So, Jennifer Sullivan is Deputy Commissioner at the Data Protection Commission, she is responsible for the international side of things, she's going to give us a speech this evening for about 10, 15 minutes, that's on the record, and then once she's finished up we're going to strengthen the questions, and that's all Chatham House, which means you can use the information but just don't reveal who said it or where they said it. So, Jennifer.
Great. Good evening everyone. I'm delighted to be here and thanks to Dara and his colleagues for his very kind invitation. Personally very thrilled to be considered relevant to an under 35 age demographic. Obviously a day in the life of the Data Protection Commission could become a fairly expansive topic, and if I was to cover absolutely everything we do with the DPC, I'm not sure really how riveting that would be for me. Instead, what I thought I'd do was take you on a more selective or whistle-stop tour of the work of the DPC, mainly focusing on our international and particularly EU facing activities. And I'll even make some stops on that tour at some of the more controversial or thorny issues, just to get them out of the way, I'm sure you'll have questions on those later.
I'm looking forward to those questions I think, so we'll leave plenty of time for them. To start off on that tour, if I was to ask each of you what the DPC does, I'm sure you'd each have a different take on that question, and all would likely be very valid. And that's because we actually do have several different roles that we deliver on simultaneously. Every day in our life involves all of those roles. First off, we're a source of information for individuals who just have queries on their data protection rights. Moving on from that, we're an ombudsman effectively when those individuals have actual complaints when their data protection rights are being potentially infringed. And then we can effectively act as a mediator if it's appropriate to do so, to try and get their complaint resolved, get their rights vindicated in a way that's relatively quick. We're also an advisor and a consultation body for organisations. So for example, we must be consulted when there's new legislation being prepared that impacts on personal data processing. We're an approver and an authoriser in certain situations, particularly, for example, in the mechanisms that are used to transfer personal data from the EU to outside the EU. We are a facilitator of organisations, for example, those organisations that are voluntarily trying to demonstrate their accountability using mechanisms like codes of conduct and certification. We're a type of policy setter in terms of how we interpret data protection law, kind of define how it applies to certain contexts, sectors, situations and produce guidance and case studies. We're also an awareness raising body and an educator on data protection rights, on obligations and even on regulation itself. That's for organisations and for individuals and a particular priority for us at the DPC is on educating and awareness raising among children.
We do that generally through our website, through social media channels, through traditional media events like this and conferences and so on. And then in our engagement and cooperation with our fellow data protection authorities, we lean on all of our international diplomacy and education and communication skills and I'll come back to that in a while. And then obviously we're a supervisor, we're an investigator, we're an auditor and an enforcer of the law as it relates to data protection. So I'm not sure if you were counting there but that was ten different roles that we have every day. And we do all of that under a very definitive legal framework that's now in place, the main elements being the General Data Protection Regulation or the GDPR, which you've all heard of, and also the Irish Data Protection Act from 2018, amongst other legislation. So on that last role I mentioned in that long, long list, the DPC now has a much expanded set of corrective powers under the GDPR that are available to us and that are to a certain extent prescribed under the Data Protection Act. And obviously the most commented upon of those powers is the administrative fine that's now available to us as a type of sanction. Now you might have seen references to the DPC as the lead regulator in Europe or Europe's data watchdog and so on and so on. And those headlines are linked to something called the one-stop shop model that was introduced under the GDPR. So any organisation is engaged in something called cross-border processing if it processes personal data that affects individuals in many member states or if that processing is in the context of its activities in its entities across several member states. So under that one-stop shop model I mentioned, an organisation that engages in that cross-border processing since the GDPR was introduced, it's no longer subject to the supervision of every data protection authority in each of the member states it operates in.
