75% of Irish data watchdog's GDPR decisions since 2018 overruled – report
Three quarters of the Irish data watchdog’s GDPR decisions were overruled by European regulators, a report has found.
The report indicates that 75% of the Data Protection Commission’s decisions in EU cases over a five-year period were overruled by the European Data Protection Board (EDPB).
The EDPB had demanded tougher enforcement action in these cases, the report by the Irish Council for Civil Liberties (ICCL) said, with only one other country in one other case overruled in such a manner.
The figures include final decisions from January 2023 that are not yet included in the EDPB register of final decisions, on which the figures are based.
If these three cases are not included, the figure is 88% of DPC decisions overruled.
The report said that the DPC tends to use its discretion under Irish law to choose “amicable resolution” to conclude 83% of the cross-border complaints it receives, instead of using enforcement measures.
The ICCL report claims that Ireland remains “the bottleneck of enforcement” for major cross-border cases in Europe.
“When it does eventually do so, other European enforcers then routinely vote by majority to force it to take tougher enforcement action,” it said.
As Google, Meta, Apple, TikTok and Microsoft have headquarters in Ireland, the Data Protection Commission is the lead authority investigating data privacy complaints about tech giants in Europe.
Some 87% of cross-border GDPR complaints to Ireland’s DPC also involve the same eight companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple, and Tinder.
On EU-wide cases, the ICCL report found that between May 2018 – when GDPR laws came into effect – and late 2022, 64% of the 159 enforcement measures were reprimands, and stated that enforcement against tech giants in Europe “remains largely paralysed”.
The EDPB register of EU-level decisions shows there were 49 compliance orders issued over four and a half years.
The report called on the European Commissioner for Justice Didier Reynders to “take serious action” to enforce GDPR laws across Europe.
Last summer, the Irish Government announced that two additional data protection commissioners would be hired, and that Helen Dixon would be promoted to chairwoman of the DPC – in an attempt to better resource the watchdog in recognition of its growing workload.
The DPC has been carrying out a review of its governance structures, staffing arrangements and processes since last summer.