Data privacy watchdog defends record on enforcing EU rules

Helen Dixon says ‘more needs to be done’ to stand up for Ireland’s regulatory record

Data Protection Commissioner Helen Dixon has defended her record on enforcing EU data privacy laws, saying Ireland needed to stand up for the regulator and results it has achieved so far.

Speaking on the publication of the watchdog’s 2021 annual report, Ms Dixon said “very damaging” profiles on Ireland’s data protection regime had been written over the years.

She said that misinformation had been “amplified” by commentators who “have no knowledge” of the work it has done, the fines imposed, the cases progressed or the litigation it has engaged in.

It was a problem for Ireland and a problem for the DPC, she said.

“More needs to be done in terms of Ireland standing up for the increasingly well-funded regime that it has put in place with significant capacity and results to show.”

The regulator has been criticised for the pace and scale of investigations into Big Tech since sweeping EU data protection rules – General Data Protection Regulation – came into effect in 2018 that made the commission the EU regulator for major tech multinationals based in Ireland.

The DPC has invited Facebook whistleblower Frances Haugen to a meeting to explain its work and "the specifics of the legal framework under which we regulate" after she called for an independent review of the regulator at an appearance before the Oireachtas media committee.

Big Tech

In a potential significant move for Big Tech companies operating transatlantic, the DPC is expected to order that Facebook owner Meta suspend data transfers to the US in a move that has raised threats from the social media giant to pull its websites from Europe.

Ms Dixon said she could not comment on the planned move as it was “a provisional view only” as she has invited submissions from other EU regulators on the matter.

At the end of last year, the commission had 81 statutory inquiries ongoing, including 30 cross-border ones into technology companies such as Google, Facebook, Twitter and LinkedIn.

Four draft decisions on Big Tech investigations were circulated to other EU data protection authorities during 2021: three into Facebook and one into WhatsApp, also owned by Meta.

The WhatsApp decision led to a €225 million, the highest imposed by the Irish regulator. The messaging app is challenging this decision through the Irish and EU courts.

Objections

Ms Dixon said that two EU supervisory authorities had lodged objections to the DPC’s ruling on an investigation into 12 data breaches at Meta/Facebook but that it had reached a consensus with those two regulators through the article 60 process when it consults with fellow regulators.

“That one will conclude and finalise very shortly,” she said.

Two other decisions have drawn objections from 10 other EU regulators – one into an investigation into Meta's Instagram unit about the processing of personal data of children – and from six other authorities into another investigation into Facebook on a complaint received from NOYB, the digital rights organisation founded by Austrian privacy campaigner Max Schrems.

Ms Dixon said the DPC may not be able to reach a consensus with other regulators on those cases, and that it was “likely” this would end up in the article 65 dispute resolution mechanism.

Recruit

She said the commission planned to recruit another 70 staff this year, on top of 195 staff employed at the end of last year, and will look to increase staff numbers beyond this again, in addition to seeking a larger budget, in excess of the €23 million increased budget allocated for 2022.

“We will be looking for more budget because there’s so much more that can be done. There is demand that things be done faster and that more things be done at the same time in terms of regulation. There’s huge interest and scrutiny of data protection regulation,” she said.