A data privacy campaigner has complained to the European ombudsman about the EU's failure to act against Ireland over the pace of big tech investigations by the State's privacy watchdog.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties (ICCL), lodged his complaint with the ombudsman, Emily O'Reilly, over the failure of the European Commission to take infringement action against the State over the enforcement of the EU's sweeping data protection laws.
Mr Ryan wrote to European commissioner for justice Didier Reynders in September saying the EU's executive arm had a duty as the guardian of EU treaties to see that the General Data Protection Regulation (GDPR)– the EU data protection law – was properly applied.
He complained to Mr Reynders that the Irish data privacy regulator was failing to apply the powerful EU privacy law to US technology giants, claiming 98 per cent of significant complaints about privacy infringements remained unresolved by the Data Protection Commission.
Mr Ryan said complaints were “just languishing and going into a black box process and not proceeding – that means that enforcement across the EU is paralysed”.
The Irish regulator has disputed Mr Ryan’s 98 per cent figure as inaccurate, arguing it has received more than 1,300 cross-border complaints from other EU data protection authorities since the introduction of GDPR in May 2018, with more than 700 of these resolved.
Under GDPR's one-stop-shop mechanism, the Irish watchdog is the lead EU regulator responsible for supervising and enforcing the EU law against large tech multinationals such as Google, Facebook, Apple and Twitter because their European headquarters are based in Dublin.
Mr Ryan described the European commissioner’s failure to respond to the ICCL’s concerns in September as “a case of maladministration”, putting the privacy of 470 million EU citizens at risk.
“He hasn’t acted on this, he hasn’t monitored this, and he hasn’t even responded to very well-founded, detailed evidence suggesting that he needs to do something about it,” said Mr Ryan.
The Irish regulator has been the subject of repeated criticism from privacy campaigners and other EU data regulators for failing to take faster action against tech giants.
The regulator has defended the pace of enforcement action, saying that “things need to and will move quicker now that we have been through the various processes for the first time”.
The regulator has commenced 35 cross-border inquiries since 2018 and has sent six draft decisions to other EU data regulators under the GDPR’s “article 60” consultation process.
Two of these have used the “article 65” mechanism to resolve disputes between regulators, resulting in fines of €450,000 against Twitter last year and €225 million against WhatsApp this year.
“It is vital that these cases are thoroughly tested by the [Data Protection Commission], as they inevitably will set the standard for similar decisions in the future. It is important we get these right,” said a spokesman for the Irish regulator.
WhatsApp is challenging the decision in three separate legal cases, two in Ireland and one in Europe. A further two decisions, relating to Facebook, are at the "article 60" consultation phase.
“We have a strong pipeline of other inquiries at a fairly advanced stage, with more draft decisions expected to go to article 60 in the coming weeks,” said the spokesman.
He said the regulator’s timeframes for investigation of big tech companies were “in line with equivalent European Commission competition law cases.”
He added the commission met Mr Reynders earlier this month and kept him “up to speed in terms of the challenges facing the DPC around timeframes that include the procedures implemented around the one-stop-shop element of the process.”
There was no response to queries from The Irish Times to the European Commission representative office in Dublin.