Good morning, and good afternoon to you all. My name is Joyce O'Connor and I chair the Digital Futures Group here at the IIEA. I hope you're all keeping well and staying safe. It's my pleasure to welcome you, a worldwide audience, 500 and all, to the IIEA webinar, GDPR at Age 2, Reflections of the Irish Data Protection Commissioner. Today we have an audience from the US, Canada, Finland, Israel, UK, France, Poland and the island of Ireland. You can see all of us are very interested in the GDPR and it's hard to believe that it's just over two years since GDPR has entered into legislation. Little did we realize at that time how much a part of our lives that it is, how familiar we are with it. A recent survey from the EU Fundamental Rights Agency showed that 69% of the population, above the age of 16 in the EU, had heard about GDPR and 71% of people heard about their national data protection authority. You might say that's all very well, but the question is how is this legislation working? Over the next hour, Helen Dixon will give us her reflections and review on how things are progressing. She will speak for 25 minutes or so and then we will come to you for your questions. Will you submit your questions on our Q&A column, which is at the end of the screen there? I look forward to receiving them during Helen's presentation and I will gather them up and relay them to her after she finishes. I would ask you to give your name and affiliation when you ask a question. Today's presentation and Q&A is on the record. Please feel free to join our discussion on Twitter using the handle @IIEA. But now it's my great pleasure to welcome and introduce our speaker Helen Dixon. Helen has been data protection commissioner since 2014. Thank you very much Helen for taking the time to be part of this webinar. We appreciate it very much indeed. As data protection commissioner, Helen is responsible for upholding the rights of individuals regarding how data about them is used.
But since GDPR came into effect, the role and remit of the commissioner of data protection has been extended to include a stronger enforcement focus. The Irish data protection commission is the unique supervisory authority for many of the world's tech companies that are headquartered in Ireland. Prior to taking up this position, Helen worked in senior roles in the economic government department and served as registrar of Irish companies. You are very welcome Helen, the floor is yours.

Good afternoon everyone and very many thanks to the IIEA and indeed our chair, Joyce O'Connor, for this top class opportunity to engage with all of you this afternoon, on the sometimes, I think, seemingly Marmite topic of the EU's General Data Protection Regulation, the GDPR. But love it or hate it, it's a daily reality now for every organisation that it must give due consideration to its collection and handling of personal data. And so I think it's definitely a topic worthy of our conversation this afternoon. And the GDPR really does need to be a conversation and an ongoing dialogue as we continue to figure out how we can each from the standpoint of our different roles optimally exploit the GDPR to ensure that the processing of personal data really does serve humankind, to quote one of the recitals of the GDPR. And that dialogue I think has to be constant because of course the GDPR was designed based on high level principles including lawfulness and fairness. It's technology neutral, it advocates a risk based approach and in this way it's intended to cover all sectors, all contexts and scenarios in which personal data is processed. And therefore we have to understand that it requires a context specific interpretation in every case. And I think overall in the first two years we're off to a good start.
Levels of awareness and engagement, Joyce mentioned this, with the new law are very high, both as measured by the Irish DPC and our own commissioned surveys and then the Eurobarometer and Fundamental Rights Agency surveys. We've seen very good evidence of good faith attempts to comply with the GDPR and we've also, I think in very recent months with the range of personal data issues that this global pandemic has given rise to, seen how relevant the GDPR has been in steering a good course through some of these issues. So overall I think our common aim must be to not block processing and data flows that are in the interest of the public and individuals, but to steer away from the types of processing that tip the balance away from protecting the overall rights and freedoms of individuals such as in a scenario where there's excessive surveillance. A headline feature of the GDPR was of course the massive fining regime that it introduced where companies could be fined up to 4% of their global turnover for the preceding year and in Ireland public sector bodies can also be fined up to a million euros. But the key as concerns the Irish Data Protection Commission's role as we have this conversation today is that all that we deliver must be done within the bounds of the legal framework we've been assigned. I know from listening to Joyce that there's quite a range of participants in the presentation today so you'll appreciate in my comments that follow now I'm trying to hit quite a range of bases. I'll try to keep jargon out of it as much as possible, some of it will inevitably creep in, but you'll notice I'll abbreviate the general data protection regulation to GDPR throughout. I'll also refer to my own office the Irish Data Protection Commission as the Irish DPC and I'll call the other data protection authorities DPAs. In a short talk like this it's impossible to even cover one data protection topic in any depth and I had thought that I might use the 25 minutes or so.
