Dáil debates

Thursday, 6 October 2022

Report of the Joint Committee on Justice on GDPR: Motion [Private Members]

 

4:10 pm

Bernard Durkan (Kildare North, Fine Gael)

The proposer of the motion has 15 minutes, the Minister of State has 15 minutes and other speakers have ten minutes, with the exception of the penultimate speaker, who will be a Government speaker and will have five minutes, and the proposer will then have another ten minutes.

James Lawless (Kildare North, Fianna Fail)

I move:

That Dáil Éireann shall take note of the Report of the Joint Committee on Justice entitled "Report on meeting on 27th April 2021 on the topic of GDPR", copies of which were laid before Dáil Éireann on 22nd July, 2021.

I thank Deputies Pringle, Costello and the other members of the Joint Committee on Justice, of which I am Chairman, who have engaged in producing this report, some of whom cannot be present today. I thank the Minister of State, Deputy Rabbitte, for taking the debate and Deputy Buckley and the other Deputies who are in the Chamber for the discussion. This is the first report of the prolific justice committee that has come before the House, although we have delivered many reports in the past two years. It is a very good committee, the members of which work together productively and collaboratively. I am delighted one of our reports has found its way to a full formal debate in the Chamber.

The report we are considering deals with the general data protection regulation, GDPR, which falls under the remit of the committee and the Department of Justice. The regulation is in its fourth year as applicable legislation and it has had a significant impact on Ireland in the sense that we are the lead regulator for GDPR across the EU. That in itself has led to some tensions, with views being expressed at home and abroad that the approach is perhaps not always consistent. There is a threat associated with being both the home regulator and the EU-wide regulator. Some regulatory bodies within the EU and elsewhere would like to bring that function home, as it were, and decentralise the approach. It would not be a good thing for Ireland if that were to happen as it would not reflect well on our competencies and capacities. Our economic offering includes certainty for those who are headquartered here. We hold 40% of the EU's data sets and there is a significant presence by multinationals and similar corporations. There are many moving parts. The GDPR is relatively new legislation and very important for Ireland. There are great opportunities but also challenges and it is in this context that I bring the committee report before the House.

We published the report in July last year. Many members of the committee indicated an interest in this topic when we set about our work programme. We acknowledge the significant responsibility Ireland has in being the lead supervisory authority in Europe, which makes us responsible for progressing cases of data protection breaches filed against all companies the European headquarters of which are located here. In effect, we are the European headquarters for GDPR, which often means, by extension, we are the European headquarters, full stop, for those companies. Two weeks ago, we had an opportunity to meet with members of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, LIBE, which I will refer to again presently. We had a very good interaction with those members in which we discussed concerns expressed by counterparts across Europe that the fundamental rights of privacy for EU citizens may be endangered by lack of sufficient enforcement of the GDPR. Enforcement begins at home and Ireland's regulator is both State regulator and lead EU regulator, which makes this an issue of concern to the House.

As always, the Oireachtas committee conducted a stakeholder engagement and solicited a number of opinions in the course of this exercise. We invited key stakeholders to submit their written opinions and we then had a public meeting of the committee on 27 April 2021. This was a very interesting engagement and all the richer for the participation of our stakeholders. They included Dr. Fred Logue of FP Logue Solicitors, representatives of the Irish Council for Civil Liberties, ICCL, the Data Protection Commissioner, Ms Helen Dixon, and Mr. Max Schrems, who will be known to those following this discussion as a data protection veteran and expert. A number of members of the committee have since met with Mr. Schrems informally over coffee and were again pleased to hear his views on these matters. The stakeholders were invited to present to the committee any areas of reform or improvement they considered to be most necessary and urgent to implement and enforce the GDPR, with the aim being to establish which specific areas of enforcement could benefit from improvement and strengthening to ensure an efficient implementation of the regulation.

A number of key issues were raised by stakeholders. One was the delay in processing cases and complaints made to the Data Protection Commission, DPC. The committee was told this is one of the biggest stumbling blocks to achieving effective GDPR enforcement in Ireland. We have heard it said many times that cases take a very long time to get to completion. In some cases, completion is never marked and there is no end date to a complaint. Complaints seem just to sit. There may be reporting improvements in terms of a case closing mechanism whereby a case can be closed out rather than sitting on a shelf. The statistics may be somewhat skewed in that regard but there certainly is room for improvement. It was noted that Austria has issued 852 decisions and Spain has issued 700 since the implementation of the GDPR in 2018. In the same timeframe, Ireland, despite being lead regulator at an EU level, issued only four decisions. Those statistics do not flatter us. As I said, I understand there may be a system whereby the DPC does not close cases and, therefore, they appear to linger.

Some closure would be useful for all concerned and certainly would help the closing out of those items. The Data Protection Commissioner told the committee, in her own evidence that, among other reasons, the principles-based nature of the GDPR and the fact that there is little established case law to guide such evaluations means that every case must be evaluated on its own merits and this can take significant time. I do not really accept the point that the lack of established case law means it cannot be done. Any piece of law, by definition, is new, and it takes a while for courts and judges to pass decisions. The role of a regulator charged with upholding that legislation is to grapple with it and begin to make decisions. Perhaps they do not have the full force of precedent but I do not accept that a regulator must wait for a period of years for courts to consider a matter in detail before it can begin to follow a particular pattern. I think it should be the other way round or at least in parallel.

