Ireland’s Data Protection Commissioner says her office had been overwhelmed by complaints from data privacy advocates for sweeping, resource-intensive investigations of entire industries.
Helen Dixon was responding to criticism from data protection advocate Johnny Ryan, who announced on Monday that he was filing a complaint with the European Union asking it to penalise countries that do not give data protection agencies enough resources.
Mr Ryan has examined budget and staffing data from data protection regulators in 28 European countries. In his report, published on Monday, he found that all but three countries – Germany, Britain and Italy – had annual budgets of less than €25 million. Most had only a handful of investigators with industrial expertise dedicated to reviewing technology industry cases.
Problem
Luxembourg, which is responsible for regulating Amazon, had a budget of roughly €5.7 million last year, worth about $6.2 million, or roughly Amazon's sales over 10 minutes.
Regulators acknowledge the problem and have called for more money. In a February survey of privacy regulators in 30 European countries, 21 responded that “resources are not enough” to fulfil their responsibilities.
At the centre of the dispute is Ireland, which has outsize influence over enforcement because Apple, Facebook, Google, LinkedIn and Twitter are all based there.
The country is responsible for leading more investigations, 127, than any other country in Europe, according to Brave, a company at which Mr Ryan is chief policy officer and which makes an internet browser with privacy protections to limit data tracking and advertising. Yet in nearly two years, it has not issued a single GDPR penalty.
“If you don’t have strong, robust enforcement and investment, this law is a fantasy,” said Mr Ryan. “We have failed to realise the potential of GDPR thus far.”
Ireland’s budget of €16.9 million ranks sixth among data protection agencies in Europe. Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.
Speaking to the New York Times, Ms Dixon said she was frustrated by the budget restrictions but defended the work of her office, which she said employed more than 140 people work compared with 27 in 2017. She graded Ireland’s performance an “A for effort” but a “C-plus/B-minus in terms of output”.
Ms Dixon said rulings involving Twitter, Facebook and others were coming. But she said her office had been overwhelmed by complaints filed by advocates like Mr Ryan that called for sweeping, resource-intensive investigations of entire industries like digital advertising.
Fines
The commissioner said many people wrongly assumed that the GDPR would result in a swift and wholesale shake-up of data-collection practices of the largest tech companies.
“There will be fines; there is no doubt about that,” she said, but the law “doesn’t allow for taking on an entire sector”.
Under the law, regulators must respond to every complaint filed – more than 12,000 in Ireland since 2018. Mr Ryan, who lives in Ireland, filed a complaint with regulators there against Google over its ad-targeting practices.
Defending the pace of investigations, Ms Dixon said companies like Facebook asked a slew of procedural legal questions that must be responded to before cases can advance. Google stalled regulators by not immediately declaring where its European headquarters would be.
Regulators have other leverage beyond investigations, Ms Dixon said.
Facebook delayed the release of its dating app, she explained, after Irish authorities raised questions about its data collection.
“There are lots of different ways to go about creating a positive effect,” she said. “Not all of them cater around fines and the superficial commentary we sometimes see.” – New York Times