To focus on the Irish DPC role as a supervisory authority now under the GDPR and I tried to give you some perspective of the span of tasks that we have not just under article 57 of the GDPR where the tasks are listed a to w, but also under the ePrivacy directive and the law enforcement directive, but I realized that was going to involve an awful lot of high speed hopping across topics. So instead what I want to do is direct you to the DPC two year activity report under the GDPR that my office published on the 20th of June. So if you go to our website, it's www.dataprotection.ie, you'll see if you go on to the landing page that there's a section called Latest News and I think you can download it as an item under that latest news section. And I really would encourage you to have a look at the span of work we've delivered on in the first two years. You'll see the first enforcement and fining cases the DPC has concluded under GDPR and under the law enforcement directive. You'll see the work we've done on children and data protection, the thousands of data breaches we've processed and concluded, our enforcement action against the Irish government on the public services card, our cookie sweep and the enforcement plans we've set down off the back of the findings of that sweep, the progress we've made on big tech inquiries, the several thousand complaints against organizations from individuals that we've resolved, the targeted guidance on key topics of data protection we've issued, the in excess of 200 meetings DPC staff have participated and contributed at in Brussels as part of the European Data Protection Board, our ongoing prosecutions under the ePrivacy directive, the nine pieces of litigation we've concluded in the last two years, the support structures we've put in place for the 1900 newly appointed data protection officers under the GDPR and so on and so on.
That's just a small taster of what is outlined in the report and indeed the report is only a subset of our activities. And in part, my reason for encouraging you to read the report is to drive an understanding that as a data protection authority, we don't have a choice about the multifaceted and broad role we've been assigned, the tasks are not optional. And of course, this goes in part to the question of how big EU governments should resource their national data protection authorities to be. If we want it all done and we want it all done quicker, all EU data protection authorities, including in particular the Irish, need to be more heavily resourced. But these are the choices and questions for government and politicians and not a question for me today. So instead, what I would like to do today is I'd like to optimize the IIEA's impeccable timing in terms of their invite to me. And I'd like to reflect a little on aspects of the EU Commission's two year review of the GDPR, which as you know was just recently published. Have a look at some of the issues arising in that. I'd like to highlight some international and practitioner perspectives, as well as the experience of the Irish DPC on the first two years. There remains so much to be refined and improved and harmonized and delivered in terms of the GDPR that I think there has to be a recognition that the GDPR is a project for now, but it's also one for the longer term. And once I finish that, I'd like to focus some specific remarks then on two areas of the DPC's regulatory role. I'd like to talk about individual complaint handling and then for the week that's in it, I'd like to talk about the DPC's standard contractual clauses litigation on which the judgment is due to issue from the CJEU this Thursday. So let me just clarify a couple of quick things about the data protection authority I head up. The authority is 31 years old now; it was established in 1989.
And it's one that's grown from fewer than 30 staff when I arrived at the end of 2014 to one with 146 staff today, now amongst the larger of the data protection authorities in the EU. We've been extremely fortunate over the last few years that we've been able to attract and recruit some top class lawyers, specialists in the fields of data protection and litigation, in addition to experienced investigators that have come from other regulated sectors, such as insurance and financial services, as well as a whole range of other specialists. We work long days, week in, week out, covering ever increasing volumes of work and litigation and EU coordination. The enforcement aim is to create sustainable and well reasoned decisions that can act as precedents and guide and contribute to legal certainty. And I'm going to come back to that approach that we take when I talk about the data transfers litigation that we initiated. Originally, of course, the office would have had a considerably more national focus. However, with the application of the GDPR in May 2018, EU data protection law established for the first time a so-called one-stop shop for multinationals. And this allows a multinational to be regulated by one lead supervisory authority in the member state in which their main establishment exists. So, of course, up to May 2018, the Irish DPC wouldn't have had exclusive jurisdiction to regulate many of the multinationals. They could, per the Costeja ruling of 2014 of the CJEU, be regulated in any country where there was a branch. Now, under the GDPR, with the one-stop shop, the lead supervisory authority is obliged to engage in a co-decision-making process with other EU data protection authorities when the lead authority enforces. And this concept of main establishment is based on objective criteria and a factual analysis on the ground.
