In an address to the Institute of International and European Affairs on 7 January 2015, Helen Dixon, the recently appointed Irish Data Protection Commissioner, highlighted a number of challenges facing the Office of the Data Protection Commissioner (the “DPC”) as well as outlining a number of key data protection themes that can be expected in 2015.
Challenges – Real and Perceived
The Commissioner noted comments made by her European counterparts that Ireland was perceived to have a “light touch” when it comes to the regulation and enforcement of data protection. She cited comments made to the effect that Ireland is facilitating forum shopping by data companies, that the DPC is not as independent from government as it should be and that Ireland does not enforce data protection penalties against multi-national companies.
The DPC emphasised that the above are mainly issues of perception rather than reality. Whilst she welcomed the increased €3.65 million funding which has been allocated to her office for 2015, the DPC acknowledged that adequately resourcing her office remains an ongoing challenge. The DPC also defended noteworthy features of the Irish regime such as the DPC’s strong legal and auditing powers which have been used to conduct large scale audits of Facebook and LinkedIn. The Commissioner also cited the recent prosecution of the directors of two private investigation firms as evidence that the DPC will not hesitate to sanction those who do not comply with data protection legislation.
The Commissioner highlighted the importance of changing this perception of the Irish regime on the basis that: (i) many multinationals have made it known that they do not wish to be “softly” regulated as they do not want to have to fight a perception that this is the case and need legal certainty as to their data protection obligations; and (ii) if Ireland is to be a lead enforcement authority when the new Data Protection Regulation is enacted, it cannot be perceived as taking a lax approach towards compliance with data protection obligations.
The DPC announced that the following measures are to be implemented during the course of 2015:
- the development of media and PR activity by the DPC;
- the re-orientation of how data protection complaints are dealt with by the DPC, in order to eliminate unmeritorious referrals;
- the establishment of a Dublin office of the DPC (the regional office in Portarlington will still be maintained);
- the start of an active recruitment process to increase the levels of staffing and expertise of the office;
- more active co-operation between the DPC and other EU data protection regulators;
- deeper Irish engagement with the Article 29 Working Party; and
- encouraging government bodies to engage with data protection issues at an early stage of major data projects such as Eircode.
The Commissioner noted that Ireland’s ability to contribute to the activities of the Article 29 Working Party has been hampered by lack of resources. However, it is envisaged that, with the additional funding allocated to her office for 2015, Ireland will now be able to “take a seat at the table” with the aim of contributing to EU data protection policy as well as ensuring that the expertise of the DPC’s office is recognised at EU level.
Data Protection Themes for 2015
The Commissioner discussed important themes that will affect both her office and all EU data protection authorities in 2015. These include:
In response to the revelations about the widespread use of cable and phone tapping by national authorities, the Commissioner flagged surveillance as a matter that should be addressed by data protection legislation as it is currently not fully within the scope of the Data Protection Directive 1995. However, she acknowledged that this will be a matter for the Courts and/or the legislature.
Big Data and the Internet of Things
The challenges facing the DPC and society more generally in the sphere of Big Data and Internet of Things include: how to regulate when technological developments are outpacing existing legislation, dealing with refusals of search engines to de-list references to an individual as a result of the Google Spain decision and the implications of the ECJ judgment in which the court held that private use of CCTV was, in the given circumstances, not covered by the “household exemption”3.
Draft Data Protection Regulation
The Commissioner expressed concern over recent proposals to amend the “one stop shop” element of the draft Data Protection Regulation. The amended proposal requires a lead authority’s decision on a matter of data protection to be accepted by all EU data protection regulators on a consensus and unanimous basis. Therefore, in cases where a unanimous consensus could not be reached, one EU Member State could veto the lead authority decision and the question would then be referred to the European Data Protection Board, which would make the final binding decision. According to the DPC, such an outcome may lead to a situation where “Ireland could be cast in the role of chief co-ordinator rather than lead decision maker”. The DPC did note that the Regulation is in draft form, and that these proposed changes to the “one stop shop “principle are not finalised.