Ireland's DPC needs more staff

Adrian Weckler


Max Schrems

There are many over-the-top, misleading claims made about Ireland's Data Protection Commissioner from foaming critics.

But one of them has always been hard to completely refute: the office isn't sufficiently resourced.

Cynics and critics say this is done on purpose, a sign of soft regulatory intent to appease mostly US multinationals.

Helen Dixon and government figures dismiss this, arguing that competent expansion is hard and has generally been done as quickly as possible up to now.

The office has increased to around 160 staff and a budget of €17m. But this simply isn't enough to keep pace with the workload landing on its doorstep.

Consider what Dixon has on her plate:

The world's biggest (and most controversial) data-slurping tech companies, which keep getting bigger and adding more services;

Hundreds of small and middle-tier data-slurping companies, newly settling in Ireland to follow the giants;

Government departments and semi-state companies with public service cards and corner-cutting practices;

Banks, insurance firms and credit unions;

Garden-variety hacks and data breaches in "ordinary" society.

And then there are the momentous geopolitical court rulings, such as the Schrems judgment a fortnight ago: to her endless list of tasks, the DPC must now add the duty of telling Facebook, Google and thousands of other businesses that their data transfers to the US may no longer be allowed.

All of this occurred to me when, last week, I rang the DPC to ask what its position was on the huge Twitter hack the week before. Would this kick off anything much? The polite answer was that a data breach notification from Twitter was received, but that's about all that was happening.

I understood. There simply aren't people to just drop some of the hundreds (or thousands) of other tasks it's currently at for a mid-level hack that may only have exposed the personal information of a handful of celebrities.

This whole situation causes tension with European neighbours. Many EU countries already give out about Ireland's tech-friendly, low tax industrial set-up. Not only do we take all the big rich tech firms, they moan, but then we don't apparently resource the regulatory end of things quickly enough.

Politically, this is levelled at the Government as an indication of cynical soft-touch regulation.

It's a point that privacy campaigner Max Schrems made again recently, before last week's momentous European Court judgment that struck down the EU-US Privacy Shield treaty.

"Soon after the GDPR came into force it became obvious that the DPC is acting as a bottleneck for Europeans' right to privacy," he said.

"The procedure is Kafkaesque and seems to be almost designed to delay user complaints for years and thereby protect US multinationals that are headquartered in Ireland."

Schrems is sometimes given to a bit of drama. As one would expect, his reasoning has always been strongly rejected by the Irish DPC's office as well as successive governments.

And yet Schrems, the one who filed the initial complaints in Dublin about Facebook's transfer of his data to the US, is not alone in this view. Some rival data protection authorities whisper similar things.

Schrems, too, has a right to be taken seriously on the specific question of delay. There is a valid question over due process and resource constraints leading to a system that frustrates the timely vindication of rights.

It takes years for some of the important complaints and data breach investigations to be fully processed by the DPC. In Schrems's own Facebook case, much of it has been down to legal uncertainty over who should call the shots on making such a massive call on the suspension of data flows between the US and the EU. No-one can blame the DPC here for seeking ECJ cover: that is a treaty-shattering, geopolitical call.

But since the GDPR came into force over two years ago, the DPC has amassed well over 20 investigations into giant tech multinationals (around half of them involving Facebook). None has been completed. Just one, into a Twitter data breach, is in its final Article 60 consultation process with other European data protection authorities.

When it comes to the pace of DPC decisions on big tech, it's fair to say that it is taking a long time.

Dixon makes valid points in defence of this. First, very few of the other European data protection authorities are especially more advanced in major cross-border investigations.

Second, if you rush decisions, like her British counterpart has done at least once, you leave it open to even longer delays because of inevitable, complex appeals. (At least one major multinational privacy chief told me privately that his company would be less likely to appeal an Irish DPC judgment if it's "thorough" and involved proper consultation. Because much of this is new legal ground, high-powered company lawyers are less likely to quickly accept a ruling and pay up unless they feel they've been walked through every last step.)

Third, it's not easy to expand a serious regulatory agency quickly. This isn't a start-up.

But even with all of these reasonable points, it's hard to avoid the conclusion that Ireland's data protection authority simply needs more staff. They're too thinly resourced. The volume of work they're facing is getting bigger and bigger. People's expectations of their privacy rights being vindicated, both here and across Europe, are getting deeper.

We need to make a statement that shows EU neighbours we understand the future scale of our responsibilities. Otherwise, we may continue to find ourselves the butt of snarky comments about "soft regulation".

Sunday Indo Business