How Ireland became EU's reluctant data privacy enforcer

How Ireland became EU's reluctant data privacy enforcer

As host to the European headquarters of major tech companies, Ireland also has a major role in enforcing EU data privacy rules
As host to the European headquarters of major tech companies, Ireland also has a major role in enforcing EU data privacy rules. Photo: CONOR BARRINS / AFP/File
Source: AFP

Five years after the EU introduced a mammoth data privacy law to rein in big tech, Ireland's watchdog is its chief enforcer. Critics say this helps explain why the regulation is failing.

Dublin is at the centre of the General Data Protection Regulation (GDPR) regime because the city hosts the European headquarters of the likes of Google, Meta, Twitter and TikTok.

The regulation is a straight-up challenge to the business models of these firms, which gather personal data to create the algorithms that serve content and ads to their users.

And its enforcement is a challenge for Ireland, which has courted big tech with generous tax incentives.

Even though the EU's 19th biggest nation is by far the bloc's biggest issuer of GDPR penalties -- hitting Meta with a record 1.2-billion-euro ($1.3 billion) fine this week alone -- critics say GDPR enforcement is a joke and Ireland is the chief jester.

Read also

Biggest fines under EU privacy law

"Europe's failure to enforce the GDPR exposes everyone to acute hazard in the digital age," Johnny Ryan of the Irish Civil Liberties Union wrote in a report marking five years of GDPR.

PAY ATTENTION: Join Legit.ng Telegram channel! Never miss important updates!

He said Europe could hardly claim to be a regulatory superpower if it could not even enforce its own laws.

Tangle of confusion

The GDPR, which came into force five years ago this Thursday, is meant to protect Europeans from having their data misused by companies and public institutions.

The law dictates that citizens must consent to the ways in which their data is used.

GDPR is enforced by national data protection agencies (DPAs).

However, critics like Ryan, Austrian campaigner Max Schrems, and an array of digital rights groups say cases can take years to resolve, punishments are rarely severe enough and citizens have few rights to take part.

Read also

Meta hit with record 1.2-billion-euro fine over EU data rules

DPAs, the critics say, are either badly funded, badly trained, in thrall to big companies, largely inactive or non-responsive.

Each has its own rules and practices and while Germany spends more than 100 million euros a year on its agencies, Romania barely breaks one million euros.

This leads to unequal enforcement and a tangle of confusion about their role -- Ireland's Data Protection Commission (DPC) is at the centre of it all.

'Careful' challenges

Even the DPC's massive fine against Meta on Monday descended into slight farce when the Irish agency said other European bodies had ordered it to do it.

France's watchdog, CNIL, was among four agencies to demand tougher action.

"The CNIL is very careful to challenge, in the best sense of the word, the proposals of the DPC," CNIL chief Marie-Laure Denis told AFP in an interview.

And it got worse -- Schrems, who had brought the case against Meta, detailed how he had to fight for a decade to get Ireland to investigate.

Read also

Dark cloud over ChatGPT revolution: the cost

The Irish DPC generally tries to avoid issuing fines or even investigating at all, instead relying on "amicable procedures" to resolve cases.

The soft approach has led to the EU's central body, the European Data Protection Board (EPDB), overruling Ireland's DPC in most of its EU-level cases -- a power it almost never uses against anyone else.

Legal expert Ray Friel from the University of Limerick told AFP the EDPB wanted to use heavy fines "to make these companies sit up and take notice".

But the Irish DPC had focused more on "rehabilitation".

The DPC did not immediately respond to an AFP request for comment.

End of secrecy

Ireland's approach is out of step with the hard rhetoric emanating from the European Commission, which positions itself as a champion of the people against big corporate interests.

The EU's executive arm has defended the DPAs in the past but Justice Commissioner Didier Reynders announced earlier this year that reform was coming.

Read also

Business tough in China as national security trumps all

He promised to boost supervision of the DPAs and further proposed a law to govern how DPAs work with each other.

Activists are urging the commission to be bold.

Estelle Masse, Europe legislative manager at the Access Now digital rights NGO, called for an end to secrecy, for individuals to be given more rights and for clear deadlines to be set for resolution of complaints.

"Our fundamental rights are at stake, it's outrageous that we've had to wait for years for violations to be resolved," she wrote in a recent report.

But Schrems is far from hopeful that the commission will grasp the nettle.

He said Brussels was actually proposing to reduce the ability of individuals to take part.

"It seems the commission takes the view that the less the parties are talked to, the less the people are talked to, the more efficient the procedure gets," he said, adding that this "is not true".

Source: AFP

Authors:
AFP avatar

AFP AFP text, photo, graphic, audio or video material shall not be published, broadcast, rewritten for broadcast or publication or redistributed directly or indirectly in any medium. AFP news material may not be stored in whole or in part in a computer or otherwise except for personal and non-commercial use. AFP will not be held liable for any delays, inaccuracies, errors or omissions in any AFP news material or in transmission or delivery of all or any part thereof or for any damages whatsoever. As a newswire service, AFP does not obtain releases from subjects, individuals, groups or entities contained in its photographs, videos, graphics or quoted in its texts. Further, no clearance is obtained from the owners of any trademarks or copyrighted materials whose marks and materials are included in AFP material. Therefore you will be solely responsible for obtaining any and all necessary releases from whatever individuals and/or entities necessary for any uses of AFP material.