The Data Protection Commission said it had “a year of strong regulatory results” but “higher standards” are needed in many sectors.
Ireland’s data protection commissioner Helen Dixon has defended the track record of Ireland’s Data Protection Commission (DPC) in enforcing GDPR in the country in a new report, amid criticism from politicians and privacy advocates of her ability hold Big Tech accountable.
Dixon called 2021 “a year of strong regulatory results” from the DPC in its annual report for 2021 published today (24 February), while also acknowledging that there is room for improvement.
“It is clear that ‘data controllers’ in Ireland continue to improve their compliance efforts, but higher standards of responsiveness to individuals seeking to exercise their rights are still needed in many sectors,” she said in a statement.
As well as being the national data watchdog, the DPC also acts as the EU’s lead data supervisor of GDPR, which came into effect in May 2018, for several major tech players that have European headquarters in Ireland, including Apple, Facebook, Google, LinkedIn, TikTok and Twitter.
Dixon defends DPC
According to the report, the DPC experienced a 7pc increase in the number of queries and complaints it received last year compared to 2020, concluding a majority of them. It also concluded 95pc of all breach notifications it received in 2021.
The DPC also said it concluded five “large-scale inquiries” in 2021, including a GDPR investigation into Meta-owned WhatsApp which concluded in a €225m fine slammed on the messaging app in September.
Speaking on the publication of the report, Dixon said that “very damaging” had been written over the years on the DPC, with misinformation “amplified” by commentators who “have no knowledge” of work done by the watchdog, according to The Irish Times.
Taoiseach Micheál Martin made similar comments earlier this week in Berlin, when he defended Dixon as “well up to the mark” and that Ireland should be “more robust” in her defence, accusing her critics of acting the way they did “for their own interests”.
The DPC has faced fierce criticism from privacy activists and politicians in recent years for its alleged lax handling of GDPR complaints against Big Tech companies in Ireland.
Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, told An Oireachtas Joint Committee on Justice last April that the DPC had failed to resolve 98pc of cases important enough to be of concern across the EU.
He said that because so many companies had European HQs in Ireland, the country has become a “bottleneck of GDPR investigation and enforcement”.
This, he said, caused other EU countries to sidestep Ireland when going after tech companies, which “jeopardises a European Commission proposal that Ireland become the super regulator for another key part of the digital economy”.
In August 2020, the DPC said Facebook’s use of standard contractual clauses in respect of European user data does not comply with GDPR, and proposed that the company may have to cease EU-US transfers.
Earlier this month, Meta threatened to pull Facebook and Instagram from the EU market despite having “absolutely no desire” to do so, adding that a “theoretical risk” was not enough justification to block data flows between the EU and US.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.