The increased demands on the Data Protection Commission (DPC) and its chief Helen Dixon are probably best summed up by a complaint it received last year. An individual was unhappy about a photograph of their pet and its unflattering angle and wanted the State’s data privacy regulator to remove it from an online publication.
Dixon, speaking on the publication of the DPC’s 2021 annual report, lamented the fact that the commission has become “a proxy for the customer service departments of so many big entities” – from telcos to banks – where customers are not getting adequate human responses to complaints.
The 2021 annual report shows that the DPC received 10,888 queries and complaints from individuals last year, an increase of 7 per cent, of which 8,017 were concluded by year end.
It is not as if the the State’s watchdog hasn’t enough to manage being the data privacy enforcer for Big Tech companies operating across the European Union, and following a complex rule book, the gargantuan GDPR and its labyrinthine processes.
Court action
Working through these rules must be like herding cats, judging from page 66 of the report that shows the long list of EU regulators that can – and do – object to the DPC’s draft rulings in Big Tech investigations. Germany’s regulators have raised objections in all but one ruling.
Although it is being challenged in the courts, the €225 million fine imposed last year on WhatsApp, the messaging app owned by Facebook parent Meta, shows the regulatory bite of the data privacy watchdog. In contrast, the biggest fine imposed by the Central Bank was almost €38 million against Ulster Bank over the tracker mortgage scandal, while the multiyear investigation into bond trading at stockbroker Davy yielded €4.1 million.
Of course the €23 million-a-year DPC with its 195 staff is nowhere near equipped to be the EU’s GDPR police against the might of Big Tech, but widely-voiced concerns about the pace and scale of investigations may be down to the complexity of the regulations as well as the adequacy of the DPC’s actions and resources. As Dixon says, GDPR – not yet four years old – is a “work in progress” with elements of over- and under-implementation, inappropriate implementation and expectations around GDPR that simply cannot be met by GDPR.