 Thank you very much indeed Paul with these negotiations of Croke Park going on and so on every plug for the public service is appreciated. But I'm very happy to be sharing a platform with Marnie this afternoon, and as she said our experience of auditing Facebook Ireland brought us back up against some of the most challenging issues about protecting personal data in the digital age. And as Marnie said it was a mutually beneficial engagement as she says in Very American gyda'r gweithio, ac, oherwydd, mae gennym ni'n ymwysig o'r company gyda Facebook. Yn cael y cyfnod gyda'r cyfnod, mae'n cerddwch i ddweud y ddrwy'r informatio ar gyfer internetau yma yng Nghymru. Mae'r gyfnod o'r Llyfr yn bryd i'r gweithio ar gyfer Facebook i'r cyfnod ymwysig o'r cyfnod. Ond yw'r ddweud yng Nghymru? Felly mae'n cyfnod ymgylchol gyda'r platform ydy o'r cyfnod yn cael ei ddweud. The charge instead is the right to use the personal information you provide to give advertisers a guarantee of being able to deliver highly targeted advertising to a highly segmented market. Do people understand the deal underlying the use of free services? Is the take it or leave it deal fair? How far should regulators interfere to redress the power imbalance between the individual user and the internet provider? Or should regulators butt out of an agreement freely entered into? Looking back over 10 or 20 years, that is if like me and Paul as he admits it, you're not a digital native, it is amazing how the digital age has impacted on all of our lives. Work is mainly conducted on some form of electronic equipment, work related research is no longer an issue of wading through a library, instead information is at your fingertips. Much of our social life is conducted using digital devices of increasing complexity as Marnie mentioned. Apps in our smartphones tell us everything from the weather to the nearest restaurant to the time of the next bus or train. A new generation of toddlers is beginning to use tablets rather than rattles for entertainment. And I'm wondering could this be the end of the guilt mitigating bedtime story for working parents? Happily not for my generation. New and beneficial uses of digital technology are being developed every day. This week a major eHealth conference is taking place in Dublin exploring the actual and potential benefits of more effective use of technology in the health sector. Big data offers the potential to identify everything from traffic congestion to climate change to the spread of infectious diseases to identifying a likely threat to public security. But there is a darker side to the digital age. How confident can you be in entrusting your sensitive medical data to a national eHealth system? What degree of control over this data can you reasonably assert? The same technology that allows you to find the nearest restaurant or bus is also tracking your every movement. It's like having someone looking over your shoulder all the time. As we all travelled here today, we left a trace of our journey through our mobile device and through capture of our images at certain points along the way. Such casual collection of our personal information has become so commonplace that we forget that it is happening. Much of the time the information collected will not harm us. But are we becoming anewr to the fact that it is actually happening? What if analysis of your pattern of movement or online transactions leads to you being wrongly identified as having criminal intent? At a more banal level, what if such online activity causes you to be profiled as falling into a particular income or consumer category to which you do not belong? What of the creepy effect of online behaviour and advertising? Turning to a personal anecdote, I'm afraid I have to tell Marnie I'm not a regular user of Facebook. I only go on to Facebook to check the privacy policy. But giving the minimum information, the accurate information that Facebook insists on, which is your name, your gender and your date of birth, the advertisements I receive are for dating sites for over 40s and dieting sites. All I can say is I'm glad my wife wasn't looking over my shoulder when that came up on the screen. Anyway, the extent of collection and use of our personal data in our daily lives is such that traditional data protection principles of notice and consent increasingly lose their value. How many of us bother to pause over the terms and conditions we sign up to when, for example, we install a new piece of software? So-called click-fatee comes into play for Marnie, with a desire in this fast-moving age to get on to the next item on our agenda. This situation points to a greater need for organisations that collect personal data to adopt a privacy-by-design approach, focusing from the beginning on the privacy expectations of customers and addressing these through product and service design that minimises the collection of personal data and accepts full accountability for how personal data is used. Data protection laws exist to provide a minimum level of control to the individual over the collection and use of their personal data. Ubiquitous technology and the information gathering and sharing that it facilitates has made the challenge all the greater. Data protection law cannot be so prescriptive as to resolve every issue, a point Marnie made quite forcibly. There is and always will be inevitable tension between the right to privacy and other rights. We've seen this tension being played out in the Irish and European courts. For example, in relation to the extent to which copyright holders can infringe on the right to data protection in order to combat unauthorised file sharing. Other areas of tension include the balance to be struck between the right to privacy and the right to freedom of expression. The balance to be struck in such cases is likely to require litigation leading to authoritative court rulings and happily involving lots of lawyers. The Lisbon Treaty and the EU Charter of Fundamental Rights elevated data protection to the status of a treaty obligation and a fundamental right separate to the general right to privacy. The draft legislative package currently under negotiation at EU level challenges our legislators to develop a legal framework that leaves up to data protection's enhanced status while recognising the challenges of the digital world. So how does it do this? The draft regulation has a clear human rights basis while also recognising the importance of free movement of data. It provides that the law will apply to any company providing service to Europeans whether they're based in the EU or not. The regulation puts greater emphasis on the principle of data minimisation, the obligation on the data controller to only collect the minimal amount of information needed to deliver a service and where possible to use anonymised data. It puts a heavy focus on the duty of an organisation to be transparent, something Marnie also emphasised, to be transparent about its data collection and user policies including an obligation to specify for how long personal data will be retained. The right to get a copy of your own data has also been strengthened. The regulation does away with routine notification or registration obligations. Instead, focusing more on accountability, it requires organisation to document their procedures and in the case of public bodies and large organisations such as Facebook to appoint a dedicated data protection officer with a specific mandate to oversee data protection in the organisation. Part of the new accountability approach also paces obligations and organisations to adopt an active approach to data protection involving privacy by design and an obligation to carry out a privacy impact assessment for significant new products or data processing operations. There's also provision for independent audit of data protection procedures in certain circumstances and encouragement for the adoption of privacy seals and certification. Reflecting the development of the internet, social networks and cloud services, there's a new right to move your data from one electronic platform to another. The much talked about right to be forgotten is given expression in a clearer obligation on organisations to have a justifiable data retention policy and an obligation to delete personal data on request except where this would be incompatible with other rights. The new regulation strengthens the obligation to keep data secure and extends to all sectors the data breach notification requirement that already applies to telecommunications companies. The draft regulations provisions in relation to transfers of personal data outside of the European Union do not involve significant change. The general principle remaining that the data protection rights of European residents should remain protected although the permitted methods for achieving this objective have been somewhat expanded. The regulation provides for strengthening of the independence and powers of data protection authorities. It also proposes that a data controller with operations in different member states would only be subject to the jurisdiction of the data protection authority where it has its main establishment. The powers of data protection authorities are to be significantly strengthened as well as provisions for sanctions applied by courts. There's also an obligation on data protection agencies to apply administrative sanctions in cases of intentional or negligent breaches of the regulation. The regulation and the accompanying law enforcement directive are being intensively negotiated in both the European Parliament and the Council of Ministers. Getting the balance right between protecting the personal right to data protection while not inhibiting innovation is not an easy task. It is difficult to predict what the final text will look like and whether the intensive effort being made by the Irish EU presidency to progress the negotiations will be sufficient to get it over the line by the target date of 2014. So what are the implications for us in Ireland? Clearly we must welcome the effort to update data protection law in order to restore a sense of control for individuals over the personal data in this information intensive digital age. The requirement that organisations take more responsibility for adopting privacy friendly policies to a privacy by design approach will also be welcomed by responsible industry players. Transparency is a bottom line issue as Marnie has mentioned. We need to be told in simple terms how our personal data is being used. We should be given choice where possible but consent should be meaningful, not a tick box agreement to unintelligible legalese. But it is also important that established business models and new innovations not be unnecessarily disrupted, including the advertisement based model that drives much of the consumer internet. Concepts such as the right to be forgotten need to be expressed in terms that are realistic and that recognise the reality of how the digital world operates. Speaking recently to European archivists, I also heard a concern that overzealous application of the right to be forgotten coupled with existing official reticence due to freedom of information laws could mean that there could be lean pickings for future historians. At a more personal level, in an era when letter writing and photo albums have been replaced by electronic communication and online storage, what trace of our activities will we leave to our descendants? As an aside, the final outcome of yesterday's high court case in Ireland, taken by an individual wrongly accused of not paying a taxi fare, it will be interesting in relation to the extent of the measures that platforms such as Google and Facebook are expected to take where information in a video goes viral on the internet. We must also be realistic on the global nature of digital data flows. Focusing on the strict accountability of an organisation to safeguard personal data wherever it flows globally is more likely to protect this data than largely futile attempts to restrict such flows at national borders. As Ireland is a welcoming company for many US multinational companies, including Facebook, we have a particular interest in aiming for interoperability between EU and US models of privacy protection. Protection of privacy is a common value as is evident from the broad agreement on privacy principles. The US approach is more sectoral in nature, with highly effective enforcement in those sectors by organisations such as the Federal Trade Commission. An umbrella privacy law incorporating basic privacy principles underpinned by industry codes of practice, an approach that has been urged by the current US administration would be a significant contribution to such interoperability. Such an approach, coupled with the application of a more risk-based approach to international transfers in the final version of the EU regulation, could help to eliminate unnecessary obstacles to commerce while guaranteeing protection of privacy on both sides of the Atlantic. As Maranie has mentioned, current efforts to achieve a comprehensive EU-US trade and investment agreement could help to provide the necessary incentive on both sides to embrace such an approach to the benefit of both sides of the Atlantic. There is likely to be significant debate around the idea of a one-stop shop for multinational companies, whether they are European or non-European. The idea is obviously attractive for companies. If the concept is to be acceptable, it is essential that all data protection authorities are willing to rely on the lead data protection authority to vindicate the rights of all EU citizens, not just those of its own member states, something we do every day in relation to users of Facebook Ireland. For this, it will be essential that the consistency mechanism among data protection authorities works as intended to ensure uniform application of the law. It will also be essential that data protection authorities have the resources necessary to carry out their broader European oversight responsibilities. This is a key issue for us due to the large number of multinational companies handling personal data that have substantial operations in Ireland. I am glad that the government have recognised this by allocating more resources to our office and giving a public commitment that we will be provided with such additional resources as we need to discharge our broader European oversight responsibilities. Our experience of audit and continuous oversight of Facebook Ireland brought home to us the resource implications of having regulatory responsibility for companies like this. Effective data protection in the digital age is a challenge but not an impossible one. It involves us as individuals making a greater effort to understand what is happening to our personal data so that we can exercise greater control. For organisations, whether public or private, it involves a much greater effort to meet the privacy expectations of customers and citizens, ideally using privacy as a competitive selling point. For the European Union, the current legislative process offers an opportunity to align legal requirements both with the expectations of individuals and the borderless realities of the digital age. Working together, we can ensure that the promise of the digital age leads to an enrichment of our lives and those of our children. Thank you very much.