The next point that was made was that the Data Protection Commission needs to clarify its procedural law when processing complaints and cases of data breaches. The committee was told that the unclear nature of the DPC's processes means that cases risk being overturned due to apparent unfairness and a lack of transparency in decision-making processes and the exact definition of cases being concluded or resolved by the DPC must be clarified. That is a point I made a moment ago. In response, the DPC told the committee that it would attempt to codify what it publishes in its processes if it would provide greater legal certainty. Another point that was made in the debate was that the general compliance with and enforcement of the GDPR is perceived as being weak, which is not a good reflection on Ireland. Witnesses told the committee that non-compliance with the GDPR can often appear consequence-free and that companies will continue to breach the GDPR if they feel that there are no credible sanctions for non-compliance. I should say that some headline sanctions have been issued recently, including to some multinationals. However, there is still a view abroad that non-compliance does not really lead to any particular or purported sanction. Witnesses also criticised the lack of transparency in the DPC's approach of informal engagements with large corporations to find solutions to issues with GDPR, rather than the DPC using enforcement measures against them to comply with the GDPR. The poacher and gamekeeper becoming friends never makes for a good regulatory model. I think there is a suggestion that the DPC, at times, engages in a deep-dive with particular lead parties, but that is not necessarily good practice. I understand that there may be a practical desire to get close to the problem and attempt to work collaboratively to find a solution but perhaps the pendulum has swung too far. 
Certainly, the point was made by witnesses in the debate that the regulator is in with the regulated, helping them to devise processes. A better approach may be to stand back and actually issue sanctions and impose direction, rather than being in under the hood.

The risk of poor enforcement of the GDPR to Ireland’s role as lead supervisory authority in Europe is one that I flagged at the outset. It is of great concern not just to the technical GDPR arena, but to our economic offering. If we cannot guarantee certainty to technical and business companies that are headquartered here, the next logical implication is that the reason for the attractiveness of Ireland and Dublin as a hub begins to wane and some of that business begins to move abroad. The committee was informed that the DPC’s ability to carry out its role as lead state authority is coming under scrutiny by its European counterparts. We have seen pressure from other European states to relocate activity and to actually be allowed to regulate themselves in other EU capitals. Witnesses directed the committee towards several high-profile cases, such as the decision of the European Court of Justice in June 2021 when it effectively ruled that other data protection authorities, DPAs, could sidestep the DPC where it was perceived as being too slow in pursuing cases. The committee was concerned about the impact on Ireland’s reputation as the centre of data regulation in Europe if that became common practice.

I will move on to some of the key recommendations that were made in the report, on behalf of the committee. The committee recommended that the DPC moves from emphasising guidance towards a hard enforcement approach as a matter of urgency and that it be supported to do this by whatever means necessary, including the provision of additional resources, should that be required. It was recommended that the DPC increase the use of its sanctioning powers under Article 58(2) of the GDPR and that the DPC should publish quarterly statistics on the use of its sanctioning powers. The committee recommended that, to speed up the timeframes in which decisions on GDPR cases are issued, a separate decision-making entity within the DPC, separate to that of commissioner could be created or individual case managers could be allowed to issue final decisions in cases on behalf of the DPC or both. In other words, delegate and divide and conquer. That makes a lot of sense. The committee recommended that the DPC should introduce more transparent and defined procedures when handling complaints, which should include clear deadlines as to how long it should take for cases to result in a final decision. It was recommended that multi-stakeholder hearings with other data protection agencies in Europe should occur first, in order for their feedback to be taken on board in this regard. I think an outreach programme to other European capitals and data protection regulation agencies elsewhere would make sense and would be part of healing those divisions that have emerged in recent times. As I have said, there is a bit of a turf war and some frustrations are being expressed elsewhere as to what are at least perceived, if not real, delays in Dublin.
It was recommended that the DPC provide clarity by publishing the exact processes it follows when handling complaints and that the DPC should clarify its definitions regarding cases being concluded or resolved and consider using similar terms to those used in other European DPAs to avoid misinterpretation. Again, the point I made earlier about whether cases are closed, concluded, resolved, a work in progress or in limbo, and where exactly they are at, holds true. That is why we only have four concluded cases when other countries have 700 or 800. Perhaps it is a reporting difference, but we need to get to the bottom of it.

The committee recommended that the Minister appoint two new commissioners. The legislation refers to "commissioners" rather than a "commissioner". It was recommended that in accordance with the provisions of section 15(1) of the Data Protection Act 2018, the Government should avail of that option and appoint additional commissioners to strengthen the team. Perhaps there could be specialties within particular areas. If additional commissioners were being appointed, perhaps they could have different areas of expertise or responsibility. The committee recommended that a review be undertaken to strengthen and reform the DPC and should include an examination of whether staffing levels and resource allocation are appropriate. It is very often a challenge for any regulator but in an industry that is highly technical and competitive at the coalface in particular, a regulator faces the same HR challenges in hiring staff and is in the same market for staff as the players themselves, which often have greater resources and competitive bargaining power. A regulator will often face challenges in recruitment for that reason. That should be examined and the resources should be made available to the DPC and if it does need to hire additional technical, legal and IT staff, it should be made possible. At least, the review should take place and an informed decision made.

Recently, the committee had the opportunity to meet with a delegation from the LIBE Committee within the European Parliament to discuss matters relating to GDPR enforcement and the committee's report. The engagement was very fruitful and the committee felt that it provided an opportunity to take stock of its report and review progress made. There were some very helpful suggestions from MEPs from other EU states. Arising from the engagement, the committee reiterates its calls for a review of the DPC and its policies, procedures and processes. Some have called for this review to be undertaken by an independent body and not by the DPC itself. Nemo iudex in causa sua: one should not be a judge in one's own cause. I think that recommendation makes perfect sense.

