Data Protection Commissioner Helen Dixon has said that it is difficult to imagine what legal basis any data controller would have to create a centralised database from varied sources without the knowledge of the data subjects.
At the Oireachtas Justice Committee, she was asked by Fine Gael Senator Barry Ward whether it was legitimate for any organisation to take publicly available and legitimate databases to consolidate and create a super-database used to extrapolate other information.
Mr Ward did not mention Sinn Féin's Abú database directly but he asked about the compilation of huge information on voters, extrapolating voter intent and predictive scores.
Ms Dixon said that under Article 14 of GDPR, if a data controller obtains data indirectly, they have an obligation to inform data subjects.
She said the question was what was the legal basis for the database's creation in the context of the principles of GDPR and the 2018 Data Protection Act examining whether that created a legal basis sufficient for what has taken place.
Ms Dixon said it was not possible to be definitive because the devil was in the detail. She said it was theoretically possible to legitimise it but equally it was possible it would fail in implementation on every single principle.
At the same hearing, privacy campaigner Max Schrems strongly criticised the performance of the Data Protection Commission, saying it has very few results for being one of the best resourced regulators in Europe.
He said that last year, the DPC only investigated 4,700 of 10,000 complaints lodged and it had an extremely poor understanding of material procedural law.
He suggested the Commission should have three commissioners instead of one in order to tackle the workload.
Data Protection Commissioner Helen Dixon told the committee that the office recognises that improvements have to be made and processes must be streamlined.
But she said some were determined to criticise the DPC and it seemed very easy for them to rely on very sensationalist statements that are based on complete inaccuracies.
Ms Dixon also said there had been a conflation of complaint handling and enforcement.
She said that under GDPR, complaint handling was a different function and the only obligation on the DPC is to handle a complaint to the extent appropriate so they are not necessarily the same thing.
She said she rejected any criticism that the DPC was deliberately refusing to regulate particular multinational companies based in Ireland.
Lawyer Fred Logue said compliance with subject access requests in Ireland is quite poor and GDPR and data protection is poorly understood by people implementing it - both in the public and private sectors.
He said enforcement was ineffective and virtually consequence free.
Sinn Féin TD Pa Daly raised the ending of planning briefings for councillors from planning officers. He said they had been told these were ended because of GDPR.
Mr Logue said GDPR had become an excuse cited for not doing things.
"There is absolutely no reason why a planner cannot discuss a planning file with a public representative. It's just a normal thing."
Ms Dixon also said that the Department of Public Expenditure and Reform had declined to sanction a move to a Baggot street building for all the Commission's Dublin staff.
She said funding is needed, especially to attract staff.