Good afternoon everybody and you're very welcome. I'm Alex White, Director General of the Institute here, and a warm welcome to everybody. I don't think it would be any exaggeration to say that our guest this afternoon occupies, and has occupied for a number of years, an exceptionally important position and role in Ireland, and the impact of her decisions is considerable, not just for the citizens of this country but in fact, for reasons that you'll be aware of, for citizens of member states and countries across Europe and indeed arguably further afield. Helen Dixon took up the role of Data Protection Commissioner in Ireland in 2014, and in the period really in the lead-up period to the GDPR, the General Data Protection Regulation of 2018. And then afterwards, obviously of course, addressing and dealing with complaints and references and breaches and the whole regulatory environment and complex litigation in the Irish courts, occasionally in the Court of Justice of the European Union, dealing also with her fellow regulators in other member states, and perhaps occasionally having to put up with the odd grumble from them for reasons that those of us who observe what goes on will be aware also. So a critically important position that our guest has occupied for those years and will continue to occupy until February of next year, when Helen Dixon moves to a new role, a new regulatory role with ComReg. So we're absolutely delighted to have Helen Dixon with us this afternoon, to speak with us for 20 minutes or so and to make a presentation. And thereafter, we'll have a Q&A. So if you have any questions here in the room, you can simply use the obvious expedient of putting your hand up to indicate that you'd like to ask a question. You might just give us your name and designation or organization if you have one.
And if you are watching us other than in the room, from home or from your office or from somewhere else either in Ireland or abroad, you'll be able to ask a question using the Q&A function on the Zoom, which you're well familiar with at this stage. So just to remind you that the talk, the kind of initial presentation, and then also the Q&A are all on the record this afternoon. So I'm really looking forward to this presentation of Helen Dixon's and indeed to the discussion that we hope will follow thereafter. So it's my great pleasure to introduce Helen Dixon.

Good afternoon everyone, and thank you very much to Alex for the lovely introduction, and thanks as ever to the IIEA for the invitation to join you all here today. I've spoken several times at the IIEA during my tenure as commissioner and indeed I've attended very many excellent talks at the IIEA. I was thinking back to Terrell McSweeny, former FTC commissioner, who spoke here, the late Giovanni Buttarelli, Roberto Viola and Koen Lenaerts, the president of the CJEU. These are talks over the last 10 years during my tenure that really stick out in my mind as being particularly insightful. Perhaps now, because the pandemic seems to be a little bit more in our rear-view mirror, I'm out and about doing a lot of speaking events these days. There are a lot of conferences back on in Ireland, Brussels and elsewhere, and requests then for individual contributions from me at events like this one today. And of course the staff at the DPC are engaged in very significant outreach too. And I think it reflects an ever stronger appetite on the part of practitioners, businesses, NGOs, the public and all types of organizations to engage with data protection issues, and to seek to find pathways to ensuring that rights are protected, but personal data can still be processed where and as appropriate.
One of the organizers from one of the very recent events I was doing, when I was talking about some of the other events that I was going to be doing, said to me, "I hope you've got a single transferable speech that you can roll out." And of course I don't, because the GDPR is very wide and vast in its scope and application and it's also dynamic and fast moving in its implementation. And the messages to a group of C-suite business leaders, versus a group of very experienced EU data protection officers, or a group of central bankers, or a group of EU parliamentarians, have to be tailored differently based on the time available. So the messages are always the same, but the subset that I can deliver in a short space of time has to be targeted. And so to today's event, where I'm going to attempt to go through a very whistle-stop tour of five years of application of the GDPR. I'm speaking here today on behalf of the Irish data protection authority. But as Alex mentioned, in fact, my office plays an EU-wide role in enforcement of European data protection law, in that the Irish DPC is the lead supervisory authority for a lot of very complex internet platforms and technology companies that are based here on rules of EU establishment. But the role of lead is just that: my office leads in investigations and enforcement. And indeed, I would say we lead in work rate, but we're also bound in a form of action making with scores of other data protection authorities in a cooperation and consistency mechanism that's aimed at ensuring a harmonized interpretation of EU data protection law across the bloc, and at least that's the theory of it. By any measure, Ireland is Europe's most active regulator and enforcer under the GDPR, and I state that as a matter of simple metrics and not as any provocation.
