The Republic's record on enforcing data protection rules on Big Tech is coming under increasing scrutiny as the European Commission has indicated it is prepared to intervene in cases of weak oversight.
EU commissioner for values and transparency Vera Jourová told a privacy conference that enforcement would have to be “effective” or it “will have to change”.
Ms Jourová said that penalties and rulings against Google, Facebook and WhatsApp indicated that there was a cultural problem with compliance at the large tech companies that play an important role in the Republic's economy.
“Clearly there is a problem with compliance culture among those companies that live off our personal data. Despite the fact that they have the best legal teams, presence in Brussels and spent countless hours discussing with us the GDPR. Sadly, I fear this is not privacy by design,” she said.
“I think it is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It’s time not to hide behind small print, but tackle the challenges head on.”
The Czech politician and commission vice-president warned that matters were now coming to a head and that any changes would be towards more centralised enforcement such as through the European Data Protection Board (EDPB) and Commission.
“We are in the crunch time now,” she said. “Either we will all collectively show that GDPR enforcement is effective or it will have to change. And there is no way back to decentralised model that was there before the GDPR. Any potential changes will go towards more centralisation, bigger role of the EDPB or commission.”
A spokesman for the the Republic’s Data Protection Commissioner (DPC) declined to comment on the issue of centralising enforcement, describing it as a matter for the European Commission.
The development comes amid mounting calls on the Republic to strengthen enforcement and beef up the DPC to better oversee the activities of the digital behemoths based in the Republic.
Under current rules data protection enforcement is the responsibility of authorities in the nation where the company is based within the single market, meaning the State is seen as having the role of implementing such regulations on behalf of much of the EU.
Unhappiness at the Republic's record on this is widespread among other EU countries. As the EU prepares for two major reforms of the digital rule book, Irish officials have vowed that they will beef up regulatory enforcement. DPC chief Helen Dixon has defended the agency, arguing that enforcement takes time and that the regulations are more complex than many appreciate.
Hopes in other EU countries that they will be able to hold companies directly to account over perceived infractions rather than having to go through the Republic were given a boost on Thursday, as the advocate general of the European Court of Justice published an opinion that national consumer protection agencies can bring actions against companies based elsewhere.
Infringing personal data
Though not binding, the opinion is influential. It relates to an ongoing case that was referred up by a German court that had been considering accusations by the Federation of German Consumer Organisations that Facebook Ireland infringed personal data, unfair competition, and consumer protection rules in its provision of free games by third parties on its "App Centre".
The darkening mood towards enforcement in the Republic was reflected by an opinion piece published by Bloomberg and the Washington Post this week titled "Ireland's the Wrong Privacy Watchdog for Europe".
It noted criticism from the European Parliament, objections by other European data-protection agencies, and comments by Facebook whistleblower Frances Haugen that the Republic has a conflict of interest in regulating tech.
"The criticism bubbling up for years has recently become a chorus, and points to issues with both speed and quality of work," wrote its author Parmy Olson, describing the Republic as a "weak spot" in "Europe's ambition to lead the world on data privacy".