Anne Rabbitte (Galway East, Fianna Fail) | Oireachtas source

I thank the Deputies for providing me with the opportunity to address the House. I am doing so on behalf of the Minister, Deputy McEntee, who sends her apologies that she cannot be here due to her attendance at the British-Irish Intergovernmental Conference.

We are here to discuss the Data Protection Commission and the legislation that underpins its work, the Data Protection Act 2018. The discussion takes place in the context of the report on the topic of the general data protection regulation published by the Joint Committee on Justice in 2021. I thank the committee for its hard work in compiling the report.

The GDPR report followed a public stakeholder engagement on 27 April with the Data Protection Commissioner and other stakeholders, including the Irish Council for Civil Liberties and Mr. Max Shrems, a data privacy advocate from the organisation known as None of Your Business, NOYB.

I want to be clear that under the Data Protection Act 2018, the Data Protection Commission is statutorily independent in the performance of its tasks and the exercise of its powers. This is in line with the GDPR, which states that supervisory bodies must be independent. The Government's commitment is to ensure the DPC is supported through both resourcing and a robust statutory footing to carry out its work.

The GDPR entered into force on 25 May 2018. It provides for higher standards of data protection for individuals and imposes more detailed obligations on bodies in the public and private sectors that process personal data. The GDPR also increases the range of possible sanctions for infringements of these standards and obligations.

The programme for Government clearly commits to recognising the domestic and international importance of data protection in Ireland. Delivering on this commitment means supporting and resourcing the DPC to deal with an ever-increasing workload with increasingly complex investigative requirements. This is largely due to the one-stop mechanism, which is a core element of the GDPR, providing for a central point of enforcement by a lead member state supervisory authority. Due to many major technology companies locating headquarters in Ireland, the DPC has significant lead supervisory authority responsibilities across the European Union. To that end, the resources of the DPC have steadily increased in recent years. The DPC has been funded under its own Vote as of 1 January 2020, with the Data Protection Commissioner as Accounting Office. The DPC received an allocation of €26.2 million under budget 2023, an increase of €3 million from 2022. This means that next year, funding will have increased more than sevenfold from its 2015 allocation, in line with the DPC's increased functions. To put this into perspective, the funding allocation in 2015 was €3.6 million. The DPC's sanctioned budget allocation for next year allows for recruitment of up to 283 staff by the end of 2023, which is an increase of 25 staff on the sanctioned figure for 2022.

The Department's role requires regular review of the legislation underpinning the DPC's work to ensure it is up to date and fit for purpose. To that end, the Courts and Civil Law (Miscellaneous Provisions) Bill 2022 will include a number of Committee Stage amendments to the Data Protection Act 2018. These are currently being drafted and cover a number of areas, including ensuring data subjects have third-party beneficiary rights in primary law, clarifying confidentiality obligations and clarifying DPC powers in respect of the issuance of reprimands.

A further proposed amendment will confer jurisdiction to hear data protection actions related to the District Court and, as it currently stands, the Circuit and High Courts. This will provide data subjects with improved access to justice when initiating actions under this Act and should reduce the associated costs for the data subjects and those providing a defence claim. The Bill was published on 13 September and is scheduled to go to Second Stage in early October.

The Government has committed to ensuring Ireland delivers on its responsibilities under the GDPR. The Department of Justice continues to monitor the impact of implementation of the GDPR and the impact of any possible future regulatory changes, as well as any changes within industry, in conjunction with the DPC. As part of this effort, an examination was instigated in 2021 by the then Minister for Justice, Deputy Heather Humphreys, to consider whether an increase in the membership of the DPC should be pursued. In line with the Government's commitment to ensuring the DPC can best deliver on its responsibilities, the Department of Justice was asked to consider the matter of appointing additional commissioners as provided for under the 2018 Act. This was initiated on the basis that the DPC had evolved significantly since its inception. In order to support the evolving organisational structure and the governance and business needs of the DPC, on 27 July, the Government approved commencement of the process to appoint two additional commissioners. This was in line with the Data Protection Act, which provides for the appointment of up to three commissioners. The Minister knows that these decisions also accord with the recommendation of the Joint Committee on Justice to appoint additional commissioners in its report on the GDPR. The GDPR report further suggested that at least one commissioner should have expert knowledge of material and procedural law. The Public Appointments Service is tasked with making a recommendation on the two people for appointment as commissioner, following an open selection competition. The expectation is that the new commissioners will have the appropriate skills to perform their functions under the Data Protection Act. This process is expected to take six months to complete.

The Joint Committee on Justice report on the GDPR makes a number of recommendations in respect of the DPC. The Minister feels it is important to acknowledge that in the 15 months since the publication of that report, the DPC has achieved notable results as lead supervisory authority for personal data processing of the many global Internet platforms which are headquartered in Ireland. This is borne out by the accurate statistics on the DPC's work, which were published on its website. Article 60 of the GDPR provides for co-operation between the lead supervisory authority and the other supervisory authorities concerned when making a decision. Last year, the DPC issued more draft Article 60 decisions about major breaches of the GDPR than any other data protection authority in Europe. The DPC leads the bloc in both the quantum of monetary fines imposed on the draft decisions and the number of corrective measures enforced against online platforms. Furthermore, its decisions have been approved by fellow data protection authorities around Europe in over 90% of the cases.

The DPC has issued significant enforcement fines, the most notable of which include the €225 million fine imposed on Facebook in July 2021. In March this year, Meta Platforms Ireland Limited, the parent company of Facebook, was fined €17 million. It was fined €405 million last month for GDPR violations involving Instagram. On 13 September, the DPC also announced a draft Article 60 decision to other concerned supervisory authorities across the EU following a large-scale inquiry into TikTok. In addition to this, in 2021 the DPC also imposed a number of sanctions on other bodies.

According to the DPC, almost €650 million in fines has been levied against companies as a result of its investigations. It is fair to say that the DPC has performed its role of independent data protection regulation in the State very effectively to date. I want to emphasise this point, particularly in light of ongoing criticism of the organisation. It is particularly disappointing that some of that criticism continues to be based upon incorrect figures despite clear corrections having been provided by the DPC on multiple occasions.

The Government's decision to appoint two new commissioners sends a strong statement of its intention to continue to build the capacity of the DPC, support the existing commissioner and ensure that the DPC can continue to deliver on its role. The DPC has developed and grown significantly under the leadership of the current commissioner, Ms Helen Dixon, since its establishment. That is why, in light of her considerable experience and expertise, the Government has agreed to the proposal of the Minister, Deputy McEntee, that Ms Dixon be nominated as chairperson of the DPC pursuant to section 16 of the Data Protection Act. The Minister has also asked the DPC to undertake a review of governance structures, staffing arrangements and processes. The Joint Committee on Justice's GDPR report requested such a review be undertaken which should include an examination of whether staffing levels and resource allocation are appropriate.

The review is being carried out to support the work to be performed by the new model of commission, which comprises three commissioners instead of one.

The Government values the DPC's important and independent role as one of the largest EU data protection authorities and acknowledges its strong track record in carrying out its duty. The Department of Justice will continue to provide the support it requires.

See this speech in context