The committee also welcomes the decision of the Minister in July to appoint two new commissioners to the DPC. Although I do not believe the appointments have been made yet, there has been an indication of intent to do so. We ask that that be accelerated and made good. We stress the need for one of the commissioners appointed to have expert knowledge of material and procedural law. As I have said, different commissioners could have different strengths. It would make sense for them to complement one another rather than overlapping. Finally, the committee underlines its recommendations that the DPC should clarify the procedures used when handling complaints and provide clear deadlines as to how long it should take for cases to result in a final decision, alongside a clarification of the difference between concluded cases and cases which are resolved. Clarity in these matters would bring more transparency to the DPC's internal procedures and provide more confidence domestically and to its European counterparts.

I thank Members for their interest in this topic. I look forward to the Minister of State's engagement and, indeed, that of members of the committee. I look forward to the debate. I am glad to have had the opportunity to bring the report to the Chamber. I think it deserves a wide audience. It relates to matters that are significant for our regulatory reputation and our economic viewpoint and to very important issues such as privacy and data protection rights, which are enshrined at the heart of European and Irish legislation, and which deserve to be vindicated and regulated in a thorough and effective fashion.

4:20 pm

Anne Rabbitte (Galway East, Fianna Fail)

I thank the Deputies for providing me with the opportunity to address the House. I am doing so on behalf of the Minister, Deputy McEntee, who sends her apologies that she cannot be here due to her attendance at the British-Irish Intergovernmental Conference.

We are here to discuss the Data Protection Commission and the legislation that underpins its work, the Data Protection Act 2018. The discussion takes place in the context of the report on the topic of the general data protection regulation published by the Joint Committee on Justice in 2021. I thank the committee for its hard work in compiling the report.

The GDPR report followed a public stakeholder engagement on 27 April with the Data Protection Commissioner and other stakeholders, including the Irish Council for Civil Liberties and Mr. Max Schrems, a data privacy advocate from the organisation known as None of Your Business, NOYB.

I want to be clear that under the Data Protection Act 2018, the Data Protection Commission is statutorily independent in the performance of its tasks and the exercise of its powers. This is in line with the GDPR, which states that supervisory bodies must be independent. The Government's commitment is to ensure the DPC is supported through both resourcing and a robust statutory footing to carry out its work.

The GDPR entered into force on 25 May 2018. It provides for higher standards of data protection for individuals and imposes more detailed obligations on bodies in the public and private sectors that process personal data. The GDPR also increases the range of possible sanctions for infringements of these standards and obligations.

The programme for Government clearly commits to recognising the domestic and international importance of data protection in Ireland. Delivering on this commitment means supporting and resourcing the DPC to deal with an ever-increasing workload with increasingly complex investigative requirements. This is largely due to the one-stop mechanism, which is a core element of the GDPR, providing for a central point of enforcement by a lead member state supervisory authority. Due to many major technology companies locating headquarters in Ireland, the DPC has significant lead supervisory authority responsibilities across the European Union. To that end, the resources of the DPC have steadily increased in recent years. The DPC has been funded under its own Vote as of 1 January 2020, with the Data Protection Commissioner as Accounting Officer. The DPC received an allocation of €26.2 million under budget 2023, an increase of €3 million from 2022. This means that next year, funding will have increased more than sevenfold from its 2015 allocation, in line with the DPC's increased functions. To put this into perspective, the funding allocation in 2015 was €3.6 million. The DPC's sanctioned budget allocation for next year allows for recruitment of up to 283 staff by the end of 2023, which is an increase of 25 staff on the sanctioned figure for 2022.

The Department's role requires regular review of the legislation underpinning the DPC's work to ensure it is up to date and fit for purpose. To that end, the Courts and Civil Law (Miscellaneous Provisions) Bill 2022 will include a number of Committee Stage amendments to the Data Protection Act 2018. These are currently being drafted and cover a number of areas, including ensuring data subjects have third-party beneficiary rights in primary law, clarifying confidentiality obligations and clarifying DPC powers in respect of the issuance of reprimands.

A further proposed amendment will confer jurisdiction to hear data protection actions related to the District Court and, as it currently stands, the Circuit and High Courts. This will provide data subjects with improved access to justice when initiating actions under this Act and should reduce the associated costs for the data subjects and those providing a defence claim. The Bill was published on 13 September and is scheduled to go to Second Stage in early October.

The Government has committed to ensuring Ireland delivers on its responsibilities under the GDPR. The Department of Justice continues to monitor the impact of implementation of the GDPR and the impact of any possible future regulatory changes, as well as any changes within industry, in conjunction with the DPC. As part of this effort, an examination was instigated in 2021 by the then Minister for Justice, Deputy Heather Humphreys, to consider whether an increase in the membership of the DPC should be pursued. In line with the Government's commitment to ensuring the DPC can best deliver on its responsibilities, the Department of Justice was asked to consider the matter of appointing additional commissioners as provided for under the 2018 Act. This was initiated on the basis that the DPC had evolved significantly since its inception. In order to support the evolving organisational structure and the governance and business needs of the DPC, on 27 July, the Government approved commencement of the process to appoint two additional commissioners. This was in line with the Data Protection Act, which provides for the appointment of up to three commissioners. The Minister knows that these decisions also accord with the recommendation of the Joint Committee on Justice to appoint additional commissioners in its report on the GDPR. The GDPR report further suggested that at least one commissioner should have expert knowledge of material and procedural law. The Public Appointments Service is tasked with making a recommendation on the two people for appointment as commissioner, following an open selection competition. The expectation is that the new commissioners will have the appropriate skills to perform their functions under the Data Protection Act. This process is expected to take six months to complete.

