On Jul 22, 2021, the Irish Joint Committee on Justice (“Committee“) published a report that included a series of recommendations on the work of the Irish Data Protection Commission (“DPC“). The Committee, made up of 14 politicians from across the political spectrum and drawn from both the Dáil (the elected first house) and Seanad (the senate), issued this report following a public hearing held on April 27, 2021 (see our prior blog post here). The recommendations in the report address, among other things, concerns raised about the Irish DPC’s oversight and enforcement of the EU General Data Protection Regulation (“GDPR“).
Four parties appeared before the Committee during its April hearing: Max Schrems, an Irish data protection lawyer, the Irish Council for Civil Liberties, and the DPC. The criticisms discussed at the hearing revolved largely around delays in processing data protection complaints and cases, as well as a lack of clarity on DPC procedures. The potential risk to Ireland’s role as a Lead Supervisory Authority in Europe was also a key concern expressed by both the Committee and some of the witnesses appearing before it.
The Committee’s public hearing follows a long line of controversy involving the DPC and the activist Max Schrems. Just five weeks before the hearing, the DPC refused an invitation to appear before the LlBE Committee of the European Parliament to address complaints raised by Max Schrems. Then, less than a month after the April hearing, the Irish High Court refused to review an application submitted against the DPC, which included Max Schrems as an interested party and followed from a complaint he originally submitted to the DPC in 2013.
The Committee, cognizant of the differing opinions it heard on the effectiveness of GDPR implementation and monitoring by the DPC, referred to “several elements of the Commission’s procedures requiring attention and reform”. In referring to the “serious concerns” raised about “reports of the particularly slow progress of some cases being handled by the DPC” the Committee have issued a number of recommendations to the Minister for Enterprise Trade and Employment (“Minister“).
Those recommendations, several of which are aimed at expediting delays in processing cases, state that the DPC should:
- urgently move from emphasizing guidance to emphasizing enforcement;
- increase the use of its sanctioning powers – particularly orders stopping infringers from processing data, in addition to dissuasive fines – to ensure effective implementation of GDPR;
- streamline its complaint-handling processes;
- clarify its written procedures and rules with fellow DPAs; and
- publish the exact processes it follows when handling complaints and clarify its definitions on when cases have been “concluded” or “resolved”.
The Committee also recommended:
- that Irish data protection legislation be reviewed, with a view to codifying the published processes of the DPC;
- the creation of a decision-making entity within the DPC, separate to that of Commissioner, to improve the time frames in which the Commission issues decisions;
- that the Minister appoint two new Commissioners, at least one of whom should be a legal expert. (This is unsurprising, given that the trend away from single position regulators in Ireland in recent years, as well as the fact that the current Data Protection Commissioner will remain in office until 2024.); and
- that a review be undertaken to strengthen and reform the DPC and including whether staffing levels and resource allocation are appropriate.
It will be interesting to see what happens next. Given the importance of an effective regulator to Ireland’s reputation as a key international hub for large technology companies operating in Europe, and in light of the cross-party Committee support for the reforms recommended, it seems likely that the Minister will take action to improve and strengthen the DPC.
We will continue to provide updates on these developments as they evolve.