Ireland is ‘worst bottleneck’ for enforcing EU data privacy law – ICCL

Report says Irish data protection watchdog failing to take action against US tech giants

Ireland is failing to apply the EU's privacy laws to US tech giants, with 98 per cent of 164 significant complaints about privacy abuses still unresolved by its regulator, according to a civil rights group.

Google, Facebook, Apple, Microsoft and Twitter all have their European headquarters in Dublin, making Ireland's Data Protection Commission (DPC) the lead EU regulator responsible for holding them to the law.

But the Irish DPC has been repeatedly criticised, both by privacy campaigners and by other EU regulators, for failing to take action.

A new analysis by the Irish Council for Civil Liberties (ICCL) found that the vast majority of cases were still unresolved, and that Spain, which has a smaller budget than Ireland for data protection, produces 10 times more draft decisions.

In its 2021 report on the enforcement capacity of data protection authorities, Johnny Ryan, senior fellow at ICCL, said Ireland was the "worst bottleneck" for enforcement of the EU's General Data Protection Regulation (GDPR), although the report is critical of data protection regulators across the EU.

“GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases,” he added, noting that the rest of the EU has to wait for Irish draft decisions before they are able to take their own action against the companies.

Mr Ryan has been a persistent critic of the Irish data privacy watchdog.

Duty

The ICCL says it has now written to European commissioner for justice Didier Reynders, noting the European Commission's duty as "guardian of the treaties" to see that the GDPR is properly applied, and calling on it to "act against Ireland and other EU member states that jeopardise fundamental rights in the union".

The Irish regulatory authority, headed by Data Protection Commissioner Helen Dixon, did not respond to a request for comment. Ms Dixon has previously defended her office robustly against arguments that it is not doing enough, fast enough to address data concerns.

Earlier this year, she noted that, just three years into the application of the regulation, there was as yet little established case law in the area. As a result, each review required first-principles analysis.

“The whole co-operation system relies on a few key [data protection agencies] moving cases along, and so far this is barely happening,” said Estelle Massé, senior policy analyst at Access Now.

The perceived Irish reticence to police Big Tech has been criticised by several other European countries, including France, Spain and Italy.

In July, the Oireachtas published a report calling for reform of the Irish DPC, and urging it to start enforcing the GDPR. It said it "fears that citizens' fundamental rights are in peril".

Tensions

In March, long-simmering tensions over Ireland's treatment of Big Tech burst out into public after German officials attacked the Irish DPC. Ulrich Kelber, Germany's chief data protection watchdog, wrote to members of the European Parliament to complain that Germany alone had "sent more than 50 complaints about WhatsApp" to the Irish authorities, "none of which had been closed to date".

He also criticised Ireland’s “extremely slow case handling, which falls significantly behind the case handling progress of most EU and especially German supervisors”.

He noted that by the end of last year, Ireland was leading 196 cases, but had concluded only four, while Germany had closed 52 out of 176 cases.

EU officials said that Brussels was limited in what it could do to force Dublin into action. EU privacy rules give the European Data Protection Board the power to act against data watchdogs at member state level, but its powers are limited and it cannot force an authority such as the Irish DPC to do its job.

Under current rules, Dublin is in the strongest position to force its own data protection agency to exercise its powers, the officials said. However, the EU may in theory open infringement proceedings against a member state that doesn’t bring in effective policies to safeguard privacy rules. – Copyright The Financial Times Limited 2021

Latest Stories