It's instead subject to the oversight of just one authority, the authority in the member state where it has what's called its main establishment. So generally where the decisions are made on how it processes personal data. So that authority is known as the lead supervisory authority. So the benefit really for those organisations is that for any given infringement that might have effect across many member states, for that one infringement they're only subject to one investigation, they'll have one decision and potentially one sanction. So you can see that there's quite a benefit to organisations from the one-stop shop model. And as I'm sure many of you know, many of the very big international technology firms have their base in Europe here in Ireland, and this is where their decisions are made on how personal data is processed. So that means the DPC is the lead supervisory authority for all of those big tech companies, but also for pharma companies, airlines and so on that have their base here in Europe. So not only do we have that relatively large number of companies for which we're the lead supervisory authority, but given the complexity and extent of those companies' processing, given the fact that they generally have a very large user base, the work that we do in supervising those organisations is very extensive and it's very deep. So take a large number of companies, multiply that out by high complexity, and you can possibly see that it adds up to quite a disproportionate regulatory role for the DPC relative to the other data protection authorities in Europe, and that's before you even think about the size of the Irish population or other comparators. So clearly given all of that, there's no such thing as a typical day at the DPC, but I'll keep going anyway with trying to contrive that for you. First off on any given day, it's very, very likely that there is at least one of us from the DPC in Brussels for a reason.
So the body that's known as the European Data Protection Board, or EDPB, is the EU body that's made up of all of the EU's data protection authorities. Also in there are the three data protection authorities from the European Economic Area. There is the supervisor of the European institutions, the European Data Protection Supervisor and the Commission. So one of the EDPB's main tasks is to ensure the consistent application of the GDPR across the EU and the EEA. So there's a whole architecture of 12 subgroups that are specifically responsible for certain provisions and areas of the GDPR or cross-cutting issues. And those subgroups produce guidelines and position papers and opinions and so on. There's also a plenary meeting every month where decisions are actually made, opinions are approved, guidelines are approved and so on. So all of that adds up to over 100 meetings every year in Brussels. So quite a commitment for us and we generally attend all of them. We've also been rapporteur or lead rapporteur on some of the more fundamental guidelines that the EDPB has produced over the last couple of years. And we're also co-coordinator of one of those subgroups. Now I'm glad to say that there's a video conferencing solution currently being tried. So hopefully we won't hit that 100 limit this year, hopefully. So that's some of the work on the EDPB that has general application. And then there's a mechanism called the cooperation mechanism as well under the GDPR. And that's the other key aspect of the EDPB's role and that relates to the specific cases. So those cross-border complaints and investigations. And this cooperation is part of life of the DPC all day, every day, given our lead supervisory authority status. So I mentioned that under the one-stop shop model, organisations are generally subject to the supervision of one supervisory authority. And then they effectively have one interlocutor.
If you're a complainant and you've lodged a complaint with another supervisory authority, you have that supervisory authority as your own interlocutor. But if you're the lead supervisory authority, you have to engage with the 31 other supervisory authorities. So that's where the pressure is in terms of managing the multiple stakeholders, making sure that communications and information sharing is happening under the GDPR and so on. Because in this model that we have, the other supervisory authorities are said to be concerned if the matter relates to individuals in their member state or if the company perhaps has another establishment there and so on. So the types of organisation that we supervise generally have users in all EU and EEA member states, so generally we have to engage with all supervisory authorities for every complaint and investigation we deal with. Not only that, the DPC handles about one third of all the cross-border cases in the EU. So those cases, again as I mentioned, being typically very complex. And any one of our enquiries into cross-border processing could involve multiple, multiple mutual assistance requests, consultations, informal consultations under that cooperation procedure. So you can hopefully see how that mechanism keeps us very busy at the DPC, particularly the engine room that is our one-stop shop operations team. And that's without me even getting into the actual complaint handling, the actual investigative work that's being completed every day by our complaint handling and investigation teams. And I would say that this cooperation mechanism is still really evolving in terms of its implementation, in terms of its use and practice. And many of the more novel or interesting or challenging procedures have not even been invoked yet just over one year in. Only 25 decisions in total that relate to cross-border processing have made their way entirely through the EDPB cooperation mechanism.
