With the advent of the EU’s General Data Protection Regulation in 2018 Ireland has become the EU lead data regulator for the majority of international technology companies. This means that by default if any European citizen has a complaint against Facebook, Google, Twitter or many of their peers, their complaint must first be handled through the Irish Data Protection Commissioners (DPC) office. This “one-stop-shop” mechanism was intended to streamline and simplify the process of managing complaints for not only companies, but also for regulators, by making clear who holds the authority on complaints and prevent overlap.
However, a rather predictable issue has emerged and become an increasingly frequent talking point amongst those who deal with the DPC. How is one of the smallest data protection commissioners meant to deal with the biggest companies in an effective and timely manner. This has become an increasingly sore point for the various other European authorities who have become increasingly frustrated at the lack of progress from their Irish counterpart. To date the DPC has failed to issue any judgements under GDPR against any of the intentional tech companies in its jurisdiction under GDPR.
In recent months the ire of the European authorities has turned from the Commissioner to the Irish Government. In their 2019 pre-budget submissions Helen Dixon, head of the commission requested an additional €5.9 million to bring her total budget to €21.1 million in order to effectively enforce GDPR and advise Irish firms on compliance. She only received €1.6 million. This has led several of her European counterparts to criticise the Irish Government for underfunding the Commissioner’s office at a time of heightened scrutiny.
Only weeks before the budget, the DPC had issued a highly critical report of the Government’s implementation of the Public Service Card (PSC) and outlined several steps that the Government would need to take to bring the card into compliance with the law. This report also noted that more findings against the Government in relation to PSC would be made in 2020. The Government has chosen to challenge these findings in a move seen by some as undermining the Commissioner.
With the recent hiring of lawyers specialising in calculating the quantum for large fines, it would appear that the DPC is preparing to issue its first serious GDPR enforcements irrespective of its lack of support. Additionally news has filtered out of several cases where it has stopped new products and services being launched by tech companies who have not complied with regulations on data protection, most notably Facebook’s dating service and “I voted” feature, both which were quietly shelved in February after DPC intervention. Though the question remains how long it can continue to compete with big tech if its funding requests are ignored.
Aaron Bowman – Former Tribune Editor