The Irish data watchdog faces criticism from privacy advocates who claim it isn’t adequately dealing with a ‘bottleneck’ of GDPR complaints.
Ireland’s Data Protection Commission (DPC) is facing criticism over how it has been handling GDPR complaints against Big Tech companies.
An Oireachtas Joint Committee on Justice yesterday (27 April) was told of concerns about “a spiral” of unresolved GDPR complaints.
Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties (ICCL), told the committee that the DPC has failed to resolve 98pc of cases important enough to be of concern across the EU.
GDPR came into effect in May 2018 and gives data regulators the power to fine companies up to 4pc of their global turnover or €20m, whichever is greater, for violating Europe’s data protection rules.
As well as being the national data watchdog, the Irish DPC also acts as the EU’s lead data supervisor for several major tech players that have European headquarters in Ireland, including Apple, Facebook, Google, LinkedIn, TikTok and Twitter.
While Ryan said this has given the DPC the opportunity to be “the key location for digital regulation,” he said it also means the country has become a “bottleneck of GDPR investigation and enforcement”, causing other EU countries to sidestep Ireland when going after tech companies.
In January this year, the Advocate General of the European Court of Justice issued an opinion that a privacy complaint against Facebook could be handled by any of the national data protection authorities across the EU.
Speaking to the Joint Committee yesterday, Ryan said that this sidestepping “jeopardises a European Commission proposal that Ireland become the super regulator for another key part of the digital economy”.
Complaints taking too long
In December, Twitter became the first company to be fined under GDPR by the DPC in a cross-border case. The decision followed almost two years of investigation after Twitter disclosed that some users’ protected tweets had been made public.
Privacy solicitor Fred Logue told the Joint Committee that complaints made to the DPC are taking too long. He added that while the DPC’s final decisions “are generally of good quality … the procedure to get there is tortuous to the extent that it often serves no real purpose”.
Last September, the ICCL also released a report criticising the DPC for failing to act when it comes to concerns about real-time bidding, which involves advertisers using data to target users with online ads.
The ICCL described the practice as a “data breach at the heart of the online advertising sector” that allows illicit profiling of users by data brokerage firms. The DPC opened an investigation into Google Ireland’s Ad Exchange business in May 2019, which is still ongoing.
As well as the lengthy procedures and other member states taking matters into their own hands, the Irish DPC also faced criticism from Austrian privacy campaigner Max Schrems for having an “extremely poor understanding of the material law provisions of GDPR”.
“The DPC takes an approach of ‘micro debating’ complaints and ‘negotiating’ compliance with the law instead of enforcing it,” Schrems told yesterday’s Joint Committee session.
He added that this means companies are less likely to comply with the GDPR, creating a “spiral of unresolved complaints”.
Schrems, whose long-standing case against Facebook resulted in a landmark EU ruling against Privacy Shield, has been a long-time critic of the Irish DPC.
In an open letter last year, Schrems’ non-profit group Noyb called on European authorities to push the Irish data watchdog to speed up its handling of cases and what it perceived as a slow “Kafkaesque procedure” by the regulator in taking on the major tech companies based in Ireland.
What did Helen Dixon say?
Data Protection Commissioner Helen Dixon defended the work of the DPC at the Joint Committee, saying much of the criticism was unfounded.
While she acknowledged that improvements to processes are necessary, she said the complexity lies in “an enormous range of stakeholders”.
“Issues relating to the enforcement of the regulation by my office have attracted, and continue to attract, particular and trenchant criticism, much of it directed to the idea that, as an emanation of the Irish State, the DPC is deliberately refusing to regulate – or has deliberately been constituted so as to be incapable of it,” she said.
“No two cases are the same. At this point in time, a little under three years into the application of the regulation, there is as yet little established case law to guide these evaluations and so each review requires first-principles analysis.
“The complexities of the decision-making involved in the ‘one stop shop’, which multinationals may avail of under the GDPR, means that the pace of delivery is not solely within the domain of the DPC,” she added.
The DPC’s annual report from last year showed that of the 6,628 valid breach notifications received in 2020, 90pc were concluded within the same year. As of 31 December 2020, the DPC had 83 statutory inquires on hand, including 27 cross-border inquiries.