Multinationals are not obliged to structure themselves to avail of the benefits of the one-stop shop, but many do in order to avoid being subject to separate investigations and enforcement by multiple data protection authorities in each country where they have a branch. In addition, the one-stop shop transfers the significant burden of articulating a harmonized EU law position onto the lead supervisory authority rather than the multinational trying to resolve what may seem like conflicting positions between data protection authorities. So the Irish DPC is now the EU lead supervisory authority for the data processing operations of companies such as Twitter, Facebook, Instagram, WhatsApp, Microsoft, Apple, Airbnb, Groupon, Ryanair, Google, Stripe, Dell and Intel. TikTok, having had its main EU presence in the UK and Germany up to recently, has established and is building out its operations in Ireland and announced its intention to avail of the one-stop shop through a main establishment in Ireland. It's likely, I suspect, Brexit has influenced this development and the Irish DPC and other EU data protection authorities are now assessing if TikTok meets the main establishment criteria through its Irish operation. Platforms and big tech operators such as PayPal, Uber, Netflix, Sony, Spotify and Amazon are lead supervised by other EU data protection authorities. Joyce mentioned the Fundamental Rights Agency survey that was published last month to mark two years of the GDPR and, in fact, Irish respondents were right up there in the top tier, well above the average that Joyce quoted in terms of knowing that the Irish DPC exists and the fact that we are the authority with which to raise complaints. And this is indeed reflected in the complaint volumes we receive. 
But the DPC also takes very seriously its responsibilities as lead authority, regulating big tech companies that are based in Ireland in circumstances where almost all EU persons are affected by the processing, and concluding the investigations we've opened into big tech is our number one priority. Those of you working directly in the field of data protection will be aware that the last few weeks have been a particular point of reflection on the GDPR as it passed through its first 24 months of application at the end of May. The EU Commission published its two-year report at the end of June, which it was required to do under Article 97 of the GDPR, and it went a little bit beyond looking at just the areas of transfers and cooperation and consistency specified in Article 97. For me, the word fragmentation hopped off the pages of the report in several contexts referenced by the EU Commission. The Commission's comments about a race to the lowest common denominator by the EU data protection authorities in some instances struck a definite chord. And this is, of course, despite the fact that the GDPR strengthened the EU coordination body with the previous Article 29 working party evolving into the European Data Protection Board, which is now not only an advisory body, but one with limited decision making power and a dedicated and permanent secretariat to support it. Harmonization rather than fragmentation is without doubt a fundamentally important goal of the GDPR, and it's necessary to give certainty to organizations, particularly those that operate across borders, about how they should comply in implementing the GDPR. But it is a really hard nut to crack, certainly at EU data protection authority level. In my five and a half years of participation at the Article 29 working party, and now its successor, the European Data Protection Board, diametrically opposing views on matters, even on fairly minor tactical issues, are expressed.
And there is no easy solution to that, given the number of authorities involved. But in my view, the situation can be improved for all stakeholders, when the board itself prioritizes what work must be or is best done jointly between the data protection authorities, what can be left to individual authorities or completed by the secretariat with the chair. It's also important, I think, to bear in mind that appeals to national courts of decisions over time will give rise to potentially divergent decisions, in addition to which the expected uptake of compensation actions under Article 82 of the GDPR that will be decided by national courts will also potentially generate some differences in approach. So to some extent, I think complete harmonization will always be somewhat elusive. That brings me on to some of the wider stakeholder reflections on the GDPR at age two. Some of you might have seen the International Association of Privacy Professionals, the IAPP, it published what I thought was an interesting piece around the anniversary date on the 25th of May, where 10 experts, global experts, gave their views on GDPR. And even though some of them varied considerably and may even have conflicted, I found myself agreeing with almost every one of them. Gabriela Zanfir-Fortuna, she's an expert counsel with the Future of Privacy Forum, she acknowledged criticisms that there's been a lack of big fines under the GDPR so far, but she found it undeniable that the GDPR has nonetheless been a game changer. Ruth Boardman, who's a partner with Bird & Bird, she sees the GDPR as a big success story, but calls for more enforcement with big sanctions. Otherwise, she said it's hard to persuade organizations to bother applying the law, but equally, she called on data protection authorities to do more to carefully balance innovation and data protection. So she wants enforcement, but she wants it to be the right enforcement. Eduardo Ustaran, he's a partner with Hogan Lovells.
He sees the GDPR globally as highly influential and praises its risk-based approach and the new principle of accountability. A fellow data protection commissioner, a German commissioner, Marit Hansen, who's the commissioner in Schleswig-Holstein, she finds that the GDPR is very abstract in language and she makes the point that it inevitably requires hard graft by data protection authorities and courts to interpret it. It doesn't stand on its own, and actually I would add to that it's not just hard graft by data protection authorities and courts, it actually requires that hard graft by every organization who seeks to implement it. She compares the EU data protection authorities to a choir. She says we need to warm up our voices fully before we can sing in harmony together. So I'm taking it, she thinks we sing like crows at the moment. Lee Bygrave, who's a professor of law at the University of Oslo, he expressed some very strong views and he identified something that has actually long been a concern to me. And that is that a lot of the GDPR is turned in on itself and the in-crowd, mostly the supervisory authorities themselves. He thinks the supervisory authority procedures that take up a lot of the articles of the GDPR should be stripped out of the law, so that it would be a more readable law that's then directed at the entities that are regulated, and he points out the excessive procedural aspects as he sees it in particular around the one-stop shop. Lokke Moerel, another legal practitioner at Morrison & Foerster, she says the GDPR and EU data protection law is flawed and it fails to deliver what it says it will to data subjects. She says this is nothing to do with the lack of enforcement. It's to do with the fact that particularly online data processing operations are so complex that the individual is never going to be in a position to understand.
