75 per cent of Irish data watchdog’s GDPR decisions overruled

The report indicates that 75 per cent of the Data Protection Commission’s (DPC's) decisions in cross-border investigations over a five-year period were subsequently overruled by the European Data Protection Board (EDPB), which felt the Irish watchdog's decisions were not sufficiently stringent.

The EDPB had demanded tougher enforcement action in these cases, the report by the Irish Council for Civil Liberties (ICCL) said, with only one other country in one other case overruled in such a manner.

The figures include final decisions from January 2023 that are not yet included in the EDPB register of final decisions, from which the figures are based. If these three cases are not included, the figure is 88 per cent of DPC decisions overruled.

The report said that the DPC tends to use its discretion under Irish law to choose “amicable resolution” to conclude 83 per cent of the cross-border complaints it receives, instead of using enforcement measures.

The ICCL report claims that Ireland remains “the bottleneck of enforcement” for major cross-border cases in Europe. “When it does eventually do so, other European enforcers then routinely vote by majority to force it to take tougher enforcement action,” it said.

As Google, Meta, Apple, TikTok and Microsoft all have headquarters in Ireland, the Data Protection Commission is the lead authority investigating data privacy complaints about tech giants in Europe.

Some 87 per cent of cross-border GDPR complaints to Ireland’s DPC also involve the same eight companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple and Tinder.

On EU-wide cases, the ICCL report found that since May 2018 – when GDPR laws came into effect – and late 2022, 64 per cent of the 159 enforcement measures were reprimands, stating that enforcement against tech giants in Europe “remains largely paralysed”.

The EDPB register of EU-level decisions shows there were 49 compliance orders issued over four and a half year years.

The report called on the European Commissioner for Justice Didier Reynders to “take serious action” to enforce GDPR laws across Europe.

Last summer, the Irish Government announced that two additional data protection commissioners would be hired and that Helen Dixon would be promoted to chairwoman of the DPC, in an attempt to better resource the watchdog in recognition of its growing workload.

The DPC has been carrying out a review of its governance structures, staffing arrangements and processes since summer 2022.

In January this year, it was revealed that Meta alone paid over 80 per cent of the EU’s 2022 GDPR fines. European authorities issued fines totalling €832m (£731m) to a number of Big Tech firms for violating GDPR in 2022, of which Meta paid over 80 per cent, according to data analysis done by Atlas VPN.

In the UK, the government has begun moves to reform GDPR data protection laws, claiming that the purported post-Brexit freedoms would remove the “unnecessary bureaucracy” of data protection laws inherited from the EU.

Then-culture secretary Nadine Dorries presented the government’s new 'Data Protection and Digital Information Bill' in September last year, a piece of legislation she described as “one of Brexit’s biggest rewards”. 

At time of writing, the Data Protection and Digital Information Bill stands at the Committee stage, prior to a report being published, followed by a third House of Commons reading of the Bill. It would then move to the House of Lords, assuming Commons approval, to go through the same five-stage review process.