 Y cyfnod yw yn erioedll negynol oherwydd ydy oedd pan yw'r rhagor gweithio. Rwy'n ddau'n gwelif yn y gweithio fwy o rhyw un pwylltech yw hynny', o'r hyffordd yng Nghymru o'r acebeithio mewn deillaint rhagor yng nghymru, oedd yfnodd yn oed i mwy o'r prydysgrifio cerddurol sy'n gweld y ydysgrifennu ar yn rhan o'i fynd. Ac yna, rydych chi'n mynd i'r hoffffen, rydych chi'n rhaid i gyd yn sicr o'r rhaid yw cerddur hynod ar maen nhw. is simply what has been said about the regime and their issues of perception on pink mainly. So in the last few weeks in the job I attended the international conference of data protection commissioners. One of the main data protection authorities in Europe welcomed me to my new world by pointing out to me that there is a view of Ireland that the government attracts in big sulfur multi-nationals with questioning or tax incentives and that I, the regulator ond dwi'n meddwl i'r ddechrau i'r ddechrau o'r llwythau. A dwi'n meddwl i'r ddechrau i'r ddechrau i'r gwrthwyngau'n gwirio i'r byw, a dwi'n meddwl i'r ddechrau i'r ddechrau i'r ddechrau i'r ddechrau i'r ddechrau i'r ddechrau i'r gwrthwyngau. Felly, o'r ddweud y rhaid fyddion cyfweld i'r ddefnyddio ar y llyniadau a'r Llywodraeth a'r cyfrannu Mae'r ddydd yn fath o'r ffordd yn butwch eraill o'r parbyn sydd i'w ddim yn siaradau'n ddefnyddio'r ddaloedau a'r gwrthwng sydd hynny yn fawr yn ysgriffedd. O'r ddailwch, mae'n byw'r ddaloedau berydd a'r ddydd yn fawr yn cyfgleddau a'r grifwm yn ysaf. Yn tro yn cael'u bwysig i homi i nosio'r cyfrifiad a'. A-nall yma ymlaen i'w dda-dath ar gyfer y ddisgu'r gwrthwng yn ymlaen i'r ddefnyddio'r ddaloedau the International Association of Primesses, their annual conference in November. In Brussels a moderator at one of the itinerary sessions in front of a global audience of 800, said, oh yes. We've all seen the photos of the Irish Data Protection Office over the Sparshop and I had a good laugh. So they didn't get that quite right. That's in fact a centre of that though. But I think the sentiment was clear. Also stated at that same event, Ireland does not enforce date of protection laws. rhai a'r cymorydd yn y merbyn hyd yn y ffórm o gyfnodau fel parwch, drwy'n ei wneud o'r cymryd diolch am hyn yn ymgynghwyddoedd. Yn oedd yr argynidau perthyn controller yw nid oes i gynnwys, ac yn eitio brydd, ymrwydd a effaith yn llehwyrr. Mae'n ei wneud i gynnwys yn ychydig ffâldig i'r cymryd, Ond rwy'n ddweud o'r panffin, roedd yma i brodfodion i heb nifer, ddywodd o'r prydysgwr yn y cwymaint, arnu'n dda mid o'r cinnau ofyn a'r pethu yma o'r blaenau o'r prydysgwr yn ukwymig i'r prydysgwr. Yn mynd i'n ddadu'r prydysgwr, yn ddych bod yn ffysg yng ngosod o'r eu cyd-radder. Fy fyddy'r prydysgwr yn y cyd-radder, ym mewn starwyr rifyr. Mwysig am gweithio'r PhD. ac yn ddiddordeb ar hyn ar y cyfnodd companyau sydd yn gweithio gyd wedi'i gweithio. Mae'r rhai rydyn ni'n dda, ac mae'n ddiddordeb ar gyfer gyda'r mynd i'r ddiddordeb y byddwyr o'r cyfnodd sydd mwyaf, ond mae'r mynd i'r mynd i'r gweld cyffinodd gyfnodd sydd wedi'u gweithio'r cyffinodd cyffinodd cyffinodd y byddwyr o'r cyffinodd mae'n gweithio'r cyffinodd. Anything it's very important that we start to address these issues because if they remain unaddressed they are going to affect companies based in Ireland. Certainly the companies that I have interacted with so far don't want to be self-eregulated, they certainly don't want to be incompetent thereregulated and they don't want to have to fight a perception that that's the case. I think also if addressed these issues it will affect Ireland's ability to be a player as a lead regulator gyda byddwn i'w briflesio datblygu ddeirnau, ac mae gennym hoffa yma cerddio i ddim yn fawr sy'n dweud bod ni'n bywyr ddeirnau a яwb y ddeirnau sanff mwyaf ar wlad am yr eich rheidio. Dyma bod ydych chi'n deilio a bod nhw ni, rwy'n meddiadau i'ch leidio, felly byddwn i ddim ym mwyaf a'n nw'n cael ei rhaid gwahog yddwn ni'n gweithio i dda yn wirthawyr i ddeirnau sanff a'i wneud y cwmysig, ac rwy'n rydyn ni'n defnyddio'r cymdeithasol gyda'r cyffredinol y pethau yn siaradol i'r cyd-gwysig o'r cyd-gwysig o'r newid yma yn y cyd-bwysig, yma dwi'n iawn o'r cyd-gwysig o'r cyd-gwysig. Mae'n cyfrannu'n gweithio'r cyd-bwysig o'r cyd-bwysig o'r cyd-bwysig, oherwydd o'ch nhw'n dweud o'u cyd-bwysig o'r cyd-bwysig o'r cyd-bwysig o'r cyd-bwysig, ..y'r rhanau yn cael ei gweithio'r gweithio yma.. ..y'r rhanau yma o'i ffunciwn. Rwy'n gweithio'r dethyl i'r ddechrau. Mae'r ffrindiau fyddiwyddiol. Mae'r llef yma'r dŷlch. Mae'r ddweud i ddweud i'r dyfodol o'r ffrindiau.. ..ac ymddangos, ac oherwydd o'r ffaith.. ..y'r 1995, y Dysgu Welch Ffyrdd Bwyllfa? Mae'r ddaeth i'r ddweud i ddweud