And she calls for a new social contract and rethink of data protection laws such that they actually determine what is and what is not permissible. And it struck me when I was reading her comments in particular that they appear to concur with some of the big academics in the area of data protection and privacy, like Woody Hartzog. He has long said that aspiring to control for the individual is the wrong approach. It puts too much pressure on the individual. Daniel Solove, he equally has written about the privacy paradox and he says, don't give people more tools to manage. That's putting the pressure back on to individuals. Data protection authorities need to regulate the architecture and structure of the way that information is used. Bojana Bellamy, then of the Center for Information Policy Leadership, she went through the good, the bad and the yet to be fulfilled aspects of the GDPR. She wishes for greater harmonization and calls for more use of innovations in the GDPR, such as certification and codes of conduct. She talks about the data protection authorities. And I quote her when she says they're buried under an avalanche of complaints, breach notifications and populist calls for enforcement. And she says data protection authorities should instead be building engagement and leading from the front. Graham Greenleaf, a very well known law professor, said his strong hope is that the GDPR will make a substantial contribution to dismantling the society of surveillance capitalism in which he says we now live. But he says data protection authorities and the GDPR cannot alone do this and it requires parallel efforts of competition, consumer and anti-discrimination regulators. And I'm going to mention the German Competition Authority Facebook case in a few minutes. That has some relevance to the point he makes. So you can hear in that small snapshot an incredible array of views expressed even on the topic of enforcement alone, very different perspectives.
And of course, civil society bodies equally around the anniversary, the two year anniversary of the GDPR, have forthrightly reflected their views. They lament the lack of harmonization of member state procedural rules. They lament what they see as the slow pace of enforcement. And of course, as of last week, the NGO, None of Your Business or NOYB, has been granted leave in the Irish High Court to judicially review the DPC for alleged delay in two inquiries my office is conducting in respect of WhatsApp and Instagram. Lee Bygrave that I mentioned just now and others, they talk about the procedural complexity of the GDPR and I can tell you, as a data protection authority, this is a real challenge. The EU Commission mentioned joint operations and joint enforcement in its two year report and said that the data protection authorities need to engage these facilities that are provided for under the GDPR. So far, as far as I know, the Irish DPC is the only authority that has attempted a joint operation with another data protection authority. Because in reality, no other data protection authority when it comes down to it is willing to give up its staff and certainly none with the value added skill that we could usefully deploy. In the case where we did work on a limited joint operation with another data protection authority, it was of course queried by the controller that we were investigating. And in fact, it took up more time answering the queries of the controller than we would have gained out of the limited joint operation. But we will persevere. I'm simply suggesting that the good idea of pooling resources in joint operations of data protection authorities certainly remains more aspirational than reality at the moment.
At the EU Commission press conference at the end of June when Commissioners Jourová and Reynders launched their two year review of the GDPR, I was interested to note, perhaps I wasn't surprised, that the only press or media questions that referenced individual data protection authorities were questions that asked about the Irish DPC. And the gist of the questions was about the pace of enforcement against big tech companies. And there's a few things perhaps to say about that. First, the standard of decision making and reasoning that Irish courts expect from the DPC is well clarified. And it is objectively the case that what some member states would not fly in Ireland. Interestingly, that same day that the EU Commission report was launched, one of my legal team members participated in a webinar that was hosted by the Fieldfisher law firm where an Irish senior counsel went through the requirements as laid down by case law on Irish public bodies to give reasons for decisions and highlighted that the courts have become more rigorous in Ireland on this point in recent years. And the counsel cited the example that in the past, it might have passed muster for a public decision maker to cite two conflicting submissions in an investigation and to conclude that as decision maker, I prefer the evidence of X over Y. Now that would not be accepted. There must be a clear reasoning as to why X is preferred over Y. And as I've said before, because Irish law has always provided for an appeal by any party to a decision I have made, the Irish DPC is uniquely accustomed to litigation and its demands. So using a new legal framework where the reasoning has to be built from the ground up because of a lack of case law or precedents takes time. Learning to apply what is a real legal complexity of the competition law concepts around undertaking in the GDPR takes time to do properly. And I would suggest that if I'm going to fine a platform, I'm going to proceed in a manner that's legally correct.
