Since the introduction of the GDPR, Ireland’s Data Protection Commission has been swamped with work to enforce the regulations. However, due to the abundance of cases to investigate, privacy authorities are said to be too slow to act on violations.
With many tech giants deciding to locate their European headquarters in Ireland for tax reasons, the biggest GDPR-related investigations are falling on the Irish Data Protection Commission’s plate. With controversial social media site TikTok recently relocating to the country, the privacy authority is coming under heavy pressure, CNBC suspects.
Privacy activist group NOYB, short for ‘none of your business’, believes the DPC is taking too little action to tame the tech giants. “The expectations towards the DPC are very disappointing,” NOYB lawyer Romain Robert told CNBC. “We don’t see that many decisions.”
Only one GDPR fine
Since the GDPR was introduced in 2018, the DPC has handed out only one fine to a US tech giant: Twitter was fined 450,000 euros last December. Twitter was fined for failing to report a possible breach of end-user privacy data within 72 hours.
Deputy commissioner Graham Doyle of the DPC says he has been trying to control expectations since the GDPR regulations began. “There is this focus on the pace at which investigations go and a belief that just because you have more people, it means things will happen quicker. That’s not necessarily the case. In some areas it will help but in others it means that you can do more simultaneously.”
The DPC is growing fast. Last year it received 19.1 million euros from the Irish government. The year before, it received 16.9 million. The number of employees is also growing fast. The DPC currently has almost 150, but expects this number to grow to 200 by the end of the year.
Currently, the DPC is conducting an investigation that could potentially lead to its largest GDPR fine to date. The privacy watchdog is investigating whether WhatsApp is open enough about what data the chat app shares with Facebook. The chat app is facing a fine of between 30 and 50 million euros. In addition, the French CNIL has handed out a penalty of 50 million euros to Google.
Privacy authorities act too slowly
Still, Robert thinks that European authorities are acting too slowly. He points to the Luxembourg privacy watchdog as an example, which has not yet taken action against Luxembourg-based Amazon. Robert advocates an objective analysis of all resources, budgets and workload of the DPA. That way, a full picture can be formed of how the GDPR is performing.