Malcolm Byrne (Fianna Fail) | Oireachtas source

We need to start by acknowledging the important role that Ireland plays in the data sector. It is one that I hope will continue to grow. The question today is about how we manage those data and how we ensure citizens' data privacy. I hope that the Minister of State will express the Government's view about the recent judgment in the Schrems II case. Max Schrems and others would have argued that much of this litigation was unnecessary. Had the Data Protection Commissioner, DPC, made a decision based on the original case presented by Max Schrems and the responses provided by Facebook and others, it could then have been open to either party to challenge the decision of the DPC, but the DPC did not choose to go that route. Does the Minister of State believe that that was the correct approach by the Data Protection Commissioner? In general, does the Minister of State believe that moving to litigation is the correct approach?

When this case came before the European Court of Justice, the Data Protection Commissioner was alone in arguing that the standard contract clauses were invalid. The State and Max Schrems argued a contrary position. In light of that approach, I would be grateful, regardless of whether or the Government agrees with the Data Protection Commissioner's approach, to ask what are the total costs to the State of the Schrems II case. What are the total costs to the State in litigation since Max Schrems initially raised a number of privacy concerns with regard to Facebook?

I know have raised this issue before. Is the Data Protection Commission adequately resourced? Does it have a sufficient number of staff and sufficient expertise? The overall question of the architecture of the Data Protection Commission and its decision-making processes is also crucial. We have one Data Protection Commissioner. Is it the view of the Minister of State and Government that we should have one commission or a Data Protection Commission with three commissioners making decisions as is the case in other jurisdictions?

I am torn between the resources argument and the decision-making process when we compare Ireland's situation with data protection commissioners in other countries. The Spanish data protection commissioner issues fines almost weekly for data breaches. In the Irish case, only two fines have been issued for breaches of general data protection regulation, GDPR, since 2018, in the cases against Tusla. The Minister of State's colleague, the Minister of State, Deputy Fleming, was here last week. We talked about one of the challenges with banks and financial institutions, the breaches that have happened there, and whether the DPC has acted strongly enough in that regard. My concern in all of this relates to the reputational risk to Ireland if we do not get this right. There are concerns for individual citizens, businesses and companies if there are data breaches. If we are at the heart of trying to regulate all of this, especially given the important role that the social media giants play in our economy, we have to ensure that we have it right. I question whether our approach in this case was correct.What is the Minister of State's view on the future role of the DPC? I would be grateful if he commented on the litigation in question.