Already the Irish DPC has in fact brought our first draft decision in relation to a platform to article 60 and this is the process of co-decision making that I mentioned to you earlier. So we're already well advanced in the lessons to be learned in terms of that process. I would also highlight the complexity of the data processing operations involved in some of the platforms we investigate, which clearly distinguishes these cases from many others. It has to be said equally that there is so much superficial and prejudging commentary that circulates about how platforms infringed the GDPR purportedly. But to quote a high court judge in a ruling from May of this year in Ireland, unsubstantiated opinions, speeches and empty rhetoric are not a substitute for facts. And facts are what the Irish DPC has to establish in order to conduct the legal analysis in order to be satisfied if there are infringements occurring or not. But what we are satisfied at in terms of the role of the Irish DPC is that we're learning techniques and have learned techniques over the last two years that are going to allow us speed up in future cases. I said I wanted to mention that German competition authority case, the Bundeskartellamt case that relates to a decision it took last year in respect of Facebook. And it came back into the news just last month around the two year review time of the GDPR because the German Supreme Court made an interim decision that the Kartellamt could enforce its order against Facebook. But what I want to say about it rather than getting into the details of the case is that that is an investigation that started in 2016, so four years ago. And it's of course not at its conclusion yet because the substantive appeal in the case has still to be decided in the Düsseldorf court, which could result in the matter coming back before the German Supreme Court, and maybe even a reference to the CJEU. And that's a case that involves competition law.
Remember, competition law has been around for many decades longer than data protection law and certainly the GDPR. Similarly, EU Commission competition law cases also take in the order of years to conclude. So it's really a little perplexing to figure out why many think that complex GDPR investigations that could give rise to massive fines could be concluded post-haste. And of course, this is the same for all EU data protection authorities. In fact, the Irish DPC is the first to bring a draft decision through the co-decision making process in respect of a large scale multinational. I noticed a further comment in the EU Commission's two-year report that also suggested that the ultimate objective of the GDPR is to change the culture and behavior of all actors involved for the benefit of individuals. And the idea there seems to be that fines and the massive fining provisions will achieve this. I simply want to make a comment on this that perhaps that is the case, but there is no evidence that that is the case, that fines change behavior. Have a look at the five billion dollar fine that was imposed by the Federal Trade Commission against Facebook last year, a historically massive fine. Look at the 50 million euro fine imposed by the French data protection authority against Google. Are we suggesting that behaviors have changed as a result of these fines? Look at years of competition law fines. So I want to underline today that of course the DPC will apply fines because it is required by the GDPR to do so. But I don't think we can guarantee based on the evidence before us that behavioral changes in organizations are necessarily going to be achieved. Commissioner Margrethe Vestager, the EU competition commissioner, she talked as it happened last month about repeat competition law cases against platforms. She mentioned Apple and Google as examples and she said they're not learning the lessons. They're not changing behavior.
And so I think there needs to be more realism in terms of what enforcement can deliver. In fact, I think it's true to say in overall terms that academics and policymakers have not bottomed out yet on how to measure the effects of regulation in the area of data protection and certainly not what the effects of different forms of enforcement are. It's interesting, Paul De Hert, a Belgian-based academic, and David Wright, they wrote a book, I think it was back in 2014, Enforcing Data Protection Law. And it's worth looking at in terms of some of the ideas that they had around measuring the effects of regulation in this area. Interestingly, there have only been four completed cases involving fines that are cross-border, in other words involving multinationals across the EU, in the first two years of the GDPR. Two were from Malta and one each from Latvia and Lithuania. And in terms of the co-decision making process involved, they involved a very limited number of data protection authorities, only one other data protection authority in most of those cases. So they weren't household name multinationals. Yet across the EU there are in excess of 200,000 multinationals, leave aside the many high-profile internet platforms located in Ireland. The European Data Protection Board last month began to publish for the first time a register of all so-called Article 60 decisions of the EDPB. And if you go to that database, you'll see the four decisions only that I've referenced that involve fines if you filter it by administrative fines decisions. And a significant number of the cases, if you have a look through the database, you'll see that they find that there was no violation of the GDPR. And the EDPB secretariat indeed itself tweeted when it was launching the database publicly that it shows that EU DPAs are not fining machines. And yet there are some DPAs in the EU that issue a high number of fines typically for smaller amounts on an ongoing basis.
