James Lawless (Kildare North, Fianna Fail) | Oireachtas source

I thank the Minister of State. I agree with Deputy Pringle that she is a very hardworking Minister who is performing a number of duties in this House at the moment, not least her own. Well done to her on that. It is noted. I thank all Deputies who took part in the debate and the members of the committee, as well as Deputy Buckley, who I know speaks on behalf of Deputies Daly and Martin Kenny. I thank him for bringing those views into the room today. I also thank the tireless staff of the committee, in particular the sage that is Mr. Alan Guidon, who gives us great steer on every matter under the sun, not least this one, and is still a marvel with his technical expertise and procedural knowledge. I thank our policy advisor, Emer Hannon, and our staff, Fiona McCarthy and Keelan Crowe, who all worked tirelessly on the many reports that have been produced. I also take this occasion to put on the record that the justice committee covers 50% or more of all legislation across the Houses, so I again give credit to the members of the committee for their co-operation and throughput in that regard.

I welcome the statements by the Minister of State, particularly the news that the appointment of the two additional commissioners is ongoing. I look forward to that process completing. The committee would welcome a role in that process. There is a procedural precedent for candidates coming before the committee for a hearing and we stand ready to do that at the appropriate time. I stress the importance of the two new commissioners complementing the current commissioner but also bringing some diverse skill sets to the role. We do not need three people doing the same job; we need three people doing different jobs with different skill sets and drawing from different professional life experiences. That is a positive development.

The Minister of State noted that one of our recommendations was that a review be performed of the organisation. She advised that a review is being initiated.

I welcome that but I would add the caveat that, as I said earlier, an internal review is often less useful than an external one. If there was another body or if somebody was seconded in as part of that, it might add greater value. It would certainly have greater credibility even if the result is the same. It would be in the organisation's own interest to consider that approach. I know the Minister of State will pass that suggestion on to the relevant Minister. It should be taken on board.

Great emphasis is placed on the statistics. There are lies, damned lies and statistics. It is quite confusing, even for the people in the weeds on this, to determine whether their case has been closed, satisfied, progressed or concluded and often it can be a matter of opinion or labelling. In my office, I operate a constituency representation system. I often wonder whether a case is really closed. I wonder whether it is closed to the satisfaction of the person who raised it. We might say that the matter has been replied to but that does not necessarily mean the case is closed and it certainly does not mean it is closed satisfactorily. We could spend all day using different labels as we try to figure out the most appropriate one. We need to bring some clarity to this because a number of stakeholders and witnesses across the EU and locally have identified this as being an issue. Perhaps it leads to under-reporting or under-crediting of the DPC. Perhaps it leads to misreporting across Europe. Some kind of consistency of approach to those categories would be helpful for all concerned.

Some other findings of the committee perhaps did not get as much attention today. Under the Data Protection Acts that preceded the GDPR, the data protection website featured case studies that I found quite useful. People could look up a particular scenario if, for example, they owned a small business or were considering making a complaint. A club or organisation wondering what procedure it could use in a particular scenario could look it up to see what someone else had done and what the finding was. There was a good knowledge base under the old system. I do not believe that is still in place and I am not sure if it would be compatible with the GDPR.

Sometimes people believe that the foot that treads lightly is the better approach. Alternatively, heavy enforcement leads to fewer breaches. There is an initial flurry of activity because there is lack of compliance, enforcement and sanctions and this can lead to increased resources being required but behaviours begin to settle down after a while. If the stick is wielded at the start, businesses and organisations get to know the system and what happens if they put a foot out of line unless people put a foot out of line in the first place because people begin to behave themselves and the system almost manages itself. I note that there were multiple complaints regarding data subject access requests, is any individual has a right to make. Many organisations are still not fulfilling these requests to the extent they should and perhaps the DPC has not been as heavy-handed as it ought to have been in those scenarios. If that was applied robustly and consistently, those organisations would cop on pretty fast and we would end up with fewer complaints on the far side because better practices would ensue.

Deputy Costello quoted a Business Postarticle. A concern flagged by me and other Members today and in the committee is that there is an economic advantage for Ireland, which is vulnerable. It is often thought that perhaps large tech companies welcome a light touch but they do not always welcome it because what business really wants is certainty. If there is uncertainty about a decision that is coming down the track or there is a risk of another decision being imposed by another EU state because the decision in Ireland is taking so long to come around, businesses are left in an uncertain environment. Contrary to what might be intuitive, business, including big business, will actually welcome a heavier touch and if that means sanctions, so be it, provided there is certainty of approach and companies know certain actions will have certain consequences. That leads to a more certain business environment, which is a more attractive business environment.

Deputy Costello mentioned the digital services directive. I would add that an artificial intelligence, AI, directive is coming downstream from Europe. It may be that Dublin is viewed in certain capitals as a less attractive option for centralisation of areas such as digital services or AI regulation and activity because of a perceived lack of enforcement on data protection, which undermines our offering in other areas. There is a wider tapestry to consider.

I am not sure if it was Deputy Pringle or Deputy Costello or both who made the point regarding the Zalewksi decision. The point was made by a number of witnesses at the committee as well that the DPC procedures tend to be internal. There is a degree of opacity as to how certain decisions are made. I strongly recommend that it be considered whether there is room for a forum similar to the Workplace Relations Commission or the Residential Tenancies Board, which are quasi-judicial bodies that can hold hearings that allow affected parties to come into a room, have a hearing, be represented if they require it and have a decision issued within a space of time. I know the Residential Tenancies Board processes 20 cases per day while the Workplace Relations Commission might be similar. Many resolve themselves prior to getting to that stage. The Zalewksi decision shone a light on those and as I highlighted yesterday, they are constitutional, very efficient and preferable to a full court hearing. It is a halfway house between an administrative body making a decision off its own bat and having a quasi-judicial chamber with an adjudicative function. I advise the Department to consider if there is any role within the DPC for that type of decision-making to be progressed and pursued. It is a very efficient way of doing things.

A general point was raised repeatedly in the joint committee by a number of witnesses and Mr. Schrems also made it when we discussed the matter with him more recently. The GDPR is great legislation and it is great to have privacy at the heart of Europe and the heart of legislation. One criticism that could be levied at it is that it is one size fits all. The difficulty with that is that a local GAA club or charity could be tied up in knots trying to comply with it. Even if some of it is simple, it struggles to get on board with the process and procedures involved because it is trying to match a mid-tier system whereas a tech giant can get away lightly in some cases because it is coming down to the level of a mid-tier system. We have a one-size-fits-all set of rules that smaller organisations struggle to keep up with despite their best efforts, while a large organisation can duck and dive in some cases because it is perhaps a lower level of complexity than may be appropriate to the size of that organisation. If the GDPR was to be written again, and I do not think anyone involved would like to have to revisit it, perhaps a banded approach where the tiers reflect the degree of complexity in the organisation and the degree of onerousness on the user at that level could be adopted. That might be an improvement but I think it is outside the scope of this House. It is a matter for our colleagues in Brussels to consider.

I am delighted this report has come before the House. It did take a while to have it presented to the Dáil. We have many other reports waiting to come out next week and in the weeks after that. We will certainly be churning them out for the next while.

See this speech in context