The Irish Data Protection Commission has announced its Strategy for 2022-2027, highlighting 5 strategic goals:
- (1) “consistent and effective” regulation;
- (2) promoting data protection awareness;
- (3) protecting children;
- (4) providing clarity for stakeholders; and
- (5) supporting organisational compliance.
The strategy is based on a risk-based approach to regulation which, according to the DPC, “resonated with the majority of commentators” to the public consultation the Commission conducted as it developed its new 5-year strategy.
It can’t do it alone
The DPC’s overarching objective is to do more for stakeholders, but it admits that it can’t meet its ambitions on its own. Some of its recently announced objectives simply reframe what the DPC is already doing, or is obliged to do, e.g. “[r]egulating in a fair, impartial and transparent manner . . . [a]pplying corrective powers proportionately . . . [w]orking with the EDPB to develop consistent procedures . . . [w]orking with peer DPAs to introduce consolidated and consistent enforcement across Europe.”
However, the need for increased and more nuanced guidance was an “almost universal” ask from those responding to the public consultation. The new strategy heeds that ask by promising to build expert-level partnerships with stakeholders to assist in the development of that guidance, in an overall effort to encourage meaningful and improved compliance outcomes.
Some change in direction
However, the strategy also contains some change in direction. The DPC intends to steer away from a complaint-heavy emphasis to one which prioritises cases likely to have the greatest systemic impact over the longer term. To do this, the regulator aims to raise public awareness of data protection rights, publish more guidance on its complaints handling processes, and promote “a cultural shift towards compliance.” While all that seems sensible, what it means in practice for the resolution of any individual non-prioritised complaint deemed less important remains to be seen.
Responses to the public consultation showed differing appetites in the area of fining. Individuals tended to favour large fines for breaches whereas industry, unsurprisingly, sought a more risk-based approach. The DPC notes that “there is sometimes a tendency to conflate fining with regulatory success and to use the imposition of fines as a means to measure effectiveness.”
Using softer enforcement tools
While hard enforcement tools are always available to it, the DPC emphasises the important role of guidance and engagement to drive accountability. The regulator regards both as valuable tools which should not be undervalued. “Driving compliance – rather than retrospectively and unilaterally penalising non-compliance – can ultimately produce better results for all stakeholders”.
With that said, however, the strategy is now set to “prioritise prosecution, sanction and/or fining those infractions that result from willful, negligent or criminal intent.” It also makes increasing the turn-around times for inquiries a strategic priority, including by working with its EDPB peers to improve communication and clarity in the Article 60 co-operation mechanisms.
More specifically, in the 5-year strategy the DPC promises to:
- Standardise public complaint handling and inquiry procedures;
- Clarify the limits of legislation and how/when corrective measures are imposed;
- Publish quarterly, rather than annual, case studies;
- Identify trends and themes in complaints in order to achieve strong collective outcomes;
- Engage extensively with stakeholders “so that data protection rights are upheld as a behavioral default by society”;
- Prioritise the protection of the rights of children and vulnerable adults, including clarifying the bases for data sharing so that individuals are not disadvantaged by over-cautious data controllers; and
- Enhance the technological foresight of the DPC to respond to evolving technologies.