Even as Covid-19 has forced us to spend more time online, we face a deepening privacy crisis. Headlines about predatory profiling of vulnerable people by gambling firms, electoral manipulation, and market distortion that hurts us as consumers are now matters of routine. But five years ago a new law was introduced to prevent precisely this. The EU General Data Protection Regulation (GDPR) was a result of the Snowden revelations. European legislators resisted the strongest lobbying onslaught ever mounted and protected our rights to privacy and data protection.
After a two-year grace period the new law gave Ireland’s Data Protection Commission (DPC) and its counterparts across Europe the legal powers to “obtain access to any premises” and demand “access to all information”. They were given the power to force even the most powerful companies in the world to change what they do with the data that sustains their businesses, and if necessary to stop using it at all.
Ireland’s DPC became the “lead supervisory authority” responsible for overseeing that Google, Facebook, Apple and Microsoft comply with the GDPR across the EU because these firms have their EU headquarters here. Ireland now has the central role in protecting the data rights of 452 million people across Europe against the misuse of their data by big tech.
Ireland is the bottleneck of GDPR enforcement against Google, Facebook and big tech for all of Europe
But as the Irish Council for Civil Liberties (ICCL) revealed last month, Ireland has not risen to the challenge. The “IMI” system that all European enforcers use to co-ordinate cases shows that Ireland’s DPC has the “lead supervisory authority” responsibility for 164 GDPR “cross-border” cases. (This is distinct from purely domestic cases that affect citizens in one country alone. “Cross-border” cases affect citizens across the EU.) Of these 164 major EU cases for which Ireland is responsible, the DPC produced draft decisions in only four in the three years since the GDPR was applied.
Some 98 per cent of the cross-border cases for which Ireland is responsible remain unresolved. No GDPR enforcer in any other EU member state can intervene because Ireland is the lead authority. Ireland is the bottleneck of GDPR enforcement against Google, Facebook and big tech for all of Europe.
These data cases made headlines across the EU when ICCL revealed them. In the last year the DPC has been criticised by the European Court of Justice, where an advocate general of the court referred to its “persistent administrative inertia”; the European Parliament; and by its counterparts in Germany, France, Spain, Italy, the Netherlands, Austria, Poland, Portugal and Hungary.
In June, the Oireachtas Justice Committee noted that “citizens’ fundamental rights are in peril”, and urged the DPC to start “emphasising enforcement as a matter of urgency”.
The DPC has achieved results in supervising the public sector. But it is failing in its duty to hold Google, Facebook and other big tech firms to account
The DPC’s problems may be due to more than lack of investment. Earlier this year the ICCL revealed the DPC’s failure to implement a major ICT overhaul, five years after announcing that it was necessary in order to prepare for its GDPR role. Though the mounting cost to the taxpayer had climbed over €1 million the DPC continued to use antiquated technology to organise and handle complicated GDPR complaints.
A former DPC employee told the ICCL this was “like trying to run your payroll system with an abacus”. In that instance the DPC’s problems were not a result of inadequate funding from government. The DPC’s European counterparts do more with less. Spain’s Agencia Española de Protección de Datos produced four times the number of draft decisions on cross-border GDPR matters than our DPC, but cost the Spanish taxpayer €3 million less.
The DPC has achieved results in supervising the public sector. But it is failing in its duty to hold Google, Facebook and other big tech firms to account.
The GDPR presented us with an opportunity to strengthen our position as a global hub of the digital economy. But it also imposed a great responsibility on Ireland to uphold the rights of all Europeans.
The risks from continued failure are too acute
DPC inaction has forced other EU member states to sidestep Ireland on GDPR enforcement. If this continues we will lose our relevance as a regulatory centre.
Ireland’s failure as GDPR super-regulator also jeopardises a new European Commission proposal that Ireland should take on this role for more key parts of the digital economy, including the new Digital Services Act and the new Artificial Intelligence Regulation. Continued failure jeopardises all of our rights and may make Ireland irrelevant as a global tech hub.for
Our DPC must be reformed and strengthened. We have three recommendations.
First, for the Government to provide for an independent review of how to strengthen and reform the DPC. European Justice Commissioner Didier Reynders recently welcomed this in a letter to Barry Andrews MEP.
Second, the Minister for Justice should use her power to appoint two additional data protection commissioners as provided for in our national law that transposes the GDPR.
Finally, the Oireachtas Justice Committee published recommendations in June 22nd for the reform of the DPC, and we urge the Government and the DPC to adopt a mindset of reform and improvement, and act on them.
The risks from continued failure are too acute.
Johnny Ryan is a senior fellow at the ICCL, focused on surveillance, data rights, competition/anti-trust and privacy