Irish DPC handed out fines of more than €1bn in 2022

7 Mar 2023


Helen Dixon said the DPC issued two-thirds of fines issued across Europe last year on foot of ‘detailed and comprehensive investigations’.

The Irish Data Protection Commission (DPC) concluded 17 large-scale inquiries in 2022 that resulted in more than €1bn in fines, the watchdog’s annual report shows.

Published today (7 March), the report shows that the Irish DPC processed a total of 9,370 new cases from individuals last year. Of these, 6,660 were queries and 2,710 were complaints.

More than 10,000 cases were concluded last year, a figure that includes 1,920 complaints received prior to 2022. The DPC received 125 cross-border complaints in which it was the lead supervisory authority, while 246 cross-border complaints were concluded.

A total of 5,828 valid breach notifications were received in 2022. Moreover, four draft decisions in large-scale inquiries were in the EU co-decision making process as of 31 December.

The Irish DPC holds a special place in GDPR regulation and enforcement in the EU by virtue of the fact that many global tech giants, including Meta, Google and Apple, have their European headquarters in Ireland. This gives it the right to oversee most GDPR violation cases on the continent.

However, a law proposed by the EU last month and currently being drafted by the European Commission seeks to change this special position Ireland holds. Expected before the summer, the proposals will seek to streamline cross-border cooperation in enforcing GDPR within the EU.

‘Outsized role and exceptional performance’

Ireland’s Data Protection Commissioner Helen Dixon said that 2022 was a year that saw “significant outputs” from the DPC in its efforts to drive GDPR compliance and protect the rights of those in Ireland and across the EU.

“While the DPC encourages and guides organisations in achieving highest standards of protection in their processing of personal data, the DPC has also demonstrated it does not shy away from enforcing the law and applying sanctions where warranted,” she said of the report.

According to Dixon, two-thirds of the fines issued across Europe last year were issued by the DPC on foot of “detailed and comprehensive investigations”.

“[This is] a fact that underlines both the outsized role and exceptional performance of the organisation in effectively holding those guilty of non-compliance to account.”

A year ago, when the DPC published its previous annual report, Dixon defended the track record of the DPC in enforcing GDPR amid criticism from politicians and privacy advocates about the Irish watchdog’s ability to hold Big Tech accountable.

Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, said in 2021 that the DPC had failed to resolve 98pc of cases important enough to be of concern across the EU and that the country had become a “bottleneck of GDPR investigation and enforcement”.

A senior European Commission official warned later in the year that the EU’s privacy rules may need to change, with more power put in the hands of EU institutions, if enforcement is not effective.


Vish Gain is a journalist with Silicon Republic