My office of over 220 expert staff has handled and concluded tens of thousands of complaints since the GDPR came into application, from all across the EU, and about all sorts of data processing issues. And last year, the Irish DPC delivered over two thirds of the entire enforcement across the combined EU, UK and EEA, and this was on foot of very detailed and comprehensive investigations. If you're familiar with the DPC's website, all of the conclusions of these investigations are published on the landing page. The over 3 billion in fines and the orders for compliance the DPC has issued span an Irish credit union, a large bank, a courier company, the Irish police force, a private health care provider, and of course, some of the world's largest internet platforms. Infringements related to issues arising with unauthorized disclosure, security of processing, data protection by design and default, special protection of children when processing personal data, data transfers out of the EU, transparency and lawful basis for processing. And a couple of our large-scale decisions equally attracted a lot of attention, precisely because we found no infringement after we investigated, and ultimately those types of decisions demonstrate that the DPC doesn't regard a data breach as a form of strict liability infringement. In other words, the fact of a data breach is not in and of itself a failure to comply with the GDPR, and if you look at the arc life and alliance cases on the DPC website, you'll see the analysis that led to those conclusions. Interestingly, I think, the DPC has also conducted a detailed and lengthy investigation of Catholic Church personal data processing. This was on foot of a significant number of complaints the DPC received, where complainants sought to utilize the Article 17 right to deletion in respect of their baptismal records on the basis that they no longer want to be members of the Catholic Church.
They said their parents presented them as babies and gave consent on their behalf and they wanted to withdraw it now. And again, that detailed decision is on the DPC website and ultimately concluded, in the particular circumstances of the processing, that the right to be forgotten did not apply. It's an interesting one though to have a look at, because we had to look at canon law and where it crossed over with the GDPR. It's noteworthy at this point that many of the bigger decisions the DPC has made are the subject of multiple complex litigation procedures, three more sets of which were lodged just this week by Meta. High Court judicial review and appeal proceedings in Ireland, that themselves may ultimately give rise in due course to preliminary reference cases to the CJEU, are in play, as well as annulment actions to the EU General Court and the CJEU. And so there are inevitable issues of sequencing involved in all of these proceedings now, as some of the EU-level issues must typically be resolved before the High Court in Ireland can proceed with its hearings. And there are significant points of data protection substance, but also big points of procedure, in play in those proceedings. In some ways I think the 2018 Act almost incentivizes appeals of the bigger cases, because an automatic stay on fines kicks in. But equally I do have to acknowledge, as I said, that there are novel points in terms of the application of the law that arise. And so I certainly am not questioning the motivation for lodging proceedings. There are now very considerable DPC resources, including much of my own time, directed to litigation matters on an ongoing basis.
And one of the challenging aspects of matters the subject of litigation for a quasi-judicial decision maker, such as the role I have, is that I become largely constrained from appearing to play out the issues involved in the litigation when I speak publicly in ways that might appear that I'm trying to influence the outcome in the courts, which of course I won't seek to do, but I can speak factually about the cases, what the issues in play are, and what the likely timeframes are. In addition to all of that type of enforcement work and litigation, the DPC continues to issue guidance notes on the application of the GDPR on an ongoing basis. And we publish case studies quarterly in relation to data protection complaints we've investigated and resolved. Recently we pulled together our case studies into a compendium of case studies, and we've had really positive feedback from practitioners and stakeholders on their utility. We also keep organizations on their toes in respect of direct marketing obligations under EU privacy legislation, and we take a number of successful prosecutions each year against organizations direct calling or SMSing individuals without their consent or in contradiction of preferences indicated for marketing. Furthermore, the DPC has offered observations to government on hundreds of pieces of legislation on which it has mandatorily been consulted under the 2018 Act and the GDPR. And independently then of all of that public enforcement and regulatory activity by the DPC, Ireland has seen this year the conclusion of its first private enforcement case that didn't settle and actually went to hearing. It's a case that concluded with a compensation award under the GDPR of 2000 euros. The case was Kaminski versus Ballymaguire Foods, and the Circuit Court in Ireland didn't deviate, of course, from the trend we've seen in other courts in Europe.
The court here found that there had to be a causal link between the damage asserted by the individual and the infringement of the GDPR, and found also that the loss in this case went beyond mere upset. So with all of this regulatory activity that I've outlined, and indeed enforcement activity, does it suggest the GDPR or privacy or data protection are winning on behalf of humankind? The question of whether we're all winning and what winning looks like is one I've come back to many times before. We know that measuring the impacts of regulation is very difficult. Assessing the cost for business, the savings to business, the boon to the economy of greater trust by consumers and elimination of barriers to trade with the level playing field that harmonized standards bring, the better protection of rights and freedoms and elimination of discrimination. How do we measure all of this? How do we measure what processing by companies has been foregone after they concluded data at risk impact assessments? How do we really measure all of this, and how do we measure the impact of the law as it's written on the books versus the role of the enforcer like the DPC in the mix? These are questions that every area of regulation contends with, but I suspect they're even more complex in the context of the GDPR. You heard me earlier outline the span of sectors and society the DPC's investigations cover. And I think it's not for nothing the GDPR has been dubbed the law of everything, because it really does permeate all aspects of the economy and society in Ireland and the EU.
