Ireland’s outsize role as the main enforcer of EU data law is divisive. Privacy investigations into social media giants Facebook and TikTok have sparked bitter disputes with regulators in Germany and beyond, prompting repeated claims that the Dublin authorities are ineffective, which they are quick to deny.
At issue is the General Data Protection Regulation (GDPR), a labyrinthine body of EU law that was supposed to put manners on Big Tech. For critics seeking sharper and swifter enforcement, the regime is failing. But Europe’s chief data regulator rejects that argument, insisting real progress is being made in the drive to control how mammoth corporations exploit personal data.
“I don’t think that it’s a problem when we dispute significant cases,” said Anu Talus, the Finnish national supervisor who is chairwoman of the European Data Protection Board (EDPB), the independent body that oversees the EU data privacy rules.
Interviewed this week in her Helsinki office, she said the regime has spurred co-operation between regulators and become a point of reference for business.
“If you’re talking about GDPR in general, I think that there are evidently good results,” she said.
Although it has practically no public profile, the European board has key powers in relation to Ireland’s many GDPR duties. When the law took force more than five years ago, it was billed as a game-changer to keep pace with the ever increasing role of vastly profitable technology in 21st-century life.
[ Europe’s verdict on Ireland’s Data Protection Commission is damningOpens in new window ]
At the heart of it all was a “one-stop-shop” system for national data supervisors to assume pan-European responsibilities wherever companies base their EU headquarters. Ireland is a hub for US tech groups – Microsoft, Apple, Google, Facebook-owner Meta and many more – so Helen Dixon, the data protection commissioner in Dublin, became the main European regulator for virtually the entire sector.
But Dixon’s findings must still be approved in Brussels by the European board, comprised of national and regional data protection watchdogs.
Dr Talus began her five-year term as chairwoman in May, placing her in the centre of a tussle between privacy campaigners pressing for stronger data enforcement and industry participants who want a “more flexible” approach.
“They are quite far apart from each other,” she said.
In the backdrop is a gulf between Dixon and some of her counterparts, whose opposition to Irish draft decisions against errant companies has led to time-sapping dispute procedures over penalties and the scope of findings. Dixon has been attacked by privacy activists for slow investigations but has always rejected their complaints, accusing critics of “superficial skimming of the surface” and “exaggeration”.
Still, Dixon recently described the one-stop-shop system as something of a “legal maze” that requires “constant navigation, building an ever more complex landscape for litigators”.
Although Dr Talus said some 900 cross-border cases have been decided since GDPR took force in 2018, the largest among them have proved highly contentious.
In one case this year, a record €1.2 billion fine against Meta for grave GDPR violations in US data transfers was imposed in the face of Dixon’s claim that no financial sanction at all was needed in that particular case. The penalty, appealed by Meta in the High Court, came after Dixon faced a backlash from German, Austrian, French and Spanish regulators. There were similar disputes in several separate cases against Meta, whose GDPR fines overall have now reached €2.5 billion, all of them appealed.
These are major penalties certainly, although they must be measured against the vast scale of company finances. Meta’s profit in the first quarter of 2023 was €5.26 billion.
There is more. A recent €345 million fine against the video-sharing social network TikTok, also under appeal, came after a long dispute with German and Italian regulators that took no less than a year to resolve. TikTok faces a separate investigation into transfers of personal data to China.
For many observers, the tide of disputes over Dixon rulings smacks of an implicit lack of confidence in some quarters in decisions from the Irish supervisor.
Still, Dr Talus was clear in her response when asked whether she perceived any problem in Dublin.
“No,” she said. “I actually think that it shows that the GDPR is working because there is the mechanism to solve these issues and this is what the legislature foresaw when the GDPR was created. There was a need to have a mechanism to solve the different interpretation of the data protection authorities.”
Asked again whether there were questions over Irish decision-making, Dr Talus said “this is not where I would look,” and insisted she would “rather focus” on differing legal interpretations of the GDPR.
“I think that this is what is in the core here because if there are different interpretations of certain provisions of the GDPR, this is not necessarily a consequence of poor decision-drafting. I mean you can have a difference of view which are both really well justified or reasoned,” she said.
At its root, such wrangling flows from the political decision of EU leaders to give primacy to national regulators when dealing with transnational social media. That was quite the opposite of Brussels’ centralised approach to competition issues, where the European Commission is in command of enforcement and ruthlessly guards its prerogatives.
Dr Talus, herself a negotiator for the Finnish government when the GDPR was settled, said the aim in the data regime was to “combine” proximity to people in member states with EU-level decision-making.
“It’s very difficult to understand the structures because it’s a completely new type of decision-making,” she said.
“There are many different member states. There are different [legal] traditions also to enforce – and this is where the GDPR is trying to harmonise the practices in the EU.”
But was this efficient? Was there a more centralised alternative that might have achieved a better result and less internecine squabbling between supervisors?
“This is what we have now and what the EDPB does is to make it work as effectively and as efficiently as possible,” Dr Talus replied.
She acknowledged scope to improve the regime, welcoming proposals from the European Commission in July to streamline co-operation between supervisors and set new deadlines to settle disputes. The EDPB, which made a wishlist of reforms a year ago, has called for its swift approval, with additional tweaks.
[ Gerard Howlin: Ireland is on the frontline of the battle against misinformationOpens in new window ]
Dr Talus rejected the argument that the Brussels board, with only 45 officials, could never match the resources of Big Tech companies that can deploy hundreds of staff and advisers in regulatory battles. Much of the work was done by national bodies, she said. Still, she has asked for nine more staff and sought a 22 per cent budget increase to €9.3 million for the European board next year.
With critics claiming Dublin was overwhelmed by its gargantuan GDPR task, the Irish supervisor is no stranger to tough talk over resources. More than one year after the Government resolved to appoint two new commissioners to serve with Dixon, who will chair the commission, the posts were finally advertised last month.
Is this a welcome move for Dr Talus? She insisted it was not for her to comment but added: “What I can say is that I do have two deputies and I truly appreciate that. It’s a blessing.”