Data Protection Commissioner has 22 investigations open into big tech firms, according to annual report
The Irish Data Protection Commissioner has rejected claims Ireland is a “bottleneck” for enforcement and says her office is now concluding complaints more quickly than new ones emerge.
Helen Dixon also said the Irish DPC’s position as Europe’s pre-eminent enforcer is not being diluted through new European Commission proposals for greater administrative harmonisation around big cross-border cases.
She said she believes the US-EU transatlantic data agreement has been “positively” received by European data authorities, signalling that Facebook and other big tech data firms may ultimately overcome the current threat of a US-EU data ban.
Ms Dixon was speaking as her office launched its annual report for 2022, a year that saw over €1bn in fines for big tech firms, mostly owned by Meta.
According to the report, there are 22 additional investigations currently open into big tech firms, eight of which involve Meta companies. Three of the inquiries are into Twitter, while Google and TikTok have two each. Apple, Linkedin, Yahoo, Tinder, Yelp and Quantcast make up the remaining probes.
Ms Dixon said the coming months will be “busy” with more big tech referrals and decisions.
She said Ireland had sped up its processes in resolving cases and dismissed accusations that her office is an enforcement “bottleneck”.
She said that a January research study from the legal firm DLA Piper concluded that two thirds of the fines and corrective measures issued across the combined EU, UK and EEA last year under the GDPR were issued by the Irish DPC.
“That means that the activity to generate whatever the fines are was enormous. It involved the conclusion of 17 large-scale investigations in Ireland, and in each case, there was a comprehensive investigation, detailed analysis and findings.
Ms Dixon rejected claims that Ireland’s central position as Europe’s primary tech privacy enforcer was being undermined
“So I think there can’t be a bottleneck in circumstances where two thirds of the activity under the GDPR is coming from the DPC.”
Ms Dixon also rejected claims that Ireland’s central position as Europe’s primary tech privacy enforcer was being undermined by European Commission proposals to harmonise administrative procedures.
“We have been one of the movers and shakers behind encouraging the EU Commission to do that,” she said.
“Especially aspects of the administration of the One Stop Shop. As the most active enforcer potentially in the world, or at least in Europe, we are disproportionately affected by that lack of harmonisation of administrative laws in Europe.”
According to the annual report, the DPC stepped in to change or halt a number of feature changes from big tech firms that would have affected all of Europe.
In one case, it stopped TikTok from changing its ad terms and conditions from ‘consent’ to ‘legitimate interest’, which would give the company more flexibility in pushing ads at people.
Irish DPC has imposed fines of €1.3bn on a number of big tech companies
In another case, it asked Apple to shorten the period in which it keeps raw data files about blurred photos in Apple Maps.
Over the past two years, the Irish DPC has imposed fines of €1.3bn on a number of big tech companies.
Ms Dixon also claimed that objections to draft decisions were mostly concentrated in a handful of European countries where the national data protection agencies have “adopted positions which they may now be defending before their own national courts.”
She said that she was “surprised” the European Data Protection Board had instructed her office to initiate a fresh investigation into WhatsApp and Facebook, following large fines imposed on the Meta companies. The Irish office is seeking to have the direction annulled.
“I think it’s a clear overreach and I am surprised that the EDPB put itself in that position,” she said. “This co-decision making that we are engaged in has to be balanced against the fact that the GDPR provides for the lead authority to be the sole interlocutor with the regulated entity. But this is complex. It is important to have these cases heard. From our point of view, it will provide clarity on the rules.”
Asked about an increase in Commissioners from one to three, as promised by the government last year, Ms Dixon said that the acting Justice Minister Simon Harris told her that his department "is engaging with the Department of Public Expenditure and Reform around the terms and conditions and that once whatever sanction they're seeking was obtained, they would then liaise with the public appointments service to start a recruitment process".
The DPC processed 9,370 new cases last year, a decrease of 14pc on the year before. 2,710 of them progressed to a “formal complaint-handling process”. The regulator says that it concluded 10,008 cases in 2022, of which 3,133 were resolved through formal complaint-handling.
The most frequent GDPR topics for queries and complaints were access requests, fair-processing, disclosures on direct marketing and the right to be forgotten.
As well as the larger financial penalties on tech firms, last year the DPC had six administrative fines it imposed on organisations ranging from Limerick City and County Council to Bank Of Ireland and Meta confirmed by the High Court.
The DPC’s funding increased from €19.1m to €23.2m last year, sourced entirely from the Exchequer. This year, Ms Dixon said, it will rise to €26m.