Three-quarters of Irish data watchdog’s data privacy decisions since 2018 overruled – report

Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple and Tinder account for 87^% of cross-border GDPR complaints to Ireland’s DPC

Under Data Protection Commissioner Helen Dixon, the DPC has been carrying out a review of its governance structures, staffing arrangements and processes since last summer. Photograph: Cyril Byrne
Under Data Protection Commissioner Helen Dixon, the DPC has been carrying out a review of its governance structures, staffing arrangements and processes since last summer. Photograph: Cyril Byrne

Three-quarters of decisions by Ireland’s Data Protection Commissioner in EU cases have been overruled by its European counterparts in favour of tougher enforcement, a new report has found.

The report from the Irish Council for Civil Liberties found “little substantial enforcement” of GDPR against the big technology companies in EU-level cases, with almost two-thirds of measures imposed by late last year classed as reprimands.

Ireland’s data watchdog has been highlighted in the report as a bottleneck for data protection cases against Big Tech, with 75 per cent of its decisions in EU-wide cases overruled by the European Data Protection Board. The figures include final decisions from January 2023 that are not yet included in the European register of final decisions.

Only one other country in one other case has been overruled in such a manner.

READ MORE

As Google, Meta, Apple, TikTok and Microsoft have headquarters in Ireland, the Data Protection Commission is the lead authority investigating data privacy complaints about tech giants in Europe.

Some 87 per cent of cross-border GDPR complaints to Ireland’s DPC involve the same eight companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple, and Tinder.

The report said the regulator tends to use its discretion under Irish law to choose “amicable resolution” to conclude 83 per cent of the cross-border complaints it receives, instead of resorting to enforcement measures.

“Five years on, the data now show a stark failure to enforce the GDPR – particularly against Big Tech. That failure exposes everyone to serious digital hazards: discrimination, manipulation, information distortion, and invasive AI,” said ICCL senior fellow Dr Johnny Ryan. “We urge the European Commissioner for Justice, Didier Reynders, to finally take action.”

The report said strong powers of enforcement and investigation brought in by the GDPR have not been taken up. The registry of approved decisions shows only 49 compliance orders and 28 fines by late 2022.

Although lack of funding may have been an issue in the past, the report concedes, it is no longer considered a primary problem, with the EU’s data protection agencies now having a combined budget of more than €337 million. Ten national data protections authorities still have budgets under €2 million.

Ireland’s budget is in the top five in the European Economic Area. Last summer, the Government announced that two additional data protection commissioners would be hired, and that Helen Dixon would be promoted to chairwoman of the DPC – in an attempt to better resource the watchdog in recognition of its growing workload.

The DPC has been carrying out a review of its governance structures, staffing arrangements and processes since last summer. – Additional reporting: Press Association

Data protection boss Dixon rejects criticism over enforcementOpens in new window ]

Ciara O'Brien

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist