 Thank you very much indeed, Eamonn, and thank you for that new analogy about the Referee. I've heard various ones in my time as State Protection Commissioner, and I'm a Referee as well. Oh, good. I think it's a nice way to be presented. So I'm very grateful that you invited me to talk to you this afternoon. It's actually the fourth time I've had the privilege to speak at the Institute since I was first appointed all those years ago in 2005. The other challenges were – the other occasions were also linked to some of the main challenges I faced during my tenure, the impact of technology, the influence of European law, the IDA's success in attracting multinational companies to Ireland. The other main challenge I faced, state interference with the right to data protection, also had a significant international dimension, though it was the domestic dimension that I found most challenging. The four themes – technology, the European Union, multinationals, and state interference – have come together more recently in relation to the revelations about the extent of access by U.S. and European intelligence agencies to personal data held by major internet and telecommunications companies. The revelations have provoked a long overdue debate on the proper balance in a democratic society between the protection of personal data and the obligation on governments to take measures against those who would use these services to further criminal objectives. The disclosures have already led to commitments by the U.S. Administration in relation to the activities of U.S. intelligence services. They have also led to a re-examination of data flows between the European Union and the United States under the so-called Safe Harbor Agreement and a recent referral by the Irish High Court to the Court of Justice of the European Union of a question related to the compatibility of Safe Harbor with the EU's Charter of Fundamental Rights. The resulting debate has thrown a welcome spotlight on the general issue of state access to personal data. The recent decision of the EU Court to invalidate the Data Retention Directive has clearly set out the need for proportionality in this area. The lack of such proportionality led my predecessor, Joe Mead, to take enforcement action against the initial Irish data retention regime, action that has now been vindicated by the European judgment. The judgment also shows the importance of challenging such privacy-destroying measures as was done in this case by a non-governmental organization, Digital Rights Ireland, supported by the Irish Human Rights Commission. It now falls to the Irish High Court, which referred the case to the EU Court, to take account of the judgment in its consideration of the Irish Data Retention legislation. But the EU Court's judgment has significance beyond that of data retention. Four audits of state organizations have in too many cases shown insufficient regard by senior management to their duty to safeguard the personal data entrusted to them. A duty that has all the greater because of the legal obligation to provide such personal data to the state. I have often felt I was fighting a losing battle in stressing the need for proportionality in this area. There is no question but that the state needs to take reasonable measures to protect society in general against evils such as crime, including the crime involved in defrauding the state. There is also a clear need to constantly seek ways to improve the delivery of public services. But where these legitimate interests involve the processing and particularly the sharing of personal data without the individual's consent, it is essential that legally binding safeguards against excessive or improper processing are put in place. Where we have been consulted in advance on legislation, we have usually been able to quietly achieve a reasonable accommodation between the public policy objective and the protection of personal data. Such a win-win outcome is preferable to the situation we too often find ourselves in of being obliged to respond publicly and critically to badly thought out initiatives which are likely to lead to significant downstream problems. Of course, as a former civil servant, I understand the pressure that often arises to act quickly in response to the political imperatives of the day. But I would not be the first sympathetic outsider to insist on the need to stand up to such pressure and to take a longer view of consequences. One such consequence of failure to treat personal data with respect is the lessening of the trust that should exist between the individual and the state. When we think of Big Brother, it is usually in terms of George Orwell's dystopian vision of an all-seeing, all-knowing state and recognition that there may be uncomfortable elements of reality about its applicability even in democracies like Ireland. But since Orwell's time, we've also seen increased information gathering by non-state actors that sometimes appear to operate in a universe of their own. At least the state as Big Brother is subject to the constitution and the law. But what of the internet giants that stride the world's electronic highways, hoovering up personal data about us as part of a Faustian trade-off for so-called free services? The EU Court has also struck out for the rights of the European citizen in this area in its recent landmark judgment in the case involving Google. The Court's decision contained two key privacy protective elements. First, the Court ruled that entities like Google are subject to European Union data protection law since they sell advertising based on search results in the EU. And second, the Court gave concrete expression to an aspect of the so-called right to be forgotten by ruling that an individual has a right to request removal of links to information about horror hymn with an obligation on the search engine to exceed to that request, in most cases, subject to a public interest test. The EU Court's decisions in both the data retention and Google cases reflect the increased relative importance of data protection in the European legal order since the entry into force of the Lisbon Treaty in December 2009. This is not an elect the importance of other rights and the obligation on the state to take action to protect society in general from the impact of terrorism and serious crime. Those enemies of society also use the electronic highways that we all rely on and we must accept a need for law enforcement authorities to have some access to them. And we must not overstate the negative in relation to technology. Looking back over my period in office, it is amazing how the digital age has made all our lives easier. Work is conducted more efficiently on some form of electronic equipment. Work-related research is no longer an issue of wading through a physical library. Instead, information is at your fingertips. Much of our social life is conducted using digital devices of increasing complexity. Apps and our smartphones tell us everything from the weather to the nearest restaurant to the time of the next bus or train. New and beneficial uses of digital technology are being developed every day. Big data offers the potential to identify everything from traffic congestion to the spread of infectious diseases to identifying a likely threat to public security. But there is a darker side to the digital age. How confident can you be in entrusting your sensitive medical data to a national e-health system? What degree of control over this data can you reasonably assert? The same technology that allows you to find the nearest restaurant or bus is also tracking your every movement, like having someone looking over your shoulder all the time. What if analysis of your pattern of movement or online transactions leads to you being wrongly identified as having criminal intent? At a more banal level, what if such online activity causes you to be profiled as falling into a particular income or consumer category to which you do not belong? And what of the creepy effect of online behavioral advertising? The extent of collection and use of our personal data in our daily lives is such that traditional data protection principles of notice and consent increasingly lose their value. This situation points to a greater need for organizations that collect personal data to adopt a privacy by design approach, focusing from the beginning on the privacy expectations of customers and addressing these through product and service design that minimizes the collection of personal data and accepts full accountability for how personal data is used. Data protection laws exist to provide a minimum level of control to the individual over the collection and use of their personal data. Ubiquitous technology and the information gathering and sharing that it facilitates has made the challenge all the greater. Data protection law cannot be so prescriptive as to resolve every issue. There is and always will be inevitable tension between the right to privacy and other rights. We have seen this tension being played out in the Irish and European courts. For example, in relation to the extent to which copyright holders can infringe on the right to data protection in order to combat unauthorized file sharing. Other areas of tension include the balance to be struck between the right to privacy and the right to freedom of expression, as is evident in the debate surrounding the recent Google case. The balance to be struck in such cases is likely to require litigation leading to authoritative court rulings. Discussions about data protection in this country are often on the basis that the concepts involved are imports into our legal system from a somewhat alien civil law tradition. The recent High Court judgment by Judge Gerard Hogan, in a case involving access by US intelligence agencies to personal data under the control of Facebook Ireland, reminds us that our own constitution already provides significant protection to residents of this country. Judge Hogan, a distinguished constitutional scholar in his own right, underlined that the right to privacy is guaranteed by our constitution as reiterated in a succession of rulings by the superior courts. Citing the constitutional protection of the inviolability of the dwelling contained in article 40.5 of the constitution, Judge Hogan questions if the type of mass surveillance of communications allegedly being carried out by US intelligence agencies could be considered compatible with our constitution. Interestingly, given the source of some of the criticisms of data protection in Ireland, he notes that similar terminology is used in the German basic law and has been interpreted in the same way by the German constitutional court. While Judge Hogan concluded that Irish law appeared to have been preempted by European Union law in this instance, his judgment stands as a necessary reminder that we should look to our constitution as a first line of defence in relation to privacy and data protection. His judgment should also serve as a reminder to the public service that the constitution places limits on the permitted degree of interference with personal privacy even before we look to the protections provided by European Union law. To quote Judge Hogan's judgment, by safeguarding the inviolability of the dwelling, article 40.5 provides yet a further example of a light motif which suffuses the entire constitutional order, namely that the state exists to serve the individual and society and not the other way around. The Lisbon Treaty and the EU Charter of Fundamental Rights elevate a data protection to the status of a treaty obligation and a fundamental right separate to the right to privacy. The draft legislative package currently under negotiation at EU level challenges our legislators to develop a legal framework that lives up to data protections in hand status while recognising the challenges of the digital world. The draft regulation is a clear rights basis while also recognising the importance of free movement of data. It provides that the law will apply to any company providing services to Europeans whether they are based in the EU or not. Indeed, the recent Court of Justice decision in relation to Google points to the futility of companies providing services to Europe claiming that they are not subject to existing EU data protection law. Throughout the draft regulation, there is a strong emphasis on the accountability of organisations for the personal data that they process. There's a heavy focus on the duty of an organisation to be transparent about its data collection and use policies including an obligation to specify for how long personal data will be retained. The new accountability approach also places obligations in organisations to adopt an active approach to data protection involving privacy by design and an obligation to carry out a privacy impact assessment for significant data processing operations. The new regulation strengthens the obligation to keep data secure and extends to all sectors the data breach notification requirement that already applies to telecommunications companies. The draft regulations provisions in relation to transfers of personal data outside of the European Union do not involve significant change. The general principle remaining that the data protection rights of European residents should remain protected although the permitted methods for achieving this objective have been somewhat expanded notably with a greater role for the system of binding corporate rules which can be used by multinational companies. The regulation provides for a strengthening of the independence and powers of data protection authorities including an obligation to apply administrative sanctions in cases of intentional or negligent breaches of the regulation. It also provides that a company with operations in different member states would deal mainly with the data protection authority where it has its main establishment. That authority being obliged to work closely with other data protection authorities to ensure uniform application of the law. Getting the balance right between protecting the personal right to data protection while not unduly inhibiting innovation and international commerce is not an easy task. The regulation and accompanying law enforcement directive have been intensively negotiated in both the European Parliament and the Council of Ministers. The Parliament before its dissolution managed to agree revised texts of both instruments. The discussion continues in the Council of Ministers with an intention that the legislative package will be approved next year with entry into force in 2017. So what are the implications for us in Ireland? Clearly we must welcome the efforts to update data protection laws in order to restore a sense of control for individuals over their personal data in this information intensive digital age. The requirement that organizations take more responsibility for adopting privacy friendly policies through a privacy by design approach will also be welcomed by responsible industry players. Transparency is a bottom line issue. We need to be told in simple terms how our personal data is being used. We should be given choice where possible but consent should be meaningful not a tick box agreement to unintelligible legalese. It is also important that established business models and new innovations not be unnecessarily disrupted including the advertisement based model that drives much of the consumer internet. Concepts such as the right to be forgotten need to be expressed in terms that are realistic and that recognize the reality of how the digital world works. The European Parliament's text has helped us in this respect. We must be realistic on the global nature of digital data flows. Focusing on the strict accountability of an organization to safeguard personal data wherever it flows globally is more likely to protect this data than largely futile attempts to restrict such flows at national borders. However, there needs to be a new understanding on the proper limits to state access to such data if such global data flows are to continue. As Ireland is a welcoming home for many US multinationals we have a particular interest in aiming for interoperability between EU and US models of privacy protection. Privacy is a shared value as it's evident from the broad agreement on privacy principles. The US approach is more sectoral in nature with highly effective enforcement in those sectors by organizations such as the Federal Trade Commission. Class actions in relation to privacy infractions are also an important driver of good data protection in the US. Recently attending a conference in the US I was struck by the fact that the good practice advice from panels was not very different from what you would hear at a European event. The difference was that the main driver was not prescriptive law as in Europe but the financial and reputational risks arising from class actions. And we've also seen the influence of US court judgments such as the recent landmark Supreme Court Riley decision requiring a warrant to search the smartphone of an arrested person. An umbrella privacy law incorporating basic privacy principles underpinned by industry codes of practice something that has been urged by the current US administration would be a significant contribution to such transatlantic interoperability. Such an approach coupled with the application of a more risk-based approach to international transfers in the final version of the EU regulation could help to eliminate unnecessary obstacles to commerce while guaranteeing protection of privacy on both sides of the Atlantic. Again, a renewal of trust on the proper limits of state access to data has to be an essential component of a new transatlantic understanding. A revised safe harbor agreement between the EU and the US incorporating improved safeguards would be an essential first step. The recent report by the UN High Commissioner for Human Rights on the human rights dimension to mass surveillance should provide a common point of reference based as it is on the international covenant and civil and political rights which has been ratified by most states including the United States. There continues to be significant debate in the EU Council of Ministers around the idea of a one-stop shop for multinational companies. The idea is obviously attractive for multinational companies. But if the concept is to be acceptable it is essential that all data protection authorities are willing to rely on the lead data protection authority to vindicate the rights of all EU citizens not just those of its own member state. For this it will be essential that the consistency mechanism works as intended to ensure uniform application of the law. In our approach to oversight of multinational companies providing services from Ireland to individuals in other countries in Europe and beyond we have been anticipating the situation that will apply under the new regulation to a one-stop regulator. We use our power of audit to carry out a detailed examination of a multinational company's processing of personal data to ensure that such processing is at least compliant with Irish and European data protection law and ideally goes beyond mere compliance. In carrying out such an audit we take account of the concerns of other data protection authorities. By framing our audit reports in terms of best practice we can take account of issues that might not be strict compliance issues under our law but are of concern to colleague data protection authorities. And not only European data protection authorities. We have signed memorandum of understanding with the Federal Trade Commission the main privacy enforcer in the United States as well as with the data protection authorities of Canada and Australia. We are also enthusiastic supporters of efforts to develop more effective cooperation between data protection authorities through multilateral forums. In already anticipating the one-stop shop in how we carry out our activities we are also hoping to set a standard in relation to how the consistency mechanism will work to the benefit of Irish residents in relation to the many multinational that have their main headquarters in other EU member states. In practice it is the activities of such European multinationals operating in areas such as banking and telecommunications that give rise to the greatest number of complaints from Irish residents. This is a dimension of the one-stop shop that seems to have been lost in the public debate. It will also be essential that data protection authorities have the resources necessary to carry out their broader European oversight responsibilities. This is a key issue for us due to the large number of multinational companies handling personal data that have substantial operations in Ireland. I am glad that the government have recognized this by allocating more resources to our office and giving a public commitment that we will be provided with such additional resources as we need to discharge our broader European oversight responsibilities. Our experience of audit and continuous oversight of companies such as Facebook Ireland and LinkedIn Ireland brought home to us the resource implications of having regulatory responsibility for companies like this. The announcement last week that Minister of State Dara Murphy has been assigned specific responsibility for data protection within the Department of the Tishok is a further recognition by the government of the importance of data protection, not only in a European context but also in terms of the responsibility of the state to uphold the data protection rights of individuals in the state's dealings with them. Looking to the future that faces my successor, I expect that the challenges she or he will face will be significant. On the domestic front, continued vigilance about the encroachment of the state into the private lives of individuals will be necessary. Effective oversight of multinational companies carried out as it is under a critical international spotlight will remain an essential aspect of the Ireland Inc proposition. In terms of regulatory approach, the likelihood that we will be operating under a uniform, more prescriptive EU legal regime will limit the discretion available to individual data protection authorities. The power to directly impose significant fines and the expectation that this power will be used where organizations fail to comply with the law may alter somewhat the relationship between the commissioner and regulated entities. Some things won't change. Being unpopular is an occupational hazard. Upholding the right to protection of personal data when faced with a media storm calling for firmer action against crime or fraud is never easy. So a thick skin and grim determination, qualities not included in the formal job description are essential. Increase media attention to data protection issues even when critical of the data protection commissioner is welcome. Preaching data protection as a set of abstract principles rarely works. Getting across the message through issues being raised through the media is far more effective. And can I salute Elaine Edwards for a very effective contribution this morning in highlighting the privacy issues raised by making a full CRO data available online. And we've seen a much greater level of knowledge and specialization in the media on issues related to data protection. Hopefully my successor will have available an expanded team of dedicated individuals to carry out the variety of work that is already done to a high standard by our office. Effective data protection in the digital age is a challenge but not an impossible one. It involves us as individuals making a greater effort to understand what is happening to our personal data so that we can exercise greater control. For organizations whether public or private it involves a much greater effort to meet the privacy expectations of individuals ideally using privacy as a competitive selling point. For the European Union the current legislative process offers an opportunity to align legal requirements both with the expectations of individuals and the borderless realities of the digital age. For Ireland the opportunity is there to be seen as a model of a small country that can embrace advanced technology without sacrificing rights guaranteed by our constitution and by European law. Privacy is not dead, it just needs nurturing. Thank you for your attention.