The Irish Data Protection Commission has a plan for the next five years. Here are our thoughts.
The Data Protection Commission of Ireland has invited interested parties to comment on its draft regulatory strategy for the next five years. ICCL's response is presented below.
Data Protection Commission of Ireland
Regulatory Strategy Consultation
21 Fitzwilliam Square South
D02 RD28
25 June 2021
Response to the DPC regulatory draft strategy
Dear Colleagues,
We commend your exercise in consulting on the Data Protection Commission’s strategy for the next half decade, and endorse many of the aspirations contained within the consultation document.
In this response to your invitation we make two recommendations of highest priority, and further recommendations on matters of lower priority.
HIGHEST PRIORITY
Highest priority: take on Big Tech
ICCL notes the realistic and practical reference to the finite resources of the DPC, and the need to put these resources to where they can do the most good. We also note with approval the intention to take an approach based on risk, prioritising matters that create higher risks for larger numbers of people over others.
The DPC has shown itself willing to enforce against the public sector, for example in the matter of the Public Services Card. But there is a severe under-enforcement against dominant players in the private sector that create high risks for large numbers of people. Those entities set the model for the behaviour of smaller firms, too.
We are therefore deeply concerned by the consultation document’s suggestion that guidance from the DPC will suffice.
It is now over five years since the GDPR was applied, and over three years since it came into effect. The 2018-2020 grace period is over. Indeed, since an infringement of the GDPR is highly likely to be an infringement under the ePrivacy Directive, this grace period may have been unnecessary. We strongly urge that the DPC to move to hard enforcement. Urgently. Otherwise, not only will the fundamental rights of individuals remain imperilled, but the DPC will face a more emboldened and entrenched group of systematic infringers.
We also caution against relying on guidance as a means of prompting enforcement. Those with experience in industry will recognise that the surest way to give clarity to data controllers about the law is to show that several years of systematic infringement will be sanctioned. Sanctions must be severe enough to be dissuasive, and should use orders banning processing where possible.
Therefore, while recognising the DPC’s efforts to enforce in the public sector, ICCL strongly suggests that the DPC’s highest strategic priority must be robust, adversarial enforcement against unlawful data processing by Big Tech.
Highest priority: reform and strengthen the Commission
An important step over the next five years should be to acknowledge and the many issues raised at the 27 April hearing of the Oireachtas Justice Committee. We recommend that the DPC urgently request that the Minister appoint two additional commissioners, and that it request that the State establish an independent review of how best to reform and strengthen the DPC. In addition, we commend the consultation document’s references to expertise and training. Further detail in this area would be useful.
LOWER PRIORITY
- Competition
We recommend that the DPC investigate collaboration between data protection supervisory authorities and their sister agencies supervising competition matters.
Under-enforcement in competition has made the task of data protection authorities harder, by allowing big tech firms to gain positions of significant power. Under-enforcement in data protection has now also made the task of competition authorities harder, entangling them in matters previous beyond their purview. Big Tech market and rights problems metastasised in the gap between data protection and competition authorities. These gaps must close.
Though competition & data protection communities have caused problems for each other, they offer remedies for each other, too. For example, the supervisory authorities of Hamburg and Bonn’s cooperation with the Bundeskartelamt in Germany, the cooperation between the CNIL and the Autorité de la concurrence in France, and the recent memorandum of understanding between the ICO and the Competition & Markets Authority in the UK.
As lead authority for Google, Facebook, Microsoft, Apple, and other Big Tech firms, it is important that the DPC attempt to stimulate cooperation with its competition counterparts.
- Transparency
We commend the DPC for aspiring to more transparency. However, we note that the DPC has so far refused to provide ICCL with a statistics on the use of its powers – while ICCL has received information from other supervisory authorities. We urge the Commission to regularly publish statistics on the use of its powers of investigation and sanction under Section 127 and 130 - 140 of the Data Protection Act 2018. We also urge the Commission to waive its broadly interpreted exceptions to the Freedom of Information Act.
- We note that the DPC has a responsibly to investigate every complaint
The DPC is required to investigate every complaint, and inform the complaint of the outcome, per Article 57(1)f of the GDPR. The only exception is if a complaint is withdrawn by the person who made it. There may have been confusion about this responsibility in the Commissioner’s testimony. We elaborate on this in a note to the Oireachtas Justice Committee, following the 27 April hearing at which I and the Commissioner gave testimony.
We note that some of the plans in the consultation document may envisage an approach at odds with this responsibility.
Yours faithfully,
Dr Johnny Ryan FRHistS
Senior Fellow
Irish Council for Civil Liberties