Data protection commissioner bemoans ‘clunky’ EU law thwarting big tech investigations

Helen Dixon is about to depart her role as privacy watchdog to take up a new position in ComReg

Helen Dixon has forced companies to pay about €2.8 billion for violating the EU’s landmark General Data Protection Regulation. Photograph: Nick Bradshaw
Helen Dixon has forced companies to pay about €2.8 billion for violating the EU’s landmark General Data Protection Regulation. Photograph: Nick Bradshaw

The data protection commissioner, who has been criticised for dragging her feet on investigations into tech giants such as Meta, blamed “clunky” EU procedures for wasting energy, time and money in the race to defend citizens’ privacy.

Helen Dixon, who is about to finish in her post and take up a role in ComReg, has forced companies to pay about €2.8 billion for violating the EU’s landmark General Data Protection Regulation.

Overnight, GDPR put regulators in the Republic and Luxembourg – where many companies have their EU base – in pole position with powers to dole out fines as high as 4 per cent of annual sales.

But Ms Dixon said it was made way more tortuous than it could have been due to features of the EU’s final agreement on the legislation, which took effect in 2018 to great fanfare.

READ SOME MORE

Housing in 2024: ‘several more years before we see the quantity of houses we need’

Listen | 31:21

“It’s extremely difficult,” Ms Dixon, who is stepping down after leading the Data Protection Commission for the past decade, said in an interview at her Dublin office.

Hard-wired into the EU law, still seen as the world’s toughest privacy rule book, is a system of co-operation with other watchdogs across the 27-nation union. That meant before Ms Dixon could lay a glove on the big tech firms under her watch, other watchdogs could often weigh in.

While “co-operation is working well,” it’s “a clunky form of co-operation that is leading to a lot of different avenues of legal challenge”, Ms Dixon said. “In fact, an awful lot of energy, time and litigation resources are going in [to] sorting out issues that arise” because of the law.

“The biggest surprise was that political and economic compromise that was made in terms of the form of the one-stop-shop,” said Ms Dixon, referring to the deal on a key part of the rules supposed to put most oversight powers in the hands of a single data authority close to where companies are based.

The version “got inserted at the 11th hour”, she said, and hadn’t previously been “on the horizon”.

She said “things could have been smoother without the last-minute political changes” and “would have resulted in much more cases being handled, that would have then gone into courts, which would have held them up or not. And we’d be moving on much faster.”

Ms Dixon said that in private she has also had a lot of praise and gained a lot of respect from peers, and played down reports of clashes with them.

Last year, she levied the biggest GDPR fine yet, when she imposed a record €1.2 billion bill on Meta and gave the firm a deadline to stop shipping users’ data to the US. – Bloomberg