i ddweud i ddweud.. yn gofyn ond wc erafodol mae'r gennyn gyda symud i'r ffaith yn y bydd yma yn gyfan gondol, ac felly'r rydyn ni'n meddwl gwagafod i gael gynhyrchu ar gyfer gyda'r cyfrifiadau amdano ei phredigio cyfrifiadau ac na'n creu'r bau i ni gweithio. Mae'n mynd i'm nid o'n meddwl holl o'r cyfrifiadau ymrwyaf yn ei bodiedig drwsidagol a risu o bai'r amddannau i'u lly�t i'r meddwl i'r cyfrifiadau, The results have led to those companies implementing a large number of privacy improving changes. The new pay data protection authority for example wouldn't have any such powers to all of the private sector organisations. In addition, when we're necessary we have powers to effectively force companies to cease their operations until the data protection issues we've identified are corrected. And we would have seen this with the large scale loyalty build in 2013. It's important to mention also as a regulator in 2014 that Arnott has, While we have been measuring changes for the first time prosecuted company directors it was a private investigator company in this case MCK Investigations in October of 2014 for their role in their company's data protection offences. So, we're sending out the strongest possible signal as an enforcer here that not only will we prosecute companies where they will reach data protection rules but will hold those who manage them directly to companies to account as well. I think the significance of this case and the fact that we prosecuted the directors in this case has not gone unnoticed based on the flurry of visits I've had for companies since that time in October. However, all of that outlined not so much in defence of the office but really in setting out the facts in terms of our enforcement activity. I think there are a number of things in 2015 that the Irish data protection priority can do to improve its performance ac yn olygu y prosiectio y casig. Cymru ei ddod yn gweithio i gael gael y cyfnod o'r hwyl ac mae'n gynhyrch yn ymhygl â'r ddod a ddech wiz, mae gennym ni'n fwyaf ac mae gennym ni'n gweithio gyrraedd yn ddifarf o'r ffordd ar gynnwys cyfan. Ac mae'n ddod yn gweithio'n gweithio'n meddwl ac mae'n gweithio'n gweithio ar y mesud. arall i ddiwedadodau sydd yn gweithio'r gweithio ynghylchedd yn 2015. Rhaid i gael, yn Arland, ym mwy o'r blaenau a'r rhaglen nhw gweld, ymlaen y cyflwyno'r cyflwyno sydd yn gwneud y cwmpleiddiadau o'r cyflwyno'r cyflwyno'r cyflwyno. A hynny'n gwybod, bod ydych chi'n gweithio'r cyflwyno'r cyflwyno'r cyflwyno, gallwn i'ch gael ei wneud i'ch gael â'r cyflwyno'r cyflwyno'r cyflwyno ond ddeglaeth gyda'r fusill ac yn dweud y cyflaen o ddad. Yn hyn, diwrnod yw'n mynd i chi'n rai o prym o'r cyfrifio'r cyfrifio sydd y cyfrifio'r cyfrifio o'r cyfrifio, ond bynnag yneg dddangos ar hyn o'r cyfrifio'r cyfrifio ni'n ddeall ddim yn cael ei bod emoed i'r cyfrifio'r cyfrifio arwefan ac y cyfrifio cyfrifio barnwyr yn ein cyfrifio'r cyfrifio yn gyfrifio'r cyfrifio, mae hynny o hyd o gorfod ac yn cyfrifio'r bwysigol yw wahy a chyfodol ynglyn â'i gweithiau fe dim yn oes, a oedd y dweud o ymddangos cyfrifio ymweld i ddemwyntau cyfrifio o gyfrifio i ddim gydol yn rhoi'r bwysigol, ac yn ddweud gallwch mae roedd gyrfaedau deilig sy'n oes y gallwch pan o'r ôl rwyf yn ni'n amlwg ymddyntau a gweithio. Felly, mae hi ddim gydag o'r credu yma iawn a'i nu'n fawr yn ymhyfosure i ddefnyddio ddiogel roedd yn gweithio'r gwahanol i ddiwethaf yr adroddiadau yn ei fodfyn ar gyfer gyllideb. A mae heddiw i adrofodd iddo sy'n ddod yn cerddio y cerddiaeth, fel mae'ch bod yn gweithio dwi'r ganddalone ac oedd y gallu ddau i'r cyffredinol. Yn gynydwch yr heddiw yw'u cyffredinol, ac mae'r cyffredinol yw'r cyffredinol fflullwg, cysylltu, mae'r cyfrifio'r cyfeirio datblygu i ddisbu'r rhisiach a llifio'r peirio'r cyfrifio yn gweithio. Gweith aerfio'r prynrytiau ar ddweud gwleisio cyrraed yn ddwylliant, i ddim diolch yn ei wfosti daeth ddiwylliant i ddweud ei gwrthoch i ddweud o'r cyfrifio'r cyfrifio, ac rydw i gyd-feydd, ydw'n gofyn fydd ym mwyaf. Rydw i ar hyn, aeth ymddangosion fe g soilsiaeth i ddiwydus eu cyfrifio'r cyfrifio'r cyfrifio, ti wedi bod i'n meddwl y styldol yn ein gwnaeth,nydd i'r oposwydd Cymru yn gwneud cyfiadau yma o'w cyffrediau. Mae'n meddwl ei fod yn gweithio i'r Cyffrediau. Bryd I chaf wnaeth i'r cyffrediau hynny. Mae'r cyffrediau yn oed yn ddigyn nhw'r cyffrediau. Mae'r cyffrediau yn gyffrediau i'r cyffrediau hwn. A'r cyffrediau o'r cyffrediau én ymlaen nhw'n gweithio. Mae'r gymryd o hoped-odd mae'r cyffrediau i'n gynyddo targetingau ond mae'n gweithio i'r cyffrediau. efforts and security protection officer has been under resourced in staff quantity terms but also in terms of specialist skills over the last number of years. In addition we have had insufficient investment in terms of the backup of systems that we are using and the front-end processing systems for customer complaints. I am very pleased but am even more relieved that the government has now sanctioned this additional budget and provided the sanction for recruitment of additional staff. We already have a recruitment campaign underway now new year to immediately recruit 18 new staff to the office. These will all be Dublin-based staff and ultimately the plan is that we recruit an additional 45 staff with 29, 28 staff based down in Port Arrington. I mentioned the OPW is looking for a Dublin premises for us and they've let me know that even if they locate something very quickly by the time fit-out is completed it's likely to be the end of the year. So I think we'll be looking at having a temporary premises in Dublin in the short term and then a permanent premises from the next year onwards and we'll advise you of the data or of the address of that premises as soon as we can. I mentioned earlier to colleagues that I visited just before Christmas when a UK counterpart to talk to him about the profile of his 400 person team just to get some ideas in terms of the type of skills that we might recruit in. So I got some very good ideas in terms of what's worked for them and we're trying to implement all of that now. Another big area that we want to target for improvement in 2015 is how we work in cooperation with other data protection authorities. You're probably aware that Ireland is part of a permanent working party of data protection authorities in Europe called the article 29 working party under the 1995 data protection directive and we're also part of the building data protection enforcement network called GCAN where we strong things to the FTC in the US and the Canadian data protection commissioner in particular and obviously this type of cooperation is essential particularly where Ireland is regulating data rich companies with all of the cross-folder data flows that this implies. And today as I mentioned earlier as a European level there can be a perception that we're at odds with the approach of our larger continental neighbours in terms of regulation of data rich multinationals. But I think no weed evidence of this has been induced. That said I think it's probably our lack of bandwidth and resources that we've deployed to article 29 and its various working parties that is probably contributing to this view that we're not entirely trustworthy or competent. We have had to make big decisions in the past in the case of Facebook reaches and I think in a context for our article 29 partners don't see us often enough enough at meetings at subgroups expressing views and building knowledge of the context in which Ireland makes its decisions. I think that has led to some of these issues. In addition you'll be aware that the article 29 working party regularly issues opinions which are not binding but are extremely influential on important areas in relation to data protection matters. And at the moment Ireland is in 3D a voice at the table in terms of negotiations of the positions that are adopted in terms of these opinions and I think it's important that we sit down at the table and that we're there. So in that context I think despite the fact that as an office we've worked proactively already in terms of these elements we've done with some of the Irish minority nationals. We have expertise that other countries don't have in data protection terms as regulators but this isn't yet recognised or appreciated at EU level and I think we need to rectify that by having more staff on the ground. So in summary then 2015 is going to be a year of significant recruitment and expansion of resources for the Irish data protection authority establishment of new premises and capital, new systems and tools for staff to work with greater participation at article 29 and in its various subgroups and in addition in the context of having all of these additional resources we want to increase and improve the proactive and reactive engagement we have with companies and organisations based in Ireland. It's probably worth mentioning at this point that because we are looking to implement a big change program at the data protection commissioner during this year the senior resources of the office including myself are probably going to inevitably be more internally focused when we do that. So you know I get about I don't know maybe 20 requests a day to speak of various different events and it can be hard to turn them down but I think we are going to have to manage the amount of travel and speaking of events that we do over the next number of months. Just want to very quickly if I still have time to mention plenty of time good subtle thought I'm seeing as the big themes in data protection certainly in the conversations I'm having over the last number of months. I think the first one that's worth mentioning is jurisdiction. This is for the longest time been a complex matter in the world of data and data protection but it appears to have grown even more complex I think post the European or the ECJ's judgment in the Google Spain case this summer. This was of course the case that recognised a right to the so-called right to be forgotten and as part of its judgment in that case the court ruled that even though Google declares itself as having its seat in the US and has its data controller operations in the US and not Europe that the fact that it's operating a subsidiary in Spain in this case that sells Google advertising with the aim of making the search engine profitable then it is established for the purposes of the 1995 directive in Spain or any other EU country every other EU country in which it has similar operations and so it ruled that Spain did have jurisdiction in terms of requiring Google to comply with its data protection laws and in terms of the multi nationals who regulate in Ireland we're now seeing potentially some interesting interpretations of jurisdiction based on that ECJ judgment. I'll take for example the case of Facebook. Facebook would have declared its main establishment in Europe in data protection terms to be in Ireland and so any user of Facebook service signs up to Facebook Ireland limiters when it's signing up to terms and conditions and so for the last number of years Ireland has effectively been the regulator for Facebook in terms of any complaints be they complaints from Irish nationals or from other jurisdictions so other data protection authorities would pass on their complaints in respect to Facebook and we would investigate decision. So with the last number of months we have been working with Facebook in terms of new terms and conditions and privacy policy with plans to rule out this month and there would have been a significant amount of engagement on this and it would have reached conclusion in November or in fact in December of last year allowing Facebook to proceed with its plans. However using the Google Spain judgment as its basis in the latter weeks of December we've now seen the Dutch data protection authority make a preemptive move in this area and they've publicly announced through a press release so I'm not I'm not revealing anything you won't already know they announced that they are investigating Facebook's new privacy policy in terms of conditions so they haven't been more specific as to part exactly on which aspect of what they're investigating but they're asserting jurisdiction in so far as it affects Dutch nationals based on that Google Spain judgment. I think companies would speak for themselves as to how they find that development and I know Facebook has publicly expressed its disappointment in terms of the Dutch move given the amount of work they've done in working on this project with the Irish authority but from the perspective of Ireland's data protection authority I think this development is starting to underline the challenges that Ireland may envisage when it is acting as a leader authority under the proposed one-stop shop in the draft new data protection regulation which I'll touch on again shortly so our exclusive confidence in respect of dealing with companies such as Facebook controlling Ireland under the 1995 directive is therefore already now coming under threat of reinterpretation in the mighty Google Spain judgment and the manner in which this is occurring this re-investigation of aspects that we have already spent months engaging on doesn't I think over well in terms of our role as a new DPA under the data protection regulation. I was going to mention somewhat extensively the Microsoft case as well as it's one that concerns jurisdiction this is the one where Microsoft refused to accede to the US court issued certain seizure warrant requiring them to hand over email content and they refused because the email content they say is stored on on a server at its facility in Ireland. I'm not going to say too much about it because the government has since filed an amicus brief in favour of Microsoft in this case but I think the judgment is due from the US court in January and it's going to be a case that will help us it'd be interesting I think and instructive in terms of jurisdiction. Surveillance is also an area that is occupying the lines of article 29 regulators quite quite considerably and the stone revelations of 2013 and more recently now the revelations of GCHQ tapping of cables between Ireland and the UK have given immediate rise to significant concerns and they've also resulted in quite a number of queries and a couple of complaints to the Irish Data Protection Office which would be aware that essentially surveillance is outside of the scope of the 1995 directive because of its national security exemptions but I think he's opinioning now that that's not sufficiently defined. I think regulators are of the view that while we're never going to fully know what's going on in national security terms we need a definition of what is covered by this area and we need definition of what the issues in the areas are so ultimately it's probably one for the courts and the legislature but certainly article 29 is tracking this very very carefully. Other things of international level relate to big data and internet of things the article 29 working party issued a paper on internet of things at the end of 2014 because there really is a lot of concern amongst my peers in Europe about these particular subjects some of them feel we're very much moving towards a world of digital predetermination of humans as they call it and they see a sort of a doomsday scenario where some of our human free will is going to be removed from us because everything that we're looking at is so digitally predetermined based on our own personal preferences that have been recorded. I don't think I quite share at the level of pessimism that my colleagues have but there is clearly an issue in terms of the speed at which technical innovation and social media in particular with its online behaviour and advertising features has vastly outpaced legislation and regulation and it is going to take some clever and long-term fixing and regulators have a role to playing us but ultimately I think these probably are very much areas that are going to need to political and societal solutions as well. I mentioned earlier the Google Spain judgment and the right to be forgotten the article 29 working party issued guidance on decision making on the right to be forgotten cases and so all of the data protection authorities at the moment are working through appeals Ireland has received about 30 appeals in relation to cases where Google has refused to de-list so there's quite a volume of work involved in this and it's clearly an area that's evolving. I thought it was quite interesting at some of the forum I intended to hear the US reaction to that judgment because clearly it's been one of a considerable surprise at a judgment of the court in that case. The US are also particularly keen on a renaming of the right and I argue quite correctly that it's not right to call it a right to be forgotten because as you know it results in a de-listing only versus a search done on the personal name of the person if you search for the particular story under any other combination other than personal name the information is still available. It's worth marking I think that the ECJ has been a massive player last year in terms of expanding our knowledge and understanding of of matters in data protection terms. You'd be aware it struck down the EU data protection or data retention directive in May of this year and that was just a month before it recognised the so-called right to be forgotten and then more recently we've seen it issue a judgment at the end of the year in relation to a case that concerned household CCTV usage and we're still examining that case but it seems to me that it may have broader implications in that the judgment touches on the household exemption that applies under the 1995 directive and while this was a case about CCTV a lot of the companies we regulate in Ireland would rely on the household exemption in terms of the ability of users to upload their contact list to a product like Facebook or Google or LinkedIn and now the court is suggesting that the application of that household exemption is is a lot narrower so more to come I think in that space. The other big area of of interest is of course EU data protection regulation and under this been treated as my recognition of personal data as a fundamental right providing it with a renewed and elevated status and as you're aware this EU data protection regulation was proposed to bring in a pan-European network so that we're not dealing with these different transpositions of the directive in Europe it was intended to level the playing field and provide consistency in terms of application of the law in Europe and a very significant feature of of the framework that's proposed is this idea of a one-stop shop and in