The Joint Committee on Justice report on the GDPR makes a number of recommendations in respect of the DPC. The Minister feels it is important to acknowledge that in the 15 months since the publication of that report, the DPC has achieved notable results as lead supervisory authority for personal data processing of the many global Internet platforms which are headquartered in Ireland. This is borne out by the accurate statistics on the DPC's work, which were published on its website. Article 60 of the GDPR provides for co-operation between the lead supervisory authority and the other supervisory authorities concerned when making a decision. Last year, the DPC issued more draft Article 60 decisions about major breaches of the GDPR than any other data protection authority in Europe. The DPC leads the bloc in both the quantum of monetary fines imposed on the draft decisions and the number of corrective measures enforced against online platforms. Furthermore, its decisions have been approved by fellow data protection authorities around Europe in over 90% of the cases.

The DPC has issued significant enforcement fines, the most notable of which include the €225 million fine imposed on Facebook in July 2021. In March this year, Meta Platforms Ireland Limited, the parent company of Facebook, was fined €17 million. It was fined €405 million last month for GDPR violations involving Instagram. On 13 September, the DPC also announced a draft Article 60 decision to other concerned supervisory authorities across the EU following a large-scale inquiry into TikTok. In addition to this, in 2021 the DPC also imposed a number of sanctions on other bodies.

According to the DPC, almost €650 million in fines has been levied against companies as a result of its investigations. It is fair to say that the DPC has performed its role of independent data protection regulation in the State very effectively to date. I want to emphasise this point, particularly in light of ongoing criticism of the organisation. It is particularly disappointing that some of that criticism continues to be based upon incorrect figures despite clear corrections having been provided by the DPC on multiple occasions.

The Government's decision to appoint two new commissioners sends a strong statement of its intention to continue to build the capacity of the DPC, support the existing commissioner and ensure that the DPC can continue to deliver on its role. The DPC has developed and grown significantly under the leadership of the current commissioner, Ms Helen Dixon, since its establishment. That is why, in light of her considerable experience and expertise, the Government has agreed to the proposal of the Minister, Deputy McEntee, that Ms Dixon be nominated as chairperson of the DPC pursuant to section 16 of the Data Protection Act. The Minister has also asked the DPC to undertake a review of governance structures, staffing arrangements and processes. The Joint Committee on Justice's GDPR report requested such a review be undertaken which should include an examination of whether staffing levels and resource allocation are appropriate.

The review is being carried out to support the work to be performed by the new model of commission, which comprises three commissioners instead of one.

The Government values the DPC's important and independent role as one of the largest EU data protection authorities and acknowledges its strong track record in carrying out its duty. The Department of Justice will continue to provide the support it requires.

4:40 pm

Bernard Durkan (Kildare North, Fine Gael)

We have three more speakers. It will be tight enough to fit all three into the time available because a maximum of 75 minutes has been allocated to the debate. I ask everybody to keep that in mind, but we will include everyone. Deputy Costello has ten minutes. I ask him to save a few minutes so we will not run over. The debate has to finish-----

Patrick Costello (Dublin South Central, Green Party)

Given the session is due to finish at 9 p.m.-----

Bernard Durkan (Kildare North, Fine Gael)

-----in 75 minutes. We might get through the debate but it is 75 minutes from start to finish.

Patrick Costello (Dublin South Central, Green Party)

I will be as quick as I can. I acknowledge the work of the committee secretariat in compiling this report and the support they have given committee members. It is also important to acknowledge the role of the GDPR in protecting civil rights and our fundamental freedoms. If we look at the issues of real-time bidding and the use of these things in disinformation, misinformation, the manipulation of society and the undermining of democracy, we can see at one end why the GDPR is important. However, the GDPR will only be effective if it has teeth and if it is administered effectively. We asked for new commissioners and I acknowledge the Government has committed to appointing two such commissioners. Getting the right experience and skills is incredibly important.

However, I utterly reject the Government's line that the commission has performed its role as an independent data protection regulator in the State very effectively to date. I will offer more evidence on that but will start by considering the statement by the European Commission Executive Vice-President, Ms Vestager, who said that the EU Digital Services Act was written in a way to cut out Ireland to ensure it would not have the lead supervisory authority or role because everyone was disappointed by how we were performing in this area. That lack of effectiveness will result in huge economic loss for us. I will also point to the case of DPC v. Doolin in June this year. This was a High Court case and a later Court of Appeal judicial review on the decision-making of the Data Protection Commission. The Court of Appeal held that the commission was wrong in its understanding of law. The court called it "a manifest error ... which is serious and significant." Both the High Court and Court of Appeal held that the DPC made critical errors in its understanding of the concept of personal data. If the Data Protection Commission is getting the basic definition of "personal data" wrong, and is being held by the High Court and the Court of Appeal to have done that, it is not fair to say that office has been effective to date.

We also need to look at some of the issues raised by Deputy Lawless, such as the use of the terms "resolved" and "concluded", the opacity of this, and on what decisions are being made and how they are being made. I cannot remember the figure off the top of my head, but a significantly high number of decisions have been made, in the order of 84%, which used amicable resolution. That figure may only relate to cross-border decisions but there is a disturbingly high number of amicable resolutions, many of which focus on repeat offenders. European data protection authorities have come together to produce their own guidance, which outlines when amicable resolution should be used and when it is not appropriate. We continue to use it time and time again on occasions when it has been called out as inappropriate and because we keep doing that, we are missing systemic problems within the GDPR and systemic breaches of the GDPR. If we are failing to tackle systemic and repeat offenders, then we are hardly being effective. We are just not effective. On cross-border cases, we are not delivering results or numbers at the same level as other data protection authorities across Europe. We have been called out on this. As I said, the Commission Executive Vice President, Ms Vestager, called these things out specifically.

