Seanad debates

Wednesday, 19 January 2022

Nithe i dtosach suíonna - Commencement Matters

Data Protection

2:30 pm

Photo of Malcolm ByrneMalcolm Byrne (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Minister of State for coming to the House to speak to this matter. He might recall we discussed it in September 2020, when I raised concerns around the capacity of the office of the Data Protection Commissioner, its resourcing and its powers in being able to deal with some of the challenges it continues to face.

First, I compliment the staff of the Data Protection Commissioner, who have been working under difficult circumstances and faced much criticism. Some of that has been unfair but some of it should also be taken on board. The Minister of State will be aware that there has been criticism from other European jurisdictions and data protection authorities across Europe. I note, however, that Commissioner Reynders is responsible for the data protection area and he recently came to the defence of the Data Protection Commissioner.What is clear is that there are major challenges in the area of data protection. We know that this is just going to continue to grow. A recent survey by McCann FitzGerald and Mazars found that businesses here were increasingly concerned about having to deal with issues of data protection and data privacy. However, William Fry conducted a survey of international businesses recently in which 89% of respondents recognised that the regulatory climate in Ireland would be regarded as good to excellent.

However, there are problems. The Minister of State acknowledged at the time that there were not sufficient staff in the Data Protection Commission. In an interview in the Business Poston 5 December, the commissioner stated that the office is currently unsustainable and unfit for purpose. We have the DPC already saying that the office is not sustainable in its current form. There were commitments by Government which have not been sufficient to meet the scale of the challenge.

Given the importance of data privacy and data protection, particularly following the Schrems II judgment, it is of increasing importance that we take action against companies engaged in data breaches. We must have a properly resourced and, more importantly, properly structured DPC. The time is long overdue. The Oireachtas justice committee recommended the following: that the Government appoint three data protection commissioners, as is provided for in legislation; that there be an independent review of the operation of the DPC to take on board criticisms and address concerns; and that we be in a position to give confidence that Ireland has an excellent data protection regime.

One of the largest fines set down by the DPC was against WhatsApp. Clearly the DPC is taking the issues very seriously. On the other side, however, last year there were nearly 7,000 Irish citizens and individuals who made complaints to the DPC. One of the complaints was about the length of time it is taking for the DPC to deal with some of those complaints. I ask the Minister of State to set out the Government's position with regard to the commission.

Photo of James BrowneJames Browne (Wexford, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Senator for raising this issue which he has consistently raised in the House. The programme for Government commits to recognise the domestic and international importance of data protection in Ireland and states that the Government will ensure that Ireland delivers on its responsibilities under the general data protection regulation. The Government is very conscious of the commitment to deliver effective data protection regulation and protection of the data privacy rights of EU citizens, which is critical to the development and growth of our digital economy. In dialogue with the Data Protection Commission and with other relevant Departments, the role of my Department is to ensure that the commission continues to have the resources required to fulfil its important statutory obligations.

GDPR obliges member states to ensure that each supervisory authority is necessarily resourced to perform its tasks and exercise its powers. To that effect, the DPC is one of the largest EU data protection authorities in terms of budget and staffing. The DPC is funded under its own Vote as of 1 January 2020, with the commissioner being Accounting Officer. It has received an allocation of €23.2 million under budget 2022, a 22% increase on the €19.1 million that was allocated for 2021. This equates to a €4.1 million increase in pay of €3.2 million and non-pay of €900,000. Furthermore, the 2022 allocation marks a sixfold increase on its 2015 allocation.

There have been significant increases over recent years. Resources awarded to the DPC have risen steadily. Staffing numbers increased from 110 at the end of 2018 to 191 in December 2021.Recognising the expanding breadth of the commission's regulatory role, its mission to safeguard data protection rights and the increasing demands, this increased allocation in 2022 will enable the recruitment of additional specialist and technical staff and address the increasing case load and complexity of cases being faced by the commission.

Under the Data Protection Act 2018, provision is made that the Government may determine that the commission could consist of up to three members. Section 15 states that "the Commission shall consist of such and so many members (not being more than 3) as the Government determines". Section 16 provides that in the event of there being more than one commissioner, the Minister shall appoint one to be chairperson with a casting vote. In keeping with the Government's commitments, and as conveyed to the Dáil in a written reply in October 2021, Deputy Humphreys, then acting as Minister for Justice, requested officials of the Department to consider the matter of appointing additional commissioners to the DPC. This was done on the basis that if such a recommendation were to be made, it would require the Minister to bring a recommendation to the Government for decision. Department officials are continuing to review this issue and it is expected that a recommendation will be made to the Minister shortly.

Photo of Malcolm ByrneMalcolm Byrne (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I welcome the fact that there are discussions around a move towards three commissioners. I am certainly interested in hearing the Minister of State's personal view on whether this will happen, and happen quickly. In terms of addressing some of the concerns, including those raised by the DPC around its functioning, this may be a step forward. If the Minister of State cannot give a direct answer, I ask him to clarify what he means when he says a decision will be made by the Minister "shortly". I always wonder what exactly "shortly" or "imminently" means. I ask the Minister of State to provide a specific timeframe. I am sure will appreciate the urgency of the issue.

The question is not just about the commissioner and the number of commissioners. There is a broader issue around the functioning of the office. This is about ensuring we have an office that can cope effectively, given the huge challenges we are going to face over the next number of years around data protection. The Leas-Chathaoirleach and I sit on the Special Seanad Committee on the Withdrawal of the UK from the EU. One of the issues that the committee has addressed is the question of the UK's data protection regime diverging from the EU regime post Brexit. According to the DPC, such divergence could entail €1 billion in extra costs for Irish business. We must ensure the DPC is going to be in a position to be able to advise on all of those issues. I still believe there should be an independent review. I certainly believe there should be three commissioners. Perhaps the Minister of State can give us an indication of the timeframe involved.

Photo of James BrowneJames Browne (Wexford, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Senator for raising the matter. I cannot give a direct answer to his specific question. I would be loath to anticipate, in any way, what this independent review is going to propose. The Department has carried out recent reviews quite quickly where necessary. I expect the answer will come in a short time.

The Department of Justice continues to monitor the impact of the GDPR implementation, of any possible future regulatory changes and of any changes within industry, and to liaise with the DPC to ensure it continues to have the resources required to fulfil its statutory obligations. As I stated, the Minister for Justice is happy that by the end of 2022, the funding for the DPC will have increased sixfold from its 2015 allocation. The staffing numbers increased from 110 in 2018 to 191 in December 2021, with the additional budget for 2022 expected to bring the staffing target up to 260 by the end of this year. That is a substantial increase in staffing, recognising the need for and the increasing breadth of the DPC.

In keeping with the Government's commitment, and as conveyed to the Dáil in that written reply, the review requested by the then acting Minister for Justice, Deputy Humphreys, to the Department will be carried out as quickly as possible. This is on the basis that if such a recommendation were made, it would require the Minister to bring that recommendation to the Government for a decision on it.