EU official warns data rules may need to change – putting Irish DPC in the spotlight

3 Dec 2021

Image: © mixmagic/Stock.adobe.com

Enforcement of GDPR has attracted a lot of criticism since the regulations came into force in 2018, with a great of deal of that placed on Ireland’s DPC.

Ireland’s role in policing Big Tech on data protection is coming under scrutiny, as a senior European Commission official has warned that the bloc’s privacy rules may need to change if enforcement is not effective.

Politico reports that commission vice-president Věra Jourová said more power may need to be put in the hands of EU institutions when it comes to General Data Protection Regulation (GDPR).

“Either we will all collectively show that GDPR enforcement is effective or it will have to change and … any potential changes will go towards more centralisation,” she said at a conference this week in Brussels.

Under GDPR’s ‘one-stop shop’ mechanism, tech giants such as Facebook and Google are currently able to handle much of their GDPR responsibilities in one EU country. This means that many data protection investigations fall to regulators in countries where Big Tech companies have European headquarters – namely Ireland and Luxembourg.

Any changes would likely give more power to the EU executive or Europe’s network of privacy regulators, Jourová said.

DPC in the spotlight

Enforcement of GDPR has attracted a lot of criticism since the regulations came into force in 2018, with a great of deal of that placed on Ireland’s Data Protection Commission (DPC).

The DPC acts as the EU’s lead data supervisor for several major US tech players that have European headquarters in Ireland, including Facebook, Google, TikTok and Twitter. In September, WhatsApp was issued the DPC’s largest ever fine for breaching GDPR.

But this has created a hefty workload for the regulator. At an Oireachtas hearing earlier this year, the DPC faced criticisms over how it has been handling GDPR complaints against Big Tech companies.

Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, said Ireland had become a “bottleneck of GDPR investigation and enforcement”, and privacy campaigner Max Schrems claimed there was a “spiral of unresolved complaints” being created.

In response, Data Protection Commissioner Helen Dixon said much of the criticism was unfounded and that the complexity lies in “an enormous range of stakeholders” involved.

“The complexities of the decision-making involved in the ‘one-stop shop’, which multinationals may avail of under the GDPR, means that the pace of delivery is not solely within the domain of the DPC,” she added.

‘Time to revisit’ the DPC structure

But Dixon could be getting further support at the DPC. It was recently reported that the Department of Justice has asked officials to consider expanding the number of data protection commissioners from one to three.

Privacy advocates are encouraging the Government to do so. Digital Rights Ireland has recently written to Minister for Justice Helen McEntee, TD, saying it is “now time to revisit” how the DPC is structured.

In a letter first reported on by the Irish Examiner and later posted on Twitter, the group said the appointment of additional commissioners would be an “opportunity to develop the global role of the DPC”.

“A stronger DPC is needed to protect human rights and uphold Irish and EU law, and the appointment of new commissioners is an opportunity to develop this,” the letter concluded.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Sarah Harford was sub-editor of Silicon Republic

editorial@siliconrepublic.com