The leadership of Ireland’s Data Protection Commission (“DPC”) is to be expanded to a three-person Commission, with the current Commissioner taking the lead role as Chair. The Irish Minister for Justice announced the decision on July 27, 2022, along with the Government’s decision to undertake a review of its governance structures, staffing arrangements and processes for the newly modeled Commission.
The DPC’s Heavy Workload
The decision is hardly a surprise.
The DPC has expanded its operations significantly in recent years to meet its increased workload under the GDPR and Ireland’s updated Data Protection Act 2018 (“DPA”) – particularly as the lead supervisory authority for many of the largest global technology companies with their European base of operations in Ireland. The DPC was originally established in 1989, and by 1997, still had a staff of only 8 people – counting among them the then Commissioner, and handling a relatively confined remit of activities. Now, 25 years later, and particularly since the entry into force of the GDPR in 2018, the DPC appears to have outgrown the single commissioner model.
Those days are long gone, with the Commission’s work growing in complexity – not just in terms of its remit and staffing, but also the complexity of issues brought before the DPC in its enforcement of the GDPR. The DPC now has (as of the end of 2021) a staff of 195, and continues to recruit, with budget for a staffing goal of 258 by the end of this year.
Changes Anticipated
Section 15 of the DPA anticipated the need for a multi-member DPC by providing for up to three commissioners, to be ultimately decided upon at the discretion of the Government. The three-person commission model is not new to Ireland and has been reflected in several of the leading Irish regulators, including the Competition and Consumer Protection Commission, the Commission for the Regulation of Utilities and ComReg (the Commission for Communications Regulation). Also, most recently, a three-person commission structure has been legislated for the new Corporate Enforcement Authority. The planned new Media Commission, currently advancing through the legislative process, will also have a multi-member commission structure of 3 members with the potential to expand it to 6. It’s by now a tried, tested and effective regulatory model in Ireland.
A report commissioned by Ireland’s then Department of Public Enterprise in 2000 studied several potential regulatory models and ultimately recommended that a three-member board or commission, with the members having full-time appointments, as the ideal governance model for Irish regulatory bodies. It was then adopted for the then energy and telecoms regulators as being the better model to deal with the growth in their regulatory complexity and workload. It was felt that the collegiality of the multi member commission would lead to better decision making and improved institutional memory. While speedier decision making could be an advantage in the single member regulator model, the arguments against such a model included the span of expertise required, the potential for undue personalization of the office and for regulatory capture.
More recently, a July 2021 report publish the Joint Oireachtas Committee on Justice (a parliamentary committee) on the effectiveness of GDPR enforcement since 2018, recommended the appointment of two additional commissioners (see here our previous blog).
The recruitment process for the two new Commissioners will now begin, with appointments expected within the coming months.