Interview with: Laura Flannery, Assistant Commissioner at the Data Protection Commission, Ireland
OneTrust DataGuidance sat down with Laura Flannery, Assistant Commissioner at the Data Protection Commission, Ireland in October 2019 for our ‘Regulator Spotlight’ series. Laura shares her opinion on how the European Data Protection Board's ('EDPB') consistency mechanism has developed as well as discussing the key differences between the GDPR and Ireland’s implementation law.
How has your work within the Irish Data Protection Commission been impacted by the entry into effect of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')?
Obviously, with the GDPR it is great to have a harmonised law and have a better platform to work from because our laws in the past did not take into account the development of digital technology. In terms of our work, there has been an awful lot more awareness and, therefore, there has been a huge increase in complaints from data subjects. I think we have had over 10,000 since the GDPR entered into force, and we have also had quite a huge increase in data breach notifications. So, for ourselves, we have expanded unbelievably in the last couple of years, and we have had to deal with that and deal with the challenges and the opportunities that brings as well. We have had some major recruitments, we have hired an awful lot of legal and technical expertise, as well as investigators to cope with that. So, it has been a time of growing and a time of learning so far.
How has the EDPB's consistency mechanism developed in the management of cross-border cases?
The development in terms of the certification mechanism has not really been tested as of yet, particularly in relation to complaints, but there have been a number of consistency opinions in relation to data protection impact assessments. There have been a few Article 64 of the GDPR opinions as well. But, the role of the EDPB has not really been tested for consistency in terms of dispute resolution between an elite supervisory authority and a concerned supervisory authority that has not really been fully tested yet. So, we have a bit of a learning curve and we have a bit of a way to go with the consistency mechanism. But on the other hand, we actually, in terms of cooperation, we have been sharing our experiences across all of the data protection authorities and using expertise from other data protection authorities and feeding into that. So, it has actually been quite beneficial already without the mechanism being tested yet, and we can see the benefits that we will have in the future.
How do you see the future development of mechanisms for the transfer of data?
There has actually been an awful lot of focus on this and a lot of discussion about this at the moment because of Brexit, and particularly, as you are aware, if there is a no deal Brexit, all of a sudden Great Britain becomes a third country. And so, there would be an awful lot of small and medium-sized enterprises and an awful lot of data controllers in Ireland who, by nature of our closeness with the UK, would be transferring personal data to the UK. So, we advise, at the moment, that Standard Contractual Clauses ('SCCs') are actually one of the most convenient methods to transfer personal data. Until there is a decision on Brexit, we do not know what way the Court of Justice is going to go in their decision. They may find the SCCs are actually perfectly valid and legal. There are other mechanisms, in the GDPR, providing for these, such as adequacy decisions and binding corporate rules.
There is also a lot of potential for a code of conduct and certification mechanisms. Again, this has not been tested, but in the EDPB, one of the working groups is actually looking at providing guidance in terms of using codes of conduct and certification mechanisms as tools for international transfers. But there are other ways. And we are positive that there will be ways there, but again, it is a learning curve and there will be quite a way to go for the future landscape of data transfers.
To access the full video of Laura's interview, click here.
Laura was interviewed as part of the 'Regulator Spotlight' video series. To watch other video interviews filmed by OneTrust DataGuidance, click here.