GDPR measures are ‘failing’ to reign in Big Tech, report claims

15 May 2023

Image: © Alexey Novikov/Stock.adobe.com

The ICCL claims 75pc of the Irish DPC’s investigation decisions have been overruled by its European peers, due to demands for tougher enforcement action.

Ireland’s Data Protection Commission (DPC) has been criticised in a new report, which claims the country remains a GDPR “enforcement bottleneck” when it comes to regulating Big Tech companies.

The Irish Council of Civil Liberties (ICCL) claims that 87pc of the DPC’s cross-border GDPR complaints involve the same eight Big Tech companies, which are Meta, Google, Airbnb, Yahoo, Twitter, Microsoft, Apple and Tinder.

The report also claims that the DPC chooses “amicable resolution” to resolve 83pc of the cross-border complaints its receives, instead of conducting a full investigation.

“Using amicable resolution for repeat offenders, or for matters likely to impact many people, contravenes European Data Protection Board (EDPB) guidelines,” the ICCL said in its report.

The ICCL claims that 75pc of the DPC’s investigation decisions have been overruled by “majority vote of its European peers”, which demand tougher enforcement action.

“The Irish Government resists calls for an independent review of the DPC that could determine how to strengthen and reform it,” the report said.

The DPC claimed it issued more than €1bn in fines last year as a result of 17 large-scale inquiries. The watchdog fined Meta a total of €390m for its targeted advertising practices in January, though this fine had been increased due to European Data Protection Board (EDPB) intervention.

The ICCL report was also critical of GDPR enforcement across the EU. By late 2022, the report claims that 64pc of 159 GDPR enforcement actions were “merely reprimands”.

“Europe’s failure to enforce the GDPR exposes everyone to acute hazard in the digital age,” the ICCL said in its report. “It also threatens Europe’s place in the world: the EU can not be a regulatory superpower unless it enforces its own laws,”

The report also claims that funding does not appear to be the issue, as budgets for EU data protection authorities have doubled since 2016. The combined budget for these EU authorities was €337.6m in 2022, the ICCL said.

ICCL senior fellow Dr Johnny Ryan said the organisation is calling on European Commissioner for Justice, Didier Reynders, to “finally take action”.

“Five years on, the data now show a stark failure to enforce the GDPR – particularly against Big Tech,” Ryan said. “That failure exposes everyone to serious digital hazards: discrimination, manipulation, information distortion and invasive AI.”

Last September, a delegation of MEPs visiting Dublin called for an independent review of the Irish DPC due to concerns the authority was a GDPR enforcement “bottleneck”.

The European Commission is set to propose a new law this year that will seek to streamline cross-border cooperation in enforcing GDPR within the EU.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com