We have also been criticised and corrected regarding cross-border decisions that have gone to other European data protection authorities. There is significant evidence of weight of other data protection authorities calling us out as the roadblock to effective administration of the GDPR and they are taking steps to get around us. As I said, the Commission is writing legislation to cut us out because it does not see us as effective in any meaningful way. This was on the cover of the Business Post. I do not understand why this is not a huge scandal. The loss of the role we could have had under the EU Digital Services Act will affect our economy and the nation's bottom line. This is all because we have not had, despite what the Minister of State may claim, an effective administration of the GDPR in this country.

It is not just about the budget. When I was elected in 2020, I started raising this subject. At that point, the commission was not resourced properly. The Data Protection Commission now has the fifth-highest budget of any EU data protection authority so it is not just about budget. It cannot just be about budget. This is why we need this independent review. It must be an independent review so we can examine the policies, procedures, decisions and the use of amicable resolutions. What exactly do "resolved" and "concluded" mean? Why are we continuing to fail to address the systemic problems? These are the issues we should look at. The addition of two extra commissioners gives us a perfect opportunity to do that.

I will also flag that a review of procedures, and legislation around procedures, is now essential in light of the Supreme Court decision in the Zalewski case. While we talk about whether the DPC is in line with EU law, I am not fully convinced the DPC is in line with constitutional law as adjudicated by the Chief Justice in the Zalewski decision. The Chief Justice was very clear that quasi-judicial decision-making bodies should have the same standard of justice as a court. We had to introduce emergency legislation to amend the policies, procedures and processes of the Workplace Relations Commission, but that will happen across all our quasi-judicial decision-making bodies. Major consequences flow from this that we are barely beginning to grapple with.

Now is the time we need to look at this matter and ensure we are meeting basic Irish constitutional justice standards because I do not believe we are. Are we achieving European standards in effectively administering the GDPR? I do not believe we are. Again, I am not alone in this. The European Commission said the same things I am saying. The Court of Appeal and the High Court in Ireland have both said the same thing. I cannot more firmly reject the suggestion that this commission has been very effective to date. The step of appointing two commissioners is very positive but we need a fully independent review to ensure that the Data Protection Commission can be effective into the future.

Bernard Durkan (Kildare North, Fine Gael)

There are 40 minutes left for two speakers who have five and ten minutes, and two other speakers with ten minutes each.

Thomas Pringle (Donegal, Independent)

I welcome the Minister of State back to the Chamber. She seems to be the Minister for the Dáil rather than anything else.

James Lawless (Kildare North, Fianna Fail)

She is the hardest working Minister in the House.

Thomas Pringle (Donegal, Independent)

She is the only working Minister in the House because she is the only Minister who turns up in the House by the look of things. That is a sad reflection because this motion was tabled three weeks ago for debate in the House. There is a Minister of State in the Department of Justice, with no disrespect to the Minister of State who is present. I would put a lot of store by what this Minister of State has to say more than any other.

However, there is a junior Minister in the Department of Justice who could have been here today. This is a disgrace and shows a lack of respect for this House. It cuts across every Department and everything that happens here. I faced the same situation yesterday with a Topical Issue matter. The Minister of State was here for Topical Issue debates yesterday as well. I have said enough about that. We might have another discussion on the matter at some stage.

It is good to see this report being discussed in the Chamber. It was published in July 2021 and is only now coming up for discussion. It is interesting that we had an EU delegation before the Joint Committee on Justice last week to discuss the GDPR and, lo and behold, this report just happened to be approved for discussion in the House around the same time. It is fortunate coincidences like this that make life interesting around here. Things like that continue to go on.

This report was published in July 2021. I wonder what the view of the Department was in the meantime because we in the committee certainly do not know. Surely, more than a year after receiving the report there could have been a response. We have a response today although not from the Minister but from the stand-in Minister of State. That is the problem. This report was sent to the Department in July of last year and we have not had any response before now. I wonder if the response outlined in the Department's speech today is in response to the visit of the EU delegation in recent weeks.

We see that legislative provisions are being introduced on Committee Stage of another Bill that will sort out some of these matters, which seem to have been viewed as problematic in the Department for some time. However, they are being introduced on Committee Stage so there will not be any Second Stage debate on them. We do not know what is to be included because we have not seen the amendments. According to the Minister of State's speech, the Bill was published last week and the amendments in respect of the GDPR will be submitted on Committee Stage. That is the way the Government does business around here. That is fair enough and we will just have to live with it.

Before I heard the Minister of State's speech, I had forgotten the format and that she would have a chance to respond. She has already answered some of my points. I am sure the Department has given consideration to recommendation No. 5, at least. We have heard some more about that with regard to what is being proposed by way of amendments on Committee Stage of another Bill.

From the meeting between the EU committee members and the Joint Committee on Justice, it appears there are discrepancies between some of the statistics the committee used in compiling its report and those the EU committee members were aware of. For example, the report states in its summary and evidence that, from May 2018 to December 2020, draft decisions were produced in only 2% of cases. The EU group, through Clare Daly’s office, insisted there were decisions in 65% of cases. That is certainly an improvement although we must still ask whether resolution in 65% of cases is adequate. It seems to me that it may not be because that resolution rate is very low.

There also appears to be confusion around the definition of resolution of a complaint. The Data Protection Commission says that it does not have to report a decision where a complaint is simply closed after a resolution has apparently been reached with no report issued, that is, where the complaint is amicably solved. This is provided for in section 109(3) of the Data Protection Act 2018, which states:

Where the parties concerned reach an amicable resolution of the subject matter of the complaint, the complaint shall, from the date on which the amicable resolution is reached, be deemed to have been withdrawn by the complainant concerned.

