Lenin reportedly once remarked that trust is good but control is better. Ireland’s former chief financial regulator reached a similar conclusion – sadly too late – during his May 2015 testimony before the Oireachtas committee into the banking crisis.
Patrick Neary said the financial regulator he once headed failed so badly because it placed excessive trust in banks to “conduct their affairs prudently and properly”.
“The system,” he said drily, “did not deliver the required outcome.”
For many, data is the currency of the digital age and data regulators are as crucial as financial regulators. Nearly five years ago, in May 2018, new EU data protection rules came into effect to reflect this new reality.
The General Data Protection Regulation (GDPR) attempts to balance EU citizens’ fundamental right to privacy in the digital age with the interests of companies and others to engage in legitimate, profitable data processing.
Given the concentration in Ireland of big tech companies, with cross-border business models based on massive user-data collection and targeted advertising, GDPR rules shifted a huge level of responsibility on to Ireland’s Data Protection Commission (DPC) as lead regulator for companies with their headquarters in Ireland.
Commissioner Helen Dixon stepped up to the challenge and secured extra resources to deal with the huge rise in caseload.
And yet, even after imposing multimillion fines – the latest, €395 million fines on Meta Ireland this month for illegal data collection by its Facebook, Instagram and WhatsApp subsidiaries – the DPC’s vocal critics around Europe are still unhappy. Why?
Because the DPC is acting under duress. Left to its own devices, the Irish regulator planned to fine Meta a maximum of €59 million for breaching transparency rules on data processing at Facebook and Instagram – not for illegal data processing of 450 million EU citizens, which contributes to its massive global turnover (2021: €108.95 billion)
The much larger fines on Meta were forced by other European data regulators under dispute resolution procedures overseen by the European Data Protection Board (EDPB) which can review decisions by national regulators.
This body, comprising EU and some EEA members, identified serious GDPR breaches, demanded higher fines and concluded that the DPC had failed to investigate the original complaints with “due diligence”.
Overruling a national regulator requires a two-thirds majority. In the recent Meta cases, of the 30 member states in the EDPB, four abstained from voting, according to sources, while all others backed the EDPB position. No one sided with the Irish regulator.
There is a pattern here: in seven EDPB interventions in national decisions to date, all but one have involved the Irish regulator.
The DPC says Ireland’s big tech concentration – and the complex, high-stakes nature of their investigations – makes a focus on its work inevitable.
Critics disagree, linking the interventions to how the Irish regulator – faced with a choice – will always choose the most tortuous, lengthy and expensive legal route to a decision rather than a simple application of EU law.
Their concern, that this has made Dublin a bottleneck for data protection decisions, is shared by the European Parliament.
After a September 2022 visit to Dublin, MEPs from the parliament’s committee on civil liberties, justice and home affairs said they agreed with findings of the Dáil’s own justice committee: the Government needs to overhaul DPC operations and the underlying legislation.
French MEP Gwendoline Delbos-Corfield, after meeting Meta executives, said: “How nice they are about the DPC is not that reassuring.”
The underlying tension on data protection arises from opposing outlooks on privacy, informed by different legal traditions, historical experience and sociocultural norms.
Do data protection bodies exist to protect citizens’ privacy, as almost all EU regulators seem to believe? Or is their role, as Helen Dixon said after the recent Meta decision, to act as an “honest broker”?
“We don’t achieve results,” she told the New York Times, “by simply seeking to rewrite the GDPR as we would have liked to have seen it written.”
But that, in effect, is the main complaint levelled at her by fellow European regulators.
In off-the-record conversations with The Irish Times, many have the same message: even allowing time for the new data rules and its regulatory regime to settle in, the DPC is a regulator in denial. While Dublin is the lead authority for investigating big tech firms based in Ireland, it does not have sole responsibility.
Even as this regulatory tug of war heads to the European Court of Justice, it’s time the Irish Government shows its hand.
After nearly five years, is the big tech regulatory system Ireland has created – with lengthy, expensive investigations; damp squib national decisions; legal uncertainty for citizens and companies alike – delivering the required outcome?
It has certainly been good for Meta, and perhaps good for Ireland Inc’s reputation in Silicon Valley.
But if Ireland’s data regulator continues on this path, its EU colleagues will intervene and overrule – again and again.