And then there are other DPAs that reserve fining for the most serious of intentional infringements of the GDPR. So really what I'm trying to say is I think as a community, we need to debate and work on a definition of what effective regulation of personal data processing and separately enforcement of the GDPR, given its massive span of sectors and contexts, what that really means and how it can be measured. What is the balance that needs to be struck between guiding organizations to compliance versus imposing sanctions from the outset? Just to go on then very quickly and say I'm going to cut down the comments I wanted to make about individual complaint handling because I know we do want to leave some time for questions. In terms of individual complaint handling, there's an obligation, it's a mandatory task on every EU data protection authority to handle complaints from individuals. At least 40% of the resources of the Irish DPC are dedicated to this function. It's worth mentioning that the GDPR doesn't set down in itself a means of prioritizing complaints, nor a statute of limitations on matters that can be complained of. And so the DPC is dealing with a huge range of issues and expectations of the public every day. So while the GDPR talks about data protection authorities as now being supervisory authorities, conducting those larger scale investigations of more systemic issues is far from the only task to which we must dedicate ourselves. I wanted to mention in the context of complaint handling my favorite Advocate General Opinion, and I hope you all have a favorite Advocate General Opinion from the Court of Justice as well, but it's the Advocate General Opinion in the Rīgas case, that was C-13/16. And that's the one you'll recall where Advocate General Bobek wrote what he called data protection protective epilogue at the end of that decision.
And he said, looking at the series of events in question, an uninformed bystander might raise the innocent question, should the issue of an individual request for the identity of a person who damaged that individual's property, and whom the individual wishes to sue for damages, really be a case in which the police officers are required to carry out several layers of balancing of interest and proportionality, followed by a protracted litigation and an opinion from the National Data Protection Authority. And he said that case is another instance in which data protection laws reach into and are employed in rather surprising circumstances. It generates not just for the uninformed bystander, a certain intellectual unease as to the reasonable use and function of data protection rules. And he said, in sum, common sense is not a source of law, but it certainly ought to guide interpretation of it. And really what he was getting at in that case is that there needed to be a proportionate response to the data protection issue that was raised in it. And this is a complexity we have, along with our fellow EU data protection authorities, in terms of persuading individuals that if there is an interference with their rights at issue in what they present, it's a very minor interference and requires a proportionate response in terms of the resources of the regulator and also from the controller involved. So in short, the real comment I wanted to make about individual complaint handling is that the Irish DPC is very much dedicated to it and supports the view that data protection authorities should handle all complaints from individuals. But I believe there need to be more rules and parameters around it in order to ensure effective use of resources. Otherwise, it's simply not scalable.
Last thing I want to make a few comments on is the data transfers litigation, because as we know the Court of Justice of the European Union is going to rule on this case this week.
So what is the case all about? I think most of you are familiar with it at this stage. And you know that the starting point in EU data protection law has been that transfers of EU personal data outside of the EEA are prohibited unless it can be shown that effectively the EU protections are travelling with the data to any third country. And so the Safe Harbor scheme that regulated a large portion of EU-US data transfers, that was struck down by the CJEU in 2015 when questions about the validity of the scheme found their way to the CJEU somewhat unexpectedly. And reflecting the way in which the Safe Harbor issues came into the CJEU's crosshairs, the 2015 judgment from the Court dealt with the scheme on what we might call technical grounds. That is to say the underlying issues of principle relating to the compatibility of EU and US laws generally in the context of EU-US data transfers were not decided on. You'll recall that the Court decided it on the basis of whether the EU Commission had conducted an adequate assessment. So one consequence of this is that the demise of Safe Harbor gave rise to a good deal of uncertainty, casting a shadow over a number of other transfer mechanisms including the standard contractual clauses. So the DPC, after examining the impact of the Safe Harbor decision on these clauses, came to the view that the standard contractual clauses do not in fact adequately protect the interests of the EU citizens. And so in order to test that view and to try to resolve the uncertain position of data subjects and controllers alike in relation to EU to US transfers, the DPC brought legal proceedings in Ireland in 2016. The purpose of which was to invite the Irish Court to examine the DPC's concerns about the SCCs and, if it could share those concerns, to refer the matter to the CJEU so that the CJEU could examine the SCCs transfer mechanism.
