The Data Protection Commission (DPC) has called on the Government to allow it to recruit more people at higher pay to allow it to continue to operate properly in the coming years.
These include taking on additional senior management “at closer to market rates of pay” and expanding lower grades so it can deal with the “additional complexities’ arising from being responsible for regulating the EU operations of Irish-based tech giants such as Facebook.
“The current structure and management framework of the DPC is unsustainable and unfit for purpose, belonging – as it does – to another time and another legislative framework,” it said in a recent budget submission.
"There are not enough people – and significantly too few senior managers – in the DPC to operationalise key projects. Failure to recognise and respond to this in future budget allocations will serve to ingrain the regulatory unsustainabilities that have been called out in this submission and significantly magnify the risks to Ireland's reputation, both in Europe and in the wider global context," it added.
The DPC said that while financial and staffing allocation had increased over the past six years, its structure is unchanged from that which was deemed adequate to meet the requirement of the 1988 Data Protection Act.
Fit for purpose
"At present, the foundations upon which the DPC is expected to expand can no longer bear the load of its enhanced remit, and therefore a fundamental reconfiguration is necessary in order to ensure that the DPC – and by default, Ireland – is developed as a regulatory entity that is truly fit for its reconceived purpose," it said.
“To continue to allocate resources to the office according to a 1988-construct is simply to build unsustainable risks into the future of Ireland’s data regulatory stability,” the organisation added.
It asked that it be allowed to take on two new directors, a request that had been previously rejected, but which was recently granted. It also urged the Government to allow it to make further changes by expanding lower grades. It stressed it was looking at doing this, not just to solve current operational issued, but also to allow it to continue to respond effectively in the coming years.
In its budget submission, the commission stressed that it was struggling to complete inquiries, largely due to its increased workload.
“Even beyond the core regulatory and inquiry functions of the office, the lack of adequate managerial bandwidth directly limits the DPC’s capacity to operate at an effective strategic level, such as is to be expected of a leading supervisory authority in a pan-European context,” it said in its budget submission.
“The DPC’s senior managers are completely absorbed in negotiating the immediate impasse at which the commission finds itself, with no facility left to focus on the critical evaluation and mitigation planning necessary to veer away from the precarious juncture towards which the DPC is inevitably bound – unless real efforts are made to respond to this office’s request for government support.”
De facto EU regualtor
With most of the big tech companies having located their European headquarters in Dublin, the DPC has become a de facto regulator for their pan-European data activities. However, there have been widespread complaints about delays by the DPC in reaching decisions in investigations.
Just last month, European commissioner Vera Jourova said the commission was “understaffed and needs additional capacity”.
“In the three years since the General Data Protection Regulation came into effect across Europe, the role of the DPC has changed beyond all recognition,” the organisation said in its budget submission.
“The vestiges of the small domestic regulator with confined national remit and limited powers have long gone, to be replaced by one of the most impactful and widely scrutinised supervisory authorities in Europe, with a reach and relevance that extends to all European persons,” it added.