Patrick Costello (Dublin South Central, Green Party) | Oireachtas source

I will be as quick as I can. I acknowledge the work of the committee secretariat in compiling this report and the support they have given committee members. It is also important to acknowledge the role of the GDPR in protecting civil rights and our fundamental freedoms. If we look at the issues of real-time bidding and the use of these things in disinformation, misinformation, the manipulation of society and the undermining of democracy, we can see at one end why the GDPR is important. However, the GDPR will only be effective if it has teeth and if it is administered effectively. We asked for new commissioners and I acknowledge the Government has committed to appointing two such commissioners. Getting the right experience and skills is incredibly important.

However, I utterly reject the Government's line that the commission has performed its role as an independent data protection regulator in the State very effectively to date. I will offer more evidence on that but will start by considering the statement by the European Commission Executive Vice-President, Ms Vestager, who said that the EU Digital Services Act was written in a way to cut out Ireland to ensure it would not have the lead supervisory authority or role because everyone was disappointed by how we were performing in this area. That lack of effectiveness will result in huge economic loss for us. I will also point to the case of DPC v. Doolin in June this year. This was a High Court case and a later Court of Appeal judicial review on the decision-making of the Data Protection Commission. The Court of Appeal held that the commission was wrong in its understanding of law. The court called it "a manifest error ... which is serious and significant." Both the High Court and Court of Appeal held that the DPC made critical errors in its understanding of the concept of personal data. If the Data Protection Commission is getting the basic definition of "personal data" wrong, and is being held by the High Court and the Court of Appeal to have done that, it is not fair to say that office has been effective to date.

We also need to look at some of the issues raised by Deputy Lawless, such as the use of the terms "resolved" and "concluded", the opacity of this, and on what decisions are being made and how they are being made.I cannot remember the figure off the top of my head, but a significantly high number of decisions have been made, in the order of 84%, which used amicable resolution. That figure may only relate to cross-border decisions but there is a disturbingly high number of amicable resolutions, many of which focus on repeat offenders. European data protection authorities have come together to produce their own guidance, which outlines when amicable resolution should be used and when it is not appropriate. We continue to use it time and time again on occasions when it has been called out as inappropriate and because we keep doing that, we are missing systemic problems within the GDPR and systemic breaches of the GDPR. If we are failing to tackle systemic and repeat offenders, then we are hardly being effective. We are just not effective. On cross-border cases, we are not delivering results or numbers at the same level as other data protection authorities across Europe. We have been called out on this. As I said, the Commission Executive Vice President, Ms Vestager, called these things out specifically.

We have also been criticised and corrected regarding cross-border decisions that have gone to other European data protection authorities. There is significant evidence of weight of other data protection authorities calling us out as the roadblock to effective administration of the GDPR and they are taking steps to get around us. As I said, the Commission is writing legislation to cut us out because it does not see us as effective in any meaningful way. This was on the cover of the Business Post. I do not understand why this is not a huge scandal. The loss of the role we could have had under the EU Digital Services Act will affect our economy and the nation's bottom line. This is all because we have not had, despite what the Minister of State may claim, an effective administration of the GDPR in this country.

It is not just about the budget. When I was elected in 2020, I started raising this subject. At that point, the commission was not resourced properly. The Data Protection Commission now has the fifth-highest budget of any EU data protection authority so it is not just about budget. It cannot just be about budget. This is why we need this independent review. It must be an independent review so we can examine the policies, procedures, decisions and the use of amicable resolutions. What exactly do "resolved" and "concluded" mean? Why are we continuing to fail to address the systemic problems? These are the issues we should look at. The addition of two extra commissioners gives us a perfect opportunity to do that.

I will also flag that a review of procedures, and legislation around procedures, is now essential in light of the Supreme Court decision in the Zalewski case. While we talk about whether the DPC is in line with EU law, I am not fully convinced the DPC is in line with constitutional law as adjudicated by the Chief Justice in the Zalewski decision. The Chief Justice was very clear that quasi-judicial decision-making bodies should have the same standard of justice as a court. We had to introduce emergency legislation to amend the policies, procedures and processes of the Workplace Relations Commission, but that will happen across all our quasi-judicial decision-making bodies. Major consequences flow from this that we are barely beginning to grapple with.

Now is the time we need to look at this matter and ensure we are meeting basic Irish constitutional justice standards because I do not believe we are. Are we achieving European standards in effectively administering the GDPR? I do not believe we are. Again, I am not alone in this. The European Commission said the same things I am saying. The Court of Appeal and the High Court in Ireland have both said the same thing. I cannot more firmly reject the suggestion that this commission has been very effective to date. The step of appointing two commissioners is very positive but we need a fully independent review to ensure that the Data Protection Commission can be effective into the future.

See this speech in context