the original commission proposal on the one-stop shop they had proposed this idea that multinationals instead of having to talk around 28 member states will be able to declare a main establishment and deal with one lead authority in the country where they had that main establishment and the idea was that the lead authority where they would receive a complaint from anywhere in Europe from the data sector to anywhere in Europe would investigate the complaint would consult with relevant data protection authorities as needed would take on board their opinions would take on board any opinions of the commission and then will propose a final solution however concerns over time have been raised about the fact that this approach means that justice could be inaccessible for data subjects not located where the lead authority is so for example if I investigated a complaint from a Spanish data subject about Facebook if they wanted to appeal my decision they would have to appeal it in the Irish courts so now we have a new proposal on the table and it's now proposed that where a lead authority is going to propose a decision they would have to have that accepted on on a consensus and unanimous basis by all of the other data protection authorities so any one data protection authority could could veto the proposed decision and if that occurs then the decision is referred on to the European data protection board which is going to be established as a board of all the data protection authorities and so I think for me this presents the worry that as a regulator we could end up becoming a chief coordinator and that we would investigate a decision we would coordinate with all of the relevant data protection authorities which could be all of them we would work at doing a balancing test proposing a decision and ultimately it could be vetoed and the issue referred on to the European data protection board and I think it creates a list of the lack of certainty then for companies who are dealing with Ireland as a lead to data protection authority and as I said may cast us in the role of chief coordinator rather than lead decision maker but the negotiations aren't completed on that so all is not lost yet I'll just briefly mention because I am running out of time the major Irish government projects that we're dealing with at the moment and I mean the list is as long as both my arms are only going to touch on a couple of them as examples Irish water with no pun intended would have swamped our office for the months of September and October we were simply dealing with nothing but Irish water and PPSNs and aircodes could be the next big wave of criticism matters that we deal with the government's intention to introduce a national postcode system which as you know is going to be a system where the postcode is unique to each individual dwelling so right down to apartment level and also it's going to be a randomised code rather than a hierarchy from the code so the form of code that's being introduced is in the form of personal data as it would be recognised under the data protection acts and it's going to have to be protected as such which is what I was looking on data communications the other big area we've been dealing with is in relation to the department of public expenditure and reforms data sharing proposals and there's a lot of work still ongoing on that so all of the I mean I've only mentioned a tiny number of them there all of the government data projects are extremely time consuming none of them are straightforward they're extremely complex and I am trying to encourage government departments and government bodies to do much more of the groundwork in data protection terms before they come to the data protection commissioner in terms of the projects that they're proposing we're tending to see projects at a very late stage where data protection is sort of a tap on in the uses that's to be dealt with rather than seeing the groundwork being done so in conclusion I think 2015 is going to be a very exciting year for the Irish data protection office we're finally going to be in recruitment mode and expanding and growing our skills base to better deliver on our statutory functions we're going to be growing our relationships with other enforces and regulations in Europe and beyond and while as I said we're delivering on that challenging change program it's going to be a lot going on in terms of large-scale government projects tracking the EU regulation the regulation of the large majority nationals including the social networking sites that are here managing our relationships with Europe but we're going to be working very hard on delivering across the board that's it