerned about the impact on Ireland’s reputation as the centre of data regulation in Europe if that became common practice.

I will move on to some of the key recommendations that were made in the report, on behalf of the committee. The committee recommended that the DPC moves from emphasising guidance towards a hard enforcement approach as a matter of urgency and that it be supported to do this by whatever means necessary, including the provision of additional resources, should that be required. It was recommended that the DPC increase the use of its sanctioning powers under Article 58(2) of the GDPR and that the DPC should publish quarterly statistics on the use of its sanctioning powers. The committee recommended that, to speed up the timeframes in which decisions on GDPR cases are issued, a separate decision-making entity within the DPC, separate to that of commissioner, could be created or individual case managers could be allowed to issue final decisions in cases on behalf of the DPC or both. In other words, delegate and divide and conquer. That makes a lot of sense. The committee recommended that the DPC should introduce more transparent and defined procedures when handling complaints, which should include clear deadlines as to how long it should take for cases to result in a final decision. It was recommended that multi-stakeholder hearings with other data protection agencies in Europe should occur first, in order for their feedback to be taken on board in this regard. I think an outreach programme to other European capitals and data protection regulation agencies elsewhere would make sense and would be part of healing those divisions that have emerged in recent times. As I have said, there is a bit of a turf war and some frustrations are being expressed elsewhere as to what are at least perceived, if not real, delays in Dublin.
It was recommended that the DPC provide clarity by publishing the exact processes it follows when handling complaints and that the DPC should clarify its definitions regarding cases being concluded or resolved and consider using similar terms to those used in other European DPAs to avoid misinterpretation. Again, the point I made earlier about whether cases are closed, concluded, resolved, a work in progress or in limbo, and where exactly they are at, holds true. That is why we only have four concluded cases when other countries have 700 or 800. Perhaps it is a reporting difference, but we need to get to the bottom of it.

The committee recommended that the Minister appoint two new commissioners. The legislation refers to "commissioners" rather than a "commissioner". It was recommended that in accordance with the provisions of section 15(1) of the Data Protection Act 2018, the Government should avail of that option and appoint additional commissioners to strengthen the team. Perhaps there could be specialties within particular areas. If additional commissioners were being appointed, perhaps they could have different areas of expertise or responsibility. The committee recommended that a review be undertaken to strengthen and reform the DPC and should include an examination of whether staffing levels and resource allocation are appropriate. It is very often a challenge for any regulator but in an industry that is highly technical and competitive at the coalface in particular, a regulator faces the same HR challenges in hiring staff and is in the same market for staff as the players themselves, which often have greater resources and competitive bargaining power. A regulator will often face challenges in recruitment for that reason. That should be examined and the resources should be made available to the DPC and if it does need to hire additional technical, legal and IT staff, it should be made possible. At least, the review should take place and an informed decision made.

Recently, the committee had the opportunity to meet with a delegation from the LIBE Committee within the European Parliament to discuss matters relating to GDPR enforcement and the committee's report. The engagement was very fruitful and the committee felt that it provided an opportunity to take stock of its report and review progress made. There were some very helpful suggestions from MEPs from other EU states. Arising from the engagement, the committee reiterates its calls for a review of the DPC and its policies, procedures and processes. Some have called for this review to be undertaken by an independent body and not by the DPC itself. Nemo iudex in causa sua: one should not be a judge in one's own cause. I think that recommendation makes perfect sense.

The committee also welcomes the decision of the Minister in July to appoint two new commissioners to the DPC. Although I do not believe the appointments have been made yet, there has been an indication of intent to do so. We ask that that be accelerated and made good. We stress the need for one of the commissioners appointed to have expert knowledge of material and procedural law. As I have said, different commissioners could have different strengths. It would make sense for them to complement one another rather than overlapping. Finally, the committee underlines its recommendations that the DPC should clarify the procedures used when handling complaints and provide clear deadlines as to how long it should take for cases to result in a final decision, alongside a clarification of the difference between concluded cases and cases which are resolved. Clarity in these matters would bring more transparency to the DPC's internal procedures and provide more confidence domestically and to its European counterparts.

I thank Members for their interest in this topic. I look forward to the Minister of State's engagement and, indeed, that of members of the committee. I look forward to the debate. I am glad to have had the opportunity to bring the report to the Chamber. I think it deserves a wide audience. It relates to matters that are significant for our regulatory reputation and our economic viewpoint and to very important issues such as privacy and data protection rights, which are enshrined at the heart of European and Irish legislation, and which deserve to be vindicated and regulated in a thorough and effective fashion.