And of course only the CJEU has the authority to rule on the validity of an EU legislative measure like the standard contractual clauses. So the named respondents, as we know, in that legal action we took were Facebook Ireland and Max Schrems, and both of those opposed our application to the Irish High Court for a reference, albeit for different reasons. So there was a very lengthy hearing in the Irish High Court of six and a half weeks and the High Court ruled in favour of the DPC, finding that our concerns about EU-US data transfers were well founded, and identified a series of questions that required answers from the CJEU. The High Court's judgment was later upheld following an unsuccessful appeal by Facebook to the Irish Supreme Court. So viewed in the round the reference questions that the Irish High Court to establish whether US laws and practices give rise to unlawful interference with the rights of EU citizens when their personal data is transferred to the US and if so what consequences flow from that as a matter of EU law. And I think this is important to understand in terms of why the DPC initiated the case and the way it did. It was a means of ensuring the CJEU would have all the facts, evidence and legal submissions before it in order to decide on whether unlawful interference is in fact an issue. And it provides, we believe, the only means by which to end the uncertainty around this area of law that had arisen. Separately and independently, the EU made its own fresh attempt to deal with the challenges presented by EU-US data transfers when it adopted the Privacy Shield decision in August 2016, and while the Privacy Shield wasn't challenged by the DPC in its legal action, both the Irish courts and CJEU recognized that any principled examination of the underlying tensions between the European and US systems of laws as they relate to transfers couldn't be undertaken without considering the Privacy Shield also. So the CJEU judgment, it's due out this week.
We keenly await the judgment, anticipating that it's going to provide a definitive reference point against which the challenges presented by EU to US transfers can be addressed into the future and that it's going to bring certainty to bear and we think it's going to have a series of to it in part it's going to define the role also of data protection authorities in terms of enforcing. So in short, there's a huge amount at stake in terms of these legal transfer mechanisms, but lots to look forward to I think on Thursday in terms of certainty. Finally, in conclusion, the GDPR is a very worthwhile work in progress. You'll see referenced in the DPC two year activity report when you download us that we're very shortly, in fact this month, going to publish our straw man five year regulatory strategy where we seek to address some of the issues I've raised today around prioritization and effective and sustainable assignment of resources. This draft strategy is going to be open for public consultation. As esteemed stakeholders of our office, all of you listening today, we really hope you'll share your views with us. Hearing your views is the only way we can fairly and transparently underpin the choices that will always be necessary in terms of where and how resources are best deployed to deliver on the promise of the GDPR.
Thank you very much Helen for a really extensive overview of what you've said is a multifaceted and broad ranging organization and the work that you do. And I thank you for a very clear presentation and for opening up the conversation, and there are a range of questions and I go immediately to them. And the first one, and you might be surprised, is from Paul Sweeney, who is a member of the IIEA. And the question is, does your office have sufficient resources to regulate the tech companies as lead regulator in the EU?
So in part Paul, I think I've answered that question in terms of the comments that I've made today.
And it's interesting that the first question focuses in on one aspect of the role of an EU data protection authority and the Irish DPC. And that it relates to regulation of a subset of the span of entities that we have to regulate. And of course I understand why the question focuses in that way because even though many argue you have a choice about whether you engage with the platform or not, we know that the reality is that the platforms touch every user in the EU and that there are millions, hundreds of millions of users affected by their operations. And the answer to the question is, it depends on how quickly you anticipate outputs would be generated. So in the context of processing 13,000 breach notifications in the last two years, 15,000 complaints from individuals. And I can see the next question queuing up in the Q&A is about one of those individual complaints and when we'll conclude that. And so I think we have enough resources and the right resources to conclude, but we can't do it all simultaneously and immediately. Could we do with more resources? Absolutely we could. And I made that comment early. If we want it all done and we want it all done quicker, which I think we do, then we absolutely have to have additional resources to do that. We're working flat out as it is. We're committed to what we do and we're learning very quickly in terms of applying the new legal framework. But we can only go at the pace we can go as we balance all of the obligatory tasks that we have.
Thanks Helen. The next question is in very different areas on consent and it's from John Woods, Data Protection Officer from St Patrick's Mental Health Services. John asked the question, I understand that the Office of the Data Protection Commission is in discussions with the Department of Health with regards to possible amendments of the Health Research Regulations, in particular amending the requirement for a data controller to obtain explicit consent for retrospective chart review studies.
Can you advise on the current stages of these discussions?
I can't, I'm afraid. John, I would have to talk to my colleague David Murphy. It's about two or three months since I had an update from him. So I don't want to give you an inaccurate status report today. But if you want to drop us a line, we can most certainly give you the latest status update on that.
Thanks Helen. The next question is from Anna Nicholas from the European Centre for Digital Rights. In our dealings with the DPC, we have been told that there is a six step procedure to an investigation. However, in our experience with other DPAs in Europe, they do not have such an extensive process. We would be very grateful if the DPC could share the rationale for such a procedure and the intended benefits behind such an approach.
