James Browne (Wexford, Fianna Fail) | Oireachtas source

I thank the Senator for raising this matter. It is important to note that the DPC is independent in the performance of its tasks and the exercise of its powers. Therefore, the Senator will appreciate that I cannot comment on legal proceedings in which the commission was or is involved. Nor can I comment on findings of the courts, given that they are also independent in the exercise of their duties.

The case referred to arose from a complaint referred to the DPC in June 2013 concerning the transfer of personal data to the US under the European Commission's safe harbour adequacy decision. In October 2015, the court struck down the safe harbour policy and the original case in the High Court was reformulated to challenge the transfer of EU citizens' personal data to the US via the use of standard contractual clauses, SCCs. It is a matter of public record that the DPC was involved in these proceedings and the court referred a number of questions to the European Court of Justice, ECJ. In its ruling in July, the ECJ upheld the use of SCCs to transfer data but struck down the EU-US privacy shield adequacy decision on the basis that the US did not provide adequate and enforceable safeguards and redress mechanisms where EU citizens' data were forwarded by US companies to US intelligence services that then processed them. Concerns about the lack of enforceable protections were raised about the use of SCCs to transfer data to the US.

More recently, Facebook and Mr. Schrems have instigated separate judicial review proceedings against the DPC in the High Court concerning mattes raised in both ECJ judgments. I will not comment any further. However, I will reiterate that the Government respects the judgment of the court and is fully supportive of the need to protect citizens' data through enforceable safeguards and proper redress mechanisms.

The Senator will appreciate that the GDPR provides for high data protection standards, imposes detailed obligations on bodies that process personal data and provides a range of possible sanctions, some of which are significant, for when those standards are breached. The GDPR specifies how bodies are to be regulated and all parties must adhere to these obligations.

Enforcement of the GDPR is a matter for the DPC - where it is the lead authority in the EU under the one-stop-shop mechanism - and other independent supervisory authorities across the EU in accordance with the processes set out by the GDPR. The Government has every confidence in the DPC in meeting its responsibilities to enforce and protect the data protection rights of EU citizens to the high standards required by the GDPR.