The Irish Data Protection Commission (DPC) is clearly under siege. Negative global and Irish press coverage has accrued in recent weeks, alongside criticisms by fellow EU data protection authorities (DPAs), privacy advocates and even, at times, concern from the European Court of Justice (ECJ).
And, with its surprising and ill-judged public statement this week in response to some of said criticisms , the DPC is developing a self-damaging siege mentality to match.
Yet this unfortunate state of affairs was entirely predictable, and largely avoidable. And though the fault ultimately lies primarily with, and must be shouldered responsibly by, the DPC, successive Irish governments have helped make this messy regulatory bed and must engage in resolving it.
Just how bad things are at the moment can be summed up in the opening sentence of a recent Bloomberg opinion piece: “Europe’s ambition to lead the world on data privacy has a weak spot: Ireland. ” The piece was published by the Washington Post, placing this unfortunate but truthful view in front of Washington lawmakers and lobbyists, a damaging reputational hit for Ireland.
The “too long, didn’t read” version of why this is all coming to a head now is that numerous DPC and government data protection chickens have alas, come home to roost. For those who aren’t interested in taking a deep dive into data protection issues and the intricacies of the General Data Protection Regulation (GDPR) – and that means most sentient beings – here’s a broad summary.
First, the Irish government has never taken data protection issues seriously. Never. Since the DPC’s founding, every administration has struggled to operate on paltry amounts of funding (a valid complaint from the current DPC, too).
And, as the previous data protection commissioner, Billy Hawkes, stated in his final annual report in 2014, the Irish State consistently ignores its own data responsibilities.
“Our audits of State organisations have, in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State,” Hawkes wrote in his foreword.
More recently, the State’s disregard for data handling has surfaced in the ECJ guidance opinion on data access in a referred case involving convicted murderer Graham Dwyer, where the ECJ criticised the State’s failure to amend Irish data-gathering legislation following a landmark 2014 ECJ case involving, yes, problems with the Irish State’s data gathering.
The government’s DPC funding shortfalls became especially egregious once it was apparent that GDPR would position Ireland as the de facto global regulator for numerous powerful multinationals. And it is a major governance conflict to place the regulator under a department (Justice) subject to the DPC’s regulatory oversight, reliant on funding from another department (DEPR) that is currently itself the subject of a DPC investigation. The DPC should be fully independent, funded by a levy on the companies it oversees (though I would argue the multinationals are better regulated at EU level).
But funding is a side issue. The majority of the DPC office’s reputational problems right now lie with the DPC’s own actions, decisions and public interactions (or lack of same).
In 2014, I wrote that the incoming GDPR would place “an additional burden and responsibility for good oversight on Ireland’s DPC”.
This week we’ve heard plenty about the burden from the DPC but only an astonishingly lengthy, legalese excuse on its website for the substantial and substantiated criticisms of its actions.
Summarised briefly, criticisms include complaints and objections from data protection and privacy advocates, and other EU regulators, about the extremely slow progress of complaints – made the worse because many decisions will be landmark findings that help define the GDPR’s effectiveness – and the DPC’s objections to, for example, publication by Austrian Max Schrems’ privacy advocate group NOYB of documents that confirm a wall of EU DPA disagreement with proposed decisions from Ireland’s DPC. They see too much accommodation of companies such as Facebook, and fines so minuscule that GDPR’s regulatory power is insulted and diminished.
The sclerotic approach to taking decisions rankles in the EU – and globally too. Just 2 per cent of 164 cases with the DPC have been ruled on, according to a September report from the Irish Council for Civil Liberties.
Incredibly, even though the ECJ has issued two internationally significant rulings regarding Max Schrems’ complaints to the Irish DPC, his original 2013 case remains undecided by the DPC. And the ECJ has encouraged the DPC to take decisive actions when it has the power to do so, rather than refer preliminary questions to the ECJ.
The DPC needs better resourcing. And the Government must enable an independent DPC fit for purpose. But the DPC, despite having many good people, has made so many own goals at this point that it has exasperated just about everyone, no matter their perspective or data regulation position.
The best reform would be a full overhaul – of funding, of structure, and of leadership.