So, thanks Anna. In part, I outlined this matter in the comments that I made. First of all, this six step procedure is an indicative procedure. And it's simply reflective of natural steps that have to be taken in any investigation, commencing and setting out the scope of an investigation, and then allowing for a right to be heard as part of the process of concluding an investigation as interim steps. So the six step procedure to which you refer is indicative. And in terms of what you say are the procedures of other data protection authorities, it very much depends I suppose on which data protection authority you're talking about. It also depends on what procedure is being referenced. In a simple complaint handling procedure, there may not be very many formalities. In an investigation that may result in the exercise of corrective powers and the imposition of a large fine, you're going to have a larger suite of procedures. And so I talked during my comments about the standards to which the Irish courts hold the Irish DPC. We can provide you with details.
In fact, I think we've listed some of the cases in our two year activity report of cases where we've been pulled up by the courts in relation to both procedures and matters of fact in terms of how we established the facts in a case. So we have to basically follow a standard that we know is the standard to which we will be reviewed in the courts. But as I talk to you right now, I'm not particularly familiar with what investigation we're handling on your behalf. So perhaps we can talk offline about that.
Thanks Helen. The next question is from Lee McKenna from Mazars. The DPO network managed by the DPC has not yet become active. Understandably, the scheduled March event was postponed due to COVID. However, could this now be rescheduled using online tools?
Yeah, I don't think the DPC is planning to run a DPO network. I think what we've announced and always announced is that we want to facilitate networking by DPOs and facilitate what are already some existing sectoral DPO networks, just to clarify. We have given some thought to running the conference that we planned to hold in the Helix in DCU that we had to cancel online, but we really didn't think it was going to be capable of delivering in the same way. Because a large part of what we wanted to achieve with that event is to allow for face-to-face networking, learning from experience of other DPOs and conversations to happen, and moral support to be provided between DPOs in terms of their experiences and the challenges. And so you simply lose that online. But what we have done in lieu is we've published a number of podcasts. You may have seen them, that detail some of the topics that we were going to cover in the event. And we're going to continue to push out those podcasts and also written guidance.
Thanks Helen. The next question is for Connor McRae from thejournal.io.
Privacy concerns around COVID-19 tracking app were quickly classified over recent months and it appears to be widely accepted that a state agency can and should gather data in this way for the purpose of contact tracing during the pandemic. Could this set precedent for future similar data gathering projects by state agencies that are believed to be in the public good?
Oh, I'm not sure Connor, I get your question because of course we've always had infectious diseases legislation. There always have been notifiable diseases and contact tracing as a necessary part of that has long occurred less in the public domain, I suppose, because they weren't pandemic type situations. Typically that pertain to them. So there is nothing new in terms of contact tracing where there is a notifiable disease under the infectious diseases legislation. The legitimization of the activity of tracing close contacts seems clear. So I'm not sure.
The next question is from Eileen Tully, who is a DPO with the Department of Justice. And she goes back to the statistic is in relation to the 40% of DPC resources are dedicated to complainants and that the law does not allow for prioritization. I'm wondering what Helen's view is on how legislation might assist DPC to deliver a proportionate response.
Thanks, Eileen. I'm not even sure that legislation would be necessary because, in fact, as we all know, one of the strengths of the GDPR is that it seeks to implement a risk based approach. So organizations that are subject to regulation by the GDPR are only required to take the organizational and technical measures, as they're called, proportionate to the risk of the data processing at issue. And I think it is open to data protection authorities to apply that same risk based approach when it's looking at the interference with rights.
And I think really what's needed is for EU data protection authorities to consider together how best to prioritize complaints and to publicize that and then to impose that discipline in terms of how we handle complaints. I think we can influence it already with legislation. So for example, just to give an example this year, my office has spent quite a bit of time on an individual who has complained that the logoed envelope by a controller that sent him with post is potentially identifying his business. It's the postman it's identifying it to and that equally he has complained that the envelope folded into the envelope has allowed potentially his email address to be seen in the window of the envelope. And this is not a matter of significant interference, if at all, with data protection rights, but it's very difficult to impose a discipline with individuals that demonstrates to them, there is no significant interference. And so I think it is within our own control to at least take some positive steps forward on that with our fellow EU data protection authorities and perhaps supported by the EU Commission.
Thank you very much, Helen. We've lots more questions, but unfortunately, time has caught up with us. My tech, I'd like to thank all of those of you, your audience, for your participation and for your questions, it's very much appreciated. But Helen, thank you for a really tour de force on quite an extensive brief, and you've given us such clarity, and I have created an open conversation for people to follow up. And also, I think your forthcoming strategy offers people the opportunity to participate and share their ideas. I was reading the New York Times there recently, and you were down as saying that you got A for effort in the DPC and C plus or B minus for output, but as an educationist, I'd have to say I'd give you a higher, higher grade on that. So thank you very much for that.