Five years after the EU introduced a mammoth data privacy law to rein in big tech, Ireland's watchdog is its chief enforcer. Critics say this helps explain why the regulation is failing.
Dublin is at the center of the General Data Protection Regulation (GDPR) regime because the city hosts the European headquarters of the likes of Google, Meta, Twitter and TikTok.
The regulation is a straight-up challenge to the business models of these firms, which gather personal data to create the algorithms that serve content and ads to their users.
And its enforcement is a challenge for Ireland, which has courted big tech with generous tax incentives.
Even though the EU's 19th biggest nation is by far the bloc's biggest issuer of GDPR penalties—hitting Meta with a record 1.2-billion-euro ($1.3 billion) fine this week alone—critics say GDPR enforcement is a joke and Ireland is the chief jester.
"Europe's failure to enforce the GDPR exposes everyone to acute hazard in the digital age," Johnny Ryan of the Irish Civil Liberties Union wrote in a report marking five years of GDPR.
He said Europe could hardly claim to be a regulatory superpower if it could not even enforce its own laws.
Tangle of confusion
The GDPR, which came into force five years ago this Thursday, is meant to protect Europeans from having their data misused by companies and public institutions.
The law dictates that citizens must consent to the ways in which their data is used.
GDPR is enforced by national data protection agencies (DPAs).
However, critics like Ryan, Austrian campaigner Max Schrems, and an array of digital rights groups say cases can take years to resolve, punishments are rarely severe enough and citizens have few rights to take part.
DPAs, the critics say, are either badly funded, badly trained, in thrall to big companies, largely inactive or non-responsive.
Each has its own rules and practices and while Germany spends more than 100 million euros a year on its agencies, Romania barely breaks one million euros.
This leads to unequal enforcement and a tangle of confusion about their role—Ireland's Data Protection Commission (DPC) is at the center of it all.
'Careful' challenges
Even the DPC's massive fine against Meta on Monday descended into slight farce when the Irish agency said other European bodies had ordered it to do it.
France's watchdog, CNIL, was among four agencies to demand tougher action.
"The CNIL is very careful to challenge, in the best sense of the word, the proposals of the DPC," CNIL chief Marie-Laure Denis told AFP in an interview.
And it got worse—Schrems, who had brought the case against Meta, detailed how he had to fight for a decade to get Ireland to investigate.
The Irish DPC generally tries to avoid issuing fines or even investigating at all, instead relying on "amicable procedures" to resolve cases.
The soft approach has led to the EU's central body, the European Data Protection Board (EPDB), overruling Ireland's DPC in most of its EU-level cases—a power it almost never uses against anyone else.
Legal expert Ray Friel from the University of Limerick told AFP the EDPB wanted to use heavy fines "to make these companies sit up and take notice".
But the Irish DPC had focused more on "rehabilitation".
The DPC did not immediately respond to an AFP request for comment.
End of secrecy
Ireland's approach is out of step with the hard rhetoric emanating from the European Commission, which positions itself as a champion of the people against big corporate interests.
The EU's executive arm has defended the DPAs in the past but Justice Commissioner Didier Reynders announced earlier this year that reform was coming.
He promised to boost supervision of the DPAs and further proposed a law to govern how DPAs work with each other.
Activists are urging the commission to be bold.
Estelle Masse, Europe legislative manager at the Access Now digital rights NGO, called for an end to secrecy, for individuals to be given more rights and for clear deadlines to be set for resolution of complaints.
"Our fundamental rights are at stake, it's outrageous that we've had to wait for years for violations to be resolved," she wrote in a recent report.
But Schrems is far from hopeful that the commission will grasp the nettle.
He said Brussels was actually proposing to reduce the ability of individuals to take part.
"It seems the commission takes the view that the less the parties are talked to, the less the people are talked to, the more efficient the procedure gets," he said, adding that this "is not true".
© 2023 AFP