The Irish Data Protection Commissioner (DPC) recently doubled its budget, and is busy hiring and building capability. It’s an encouraging sign, the function had been significantly under-resourced in recent times; but one wonders whether there needs to be more done. The DPC is responsible for three areas right now – privacy in relation to Internet Services companies like Facebook and Google; privacy in relation to state organisations like the Gardaí; and privacy in relation to private national companies who possess data. That all three domains are vested in this single organisation says something for the breadth of work that these guys have to take on. But nowhere in their mandate does it suggest that they may have a role in commercial or security issues, for which there is no competent authority in the state, and certainly no strategy to address them.