The Irish Data Protection Commission has announced its Strategy for 2022-2027, highlighting 5 strategic goals:

  • (1) “consistent and effective” regulation;
  • (2) promoting data protection awareness;
  • (3) protecting children;
  • (4) providing clarity for stakeholders; and
  • (5) supporting organisational compliance.

The strategy is based on a risk based approach to regulation which, according to the DPC, “resonated with the majority of commentators” to the public consultation the Commission conducted as it developed its new 5 year strategy.

It can’t do it alone

The DPC’s overarching objective is to do more for stakeholders, but it admits that it can’t meet its ambitions on its own.  Some of its recently-announced objectives simply reframe what the DPC is already doing, or is obliged to do, e.g. “[r]egulating in a fair, impartial and transparent manner . . .[a]pplying corrective powers proportionately. . . [w]orking with the EDPB to develop consistent procedures,. . . [w]orking with  peer DPAs to introduce consolidated and consistent enforcement across Europe.”

However, the need for increased and more nuanced guidance was an “almost universal” ask from those responding to the public consultation.  The new strategy heeds that ask by promising to build expert-level partnerships with stakeholders to assist in the development of that guidance, in an overall effort to encourage meaningful and improved compliance outcomes.

Some change in direction

However, the strategy also contains some change in direction.  The DPC intends to steer away from a complaint-heavy emphasis to one which prioritises cases likely to have the greatest systemic impact over the longer term.  To do this, the regulator aims to raise public awareness of data protection rights, publish more guidance on its complaints handling processes, and promote “a cultural shift towards compliance.”  While all that seems sensible, what it means in practice for the resolution any individual non-prioritised complaint deemed less important remains to be seen.

Fining

Responses to the public consultation showed differing appetites in the area of fining.  Individuals tended to favour large fines for breaches whereas industry, unsurprisingly, sought a more risk based approach.  The DPC notes that “there is sometimes a tendency to conflate fining with regulatory success and to use the imposition of fines as a means to measure effectiveness.”

Using softer enforcement tools

While hard enforcement tools are always available to it, the DPC emphasises the important role of guidance and engagement to drive accountability.  The regulator regards both as valuable tools which should not be undervalued.  “Driving compliance – rather than retrospectively and unilaterally penalising non-compliance – can ultimately produce better results for all stakeholders”.

With that said, however, the strategy is now set to “prioritise prosecution, sanction and/or fining those infractions that result from willful, negligent or criminal intent.”  It also makes increasing the turn-around times for inquiries a strategic priority, including by working with its EDPB peers to improve communication and clarity in the Article 60 co-operation mechanisms.

More specifically, in the 5 year strategy the DPC promises to:

  • Standardise public complaint handling and inquiry procedures;
  • Clarify the limits of legislation and how/when corrective measures are imposed;
  • Publish quarterly, rather than annual, case studies;
  • Identify trends and themes in complaints in order to achieve strong collective outcomes
  • Engage extensively with stakeholders “so that data protection rights are upheld as a behavioral default by society”;
  • Prioritise the protection of the rights of children and vulnerable adults, including clarifying the bases for data sharing so that individuals are not disadvantaged by over cautious data controllers; and
  • Enhance the technological foresight of the DPC to respond to evolving technologies.

 

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.