Minister McEntee announces appointment of new Data Protection Commissioners and pays tribute to outgoing Commissioner Helen Dixon

The Minister for Justice Helen McEntee has today announced the appointment by Government of two new Data Protection Commissioners, Dr. Des Hogan and Mr. Dale Sunderland. Their appointments will take effect from 20 February 2024, for a five-year term.

Dr. Des Hogan has been appointed as Chairperson by the Minister.

The Data Protection Commission has grown significantly in size, scope and responsibility over the last decade.

Following a review by the Department of Justice into how best to support this growth, the government decided to appoint two additional Commissioners who were selected following an open completion run by the Public Appointments Service.

Minister McEntee said:

The government has ensured that the DPC is resourced to carry out its critical and independent role. The Commission received an allocation of €28.1 million under Budget 2024, an almost eightfold increase on its 2015 allocation of €3.6 million.

Minister McEntee also paid tribute to outgoing Data Protection Commissioner Helen Dixon, whose tenure comes to an end on 19 February, 2024 after almost a decade in the post.

Minister McEntee said:

The vacancy for the third DPC Commissioner will be filled through a new Public Appointments Service competition as soon as possible.

Dr. Des Hogan

Dr Des Hogan has been Assistant Chief State Solicitor in the Office of the Chief State Solicitor since 2015.

A qualified solicitor, Dr. Hogan was awarded a PhD in Law from Trinity College Dublin and a Masters in European Law from UCD. He previously held a number of senior positions in the Irish Human Rights Commission (IHRC), including acting Chief Executive from 2012 to 2014.

Prior to that, he worked for the Australian Human Rights and Equal Opportunity Commission and for Amnesty International in Australia and at its International Secretariat in London.

Mr Dale Sunderland

Dale Sunderland joined the Data Protection Commission in 2016 as a Deputy Commissioner and played a central role in building its capacity as a leading global regulator in the context of an expanded remit under the GDPR.

He has been a Deputy Commissioner at Director level since June 2022, with a leading role in the supervision of global social media and internet companies based in Ireland. Mr Sunderland worked for the Department of Justice in various roles from 2002 to 2016.

Recruitment process

Section 15 of the Data Protection Act 2018 provides that the Data Protection Commission (DPC) have up to three Commissioners, with Section 16 providing for the appointment by the Minister of a Chairperson if there is more than one Commissioner. A single Commissioner had been in place to this point, with the current Commissioner having been appointed by Government in September 2014 for a five-year term, and subsequently reappointed for a further five-year term in 2019.

In 2022, the government approved commencement of a process to increase the number of Commissioners for Data Protection to three. This arose following a review undertaken by the Department of Justice, having regard to the evolving organisational structure, governance and business needs of the DPC.

Reflecting the expanded nature of the role, the complexities of the caseload and the changes in the regulatory environment, approval was sanctioned for the Commissioner post to be aligned with the terms and conditions of the Deputy Secretary grade, having previously been at Assistant Secretary. The Chairperson receives an allowance to bring their remuneration to the equivalent of the Secretary General III grade.

The current Commissioner, Ms. Helen Dixon, notified the Minister on 15 November 2023 of her intention to step down from the position on 19 February 2024.

The recruitment process for Commissioners was undertaken by the Public Appointments Service, which identified two recommended candidates, for consideration by Government for appointment.

Two Commissioners have now been appointed by Government, with a third vacancy remaining to be filled. The Public Appointments Service is to shortly commence a process to fill this remaining vacancy. The new Commissioners are being appointed for a five-year term, in accordance with Section 15 of the Data Protection Act.

One of the two new Commissioners is being appointed Chairperson in accordance with Section 16(1) of the Data Protection Act.

Data Protection Commission

The Data Protection Commission has responsibility for a significant body of work. In recent years as GDPR and protection of personal data have moved into mainstream public consciousness, the DPC has seen its workload increase in all areas of the organisation.

Ireland has a key role in enforcement of GDPR across Europe. This is due to the ‘one stop shop’ mechanism, which is a core element of the GDPR, providing for a central point of enforcement by a lead Member State supervisory authority. As many of the very large online platforms, search engines and technology enterprises that operate in the EEA have their European headquarters in Ireland, the DPC has lead supervisory authority responsibilities in respect of these bodies within the EEA.

As part of its European functions, the Data Protection Commission also supports the work of several international data protection bodies and groups, including, but not limited to: the European Data Protection Board, European Data Protection Supervisor (EDPS)/Europol Cooperation Board (ECB), and the Coordinated Supervision Committee (CSC).

The core functions of the DPC include:

• conducting large-scale inquiries and investigations into entities of varying size, in both the public and private sectors, both nationally and in an international context
• cooperating with data protection authorities in other EU member states on a regular basis
• handling complaints from individuals from Ireland and throughout the EU in relation to their data protection rights
• driving compliance through conducting audits, promoting awareness, and consulting with organisations

In the event of infringements of the GDPR being found to have occurred, the exercise of corrective powers, including orders to bring processing into compliance and the imposition of administrative fines.

The delivery of effective data protection regulation and protection of the data privacy rights of EU citizens are acknowledged as important policy objectives of Government. The Programme for Government: Our Shared Future (2020), commits to, “recognise the domestic and international importance of data protection in Ireland”, and states that the government, “will ensure that Ireland delivers on its responsibilities under the General Data Protection Regulation”.

The Department of Justice monitors the impact of the implementation of GDPR; the impact of any possible future regulatory changes across Europe as well as any changes within industry, in conjunction with the DPC, to ensure that the Commission continues to have the resources required to fulfil its important statutory obligations.

Role of Commissioner

In respect of their role, the Commissioners for Data Protection are responsible for:

• implementing the provisions of the Data Protection Acts, GDPR and other EU data protection law
• overseeing investigations and decision-making on complaints regarding breaches of the Acts, GDPR and other EU data protection law
• leading and directing on litigation and enforcement action as required, including bringing and prosecuting summary proceedings for offences
• ensuring the development and maintenance of the requisite knowledge within the organisation to enable its statutory functions to be effectively exercised
• engaging with other lead supervisory authorities in fulfilling the Commission’s statutory responsibilities and in executing its powers under GDPR and other European data protection law
• ensuring the Data Protection Commission is effectively represented on the European Data Protection Board and other international data protection bodies and facilitating a deepening of existing relations and promoting exchanges on behalf of Ireland in the regulation of laws protecting personal data
• maintaining effective relationships with a complex range of national and international stakeholders, including strong working relationships with other European lead supervisory authorities
• strategically guiding the effective communication of information on matters within the regulatory remit of the DPC
• acting as a figurehead for the organisation and serving as the public spokesperson for the organisation as required
• appearing before relevant Oireachtas Committees, as required
• supporting the management team to develop, motivate and manage the staff resources of the DPC, particularly in strengthening capability and capacity across a rapidly expanding organisation
• overall responsibility for the general management and control of the activities of the DPC, including the oversight of key corporate functions such as the development of strategy, business planning, financial management, while ensuring implementation of strong corporate governances structures and practices in the organisation