Today I filed a complaint with the EU Commission about the level of budget increase awarded to the Irish Data Protection Commission in Budget2020 by the Department for Public Expenditure and Reform and the Department of Justice. For those readers unaware, the DPC had sought a €5.9 million increase to fund pay and non-pay costs associated with the need to increase the size of the office (again), their increased enforcement activity (including against Government), improvements in organisational efficiency (such as getting Dublin-based staff into one building and replacing IT systems provided by the Department of Justice with their own), and to cover the cost of legal and other non-pay costs associated with various enforcement actions.
They were awarded a total increase of €1.6 3 million, just 27% of what they had sought. This increase includes zero additional allocation for non-pay expenditure. This is a significant ommission.
The impact of this is simple. The DPC will not be in a position to do all the things the Office had identified needed to be done to ensure they can execute their functions effectively. This includes the development of a 5 year Regulatory Strategy, internal staff training and development, and the development of supports and tools for Data Protection Officers, particularly in the Public Sector where the DPC has an ongoing investigation into a Government Department.
Why Complain to the Commission?
I’ve complained to the Commission because it is their function to oversee how Member States are implementing EU law. Under Article 52 of the GDPR and Article 42 of the Law Enforcement Directive require Member States to ensure the independence of Data Protection Supervisory Authorities and, in particular sub-clause 4 of each of these Articles, which states that:
“Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.”
Providing just 27% of the requested increase cannot, to my mind, be reconciled with the obligation on the State to ensure that the necessary resources are provided for the effective performance of the tasks of the Data Protection Commission. This is especially the case when the increased budget is to cover the pay and non-pay costs associated with increased human resources, technical resources, premises, and infrastructure necessary for the Office to execute its statutory functions. In this context, it is worth noting that a proportion of that 27% increase will immediately be consumed simply through covering the cost of pay increments for the current staff of the Data Protection Commission, before another person is hired, trained, accommodated, and equipped to do their job.
In addition, Article 8 of the Charter of Fundamental Rights and Article 16 of the TFEU require that the Supervisory Authority be independent.
Therefore, as the EU Commission is the relevant entity to oversee the implementation of EU law in EU Member States, I complained there.
Am I saying the Data Protection Commission is ineffective?
No. I am not saying that.
However, as a publicly critical friend of the Commission for the last decade or so, I can’t sit back while the planned investments in improving the effectiveness of the office are undermined by a gutting of the requested funding.
The DPC has grown from an Office where everyone was sitting in the one room to an Office with staff in multiple locations in Dublin, in addition to their office in Portarlington. They are encumbered by legacy IT systems that are currently managed as part of the Department of Justice IT estate for various historic reasons.
I have personally experienced the challenges of trying to send client documents to the DPC or share documentation with them only to find “Computer Says No” due to file size restrictions and the inability to manage basic file sharing capabilites. For email and case management they are using the same basic technology I began my career administering in a telco back in 1997.
Factors like this can impair the effectiveness of any organisation. Hence, investment to address root causes of bottlenecks and impairments is necessary in any growing organisation.
And, in common with the organisations that they regulate, the Data Protection Commission needs to train and develop staff to ensure they have the necessary skills, knowledge and competences necessary to do their jobs efficiently and effectively. With a larger staff cadre, staff turnover and churn (as people get promotions into roles outside the DPC or simply don’t like the work and move on), and an increasingly complex regulatory environment with increased scrutiny of the procedural governance of investigations and enforcement, it’s necessary that staff are correctly, consistently, and appropriately trained. Otherwise, the DPC will quickly become ineffective as enforcement actions are appealed or judicially reviewed due to procedural or legal errors in the investigations.
Am I saying that the DPC is not independent?
No. I’m not saying that.
Over the past three generations of Commissioner they have, as best they could, worked to guard their functional indepedence (how they do their job) from the State and the other agencies of the State. This has not always been recognised by Government Departments or State agencies, so sometimes the DPC has been in conflicted situations.
The current Commissioner has done more than most to draw the line between the State and her office. From Januar 2020, the DPC is to have its own Accounting Officer, meaning that a further demarcation would be drawn from the perspective of operational independence (how they manage and adminster the Office) through control of budgets, implementation of their own IT systems and HR systems, and the transition of staff from what were, in effect, civil service posts in the Dept of Justice, to civil service posts in a seperate operational entity – the Office of the Data Protection Commission (see section 21 of the Data Protection Act 2018 in respect of staff appointments).
But doing that kind of transition and cutting the umbilical cord to the legacy IT and other systems within the Department of Justice requires a budget.
Am I saying that the Government is trying to punish the DPC
I am a firm believer that one should not ascribe to malice and conspiracy what can equally be explained by incompetence and carelessness. However, it is an interesting co-incidence that the DPC budget increase was ransacked at the time the Office is engaged in enforcement actions against various Government Departments arising from the unlawful expansion and roll out of the Public Service Card and MyGovID database. This is a flagship project of the (checks notes) the Department of Public Expenditure and Reform. A cynical person could view this as a crude attempt to put manners on the Regulator by the Civil Service.
Of course, it may simply be that as a result of internal staff movement in the Department of Justice the team who were handling the negotiation and prioritisation of the Data Protection Commission’s budget simply failed to appreciate the importance of Article 52 of the GDPR, Article 42 of the Law Enforcement Directive, and the consequences of underfunding the Regulator for Ireland’s regulatory credentials.
What am I saying?
I’m saying the State has an obligation under EU law to ensure that the Office of the Data Protection Commission is provided with the appropriate funding and other resources necessary for it to execute its functions effectively.
Given the historic underfunding of the Office, the necessary increase in staffing levels still required to allow complaints to be investigated in a timely manner, the necessary investment in IT systems and other technologies to run the Office, the necessary expenditure on staff training, the necessary sourcing of appropriate office space for the enlarged office, the necessary investment in proper strategic planning for how the Office conducts its enforcement and advisory roles effectively and without one compromising the other, and given the necessary expenditure on legal representation in litigation, appeals, and CJEU referrals, the €5.9 million increase sought was probably a conservative budget increase but consistent with the increases sought and granted in previous years.
The €1.6 million awarded is insufficient will require the DPC to, to use her own words, “reassess its planned expenditure for 2020, particularly in relation to foreseen non-pay expenditure for which the DPC has received a zero increase in allocation“.
That means the DPC will need to cut back on investment in systems, technology, facilities, external legal or other advisory services. Any non-pay expenditure will need to be met at 2018/2019 levels, which were set before the workload of enforcement of GDPR was adequately sized. This can only have a negative effect on the effectiveness of the Office as an independent Regulator.
What I am saying is that, should the State allow this to happen, it seems inevitable that the Government will be in breach of its obligations under GDPR, the Law Enforcement Directive, and the EU Charter of Fundamental Rights.
What happens next?
I await a response from the Commission. In the meantime, you can take a look at my comments on Twitter about this whole sorry mess…
Picking up my thread from this morning, particularly after @DPCIreland gave a statement that she was “disappointed” with the budget increase allocated to her.. https://t.co/bW5v3ggPCp https://t.co/0QPsMszkXB
— Daragh O Brien (@CBridge_Chief) October 9, 2019