Google, Facebook, Apple, Microsoft and Twitter are some of the big technology companies with their European headquarters in Dublin. This makes the Data Protection Commission (DPC) the body in charge of resolving privacy issues raised against these companies.
In fact, one in five complaints (21%) sent to regulatory bodies have been referred to the DPC.
However, the increasing number of complaints of abuse or violation of the GDPR regulations against these large companies begins to accumulate in the Irish body and a bottleneck is occurring.
Only 4 cases out of 164
Since the GDPR came into force, the DPC has accumulated cases of pan-European importance as the main authority to review them. As of May 2021, the number rises to 164 cases, according to an investigation by the Irish Civil Liberties Council (ICCL). Nevertheless, 98% of these cases remained unsolved.
Furthermore, in the three years since European data protection regulations came into force (in May 2018) and May 2021, the Irish data protection agency has only submitted four draft decisions to the European Data Protection Board (EDPB) for review and approval.
“Ireland is the great bottleneck of the EU,” states the report, which denounces that no other body that oversees the RGPD in the EU (such as the Spanish Data Protection Agency) can intervene if the Irish CPS “is granted his lead role in cases against large Ireland-based tech companies. As a result, EU GDPR enforcement against big tech is at a standstill due to the fact that Ireland does not provide draft decisions on cross-border cases. “
It should be noted that when complaints arise in various countries about GDPR compliance in relation to any Irish-based company, the DPC is designated as the lead supervisory authority by default to conduct the investigation under the “single window” principle.
Once the CPS issues a decision, it is usually forwarded to the European Data Protection Board and other data protection authorities for approval, before a final decision is made. This was the case, for example, of the fine against WhatsApp. At first, from Ireland it was decided that the fine would be 50 million euros, but after the intervention of other European regulators and the EDPB, the Irish DPC increased the fine to 225 million euros.
Spain, an example to follow
Ireland, together with Spain, Germany, the Netherlands, France, Sweden and Luxembourg, handle 72% of all complaints sent between the bodies in charge of ensuring data protection in Europe.
The Irish Civil Liberties Council assures that the DPC is very slow to process these cases, which are accumulating. Meanwhile, consider that the Spanish Data Protection Agency is a role model for its performance, as it has submitted 41 draft decisions to the EDPB for cross-border cases, despite having a smaller budget than that of the DPC and a smaller staff.
That is, according to this body, the APD solves ten times more projects than its Irish counterparts, also having a lower budget.
Complaints on the rise, lower budget
This organization also denounces that, despite the fact that every year the number of complaints for data protection grows throughout the European Union, the majority of regulatory bodies see their budget reduced.
According to their data, although there was a significant reinforcement since 2016 in preparation for GDPR, since then they have been reduced. The German agency is the one with the most resources: the 94.7 million euros of budgets represent one in every 3 euros (32%) of all the money that the regulatory bodies count.
On the other side of the scale are nine countries with budgets of less than 2 million euros per year.