The Data Protection Commission (DPC) should adopt a culture of enforcement rather than "emphasising guidance" in its efforts to get businesses and organisations to comply with data privacy regulations, the Joint Oireachtas Committee on Justice has recommended.
The committee said it "fears that citizens' fundamental rights are in peril" as a result of the way the DPC operates. It delivered its verdict in a report based on its April meeting with data protection commissioner Helen Dixon and three data privacy campaigners and experts.
The DPC will "face a more emboldened and entrenched group of systematic infringers" of the General Data Protection Regulation (GDPR) unless it moves to a tougher enforcement model, the committee concluded. It added that the Minister for Justice should take any necessary steps to ensure this can happen.
The committee, chaired by Fianna Fáil TD James Lawless, has recommended that the DPC increase the use of its existing sanctioning powers, in particular the implementation of "dissuasive" fines and the use of orders stopping infringers from processing data.
Delays in processing complaints were highlighted in the report, with the committee urging the DPC to investigate the use of indexing software in a bid to streamline its complaints-handling procedures. It said this could allow for repeat decisions to be made quickly.
The committee made 17 recommendations in total. Among them were a call on the DPC to “provide clarity” by publishing the exact processes it follows when handling complaints and also by releasing quarterly statistics on the use of its powers.
The committee accepted a call by the Irish Council for Civil Liberties that two additional commissioners be appointed, in accordance with the Data Protection Act 2018, to bolster resources at the State agency.
A review should examine whether current staffing levels and the allocation of resources are appropriate, while “a decision-making entity” within the DPC, separate to that of the commissioner, should be given the power to make final decisions on behalf of the DPC in order to shorten the time it takes for cases to be resolved, it said.
Consideration should be given to amending the current legislation to allow non-governmental organisations to represent GDPR complaints on behalf of individuals or groups of citizens, it also suggested.
Of the 196 cases in which the DPC asserted its status as lead authority in the EU from May 2018 to December 2020, it produced a draft decision in four of these cases. The only fine issued to a big tech company was the €450,000 penalty given to Twitter last December in relation to a 2018 breach of GDPR.
Data privacy campaigners have argued that criticism of the DPC from other data protection agencies in the EU following the Twitter investigation poses “a reputational risk” to the Republic.
The DPC has disputed this, arguing that in cross-border cases the complexities of the decision-making processes contribute to the length of time they take.