On April 27, 2021, the Irish Oireachtas Committee on Justice met in Dublin to consider recent written submissions received criticising the Irish Data Protection Commission (DPC).  The meeting was divided into two hour-long meetings with the first meeting devoted to the criticisms of Max Schrems, the Austrian privacy campaigner, and Fred Logue, an Irish data protection lawyer.  The second meeting, the longer of the two, heard from Helen Dixon, the Data Protection Commissioner, and the Irish Council of Civil Liberties.

Ten politicians, including the Chair (a lawyer with data law experience), questioned each of the invitees on what was a limited agenda.  Each participant was limited to a five minute opening statement after which member politicians attending queried them.  Discussion of ongoing cases was not permitted.

The Committee scheduled Mr. Schrems and Ms. Dixon on separate panels, presumably to avoid a repeat of Ms. Dixon’s objection to the previous invitation from the European Parliament’s LIBE Committee proposing to hear from both together at the same hearing.  Each in turn were the key participants in their panel discussions.  Mr. Schrems repeated criticisms he has made previously and Ms. Dixon gave a strong defence of her office.

Criticisms of the DPC and Suggested Reform

Mr. Schrems complained that it was “remarkable” that the Irish government had now made the DPC one of the best resourced DPAs in the EU but with very little result to show for it.  Mr. Schrems’s specific criticisms were that:

  • The DPC only investigated a small number of the 10,000 complaints it had received, handling just 4,700 of those and expecting to have six or seven decisions this year. Schrems compared this to the Austrian DPA which had only 50 percent of the budget of the Irish DPC but which produced 850 decisions annually and to the Spanish DPA with a similar budget to the DPC but has delivered 700 decisions so far.
  • The DPC had an extremely poor understanding of procedural law.
  • The DPC is fearful of litigation.

Mr. Schrems argued that such shortcomings fed an uncertainty that tech companies relied upon and suggested that the following reforms should be implemented in relation to the DPC:

  1. the appointment of two additional commissioners;
  2. clarification by the DPC of uncertainty regarding procedural law; and
  3. enforcement fines being allocated to the work of the DPC.

Mr. Logue’s criticisms focused on the lack of enforcement of everyday disputes between data subjects and data controllers.  Mr. Logue said the DPC’s decisions were “not bad” once delivered but that they took too long.  Mr. Logue also criticised the dual role of the DPC in consulting with stakeholders and then being called upon to investigate them, although he indicated that he was inclined to forgive the delays in dealing with cross-border issues.

The politicians asked Mr. Schrems and Mr. Logue for their proposals for improvement, how to build awareness of the importance of data protection to policy makers, whether two distinct bodies dealing separately with administrative issues and enforcement were needed, whether better legislation was needed, and the impact of GDPR on small business.  Mr. Schrems was critical of the fact that the GDPR does not differentiate according to business size because the GDPR lobby wanted a “one size fits all” model, which he maintained was “too high a bar” for small businesses.

The Irish Council for Civil Liberties representative, Johnny Ryan, introduced himself as a former whistle-blower in Silicon Valley.  Mr. Ryan complained of the failure of the DPC to resolve “98% of cases” and of Ireland being the “bottleneck of GDPR.”  He spoke of his fear that Ireland would lose its relevance as a regulation centre if the DPC continues to draw criticism from the Court of Justice of the European Union, the European Parliament and other Data Protection Authorities (DPAs) around Europe.  Mr. Ryan called for an independent review of the operation of the DPC and urged the Committee to take action to restore Ireland’s reputation as a regulatory leader.

The DPC’s Position

Ms. Dixon, Ireland’s Data Protection Commissioner, gave a calm and robust defence of her office and rejected much of the criticism of the DPC as “superficial” and based upon a lack of understanding.  She criticised the ease with which the DPC’s critics relied upon sensationalism to undermine its efforts.  The DPC spoke of a challenging background, with the GDPR still in its infancy and structural issues restraining the pace of delivery of the DPC’s efforts.  Ms. Dixon said the DPC was “going back to first principles” on the bigger cases and it would take time to evolve that process and speed up.

When questioned further by Committee members, Ms. Dixon agreed that improvements were needed and said that these were underway in relation to processes and speed of delivery.  When asked about the criticism from other DPAs, Ms. Dixon commented that these were the same DPAs that were on the record as rejecting the one stop shop model, suggesting such criticisms include a political element.  Ms. Dixon said that “superficial skimming” of criticisms was dangerous and that there was a need for a more reasoned conversation to eliminate exaggeration.

A number of other issues were also discussed with the DPC, including: the use of technology alone to decide more minor cases; challenges regarding recruitment; the level of funding needed; the tendering process for technology and forensic testing capabilities; and, the general need for further guidance and awareness of the GDPR.

Next Steps

The Committee Chair indicated that the hearing was the beginning of the conversation and that the Committee would schedule further such meetings.  Ms. Dixon suggested that the Committee also speak to others, referring to what she regarded as an “imbalanced set of views” presented at this particular meeting.

The DPC has now issued its Regulatory Strategy for 2021-2016 and is inviting responses to it through a public consultation, which is open until June 30, 2021.  This debate will continue to evolve over the coming months and both the Committee and the DPC’s consultation afford interested stakeholders an opportunity to provide input and Covington is available to assist clients in this regard.