75% of Irish data watchdog’s GDPR decisions since 2018 overruled – report
The Irish Council for Civil Liberties claims that Ireland remains a ‘bottleneck’ for GDPR enforcement.
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Three quarters of the Irish data watchdog’s GDPR decisions in EU-wide cases were overruled by European regulators, a report has found.
The report indicates that 75% of the Data Protection Commission’s decisions in cross-border investigations over a five-year period were overruled by the European Data Protection Board (EDPB).
The EDPB had demanded tougher enforcement action in these cases, the report by the Irish Council for Civil Liberties (ICCL) said, with only one other country in one other case overruled in such a manner.
The figures include final decisions from January 2023 that are not yet included in the EDPB register of final decisions, from which the figures are based.
If these three cases are not included, the figure is 88% of DPC decisions overruled.
The report said that the DPC tends to use its discretion under Irish law to choose “amicable resolution” to conclude 83% of the cross-border complaints it receives, instead of using enforcement measures.
The ICCL report claims that Ireland remains “the bottleneck of enforcement” for major cross-border cases in Europe.
“When it does eventually do so, other European enforcers then routinely vote by majority to force it to take tougher enforcement action,” it said.
As Google, Meta, Apple, TikTok and Microsoft have headquarters in Ireland, the Data Protection Commission is the lead authority investigating data privacy complaints about tech giants in Europe.
Some 87% of cross-border GDPR complaints to Ireland’s DPC also involve the same eight companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple, and Tinder.
On EU-wide cases, the ICCL report found that since May 2018 – when GDPR laws came into effect – and late 2022, 64% of the 159 enforcement measures were reprimands, stating that enforcement against tech giants in Europe “remains largely paralysed”.
The EDPB register of EU-level decisions shows there were 49 compliance orders issued over four and a half year years.
The report called on the European Commissioner for Justice Didier Reynders to “take serious action” to enforce GDPR laws across Europe.
Last summer, the Irish Government announced that two additional data protection commissioners would be hired, and that Helen Dixon would be promoted to chairwoman of the DPC – in an attempt to better resource the watchdog in recognition of its growing workload.
The DPC has been carrying out a review of its governance structures, staffing arrangements and processes since last summer.