The Irish DPC continues to take flack for its handling of GDPR complaints. Now, officials are trying to defend them.
Is the Irish DPC being too soft on fines for large tech companies? Did they try to interfere in a GDPR process? Is the Irish DPC pushing for law changes that make things easier for Facebook? What about the accusation of corruption from Austria? These are a small sample of questions currently circling the Irish DPC as accusations continue to mount against the regulator.
We caught up with this story last year when we covered the continued tensions the regulator and NOYB (None of Your Business). While the push to file corruption complaints against the Irish DPC helped to reignite debate about the Irish DPC, concerns have been ongoing for quite a bit longer. Some were complaining that fines were slow to come out of the country. When the fines did come out, they were quite small. Some argued that the fines are so small, they wouldn’t act as a deterrent for the likes of Big Tech.
Of course, part of the problem is that many of the large tech giants ended up being located in Ireland. As a result, the Irish DPC would then be tasked with handling complaints against such companies. As a result of all that has happened so far, some go so far as to accuse the regulator of having too cozy of a relationship with large tech giants in the first place. Ultimately, the complaint filed by Noyb was really a sign that tensions were reaching critical levels.
As a somewhat recent example of how tense things have gotten, Irish officials were apparently going on the radio airwaves to try and push back against the various accusations being levied against the regulator. Journalists noted this as a sign that the spat with the Irish DPC had gone mainstream. From Politico:
So far those accusations have come from a rarified community of privacy activists and wonkish European lawmakers. But in past weeks criticism of the Irish DPC has gone mainstream, prompting soul-searching in a country that owes much of its prosperity to the many U.S. tech multinationals it lured to its shores.
On Sunday, the authority’s chief Helen Dixon had to go on national radio to defend the DPC after a slew of local media articles suggested Ireland’s reputation was at risk because of her office’s perceived misfiring.
“Anybody who does a search for Ireland and Data Protection Commissioner, your name and the office — it’s littered with international criticism of your office and Ireland as a result,” the interviewer, Gavin Jennings at public broadcaster RTÉ, said to Dixon.
Anxiety in Ireland over the country’s international standing has been rocked by a series of interventions by global big wigs.
In November, Facebook whistleblower Frances Haugen said Ireland faced a “conflict of interest” when regulating Big Tech because of the economic benefits it derives from hosting European headquarters of U.S. tech giants.
Shortly after, in December, European Commission Vice President Věra Jourová warned the GDPR may need overhauling if enforcement didn’t pick up, in a shock intervention that many interpreted as a swipe at Ireland. “We are in the crunch time now,” she said.
As the article suggests, the tensions aren’t just between activists and the regulator. Internal tensions between Ireland and other member states have been noted for some time now. Other regulators in other countries have expressed frustration with the Irish DPC. This has led to questions of overhauling the system because of how badly things have soured. More recently, the European Commission had to push back against calls to reform the system. From Euractiv:
Reynders stated his view in a reply to an open letter from 6 December co-signed by Dutch MEPs Sophie in ‘t Veld and Tineke Strik and the German Birgit Sippel and Cornelia Ernst.
“If no action is taken soon to dramatically improve enforcement of this EU flagship, the GDPR risks becoming a paper tiger,” the MEPs wrote, asking the EU executive whether it considered the EU privacy law was applied correctly in Ireland.
Under the GDPR, Ireland has the lead on most of the high-level cases as most Big Tech companies have their European legal basis there. MEPs consider the Irish Data Protection Commissioner (DPC) has interpreted such policing role too timidly and have called several times on the Commission to act.
“We have not so far identified issues with the Irish data protection rules or have evidence that these rules have not been respected,” the Commission replied, pointing to a recent case that saw the DPC issue a €225 million against WhatsApp.
“While establishing the EDPB, the legislator provided that the very purpose of the consistency mechanism is to allow for an open discussion and transparent and honest exchange of different points of view on how the GDPR should be interpreted,” Reynders responded.
The Commissioner stressed that it is not for the Commission to intervene or start an infringement procedure based on opinions expressed during such exchanges, even less so on a ‘complex matter’ such as the contractual basis where different views have been articulated.
Moreover, Reynders added that the Commission did not hesitate to initiate an infringement procedure to defend the GDPR in the past, mentioning the cases of Belgium, Poland and Hungary, but that the caution of the Irish regulator and its different point of view did not meet the necessary conditions.
It is unlikely that this response is going to be satisfactory to critics who long question what the Irish DPC has been doing. At the very least, there does seem to be an understanding of what is at stake when it comes to the reputation of the GDPR. If the system is seen by other countries around the world as unworkable, that would represent a significant setback for privacy rights around the world. After all, it’s hard enough to get other countries on board with the idea of establishing a whole new system for privacy of everyday citizens.
At this point, it doesn’t look like tensions are going to go away any time soon with this story. After all, the drama levels are reaching American levels of political drama. We’ll continue to monitor the situation for any developments that unfold.
Drew Wilson on Twitter: @icecube85 and Facebook.
