EU privacy rules make 2018 ‘existentially critical’ for data protector

Commissioner says more staff would reverse negative perception as ineffective regulator

Incoming EU privacy rules covering online personal data make this year "existentially critical" to the reputation of the Data Protection Commissioner and Ireland, the regulator has said in a private submission.

Commissioner Helen Dixon pushed for a massive increase in public funding last year, arguing in a budget submission that it would become the pan-EU regulator for most of the world's top internet companies, including Facebook and Twitter, under the new General Data Protection Regulation (GDPR) that comes into effect on May 25th.

This is based on the fact that their European headquarters are located in Ireland.

The submission was released by the Department of Justice under the Freedom of Information Act.

Ms Dixon said the DPC would be responsible for protecting data privacy rights for hundreds of millions of people across the EU under the regulation’s “one-stop-shop” mechanism, making it the supervisory authority for US tech multinationals with EU bases in Dublin.

She said an increase in staff was “putting right the under-resourcing of the DPC in the past and helping reverse the negative international perception of the DPC as being ineffective as a national regulator”.

A former German data protection commissioner had claimed in 2015 that Facebook chose to set up its EU headquarters in Dublin because Ireland had “the lowest levels of data protection”.

Historic underfunding

“Acknowledging historic underfunding of the DPC, the welcome increases in funding in recent years should be viewed in the context of the organisation the DPC must become if it is [to] carry out its globally significant role as one of the world’s leading data protection regulators,” Ms Dixon said.

“The coming into effect of the GDPR in May 2018 establishes next year as being existentially critical to the international reputation of the DPC and of Ireland as a country that takes its obligation seriously to fund a professional and internationally respected data protection regulator.”

over the next few years we will have to take on an ever more prominent and leading role in defining where the EU boundaries lie for artificial intelligence, the internet of things and a number of other fundamental areas

Illustrating the financial pressures it has faced from an increased workload, its budget overran by €700,000 in 2017 due to additional costs from legal cases, it said. The commissioner expects costs to rise further this year, in particular due to the introduction of the GDPR.

Approval was given in October to increase the DPC’s public funding to €11.7 million for 2018, an increase of 55 per cent, and to increase staff numbers to about 140.

In March 2017, Dale Sunderland, deputy data protection commissioner, told department official Seamus Clifford that projected staffing requirements were "likely to have been underestimated as they don't take account of the anticipated impact of the proposed new ePrivacy regulation".

Privacy rules

That regulation, which will come into force in May, is aimed at strengthening privacy rules for all electronic communication such as on Skype, Gmail, Facebook messenger and WhatsApp.

“One of the big changes there is that it is proposed that we will take over regulatory functions currently the responsibility of ComReg,” wrote Mr Sunderland.

Given that many leading technology multinationals are based in Ireland, he warned that “over the next few years we will have to take on an ever more prominent and leading role in defining where the EU boundaries lie for artificial intelligence, the internet of things and a number of other fundamental areas,” he wrote.

"In particular the multinationals themselves will be looking to us to take a leading role in shaping regulatory policy for Europe. "

The one-stop shop mechanism means the commissioner “will in effect be regulating on behalf of the EU”.

Mr Sunderland noted that the UK data protection commissioner had a staff of about 500 and had just requested another 200 employees to be ready for GDPR.

“The stakes are high, both for the reputation of the DPC and Ireland itself as an international data hub,” he said.


GDPR is the European Union’s data protection rules that will come into force on May 25th. The aim of the new regulation is to give individuals back control of their personal data and strengthen the rights over it, and to simplify the regulatory environment by unifying the rules across the EU. It could result in massive fines for big internet companies that breach the law and create problems for how they store, delete and return data to citizens.


2013: €1.7m

2014: €1.8m

2015: €3.6m

2016: €4.7m

2017: €7.5m

2018: €11.7m