Irish Civil Society Dogs Irish DPC With GDPR Criticism
Irish Civil Liberties Council Files Complaint With European Commission Ombudsman
A civil society group accused the Irish data protection agency of soft-pedaling enforcement of European privacy law for big tech companies in a complaint filed with the European Commission ombudsman. The Irish Council for Civil Liberties said the Irish Data Protection Commission's use of "amicable resolution" to resolve complaints against large tech companies leaves systemic problems unaddressed.
The complaint comes as the European Commission said late last year it would start monitoring large, cross-border investigations conducted by national data protection authorities (see: Europe Will 'Streamline' Cross-Border GDPR Enforcement).
The GDPR, which went into effect in 2018, is among the world's toughest privacy rules, and major companies including Facebook and Google have been fined millions of euros for violations. A slew of American tech companies - including Google, Facebook, Microsoft, PayPal and Salesforce - have their European or international headquarters in Dublin, giving the Irish data protection authority jurisdiction over their privacy practices. Privacy activists and civil society groups have long dogged the Irish Data Protection Commission with accusations that it is soft on American tech companies. Irish commission head Helen Dixon contests the criticism.
An Irish Data Protection Commission spokesperson said the agency uses amicable resolution for low-impact cases such as requests for content removal or access to data. Because such cases are easier to resolve, they make up a higher percentage of finished cases. Agency data shows that over an 18-month period ending in December 2021, 86% of cross-border complaints ended with amicable resolution.
The spokesperson pointed to actions such as its 5.5-million-euro fine on WhatsApp in January and 405-million-euro fine on Instagram last September as evidence that the agency does undertake large-scale investigations.
More aggressive European oversight of national data protection authorities is a good thing, said the Irish Council for Civil Liberties' Johnny Ryan, who filed the complaint with the European Commission ombudsman. "This includes data on how long did it take for a case to move from one stage to another stage. The idea was that, at the moment, cases can sit in shelf in darkness, completely neglected and nobody knows anything about it."
Besides asking the commission to look into the rate of cases amicably resolved, Ryan's complaint urges the European Commission to ask for enforcement data stretching back to the start of GDPR enforcement.
"The Commission's failure to collect the necessary information over so long a period makes it impossible for the Commission to identify whether there is such a systematic failure," the complaint letter states.