Government approves expansion of the Data Protection Commission
Last updated on
Last updated on
Minister for Justice Helen McEntee today announced that the government has approved commencement of the process to appoint 2 additional Commissioners to support the evolving organisational structure, governance and business needs of the Data Protection Commission (DPC). The appointments are to be made in accordance with Section 15 of the Data Protection Act 2018, which provides for up to 3 Commissioners to be appointed. The Minister also announced her intention to appoint the current Commissioner Helen Dixon as Chairperson of the Data Protection Commission.
The decision follows an examination instigated in 2021 by the then Minister for Justice, Heather Humphreys, to consider whether an increase in the membership of the Commission should be pursued. In line with the government’s commitment to ensure that the DPC can best deliver on its responsibilities, the Department of Justice was requested to consider the matter of appointing additional Commissioners, as provided for under the 2018 Act. This was initiated on the basis that the DPC has evolved significantly since its inception. The increased working burden and investigative complexity has been regularly highlighted by the Commission itself and its stakeholders.
Following completion of this work, and advice that the number of Commissioners be increased, the government has approved the recommendation to increase the number of Data Protection Commissioners by 2 and has agreed that that a process to appoint 2 new Commissioners should now commence, and that the current Commissioner would be proposed for appointment by the Minister as Chairperson of the Data Protection Commission.
Speaking after Cabinet, Minister McEntee said:
"The Data Protection Commission has performed its role of independent data protection regulation in the State very effectively to date. In recent years, the Commission is dealing with an increased workload with increasingly complex investigative requirements.
"Today’s government decision sends a strong statement of its intention to continue to build the capacity of the Data Protection Commission, support the existing Commissioner and ensure that the Commission can continue to deliver on its role.
"The Data Protection Commission has developed and grown significantly under the leadership of the current Commissioner since its establishment. In light of her considerable experience and expertise, Government has agreed to my proposal to appoint Helen Dixon to the position of Chairperson of the Data Protection Commission pursuant to section 16 of the Data Protection Act.
"Consequent to the government decision, I am also asking that the DPC undertake a review of governance structures, staffing arrangements and processes in order to support the work to be performed by the new model of Commission."
The process to select the two new Commissioners is to be undertaken by the Public Appointments Service, as provided for under Section 15 of the Data Protection Act 2018. The appointments will then be made by the government. It is expected that this process will take in the region of 6 months to complete. The terms and conditions of the appointments are subject to the agreement of the Minister for Public Expenditure and Reform.
The decision to expand the number of commissioners is now considered timely having regard to recent, current and developing circumstances. These factors informed the recommendation that the number of Commissioners be increased.
When the statutory provisions on data protection were being expanded through the Data Protection Act 2018, it was recognised that the entry into force of the General Data Protection Regulation (GDPR) and of the Act itself would have implications for the workload of the DPC. It was similarly anticipated that the volume of supervisory and investigative work would increase and cases would become more complex, especially those with cross-border aspects. It was acknowledged that both the Regulation and the EU Law Enforcement Directive confer a range of additional tasks and powers including investigative, corrective, authorisation and advisory powers on the DPC and that the volume of complaints was also likely to increase.
The working burden and investigative complexity of being a ‘lead supervisory authority’ for those complaints about data controllers established in this jurisdiction, irrespective of the origin of the complaints concerned, was also recognised when the legislation was developed. Section 15 of the Data Protection Act 2018 therefore provided for the establishment of a Data Protection Commission, with at least one, but not more than three, Commissioners. Section 16 of the Act provides for the appointment by the Minister of a Chairperson where there are multiple Commissioners.
Since establishment, there has been a growth in the mandate and workload of the DPC. Funding for the DPC has increased more than six-fold from its 2015 allocation of €3.647 million, to a €23.2 million Budget allocation in 2022. This has been in line with its increased functions and responsibilities. Based on current information, the DPC staffing numbers have increased from 110 in 2018 to 191 at the end of 2021 and there is provision for total staff numbers of 258 by the end of 2022, based on the sanctioned budget allocation.
The Programme for Government commits to ‘recognise the domestic and international importance of data protection in Ireland’ and states that the government ‘will ensure that Ireland delivers on its responsibilities under the General Data Protection Regulation’.
The Department of Justice monitors the impact of the implementation of GDPR; the impact of any possible future regulatory changes across Europe as well as any changes within industry, in conjunction with the Data Protection Commission, to ensure that the Commission continues to have the resources required to fulfil its important statutory obligations.
When the Data Protection Bill was initiated in the Seanad in February 2018 during its passage through the Oireachtas, the Minister at the time (Deputy Charlie Flanagan) directly addressed the rationale for having the provision to appoint three Commissioners, noting that it, “is a future-proofing provision to allow, should the need arise, for the appointment of additional commissioners in response to an increased commission workload”. This increased workload has now come to pass and the need to appoint additional commissioners has arisen. This emerging need has also been highlighted by the Joint Oireachtas Committee on Justice in its report on GDPR published in July 2021, which recommended that two additional Commissioners be appointed. Having multiple commissioners would also be consistent with the experience observed with other independent regulators dealing with significant and complex areas of responsibility.
The proposal to appoint additional Commissioners ensures an effective and well-resourced, highly-skilled regulator and is consistent with broader strategic developments in the digital sphere in Ireland.
The national digital strategy, ‘Harnessing Digital - The Digital Ireland Framework’, published in February 2022, is a high-level national framework to position Ireland as a digital leader, at the heart of European and global digital developments. It sets out a pathway to drive and enable the digital transition across the economy and society; and places a strong emphasis on balance, inclusiveness, security and safety, underpinned by a coherent governance structure.
Cognisant of Ireland’s important role in implementing digital regulations, this Strategy re-enforces Ireland’s firm commitment to continue to provide a modern, cohesive, well-resourced regulatory framework.
This includes working to maximise the coherence of digital and regulatory structures, and the wider regulatory cooperation framework; and being a strong voice in Europe for a balanced approach to digital regulation.