Anne Rabbitte (Galway East, Fianna Fail) | Oireachtas source

I thank the Deputies for their contributions to what has been an informative and enlightening debate, at least for me. I have learned an awful lot from listening to it and reading my scripts. As I said at the outset, I am taking this debate on behalf of the Minister for Justice, Deputy McEntee. I also extend apologies on behalf of the Minister of State, Deputy James Browne.

The Data Protection Commission is statutorily independent in the performance of its duties. The Government's role is to ensure the DPC is fully resourced and supported to carry out its functions. The Government values the DPC's role as one of the largest EU DPAs and acknowledges its successful track record of national cross-border data protection regulation. In my opening statement, I outlined the ways in which the Department of Justice provided resources and statutory support to the DPC. A number of Deputies referenced the four cases that had been concluded by the DPC. It has concluded over 17,000 of almost 20,000 complaints received from individuals up to August 2022, and 793 cross-border complaints where the DPC was the lead authority have been concluded.

The Department will continue to build the capacity of the Data Protection Commission, supporting the existing commissioner and ensuring the commission can continue to deliver on its role. The commission itself has pointed out that much of the criticism levelled against it is based on incorrect representations of its enforcement work. It has incorrectly been claimed that almost 98% of major GDPR cases referred to Ireland remain unsolved. The accurate data, which are published by the DPC website, demonstrate that the DPC plays an effective role. For example, 73% of all cross-border complaints handled by the DPC as the leading supervisory authority since May 2018 have since been concluded. Indeed, the DPC is the leader among all EU data protection authorities in terms of the quantum of fines imposed and corrective measures enforced.

In order to support the evolving organisational structure, governance and business needs of the Data Protection Commission, the Government has approved commencement of the process to appoint two additional commissioners. In making this decision, the Government recognises that the DPC has evolved significantly since its inception and has an increased work burden and investigative complexity, as well as the DPC's fundamental role within the EU data protection architecture.

The outcome of the DPC's forthcoming review of its governance structure, staffing arrangements and the process to support the work to be performed by the new model of the commission will no doubt pave the way for its continued growth and development. I wish to make it clear that the Government has asked the DPC to carry out this review in light of the decision to augment the resources of the commission by appointing two additional commissioners. This is the right approach to take as it is consistent with the independence of the commission and will allow it to examine its process in adapting to the changing environment. The committee's report requested that a review of the DPC be undertaken, which should include an examination of whether staffing levels and resource allocations are appropriate. This report did not specify that the review should be independent. However, the Irish and EU-based special interest group has called for an independent, more root-and-branch style review of how DPAs operate. In response to those calls, I reiterate that the DPC is a statutory independent body, as per section 12(7) of the Data Protection Act 2018. On that basis, Government intervention in the running of the DPC would be inappropriate. The Government would not intervene in the DPP or court decision-making and should not do so for the DPC either.

Furthermore, the DPC is subject to oversight by the European Data Protection Board, EDPB, the European Commission, Irish courts, and the Court of Justice of the European Union, CJEU. Given that recent decisions of the DPC and the EDPB are being reviewed by the High Court and the CJEU, the need for the Government to respect the independence of the DPC and the EDPB is emphasised. The DPC has also been undergoing reviews by, among others, the Comptroller and Auditor General, the DPC's independent audit and risk committee, the DPC's internal auditors and the courts. It is worth noting that no issue of any gravity has arisen in the context of those recent reviews. In fact, in December 2021, the justice Commissioner, Didier Reynders, stated that the Commission had not identified any issues with Irish data protection rules or how they are enforced.

I reiterate the value this Government places on the DPC's work, as well as our intention to continue to support and resource the commission to carry out its increasingly voluminous and complex workload. I thank Deputy Lawless and the members of the committee for bringing this report before the House.

See this speech in context