On the 27th of July the Department of Justice announced that the Government had approved the expansion of the Data Protection Commission by two additional Commissioners. The Data Protection Commission (DPC) since its inception, has had only one Commissioner. The appointments will be made in accordance with Section 15 of the Data Protection Act, 2018 (the Act), which allows for up to three Commissioners. The current Commissioner, Helen Dixon, will become the Chairperson of the Data Protection Commission on its expansion. This article explains the decision to expand and evaluates the potential impact of this change, including changes to the organisation of the DPC, increased ability to investigate complaints and increased ability to supervise big tech.
The decision follows an investigation which began in 2021, instigated by the then Minister for Justice, Heather Humphreys, T.D. Focusing on the Governments commitment to ensure that the DPC can best deliver on its responsibilities, the Department of Justice was tasked with examining whether the DPC should be expanded to three Commissioners, as allowed for under the Act. The investigation was triggered due to the increased working burden and investigative complexity for which the DPC has become responsible since its inception. Following the completion of this investigation and after advice was received that the number of Commissioners should be expanded, the Government has given the green light to begin the process of appointing the two new Commissioners. The process to appoint the two new Commissioners will be undertaken by the Public Appointments Service and the appointments will then be made by the Government. The whole process should take approximately six months.
The Minister for Justice, Helen McEntee, T.D. also made it clear that the entire current structure of the DPC would be reviewed, saying “I am also asking that the DPC undertake a review of governance structures, staffing arrangements and processes in order to support the work to be performed by the new model of Commission”. The move to appoint two new Commissioners will be welcomed by many, as it was publicly by the Irish Council for Civil Liberties (ICCL). However, the ICCL called for an independent review of the DPC, saying “Without such a review it will be impossible for the new Commissioners to know what they need to fix”. The ICCL were clear that they don’t believe the DPC can perform this review themselves and find “the Ministers suggestion that the DPC review itself is totally inadequate”.
The Data Protection Commissions workload has expanded since the introduction of the General Data Protection Regulation in May 2018. With the introduction of GDPR it was correctly anticipated that the volume of supervisory and investigative work would increase and in addition, cases would increase in complexity. This growth is reflected in the DPC’s budget and staffing figures. Funding for the DPC has increased from a budget of €3.7M in 2015 to €23.2M in 2022. Staffing has increased from 110 in 2018, when the GDPR came into effect, to 191 at the end of 2021 with a provision for 258 by the end of 2022. The DPC has faced some harsh criticism over the years, from around Europe as well as at home, regarding the perceived slow pace of their investigations. One of the key demands being made by the critics was that Ireland should have three Commissioners, not one. With this change, we can expect better and faster investigations into breaches and complaints.
However, the criticisms of the DPC go beyond the slower pace of investigations. Much of the concern is focused on the growing power of the large tech giants, all of which are sitting on the DPC’s doorstep and for whom the DPC has supervisory responsibilities. Data privacy campaigners to European politicians have all been critical that the DPC has not gone far enough or fast enough in response to data breaches and other privacy concerns with these huge companies. There have even been suggestions made that the slow pace of the DPC’s investigations is linked to the Governments reliance on the tech giants for jobs and taxes, which the DPC has denied. With a new, potentially much improved, structure in place, we can expect the DPC to have a better ability to supervise big tech.
Overall, an expansion and reorganisation of the DPC will be a welcome move, in the DPC itself, in Ireland and all across Europe. However, what we can only speculate on at this point is the shape any reorganisation will take. We have no information on who these new Commissioners will be, if they’ll be taken from within the current regime or not. Given the fact that the current Commissioner is to be made Chairperson it would seem likely that some type of appellate system will be put in place where investigations would take place under the two new Commissioners and a review process be managed by the Chairperson. At the very least, it would seem prudent that at least one Commissioner would focus solely on the tech industry or take full responsibility for all cross-border investigations. Were this to be the case we could see the pace of these large scale investigations increase and the effects of the outcomes, for those relying on their services, felt faster.
However the DPC decide to organise themselves, one thing is certain, we will see a new, expanded Data Protection Commission by early 2023. We can fully expect the DPC to improve investigations into data incidents and SAR complaints. Whether this has an immediate impact on their processes will be a question for next year.
Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking complex projects to comply with their data protection obligations. We offer a range of data governance services, including compliance support and updates regarding opinions published by the Data Protection Supervisory Authorities. Please feel free to contact our advisors, who would be more than happy to help.