The Data Protection Commission (DPC) has rejected claims it is deliberately refusing to regulate big tech companies, or that it is incapable of doing so.
Speaking before an Oireachtas Joint Committee on Justice, Commissioner Helen Dixon defended the work of the DPC as critics, including Austrian privacy campaigner Max Schrems, called for the organisation to be urgently reformed.
Ms Dixon rejected charges made by other speakers during the session – which focused on the General Data Protection Regulation (GDPR) – saying much of it was unfounded.
“Issues relating to the enforcement of the regulation by my office have attracted, and continue to attract, particular and trenchant criticism, much of it directed to the idea that, as an emanation of the Irish State, the DPC is deliberately refusing to regulate – or has deliberately been constituted so as to be incapable of it,” Ms Dixon said.
With most of the big tech companies such as Google and Facebook having located their European headquarters in Dublin, the DPC has become a de-facto regulator for their pan-European data activities. However, there have been widespread complaints about delays by the DPC in reaching decisions in investigations.
Ms Dixon criticised both a “superficial skimming of the surface” on major issues and “exaggeration” by some critics.
She also rebutted criticism regarding the time taken to reach decisions.
“No two cases are the same. At this point in time, a little under three years into the application of the regulation, there is as yet little established case law to guide these evaluations and so each review requires first-principles analysis,” she said.
“The complexities of the decision-making involved in the ‘one stop shop’, which multinationals may avail of under the GDPR, means that the pace of delivery is not solely within the domain of the DPC,” Ms Dixon added.
Her comments came as Mr Schrems, who is involved in an ongoing complaint against Facebook’s user data policies, said the DPC “has an extremely poor understanding of the material law provisions of GDPR” and, “makes about every procedural mistake you can think of”.
Mr Schrems said that instead of enforcement, “the DPC takes an approach of ‘micro debating’ complaints and ‘negotiating’ compliance with the law instead of enforcing it.”
He said this makes companies even more reluctant to comply, creating what he said was a “spiral of unresolved complaints”.
Mr Schrems called for the two vacant seats of the commission to be filled by respected experts to improve the quality of decisions. He also urged reform of the DPC’s procedures and the reallocation of GDPR fines to ensure it can litigate its cases.
The privacy campaigner noted the high number of complaints that do not reach decision stage, something also noted by Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. Mr Ryan told the committee the DPC has failed to resolve 98 per cent of cases important enough to be of concern across the EU, and therefore needs to be urgently reformed.
Mr Ryan referred to a "chorus of criticism" against the DPC across Europe with many other jurisdictions circumventing it where possible.
“We have to restore Ireland’s reputation as a regulatory leader,” he said, urging reform.
Also appearing at the session was Fred Logue, a solicitor and data-protection expert. He expressed concern that "inordinate delays" in processing complaints allow controllers to neutralise them. He also said he believed that understanding of the GDPR was "poorly understood" within DPC.
“The eyes of Europe are upon us and so it is important that problems with the DPC are resolved,” Mr Logue said.
The GDPR, which came into effect in May 2018, gives regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.
Ms Dixon said the DPC recognises that improvements have to be made and that processes need to be streamlined and speeded up. But she added the difficulty it faces is that it has “an enormous range of stakeholders”.