There isn't a day goes by in Ireland where our newspaper cuttings aren't filled with issues where the DPC is cited: issues to do with CCTV and local communities, whether our state broadcaster can publish a register of interests of its staff online, whether a local fast food outlet can install cameras in the vanity area of its restrooms, whether nursing homes can share information when passing on a patient that has a history of aggressive behavior towards other residents, or whether YouTube is entitled to deploy ad blocker detection software without explicit consent. As many of you know, my tenure at the DPC will end soon. And one of the reflections I had in recent months, as I looked back at nearly 10 years of major data protection issues that have cropped up and in which the DPC has been involved, and I'm thinking here of issues relating to Brexit and free flows of data, particularly on the island of Ireland, and the time in which it looked like perhaps there was going to be a disruption to those data flows, EU to US transfers, which have been a constant issue during my tenure, Cambridge Analytica, I should mention Eircode since Alex is here, the public services card, the audit of political parties in Ireland, the Microsoft warrant case and so on. There've been lots of issues that have flared up and burned bright for a time. But I realized recently that the story that has lingered the longest and generated the most press cuttings, and with which perhaps there's been the biggest public connection that I've seen, is one that's actually outside the jurisdiction of my office. And it's the recent Police Service of Northern Ireland data breach. And I think it's a case that almost in its simplicity illustrates so many truisms about data protection for us. Firstly, it reminds us of the CJEU's point about the care that's needed when transacting with large data sets. It reminds us also of the need for policies and processes that account for that human propensity to make mistakes.
And most of all, I think it illustrates to us that context is everything in data protection terms. So from what we all understand in that PSNI data case, an FOI request was being responded to and, erroneously, when the aggregated data in a spreadsheet was being published, the full data sheets from which the aggregated data was extracted were also published for a time online. And the thousand officers of the PSNI were identified with initials, surnames, ranks and locations. And of course, if you think about it, if the same error occurred at the DPC, where we unintentionally published a spreadsheet of our 220 staff with those details, there would be no consequences, there would be no risk in actual fact for our staff. But in the case of the PSNI, there are risks, even up to a risk of life. So sometimes when we try to say that it's certain sectors or industries or platforms that are inherently high risk from a data processing point of view, we can miss the point, because as we've seen from this type of issue here, and also in the Irish jurisdiction in terms of DPC investigations, for example, of certain matters at Tusla where there was a failure to redact sensitive data and documents, allowing that information then to fall into the hands of the person a particular individual was in fact being protected against. When I attend specialist data protection conferences and legal events, those of us who specialize in this area can become very mired in the complexity and some of the considerable and undoubted specialist technicalities of data protection law: transfer impact assessments, controller-to-processor agreements, homomorphic encryption and other privacy-enhancing technologies. And all of these are necessary to discuss and have their place, but we can lose sight, in the debates and the arguments and the technicalities, of what the ultimate purpose the GDPR serves is, and the GDPR shouldn't of course become an end in and of itself.
The risk-based approach is very much central to the GDPR, and it's a tricky subject for all of us, risk and how to deal with it. While large data sets are of particular importance, as underlined time and time again by the courts, the GDPR, with its large fines and its very tough enforcement focus, often is applied and viewed through the lens of individual complaints. And we often talk in GDPR terms about organizations needing to avoid creeping out individuals in terms of how they use their personal data and avoiding going beyond what will be in the reasonable expectations of a person. But trying to design systemic processes and policies to safeguard personal data, which comply with the GDPR but which also meet the expectations of every affected individual, is challenging. In an interesting judgment this year from the First-tier Tribunal in the UK, in the case Experian versus the Information Commissioner, the judge made a number of interesting and quite challenging observations, I think, one of which was by reference to the obligation on organizations to deliver transparency and to layer information appropriately for users. The judge said that ultimately it was a matter of judgment, because what surprises one person may not surprise another. And he said the mere fact that some people might subjectively find some things surprising is not a particularly useful yardstick. In digital platform terms, it's interesting, I think, to consider at this point how much we understand about user perceptions about data protection. I quote a Dutch study titled "Data protection or data frustration? Individual perceptions and attitudes towards the GDPR", and I cite it often because it's one of the rare empirical studies there is. It was published in 2020. And it highlighted that enhancing control over one's data and raising awareness were among the main aims that the EU Commission set for the GDPR.
