Irish data regulator fails to resolve 98% of big tech GDPR cases

Google, Amazon, Facebook and Apple apps on a smartphone display
(Image credit: Shutterstock)

The Irish Data Protection Commission (DPC) is failing to process a surging backlog of hundreds of GDPR cases against big tech firms and is hindering pan-European data protection enforcement as a result, campaigners claim.

As of May 2021, the Irish DPC was the lead supervisory authority for 164 such cases of pan-European significance, according to research by the Irish Council of Civil Liberties (ICCL), but 98% of these cases remained unresolved.

In the three years between May 2018, when GDPR came into force, and May 2021, the data watchdog has only sent four draft decisions to the European Data Protection Board (EDPB) for examination and approval.

“Ireland is the big EU bottleneck,” the report states. “No other GDPR enforcer in the EU can intervene if the Irish DPC asserts its lead role in cases against big tech firms headquartered in Ireland. As a result, EU GDPR enforcement against big tech is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases.”

The Irish DPC, however, has categorically rejected the findings of the report, suggesting the statistics aren't accurate, and that it's just invested in the capabilities to handle a greater caseload.

“The DPC is on record calling for a proper peer review of statistics across the EU, however statistics included in this report are inaccurate," deputy commissioner, Graham Doyle, told IT Pro.

"The DPC has received more than 1,200 cross-border complaints from other Data Protection Authorities (DPAs) since the introduction of the GDPR in May 2018 with over 600 of these resolved.

"In terms of technical resources, no DPA will have the in-house tech skills to do everything. As the DPC informed the ICCL last week, we have just completed an extensive procurement exercise and we now have a framework worth over €2 million over the next few years, with five companies from which we can draw down state of the art, niche tech knowledge going forward.”

The Irish DPC is the most significant data protection authority in Europe because many major tech companies are based in Ireland due to favourable tax conditions. Ireland is home to the likes of Apple, Google and Facebook, as well Microsoft, eBay, Dropbox, and a dozen other major household names.

In practice, this means 21% of all complaints referred between regulators have been referred to the Irish DPC. Ireland, alongside Spain, Germany, the Netherlands, France, Sweden and Luxembourg, handle 72% of all complaints referred between DPAs.

When cross-border GDPR complaints arise concerning any Irish-based company, the Irish DPC is nominated as the lead supervisory authority by default to lead the investigation under the ‘one-stop shop’ principle.

Investigators are then expected to produce draft decisions, which are referred to the EDPB and fellow data protection authorities for approval, before a final decision is submitted. For example, in January the Irish DPC submitted a draft decision regarding a €50 fine against WhatsApp. After intervention by fellow European regulators, and the EDPB, the Irish DPC increased the fine to €225 million.

Campaigners have, in the past, criticised the Irish DPC for being slow to process a rising backlog of cases. The organisation's own figures showed that, in 2019, complaints rose by 75% even though no fines were collected.

The commissioner, Helen Dixon, said in February 2020 that the regulator was trying to lay a solid foundation for enforcement in light of the DPC’s increased prominence since GDPR was introduced. This included raising the staff count to cope with the demands of 2020 and beyond.

The ICCL, however, found the Irish DPC has been chronically underfunded for years, and, despite now being the fifth best-funded regulator, doesn’t have the structural capacity or staffing levels to cope with this demand.

However, this is an issue that's present more broadly across Europe, too. The UK’s Information Commissioner’s Office (ICO), which hasn’t been examined in this report due to Brexit, is the largest regulator in Europe but only employs 13 people in its cyber investigations team.


The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize


On the other hand, the report praised Spain’s regulator for its output, having submitted 41 draft decisions to the EDPB for cross-border cases as of May 2021. This is despite enjoying a smaller budget than the Irish DPC's, and a smaller staff count.

Senior fellow at ICCL, Johnny Ryan, who was previously chief policy and industry relations officer at Brave, co-authored the report and wrote a letter addressed to the EU commissioner for justice, Didier Reynders.

In this letter, he called for the European Commission to monitor GDPR enforcement across the continent much better, and to take actions against regulators that are effectively undermining the data protection regime.

“ICCL believes that the costs of failing to properly apply the GDPR will be severe,” Ryan wrote. “The fanfare surrounding the GDPR was such that the EU’s global influence will wane if it is allowed to fail.

“Consumers will suffer too, because innovative startups and venerable news publishers will be unable to compete because of Big Tech’s entrenched internal data free-for-alls. The worst cost will be that continuing data misuse will tyrannise citizens, and debase politics. Therefore, we urge you to intervene.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.