This removes the need for any reporting. However, the same section of the Act states that the commission has a high degree of flexibility in whether it agrees to accept an amicable solution. Perhaps what is at dispute is the willingness of the commission to decide to amicably solve so many cases. That is a result of the woolly language used in the legislation. In the same section of the Act, we see terms such as "considers appropriate" and "may take such steps as it considers appropriate", as well as provisions for when the commission "considers" that something has happened. All of this is in section 109 of the Act. The Act was probably written to be so woolly. That is part of the problem with it.

The question is whether companies should be able to amicably resolve so many complaints when there is a power imbalance that is so much in their favour. That is a question that the commission may need to deal with.

The one thing about this report that has bothered me is that the Data Protection Commissioner has not really engaged with the committee since its publication. Surely if she felt that we had got things wrong, she would have pointed that out in correspondence with the committee since the report was published. Perhaps that is one advantage of it having been so long since the report's publication that this debate is taking place in the House. There has been plenty of time for the Data Protection Commissioner to highlight her concerns, so we can only assume that her office is happy with the report and agrees with the recommendations contained in it.

Of the 17 recommendations in the committee's report, quite a few of them are for the Minister and the Department to deal with. There may be recommendations that the commissioner act in a certain way that is not provided for in the legislation. It would be interesting to hear the Department's view on that, as we probably did earlier when we heard that legislative provisions are going to be rushed in through Committee Stage of other legislation without any proper consideration in the House. That is the Department's view on these recommendations. Surely, as it has been so long since the report was published, the Department will have had adequate time to mull it over. We see that it has and that legislation is now being brought forward when, coincidentally, EU committee members came before the committee a few weeks ago. Those members also met with the Minister at the same time. Perhaps all of this arose from that.

I wrote this response before I saw the Minister of State's speech but the one thing the Department is actually going to do is to act on one of the recommendations I am not sure about, No. 10, in which the committee recommends that the Minister appoint two new commissioners with specific skill sets that are provided for in the legislation. It seems to me that this might be a cosmetic exercise that would give the impression of change without actually achieving the desired effect. That might be what is happening here. I hope I am wrong but time will tell, although it will probably be another three or four years before we have another report and another attempt to look at this matter. This recommendation might have merit if it were part of a complete examination of the legislation to see if it is adequate and provides an overall solution. To my mind, if the law was right, it would not make any difference whether there was one commissioner or 21 but maybe that is just my ignorance and how I view things. If the legislation was adequate, met the needs and did what needed to be done, it would not matter whether there was one, three or five commissioners. We will see what is chosen in the legislation and what the outcome will be. I hope the language of the amendments will not be as woolly and open to interpretation because that is part of the problem with the whole thing. I am grateful for the opportunity to contribute to this debate. I hope it will not be so long after we publish our next reports that we actually see some action from the Department.

4:50 pm

Pat Buckley (Cork East, Sinn Fein)

The motion we are considering proposes that "Dáil Éireann shall take note of the Report of the Joint Committee on Justice entitled "Report on meeting on 27th April 2021 on the topic of GDPR", copies of which were laid before Dáil Éireann on 22nd July, 2021". I will start by paying tribute to the members and staff of the committee for their work on the report. It is typical of the unglamorous but important work that committees are set up to tackle. I understand from my Sinn Féin colleagues that Deputy Lawless has done a good job within the committee.

I will turn to the concerns Sinn Féin has in this area, which were raised when the matter was discussed in the committee. The first is the resourcing of the DPC, a concern raised by Deputy Martin Kenny. The DPC takes an incredibly long time to get back to a lot of complainants. Covid-19 may have had some impact but, with much of the commission's work not necessarily requiring in-person visits and so on, that is no excuse. The delays were also an issue well before the pandemic. There was some discussion of this at the committee hearing and we respectfully diverged from the commissioner's views on the resourcing. We made provision in a previous alternative budget for an increase in funding to the DPC, which the Government heeded. However, the reality is that we are a number of years behind in terms of that investment. We cannot afford to become a data protection blackspot and it is not difficult to imagine the DPC has been deliberately under-resourced compared to its European counterparts. Given that so many technology companies are based here, far more than is the case in those counterpart countries, it is unacceptable for this under-resourcing, whether deliberate or otherwise, to continue.

The second concern, which is strongly reflected in the report's recommendations, is the issue of negotiation over enforcement. The resources tech companies have, compared with those of any State agency, are significant, and their ability to protest and litigate is extremely strong. Negotiation might make sense in order to protect precious State resources but the statistics are far too skewed away from any enforcement. A change in mindset is needed here.

A third issue that was raised was that of the mother and baby homes and how the records were going to be sealed and so forth. One would be hard-pressed to find a piece of law that is invoked as regularly and as strongly as the GDPR on a wide number of issues. Unfortunately, it is misapplied and misunderstood by many, despite the fact it is simple enough in legal terms. For instance, the advice of the Minister for Children, Disability, Equality, Integration and Youth was that GDPR did not apply to these records, whereas a number of experts felt it clearly did. There was a need for clarity as to whether the sealing of records in those cases would have been a breach of legislation, especially EU legislation. These records represent more than just data for many, and cases such as those of people boarded out, which Deputy Daly has been vocal on, need to be looked at as well.

Finally, there are increasing applications of data, or more accurately, large amounts of quantitative data, across our daily lives. Legislation and regulation need to be ahead of the curve here rather than being reactive. In that context, the report's call for a review of the Data Protection Act 2018 to ascertain if legislative amendments are necessary, and to consider codifying the published processes of the DPC as regulations, is incredibly important.

