Data Protection Commission criticised as WhatsApp decision nears

Ireland lagging behind as fines totalling €410m issued for violations in Europe in 2019

Data protection authorities in Europe issued fines worth a combined €410 million to organisations last year for violations but none originated in the Republic, despite it being home to many of the world’s biggest technology companies.

New figures compiled by the Italian data protection body Osservatarorio di Federprivacy – which includes data from official sources in 30 countries – show authorities in the European Economic Area imposed 190 fines in 2019.

Italy was the most active data protection authority, with 30 actions last year, while the UK was the most punitive, with fines totalling €312 million, some 76 per cent of all sanctions issued.

Ireland and Luxembourg were among a small handful of countries yet to impose fines for data privacy violations. Informed sources have said that the Data Protection Commission is in the final stages of its investigation into WhatsApp over possible breaches of EU data privacy rules, with a draft decision expected to be circulated to other authorities to consider within weeks.


This is the first of the commission’s many investigations to approach its end point with delays blamed on complications that arise from pursuing companies that operate cross-border.

Data regulators

The General Data Protection Regulation (GDPR), introduced in May 2018, gives data regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.

Most of the sanctions issued to date for data breaches across Europe have been for domestic violations, with more complicated investigations ongoing in a number of jurisdictions. The largest fine issued in a cross-border context, according to the Data Protection Commission, has been €61,000.

“The investigation of cross-border issues is highly complex and takes time to complete, highlighted by the fact that there have been very few decisions with fines issued under the GDPR in relation to cross-border investigations across all 28 EU supervisory authorities since the application of the GDPR in May 2018,” said deputy commissioner Graham Doyle.

Federprivacy chairman Nicola Bernardi said the failure of the Irish Data Protection Commission to issue fines thus far is a concern given the large number of leading tech companies based here.

He expressed concerns that technology companies may be treated with more leniency in Ireland than in other jurisdictions and called for greater consistency to be applied across the EU for dealing with sanctions.

The Irish Data Protection Commission is the lead EU regulator for companies including Google, Facebook, Microsoft and Twitter under the "one-stop-shop" mechanism, which was introduced with GDPR.

‘One-stop-shop system’

“With the one-stop-shop system, a corporation should be able to choose any place in EU for its head office without any problem, but actually the majority of the main technological English-speaking corporations are not choosing the UK but Ireland as the place of their European head office,” said Mr Bernardi.

“We need to enforce a consistent application of the legislation in order to avoid inconsistencies that will give advantages to a minority of stockholders,” he added.

The most frequently fined violations last year were for illicit use of personal data, which was cited in 44 per cent of all sanctions issued. Other causes for fines included poor security and data breaches.

The Data Protection Commission is carrying out more than 70 separate investigations into organisations for possible data breaches. This includes 21 investigations into leading tech companies such as Google.

The commission received less than one-third of the additional funding it sought in Budget 2020 to cope with the increased workload it now has due to GDPR.

Charlie Taylor

Charlie Taylor

Charlie Taylor is a former Irish Times business journalist