And none of those 25 cases so far have been of high complexity. So our one-stop shop operations team is not the only team in the DPC who's kept busy on the international front. With every new headline in the media, every high profile data breach that's announced, every new enquiry that we commence ourselves, our communications and media team is generally inundated with requests for response, requests for interviews. Sometimes they have to clarify some misunderstandings that have arisen. And the majority of those requests that are coming in at this point are from international outlets, given the role of the DPC as a lead supervisory authority in that context. And I suppose we take it that it is important that we provide information where it's in the public interest to do so, both at a national and an international level. So one of the themes of these media stories obviously has related, that you may have seen, relates to fines under the GDPR, and the DPC has not issued any fines yet. And that's simply because we have not yet issued decisions for those high profile enquiries. And there's a very good reason for this. And those reasons mainly boil down to our need to be fair to all the parties involved. We want to be fair and we must be fair. And we do that by applying very rigorous procedures under that fair procedure principle. I've mentioned the Irish Data Protection Act from 2018 a couple of times. So I'm sure all of you know that as an EU regulation the GDPR has direct effect. But the Data Protection Act is itself quite prescriptive in terms of our procedures and how our powers can be applied. So I suppose the DPC regulates in an international and EU context but very much under a framework of both EU and Irish law. And that extends to how the principles of fair procedure are applied under Irish law. Particularly in the decision making process of an administrative body like the DPC.
And also taking into account the case law that has been developed through the Irish courts in that area. So as well as being the focus of international media we also speak very regularly at conferences around Europe and further afield. There's enormous attention globally on how the GDPR has been implemented. So as the lead authority I suppose that we are in terms of our supervision of a very large number of multinational companies, there's a high interest in our experience specifically. And we do believe in being as transparent and open as possible on that experience as it can only be of assistance to other jurisdictions. And really it's remarkable how far the international debate on data protection and privacy has evolved since May 2016 when the GDPR text was finalised, and even in the last 12 months, 13 months today since the GDPR actually came into force. And I suppose who would have thought even a year ago that the CEOs of the major tech companies would be trying to outdo each other in their public acclaim of the GDPR and their demands for greater regulation globally in the area of data protection. So that's a less than comprehensive rundown of some of our daily efforts on the international side of things. I've left out lots and lots of important work that's done across the organisation but hopefully your own questions will touch on many of those areas. Will I briefly look ahead at the next few months? So 2018 obviously was the game changing year and the introduction of the GDPR, but 2019 and 2020 are both looking to be pretty seismic in themselves because the GDPR is really starting to have an impact. So if we look ahead at our focus over the next few months and some headlines from that, in a couple of weeks the Court of Justice of the EU will hold its hearing on the proceedings that the DPC brought related to standard contractual clauses in a case known as Schrems II.
Brexit is potentially on the horizon and if there is a no deal Brexit we would have a fairly extensive operational impact, and in that scenario the UK would become a third country, so that point I mentioned on personal data transfers, any transfers from the EU to the UK would require those transfer mechanisms to be in place as a safeguard of personal data. We're still looking forward to the text of the new EU privacy regulation so watching those Council negotiations with great interest. Over the next few months obviously the first significant decisions and potentially fines will issue from the DPC once they've worked their way through the EDPB cooperation mechanism and through to being enforced, so we'll be monitoring the deterrent effect of those. The major outputs from our children's consultation, on which I'd be delighted to answer your questions, those outputs will start to come into play as well. We'll be producing guidance, policy and hopefully starting to change the norms on how children's personal data is used and safeguarded. We'll still be building our own organisational capacity, building expertise, trying to work up to more simultaneous enforcement, and I suppose above all else we'll be continuing our efforts to battle the many myths and legends that have grown legs over the last 12 months on what the GDPR stops people from doing. So the scariest one I've heard of so far is on the paramedic who was prevented from being provided the medical history of an unconscious individual because of the GDPR, so hopefully we'll be starting to counter some of those myths over the next 12 months. So I'm looking forward to your questions, thanks.