5:00 pm

Anne Rabbitte (Galway East, Fianna Fail)

I thank the Deputies for their contributions to what has been an informative and enlightening debate, at least for me. I have learned an awful lot from listening to it and reading my scripts. As I said at the outset, I am taking this debate on behalf of the Minister for Justice, Deputy McEntee. I also extend apologies on behalf of the Minister of State, Deputy James Browne.

The Data Protection Commission is statutorily independent in the performance of its duties. The Government's role is to ensure the DPC is fully resourced and supported to carry out its functions. The Government values the DPC's role as one of the largest EU DPAs and acknowledges its successful track record of national cross-border data protection regulation. In my opening statement, I outlined the ways in which the Department of Justice provided resources and statutory support to the DPC. A number of Deputies referenced the four cases that had been concluded by the DPC. It has concluded over 17,000 of almost 20,000 complaints received from individuals up to August 2022, and 793 cross-border complaints where the DPC was the lead authority have been concluded.

The Department will continue to build the capacity of the Data Protection Commission, supporting the existing commissioner and ensuring the commission can continue to deliver on its role. The commission itself has pointed out that much of the criticism levelled against it is based on incorrect representations of its enforcement work. It has incorrectly been claimed that almost 98% of major GDPR cases referred to Ireland remain unsolved. The accurate data, which are published by the DPC website, demonstrate that the DPC plays an effective role. For example, 73% of all cross-border complaints handled by the DPC as the leading supervisory authority since May 2018 have since been concluded. Indeed, the DPC is the leader among all EU data protection authorities in terms of the quantum of fines imposed and corrective measures enforced.

In order to support the evolving organisational structure, governance and business needs of the Data Protection Commission, the Government has approved commencement of the process to appoint two additional commissioners. In making this decision, the Government recognises that the DPC has evolved significantly since its inception and has an increased work burden and investigative complexity, as well as the DPC's fundamental role within the EU data protection architecture.

The outcome of the DPC's forthcoming review of its governance structure, staffing arrangements and the process to support the work to be performed by the new model of the commission will no doubt pave the way for its continued growth and development. I wish to make it clear that the Government has asked the DPC to carry out this review in light of the decision to augment the resources of the commission by appointing two additional commissioners. This is the right approach to take as it is consistent with the independence of the commission and will allow it to examine its process in adapting to the changing environment. The committee's report requested that a review of the DPC be undertaken, which should include an examination of whether staffing levels and resource allocations are appropriate. This report did not specify that the review should be independent. However, the Irish and EU-based special interest group has called for an independent, more root-and-branch style review of how DPAs operate. In response to those calls, I reiterate that the DPC is a statutory independent body, as per section 12(7) of the Data Protection Act 2018. On that basis, Government intervention in the running of the DPC would be inappropriate. The Government would not intervene in the DPP or court decision-making and should not do so for the DPC either.

Furthermore, the DPC is subject to oversight by the European Data Protection Board, EDPB, the European Commission, Irish courts, and the Court of Justice of the European Union, CJEU. Given that recent decisions of the DPC and the EDPB are being reviewed by the High Court and the CJEU, the need for the Government to respect the independence of the DPC and the EDPB is emphasised. The DPC has also been undergoing reviews by, among others, the Comptroller and Auditor General, the DPC's independent audit and risk committee, the DPC's internal auditors and the courts. It is worth noting that no issue of any gravity has arisen in the context of those recent reviews. In fact, in December 2021, the justice Commissioner, Didier Reynders, stated that the Commission had not identified any issues with Irish data protection rules or how they are enforced.

I reiterate the value this Government places on the DPC's work, as well as our intention to continue to support and resource the commission to carry out its increasingly voluminous and complex workload. I thank Deputy Lawless and the members of the committee for bringing this report before the House.

John Lahart (Dublin South West, Fianna Fail)

That was an acronym-filled speech. I call Deputy Lawless to conclude.

James Lawless (Kildare North, Fianna Fail)

I thank the Minister of State. I agree with Deputy Pringle that she is a very hardworking Minister who is performing a number of duties in this House at the moment, not least her own. Well done to her on that. It is noted. I thank all Deputies who took part in the debate and the members of the committee, as well as Deputy Buckley, who I know speaks on behalf of Deputies Daly and Martin Kenny. I thank him for bringing those views into the room today. I also thank the tireless staff of the committee, in particular the sage that is Mr. Alan Guidon, who gives us great steer on every matter under the sun, not least this one, and is still a marvel with his technical expertise and procedural knowledge. I thank our policy advisor, Emer Hannon, and our staff, Fiona McCarthy and Keelan Crowe, who all worked tirelessly on the many reports that have been produced. I also take this occasion to put on the record that the justice committee covers 50% or more of all legislation across the Houses, so I again give credit to the members of the committee for their co-operation and throughput in that regard.

I welcome the statements by the Minister of State, particularly the news that the appointment of the two additional commissioners is ongoing. I look forward to that process completing. The committee would welcome a role in that process. There is a procedural precedent for candidates coming before the committee for a hearing and we stand ready to do that at the appropriate time. I stress the importance of the two new commissioners complementing the current commissioner but also bringing some diverse skill sets to the role. We do not need three people doing the same job; we need three people doing different jobs with different skill sets and drawing from different professional life experiences. That is a positive development.

The Minister of State noted that one of our recommendations was that a review be performed of the organisation. She advised that a review is being initiated.

I welcome that but I would add the caveat that, as I said earlier, an internal review is often less useful than an external one. If there was another body or if somebody was seconded in as part of that, it might add greater value. It would certainly have greater credibility even if the result is the same. It would be in the organisation's own interest to consider that approach. I know the Minister of State will pass that suggestion on to the relevant Minister. It should be taken on board.

