Malcolm Byrne (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We need to start by acknowledging the important role that Ireland plays in the data sector. It is one that I hope will continue to grow. The question today is about how we manage those data and how we ensure citizens' data privacy. I hope that the Minister of State will express the Government's view about the recent judgment in the Schrems II case. Max Schrems and others would have argued that much of this litigation was unnecessary. Had the Data Protection Commissioner, DPC, made a decision based on the original case presented by Max Schrems and the responses provided by Facebook and others, it could then have been open to either party to challenge the decision of the DPC, but the DPC did not choose to go that route. Does the Minister of State believe that that was the correct approach by the Data Protection Commissioner? In general, does the Minister of State believe that moving to litigation is the correct approach?

When this case came before the European Court of Justice, the Data Protection Commissioner was alone in arguing that the standard contract clauses were invalid. The State and Max Schrems argued a contrary position. In light of that approach, I would be grateful, regardless of whether or the Government agrees with the Data Protection Commissioner's approach, to ask what are the total costs to the State of the Schrems II case. What are the total costs to the State in litigation since Max Schrems initially raised a number of privacy concerns with regard to Facebook?

I know have raised this issue before. Is the Data Protection Commission adequately resourced? Does it have a sufficient number of staff and sufficient expertise? The overall question of the architecture of the Data Protection Commission and its decision-making processes is also crucial. We have one Data Protection Commissioner. Is it the view of the Minister of State and Government that we should have one commission or a Data Protection Commission with three commissioners making decisions as is the case in other jurisdictions?

I am torn between the resources argument and the decision-making process when we compare Ireland's situation with data protection commissioners in other countries. The Spanish data protection commissioner issues fines almost weekly for data breaches. In the Irish case, only two fines have been issued for breaches of general data protection regulation, GDPR, since 2018, in the cases against Tusla. The Minister of State's colleague, the Minister of State, Deputy Fleming, was here last week. We talked about one of the challenges with banks and financial institutions, the breaches that have happened there, and whether the DPC has acted strongly enough in that regard. My concern in all of this relates to the reputational risk to Ireland if we do not get this right. There are concerns for individual citizens, businesses and companies if there are data breaches. If we are at the heart of trying to regulate all of this, especially given the important role that the social media giants play in our economy, we have to ensure that we have it right. I question whether our approach in this case was correct.What is the Minister of State's view on the future role of the DPC? I would be grateful if he commented on the litigation in question.

James Browne (Wexford, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Senator for raising this matter. It is important to note that the DPC is independent in the performance of its tasks and the exercise of its powers. Therefore, the Senator will appreciate that I cannot comment on legal proceedings in which the commission was or is involved. Nor can I comment on findings of the courts, given that they are also independent in the exercise of their duties.

The case referred to arose from a complaint referred to the DPC in June 2013 concerning the transfer of personal data to the US under the European Commission's safe harbour adequacy decision. In October 2015, the court struck down the safe harbour policy and the original case in the High Court was reformulated to challenge the transfer of EU citizens' personal data to the US via the use of standard contractual clauses, SCCs. It is a matter of public record that the DPC was involved in these proceedings and the court referred a number of questions to the European Court of Justice, ECJ. In its ruling in July, the ECJ upheld the use of SCCs to transfer data but struck down the EU-US privacy shield adequacy decision on the basis that the US did not provide adequate and enforceable safeguards and redress mechanisms where EU citizens' data were forwarded by US companies to US intelligence services that then processed them. Concerns about the lack of enforceable protections were raised about the use of SCCs to transfer data to the US.

More recently, Facebook and Mr. Schrems have instigated separate judicial review proceedings against the DPC in the High Court concerning mattes raised in both ECJ judgments. I will not comment any further. However, I will reiterate that the Government respects the judgment of the court and is fully supportive of the need to protect citizens' data through enforceable safeguards and proper redress mechanisms.

The Senator will appreciate that the GDPR provides for high data protection standards, imposes detailed obligations on bodies that process personal data and provides a range of possible sanctions, some of which are significant, for when those standards are breached. The GDPR specifies how bodies are to be regulated and all parties must adhere to these obligations.

Enforcement of the GDPR is a matter for the DPC - where it is the lead authority in the EU under the one-stop-shop mechanism - and other independent supervisory authorities across the EU in accordance with the processes set out by the GDPR. The Government has every confidence in the DPC in meeting its responsibilities to enforce and protect the data protection rights of EU citizens to the high standards required by the GDPR.

Malcolm Byrne (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Unfortunately, I have a slight problem. While the DPC is independent, the language the Minister of State is using is pretty much the language we heard in the run up to the financial crash, when people were told that the Financial Regulator and the Office of the Director of Corporate Enforcement were independent agencies and the Oireachtas could not interfere. Ireland is potentially facing a significant reputational risk in terms of the misuse of data and in challenges such as the one brought by Mr. Schrems. The Government does not have its eye sufficiently on this industry. Senior levels of government face a challenge in understanding the importance of these issues. As the Minister of State knows, one of the major challenges that we will face in the coming years is the relationship between the State, the EU and other state actors and the social media giants. I respectfully suggest that the Government needs to examine how the DPC is functioning in dealing with these cases and ensure that Ireland is best positioned to protect the privacy of individual European citizens and the country's reputation.

James Browne (Wexford, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I assure the Senator that the Government's position is reflected in our ongoing commitment under the programme for Government to recognise the domestic and international importance of data protection in Ireland. Moreover, we will ensure that Ireland delivers on its responsibilities under the general data protection regulation.

The DPC finds itself at the fore of many key data protection decisions in the EU due to the presence of many of the world's leading technology companies in Ireland. As the Senator is aware, the GDPR is fast becoming the internationally recognised data protection standard. I assure the House that the Government will continue to engage with the DPC to ensure that the latter has the tools, support and resources it needs to perform its important role.The Government is committed to supporting the Data Protection Commission in its work. This is clearly shown in the increase in the commission's budget's from €3.6 million in 2015 to €16.9 million this year. More than €19 million has been secured for the commission in the 2021 budget, which is more than a fivefold increase on the 2015 allocation. I believe the Senator will agree that this reinforces the Government’s support in ensuring a robust regulatory framework as required by the GDPR and in protecting the State’s reputation in that regard.