Irish DPA Criticised (Again) Over GDPR Enforcement
The Irish DPA has been criticised by the German federal data regulator. Fair enough?
Here’s the background:
A letter from the German federal data protection regulator (BfDI), Ulrich Kelber, criticising the Irish Data Protection Commission (DPC) has been reported by the Irish Times.
This letter reiterated what many observers have been saying about the Irish DPC for some time. As home to most big tech companies, Ireland has earned a reputation as a GDPR-compliance haven.
Is the Irish DPC’s reputation fair?
Think of it this way. As lead supervisory authority to Facebook and Google, the DPC’s job is to ensure these companies comply with data protection law.
Under the one-stop-shop procedure, DPAs have to forward complaints about these firms to the DPC except in certain specific circumstances.
Despite this, Ireland has never concluded an investigation into Google, Facebook, or any of their subsidiaries. But other DPAs have — even within the very narrow set of circumstances under which they have been permitted to do so.
Here’s a list of every EU DPA that has fined each firm since 2018.
• France (under both the GDPR and the ePrivacy Directive)
• (Not Ireland)
• UK (Data Protection Directive)
• France (ePrivacy Directive)
• (Not Ireland)
So what enforcement action has the Irish DPA taken against big tech firms?
Just one penalty, against Twitter for €450,000, after it failed to properly notify the DPC of a data breach.
This isn’t a large fine — around 0.1% of Twitter’s turnover. But the Irish DPA originally proposed an even smaller penalty, of between €135,000 and €275,000.
This small penalty was seen as too lenient by other EU DPAs. They disputed it under the first-ever use of the GDPR’s Article 65 procedure. Several DPAs recommended multi-million euro fines.
On the other hand, Ireland is reportedly due to impose a €50 million fine on WhatsApp later this year (but this hasn’t been officially confirmed yet).
This is a complex issue, and the GDPR isn’t all about fines. There’s also some question as to whether the German regulator was right to criticize the DPC in this way. But the letter does draw attention, once again, to this bottleneck in GDPR enforcement.