What the authors found were high levels of reactance to the GDPR amongst those they interviewed. People felt stressed by it in their work and professional context, afraid that they would make a mistake and be deemed to breach the GDPR, and correspondingly, outside work, they didn't feel its benefits as individuals in their social, sporting and community lives, where they felt it could disrupt previously simple and innocent activities like sharing a sports team photo. And one of the verbatim quotes from one of the interviewees in that study was as follows: "You come across even about a picture on the sport field, and you come across the GDPR in then the most unexpected places, for example the library. When you want to reserve a book, you can't do it in your name anymore, but you need to know your library ID number. Odd." I would suggest that their findings point in a direction of there being perhaps no paradox at all in terms of how people transact online with their data. The authors say people are aware of privacy and its importance. They're also aware of their rights, but in our digital society using and sharing data has become such an integral part of our lives that their choice isn't a real one. They choose to share data because it forms an inherent part of their daily life. And they say that these conclusions call into question if the decisions made by individuals when sharing data are paradoxical, or rather simply reflect their needs in a highly datafied society. And ultimately they say further research on individual attitudes and privacy behavior is needed to further explain the effects of that lack of choice on user behaviors. And there is a strong case, I think, for more targeted research and measurement of the effects of data protection regulation. When the Czech Advocate General Bobek was departing from the CJEU in 2021, he talked in two of his opinions that October about the fact that there's practically no limit to the GDPR's reach.
And he predicted in one of his opinions that either lawmakers or the courts may have to one day limit its scope. On the lawmakers' side, we heard EU Justice Commissioner Didier Reynders last week reiterate that there are no plans to reopen the hard-fought GDPR. And that seems reasonable. On the part of the courts, perhaps we will see some evolution. There was a recent Advocate General opinion published over the summer; it's Case C-115/22. There was a case from the Austrian courts about an athlete who was convicted of sports doping, and the sports regulatory body or governing body published details of her violation on the website and she raised a complaint about it. And interestingly, the Advocate General who opined on this before the court gives final judgment said, well, first of all, sports doping isn't regulated by EU law, so this issue doesn't fall to be looked at under the GDPR. She then went on to say that if she was wrong, and in the alternative, no individual proportionality assessment would be required here in relation to the individual, that the interference was justified by the public interest in publishing the details, because of the aim of stopping other young athletes from taking drugs, and it's interesting that she references what's needed in modern societies in terms of the proportionality of publishing. So pending any big moves from lawmakers of the court society which I don't think any of us are anticipating, we have the law that we have on the books. And at this five-year mark, I think there are still real deficits in measurement. The EU is now conducting its second evaluation of the GDPR, as it's required to do under Article 97. I think it has to have completed it by next summer. And the DPC has had a couple of interactions with this evaluation that's underway. We've been interviewed by the EU's Fundamental Rights Agency, that's taking the mood music around the one-stop shop across data protection authorities.
And we've also been asked by the EU Commission to fill out a questionnaire where it's seeking to effectively count the implementation of the GDPR. But even that's fraught with difficulty, given that there's still no agreed taxonomy between data protection authorities, and definitions of simple things, even complaints, don't always align across member states. This has perhaps already been recognized by the EU Commission in terms of its proposal, already in advance of the conclusion of its evaluation of the GDPR and the one-stop shop, because as many of you know, it published this summer a proposal around a procedural harmonization in relation to enforcement of the GDPR. And the DPC is the authority most affected, in light of its work rate, by a lack of harmonization of administrative procedural aspects of member state law. As they relate to enforcement, we strongly support such a proposal. Establishing a clear minimum standard of procedural rights will streamline the operation of the GDPR and provide greater legal certainty. In that regard, the DPC always seeks to involve the complainant in an inquiry and a decision-making process, whereas most other EU data protection authorities provide for limited or no involvement of the complainant in the process. And so I think a byproduct of this proposal from the EU Commission, should it become law, is that it will also start to standardize the terminology, as we have that limited harmonization of administrative laws. I want to mention as well, in the context of measurement, that next year in 2024, the DPC is going to find itself at the midpoint of its own five-year regulatory strategy, and the DPC intends to engage in its own ambitious measurement project. Much has been done in the past two years to progress the priorities that were set out in the strategy in terms, especially, of ongoing engagement and guidance efforts.
