Beannachtaí Ó Bhaile Átha Cliath
Greetings from Dublin.
Helen Dixon, the Irish Data Protection Commissioner, moved on from her role this week after a busy 10-year term. She has been described as a leading light in data protection regulation, overseeing the introduction of the EU General Data Protection Regulation, which gave her office significant powers, essentially becoming a global regulator to the world's largest technology companies as well as many other organizations.
Dixon played a pivotal role in the GDPR's initial implementation in 2018, as well as in transforming the DPC into a regulatory powerhouse with more than 220 staff members across multiple offices.
Despite public, political and industry pressure, Dixon maintained a balanced and principled approach to enforcement and regulation. She regularly supported the use of corrective measures for noncompliant companies, in addition to focusing on fines. To summarize her legacy, I would say that it lies in this principled approach, strategic enforcement, global impact and transformation of the DPC. Personally, I will miss her leadership role in our community. As an Irish woman, I was always proud when she took the stage at IAPP conferences. She was eloquent, knowledgeable, humorous and a role model for women privacy pros worldwide.
Dixon has an unwavering commitment to public service and will bring her significant public sector expertise to her new role in ComReg, the Commission for Communications Regulation. In a recent interview in the Irish Independent, she mentioned she recently started boxing. One wonders whether the telecoms regulated by ComReg are looking forward to becoming her new sparring partners in her new role.
As Dixon departs, a new era commences, with three commissioners to take over leadership of the DPC. The Data Protection Act 2018 provides for a multimember structure of the DPC, with a minimum of one and a maximum of three commissioners. Des Hogan and Dale Sunderland have been appointed to commissioner roles, beginning 20 Feb., following an open competition organized by the Public Appointments Service. The third commissioner has yet to be appointed. They will each serve five-year terms which can be renewed for one further five-year period.
As chair, Hogan will lead the DPC team. His background as assistant chief state solicitor and his role in the Irish Human Rights Commission demonstrates expertise in both legal and human rights issues. Sunderland served as a deputy commissioner in the DPC. He assumed the role in 2016 and was actively involved in cross-border issues involving Big Tech. This experience will help him as commissioner.
The Data Protection Act does not specify how the commissioners will divide responsibilities, so it remains to be seen how the members of the DPC will work together in practice. As chair, Hogan will have the casting vote in decisions if there is a tied vote.
The DPC has published a strategy statement so its focus is somewhat set until 2027. However, given the profiles of these two men, we are likely to see a "business-as-usual" approach in terms of regulatory enforcement, with a focus on human rights and legal issues.
We expect announcements soon on cases involving Google, Yahoo and TikTok which are currently in an Article 60 consultation process with the other EU supervisory authorities. These cases were initiated and presided over by Dixon, but will be the first large cases formally signed off by the new commissioners.
We have an Irish saying: "tús maith is ea leath na h’oibre" — "a good start is half the work." Both commissioners will, no doubt, be keen on making a good start in their new roles and all of us privacy pros wish them the very best.