The Irish Data Protection Commission has announced its strategy for 2022-2027, highlighting 5 strategic objectives:
- (1) “coherent and effective” regulation;
- (2) promote awareness of data protection;
- (3) protect children;
- (4) provide clarification to stakeholders; and
- (5) support organizational compliance.
The strategy is based on a risk-based approach to regulation which, according to the DPC, “resonated with the majority of commentators” during the public consultation the Commission carried out when drafting its new five-year strategy.
It can’t do it alone
The DPC’s overarching goal is to do more for stakeholders, but it admits it cannot meet its ambitions alone. Some of its recently announced objectives only reframe what the DPC already does or is obliged to do, for example “[r]egulate in a fair, impartial and transparent manner . . . [a]pplying remedial powers proportionately . . . [w]ork with the EDPS to develop consistent procedures . . . [w]ork with peer data protection authorities to introduce a consolidated and consistent application across Europe.”
However, the need for increased and more nuanced guidance was an “almost universal” request from those responding to the public consultation. The new strategy responds to this demand by promising to create expert-level partnerships with stakeholders to help develop this guidance, in an overall effort to encourage meaningful and improved compliance outcomes.
A few changes of direction
However, the strategy also contains some changes of direction. The DPC intends to move away from a focus on complaints to favor cases likely to have the greatest long-term systemic impact. To do this, the regulator aims to raise awareness of data protection rights, publish more guidance on its complaints handling processes and promote “a cultural shift towards compliance”. While this all sounds sensible, it remains to be seen what this means in practice for the resolution of any non-priority individual complaints deemed less important.
Responses to the public consultation showed different appetites for fines. Individuals tended to favor high fines for violations, while industry, unsurprisingly, sought a more risk-based approach. The DPC notes that “there is sometimes a tendency to confuse fines with regulatory success and to use the imposition of fines as a means of measuring effectiveness.”
Use of more flexible application tools
While strict enforcement tools are always at its disposal, the DPC emphasizes the important role of direction and engagement in fostering accountability. The regulator views both as valuable tools that should not be undervalued. “Fostering compliance – rather than retrospectively and unilaterally penalizing non-compliance – can ultimately produce better outcomes for all stakeholders.”
That said, the strategy is now set to “prioritize prosecution, sanction and/or fine violations resulting from willful, negligent or criminal intent”. It is also making increasing application processing times a strategic priority, including working with its counterparts in the EDPB to improve communication and clarity of cooperation mechanisms under Article 60.
Specifically, in the five-year strategy, the DPC promises to:
- Standardize procedures for handling complaints and investigating the public;
- Clarify the limits of the legislation and how/when corrective measures are imposed;
- Publish case studies quarterly rather than annually;
- Identify complaint trends and themes to drive strong collective outcomes;
- Engage broadly with stakeholders “so that data protection rights are recognized as a behavioral fault by society”;
- Prioritize protecting the rights of children and vulnerable adults, including clarifying the bases for data sharing so that individuals are not disadvantaged by overly cautious data controllers; and
- Improve the DPC’s technological forecasting to respond to changing technologies.