Irish data regulator fails to resolve 98% of big tech GDPR cases

In September’s Issue of the Debrief, we reported on the Irish Data Protection Commission (DPC) issuing its largest ever fine under GDPR rules to the messaging service WhatsApp. Despite this landmark case, there are significant concerns throughout the EU at the apparent “bottleneck” of GDPR complaint cases against big tech firms currently sitting with the DPC in Ireland.

The Irish Council for Civil Liberties produced a 2021 report on the enforcement capacity of data protection authorities (DPAs) in Europe. Ireland has become one of the most significant DPAs in Europe as some of the largest technology companies such as Google, Facebook, Apple and Microsoft are headquartered there due to the favourable tax conditions. When cross-border GDPR complaints are raised against Irish-based companies, the Irish DPC is named lead authority by default. The Irish DPC has lead supervisory authority for 164 cases, of which, 98% remain unresolved.

“No other GDPR enforcer in the EU can intervene if the Irish DPC asserts its lead role in cases against big tech firms headquartered in Ireland. As a result, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on crossborder cases.”

Johnny Ryan & Alan Toner (ICCL Report on the enforcement capacity of data protection authorities)

One of the authors of the ICCL Report, Johnny Ryan, has said that Ireland’s DPC had made it “impossible to uphold data rights and police how Google, Facebook, Apple and Microsoft use peoples’ data across Europe”.

A general lack of specialist technology staff (who understand how companies like Google or Facebook work) throughout all European DPAs, along with chronic underfunding of the Irish DPC in the past, are cited as contributory factors; the ICCL report stated that Spain’s DPA had however, produced ten times the amount of draft decisions than Ireland’s DPC, despite having a smaller budget for doing so.

The Irish DPC challenged the findings of the ICCL report, claiming that the statistics included in the report were inaccurate and stating that they had just invested considerably in their infrastructure to enable them to handle the much larger caseload:

“We have just completed an extensive procurement exercise and we now have a framework worth over €2 million over the next few years, with five companies from which we can draw down state of the art, niche tech knowledge going forward.”

DPC Deputy Commissioner, Graham Doyle

The Oireachtais (Irish national parliament) released a report in July of this year, acknowledging “serious concern” around the particularly slow progress of some cases being handled by the DPC and made a series of recommendations:

“It is now more than five years since the GDPR went into effect, and more than three years since it was applied. The Committee fears that citizens' fundamental rights are in peril. Based on the evidence provided to the Committee, it became clear that while there were differing opinions regarding the effectiveness of GDPR implementation and monitoring by the DPC, there are also several elements of the Commission’s procedures that require attention and reform.”

House of Oireachtas - Report on meeting on 27th April 2021 on the topic of GDPR

The ICCL Report made similar recommendations calling for reform and strengthening of the Irish DPC and a movement away from emphasising guidance, towards emphasising enforcement.

Since this report, the Irish DPC have launched two inquiries into TikTok and have also raised concerns regarding Facebook’s new wearable tech product “Facebook View.”

You can read the ICCL’s report in full here and the Oireachtas report in full here.