Great emphasis is placed on the statistics. There are lies, damned lies and statistics. It is quite confusing, even for the people in the weeds on this, to determine whether their case has been closed, satisfied, progressed or concluded and often it can be a matter of opinion or labelling. In my office, I operate a constituency representation system. I often wonder whether a case is really closed. I wonder whether it is closed to the satisfaction of the person who raised it. We might say that the matter has been replied to but that does not necessarily mean the case is closed and it certainly does not mean it is closed satisfactorily. We could spend all day using different labels as we try to figure out the most appropriate one. We need to bring some clarity to this because a number of stakeholders and witnesses across the EU and locally have identified this as being an issue. Perhaps it leads to under-reporting or under-crediting of the DPC. Perhaps it leads to misreporting across Europe. Some kind of consistency of approach to those categories would be helpful for all concerned.

Some other findings of the committee perhaps did not get as much attention today. Under the Data Protection Acts that preceded the GDPR, the data protection website featured case studies that I found quite useful. People could look up a particular scenario if, for example, they owned a small business or were considering making a complaint. A club or organisation wondering what procedure it could use in a particular scenario could look it up to see what someone else had done and what the finding was. There was a good knowledge base under the old system. I do not believe that is still in place and I am not sure if it would be compatible with the GDPR.

Sometimes people believe that the foot that treads lightly is the better approach. Alternatively, heavy enforcement leads to fewer breaches. There is an initial flurry of activity because there is lack of compliance, enforcement and sanctions and this can lead to increased resources being required but behaviours begin to settle down after a while. If the stick is wielded at the start, businesses and organisations get to know the system and what happens if they put a foot out of line unless people put a foot out of line in the first place because people begin to behave themselves and the system almost manages itself. I note that there were multiple complaints regarding data subject access requests, which any individual has a right to make. Many organisations are still not fulfilling these requests to the extent they should and perhaps the DPC has not been as heavy-handed as it ought to have been in those scenarios. If that was applied robustly and consistently, those organisations would cop on pretty fast and we would end up with fewer complaints on the far side because better practices would ensue.

Deputy Costello quoted a Business Post article. A concern flagged by me and other Members today and in the committee is that there is an economic advantage for Ireland, which is vulnerable. It is often thought that perhaps large tech companies welcome a light touch but they do not always welcome it because what business really wants is certainty. If there is uncertainty about a decision that is coming down the track or there is a risk of another decision being imposed by another EU state because the decision in Ireland is taking so long to come around, businesses are left in an uncertain environment. Contrary to what might be intuitive, business, including big business, will actually welcome a heavier touch and if that means sanctions, so be it, provided there is certainty of approach and companies know certain actions will have certain consequences. That leads to a more certain business environment, which is a more attractive business environment.

Deputy Costello mentioned the digital services directive. I would add that an artificial intelligence, AI, directive is coming downstream from Europe. It may be that Dublin is viewed in certain capitals as a less attractive option for centralisation of areas such as digital services or AI regulation and activity because of a perceived lack of enforcement on data protection, which undermines our offering in other areas. There is a wider tapestry to consider.

I am not sure if it was Deputy Pringle or Deputy Costello or both who made the point regarding the Zalewski decision. The point was made by a number of witnesses at the committee as well that the DPC procedures tend to be internal. There is a degree of opacity as to how certain decisions are made. I strongly recommend that it be considered whether there is room for a forum similar to the Workplace Relations Commission or the Residential Tenancies Board, which are quasi-judicial bodies that can hold hearings that allow affected parties to come into a room, have a hearing, be represented if they require it and have a decision issued within a space of time. I know the Residential Tenancies Board processes 20 cases per day while the Workplace Relations Commission might be similar. Many resolve themselves prior to getting to that stage. The Zalewski decision shone a light on those and as I highlighted yesterday, they are constitutional, very efficient and preferable to a full court hearing. It is a halfway house between an administrative body making a decision off its own bat and having a quasi-judicial chamber with an adjudicative function. I advise the Department to consider if there is any role within the DPC for that type of decision-making to be progressed and pursued. It is a very efficient way of doing things.

A general point was raised repeatedly in the joint committee by a number of witnesses and Mr. Schrems also made it when we discussed the matter with him more recently. The GDPR is great legislation and it is great to have privacy at the heart of Europe and the heart of legislation. One criticism that could be levied at it is that it is one size fits all. The difficulty with that is that a local GAA club or charity could be tied up in knots trying to comply with it. Even if some of it is simple, it struggles to get on board with the process and procedures involved because it is trying to match a mid-tier system whereas a tech giant can get away lightly in some cases because it is coming down to the level of a mid-tier system. We have a one-size-fits-all set of rules that smaller organisations struggle to keep up with despite their best efforts, while a large organisation can duck and dive in some cases because it is perhaps a lower level of complexity than may be appropriate to the size of that organisation. If the GDPR was to be written again, and I do not think anyone involved would like to have to revisit it, perhaps a banded approach where the tiers reflect the degree of complexity in the organisation and the degree of onerousness on the user at that level could be adopted. That might be an improvement but I think it is outside the scope of this House. It is a matter for our colleagues in Brussels to consider.

I am delighted this report has come before the House. It did take a while to have it presented to the Dáil. We have many other reports waiting to come out next week and in the weeks after that. We will certainly be churning them out for the next while.

5:10 pm

Thomas Pringle (Donegal, Independent)

We should get EU committees to come over.

James Lawless (Kildare North, Fianna Fail)

Exactly. We will be inviting plenty more over after this. I thank the Minister of State and all the Members who participated in this debate. I am glad I had the opportunity to have this debate tonight.

Question put and agreed to.