We've built new partnerships with representative bodies, especially those dealing with children and vulnerable groups. And in an effort to ensure that the message of data protection is being communicated in a manner that's comprehensible to those groups, we want to involve them next year in this measurement project. The DPC's overarching goal is to do more for more. And that's well underway. It's of course, as it is in all areas of regulation, difficult to measure the impact of our work strictly in quantifiable terms. There's no direct correlation between the DPC publishing X piece of guidance on our website and a corresponding decrease in complaints. So what the DPC intends to do in 2024 is to commission a series of surveys across several of its stakeholder sectors in Ireland and beyond to ascertain levels of knowledge growth and impact levels over the first two years of the strategy's implementation. And we're currently looking, actually the project will be led by my colleague, Enbi Donnelly, who's here. We're currently researching the types of academics and specialist bodies that can assist us in both designing and implementing these surveys. And then we'll roll those out again in 2026 so that we can measure the impact. I'm going to skip on a little bit, because I'm looking at the fact that it's already 1:30, so I realize that I've underestimated how long all the points I wanted to make are going to take. So I'll skip through a little bit that I was going to talk about in relation to the risk-based approach, because I suspect many of you are familiar with the risk-based approach that's central to the GDPR and some of the challenges that it presents. So to move on, I'll cover a few limited points in the last few minutes, and maybe one of the things that I will mention in the context of looking at risk is the particular focus that the DPC has put over the last number of years on children.
We've a very strong children's policy team that is focused on preparing interpretive guidance in relation to the GDPR to guide organizations of all types in terms of how children should be protected in the processing of personal data. And one of the messages we've had to underline in that context is that the aim shouldn't be to shut children out as a way of protecting them, but finding a way to provide them with appropriate access to products and services that protects them in line with their evolving capacities. And the same principle of course should apply in terms of adult safeguarding when it comes to at-risk adults, but the DPC has been contacted now on numerous occasions by advocacy groups in this area. And they say that data that should be shared to protect vulnerable adults is not being shared when needed, with fear of GDPR infringement being cited as a basis for not sharing. And this shouldn't be the case. Perhaps the data should be shared, perhaps it shouldn't, but assessment of whether there's a legal basis to share and the establishment of measures necessary to safeguard individuals in the context of sharing are what are required. But this is far easier said than done, particularly when we don't have parallel legislation to the Children First legislation. There's a lot to unpick in these types of issues that have been presented to the DPC on these matters, and the GDPR should certainly not be the main issue that presents any blockages. The Law Reform Commission in Ireland is conducting a detailed study currently, which will be published, I believe, by the year end. And it's a study on a regulatory framework for adult safeguarding. And to the extent it makes any recommendations for legislation or codes of conduct, or any other type of recommendations, the DPC will be particularly engaged around trying to clarify definitions for what an at-risk adult is, so that any derogations that apply won't be blown wide open if the definition is too broad.
One further particular observation of the DPC over the last year is that we are seeing definite increased professionalization of the data protection officer role in Ireland. And we can identify now clear characteristics of the good DPOs, who can understand risk, who know their business, who can accept there aren't definite answers and precedents to everything, but can still plot an appropriate course that's both protective of rights but allows a business to run. On the other end of the scale, we're seeing small practices that are simply ignoring data subjects and the GDPR, and the DPC in several cases in very recent months has had to issue enforcement notices to these small businesses to try and compel release of data to individuals. My letters are ignored, we make phone calls and we're greeted with great hostility and told that these small businesses are trying to stay afloat and they don't need all this paperwork and GDPR headache on top of them. And the DPC needs to factor all of this, as we go forward, into how we support compliance across the board. Additionally, we're still getting an awful lot of household CCTV complaints. And these are an area of great difficulty because in many cases, the issues are far greater than data protection when neighbors fall out. As I've said today, all that I've said actually today is really by way of concluding that the GDPR, with its very broad scope, has a long way to go, despite its successes in protecting rights. We've a long way to go in terms of developing greater understanding of the risk-based approach, reaching better legal certainty on fundamental principles, which will happen in part through adjudication by the courts. And there are now about 50 cases pending before the CJEU, which in due course will provide more guidance. As I said equally, I think through more empirical research by academics we'll start to understand our datafied society better and in the round.
The very final thing to say is of course that the GDPR is no longer the only show in town, particularly when it comes to technology and digital regulation. Everyone listening here today will be well familiar with the suite of new digital laws that Europe has proposed and adopted and put into application already in some cases, like the Digital Services Act. So coherence, cooperation and coordination between regulators, including the EU Commission, is going to become increasingly a priority as these laws interweave with one another. The DPC has been very pleased in the last year that Professor Joyce O'Connor at the IIEA has convened a digital stakeholders group of academic, NGO, regulator, industry and practitioner representatives to discuss and consider digital and digital regulatory matters. While it deliberately hasn't had any hard outputs yet from the forum, it's already providing a very useful way in which policy matters can be discussed between stakeholders. So again, thank you on so many levels to the IIEA and thank you all for your attention today.