Ireland is failing to apply the EU’s privacy laws to US Big Tech companies, with 98 percent of 164 significant complaints about privacy abuses still unresolved by its regulator.
Google, Facebook, Apple, Microsoft, and Twitter all have their European headquarters in Dublin, making Ireland’s Data Protection Commissioner the lead EU regulator responsible for holding them to the law.
But the Irish DPC has been repeatedly criticized, both by privacy campaigners and by other EU regulators for failing to take action.
An analysis by the Irish Council for Civil Liberties found that the vast majority of cases were still unresolved and that Spain, which has a smaller budget than Ireland for data protection, produces 10 times more draft decisions.
Johnny Ryan, senior fellow at ICCL, said Ireland was the “worst bottleneck” for enforcement of the EU’s General Data Protection Regulation.
“GDPR enforcement against Big Tech is paralyzed by Ireland’s failure to deliver draft decisions on cross-border cases,” he added, noting that the rest of the EU has to wait for Irish draft decisions before they are able to take their own action against the companies.
The Irish regulatory authority, headed by Helen Dixon, did not respond to a request for comment.
“The whole cooperation system relies on a few key [data protection agencies] moving cases along, and so far this is barely happening,” said Estelle Massé, senior policy analyst at Access Now.
The Irish reticence to police Big Tech has been criticized by several other European countries, including France, Spain and Italy.
In July, the Irish parliament published a report calling for reform of the Irish DPC, and urging it to start enforcing the GDPR. It said it “fears that citizens’ fundamental rights are in peril.”
In March, long-simmering tensions over Ireland’s treatment of Big Tech burst out into public after German officials attacked the Irish.
Ulrich Kelber, Germany’s chief data protection watchdog, wrote to members of the European Parliament to complain that Germany alone had “sent more than 50 complaints about WhatsApp” to the Irish authorities, “none of which had been closed to date.”
He also criticized Ireland’s “extremely slow case handling, which falls significantly behind the case handling progress of most EU and especially German supervisors.” He noted that by the end of last year, Ireland was leading 196 cases but had concluded only four, while Germany had closed 52 out of 176 cases.
EU officials said that Brussels was limited in what it could do to force Dublin into action. EU privacy rules give the European Data Protection Board the power to act against data watchdogs at a member-state level, but its powers are limited, and it cannot force an authority such as the Irish DPC to do its job.
Under current rules, Dublin is in the strongest position to force its own data protection agency to exercise its powers, the officials said. However, the EU may in theory open infringement proceedings against a member state that doesn’t bring in effective policies to safeguard privacy rules.
Additional reporting by Jude Webber.