ICCL report: Ireland is Europe’s ‘Wild West’ of data protection

13 Sep 2021

Image: © Alexander/Stock.adobe.com

The Irish Council for Civil Liberties’ report into the enforcement of data regulations in Europe described Ireland as a ‘bottleneck’ for GDPR complaints.

The Irish Council for Civil Liberties (ICCL) has called Ireland “Europe’s Wild West when it comes to data protection”.

According to a report released today (13 September) by the ICCL, entitled Europe’s enforcement paralysis, Big Tech companies including Facebook and Google are enjoying a “data free-for-all” in Ireland.

Ireland’s Data Protection Commission (DPC) is the lead authority for GDPR-related complaints against Apple, Microsoft, Facebook and Google and other tech players that have European headquarters in Ireland.

Together with Spain, Germany, Sweden, France, Luxembourg and the Netherlands, Ireland receives 72pc of all cross-border complaints referred between data protection authorities (DPAs) in the EU.

Echoing previous criticisms levelled at the DPC by the ICCL, the report described Ireland as a “bottleneck” for these complaints. It said the Irish watchdog is the lead supervisory authority for 164 European cases, but almost all (98pc) of these remain unresolved.

Earlier this month, it issued its largest ever fine to WhatsApp for GDPR breaches.

GDPR established a ‘one-stope shop’ mechanism that allows companies to handle much of their GDPR responsibilities in one country, which in many cases is Ireland. One-fifth of all complaints referred between DPAs are referred to the DPC, the report said, and other DPAs across Europe are prevented from intervening if the Irish DPC takes the lead in cases against tech firms headquartered here.

According to the ICCL report, the DPC is “chronically underfunded” and has been for decades. It recommended that the Irish Government conduct an independent review to reform and strengthen the DPC.

It also recommended that the Minister for Justice appoint two additional data protection commissioners.

The report said that Europe’s DPAs are not adequately resourced for the digital era and lack the capacity to investigate and understand what tech companies do with people’s data. Only five EU member states have more than 10 tech specialists, it said, but more than half have only four or fewer.

The ICCL was critical of the European Commission and claimed that due to failures across the region as a whole, GDPR legislation is “silently failing”.

In the report’s foreword by senior ICCL fellows Alan Toner and Johnny Ryan, it claimed that DPA budget boosts have declined every year since the GDPR was introduced in 2018, “which indicates that national governments are not committed to the GDPR’s proper application”.

“The European Commission is at fault, too,” Toner and Ryan wrote.

“It has the duty under the EU Treaties to ensure that EU law is applied. But the Commission has inadequate data to judge whether the GDPR is applied correctly. There is no consistent view across the European Economic Area of whether or how often lead DPAs use their investigative powers, or what specific powers are used.”

Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.