[German]It is a scandal of the first order that has been known for a long time. The Irish Data Protection Commission (IDPC) systematically blocks and delays proceedings against US giants such as Google, Facebook, etc. for violations of the General Data Protection Regulation (GDPR). The whole thing has been publicly named several times by data protection activists and other European data protectors. But the EU Commission stands idly by and watches this goings-on. Now the Irish Councile for Civil Liberties (Irish data protection activists) has presented a report that once again proves the systematic sabotage of data protection by the Irish data protection authority IDPC.
Back in March 2021, German Federal Data Protection Commissioner Ulrich Kelber had criticized Ireland’s “extremely slow case processing, which lags significantly behind the processing progress of most EU and especially German supervisory authorities.” As part of the complaint, Kelber revealed that Ireland had processed 196 data protection cases by the end of 2020, but had closed only four of them. Germany, on the other hand, has closed 52 of its 176 cases. The following tweet points out the facts, which are documented in the Irish Councile for Civil Liberties’ (ICCL)GDPR-Report 2021.
The message from the above tweet: The Irish Data Protection Authority (IDPC) is crippling enforcement of the GDPR against Google, Facebook and other Big Tech companies from the US (they are based in Ireland). In the three years since the GDPR (May 2018 to May 2021), Ireland has sent only four draft GDPR decisions to the European Data Protection Board. 98% (160) of cases remain unresolved.
The message from the ICCL report is that Europe is unable to control how large tech companies use European users’ data. Three and a half years after the introduction of the General Data Protection Regulation (GDPR), enforcement of the EU GDPR against Big Tech is paralyzed because Ireland has failed to provide draft decisions for important cross-border cases. Even in the case of the fine against WhatsApp, the Irish data protection authority tried to block (see GDPR: WhatsApp fined with 225 million Euro).
In addition, European data protection authorities remain underfunded and have too few investigators specialized in the technology sector. The key findings from the report are:
- The Irish Data Protection Commission is the bottleneck in enforcing the GDPR against Big Tech in the EU. Almost all (98%) major GDPR cases referred to Ireland remain unresolved.
- Despite Covid-19 forcing many Europeans to work online, data protection authorities remain ill-equipped to police the tech sector. Only 9.7% of the 2,950 full-time employees of EU authorities are technology specialists.
- Less than half (44%) of final EU-wide decisions by data protection authorities include remedies such as fines or orders to stop processing.
- A small number of Member States (Ireland, Spain, Germany, the Netherlands, France, Sweden, and Luxembourg) receive nearly three-quarters (72%) of all cross-border complaints referred between DPAs.
EU countries’ investment in data protection authorities is declining. Germany alone accounts for nearly one-third (32%) of all spending on EU data protection authorities overseeing the private sector. More than half of all national data protection authorities have small annual budgets (€5 million or less). The ICCL has written to EU Justice Commissioner Didier Reynders urging the Commission, as “guardian of the Treaties,” to ensure that the General Data Protection Regulation is properly applied and to take action against Ireland and other EU Member States that jeopardize fundamental rights in the Union. The full report can be downloaded here.
Cookies helps to fund this blog: Cookie settings